View Full Version : S&D, HJT, TrendMicro AV, RootkitBuster all abort and then are blocked from re-running
JeffeVerde
2009-08-04, 04:58
Windows XP SP3. Has TrendMicro anti-virus, but was unprotected for a week when subscription expired and wasn't immediately renewed.
=After renewing TM and attempting to run a scan, it repeatedly hung at the same point, scanning "HKLM\....507a01" (full path is too long to display in the app's window and is truncated).
=I found BRAVIAX.EXE in the \WINDOWS and \SYSTEM32 folders and deleted it (no affect) I also found a file on the desktop called CATCHME.TXT. It appeared to be a log file and had a single entry showing USER32.DLL being copied from \SYSTEM32 to \SYSTEM32\DLLCACHE
=Installed and ran HiJackThis - it shutdown while scanning HKLM... - leaving no log. After HJT aborts, it can't be re-run (no error - just won't open), or copied/renamed/moved (error message - access violation). The file can be deleted.
=Installed and ran TrendMicro's Rootkit Buster. It shutdown while scanning HKLM... - leaving no log. After abort, file can't be copied/renamed/moved. Once it's aborted, attempting to re-run in normal mode causes it to update it's driver and request a reboot - reboot and rerun, and same thing happens. Trying to re-run in safe mode, it generates an error about the TMCOMM service being unavailable.
=Installed and ran Search&Destroy. Started scan - it ran for a second, then SD shutdown and couldn't be re-opened. Launched SD via the .SCR file - same behavior - launched, then shutdown on start of scan, and now can't launch via the .SCR either.
So what next? This thing bug seems to recognize anything hunting it, and shuts it down. I've tried renaming the HJT, RKB and S&D exe's, but same behavior - they start to scan, shutdown, and then can't be launched again.
Hi,
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized, if not you'll find it in c:\rsit folder)
Download GMER (http://www.gmer.net) here by clicking download exe -button and then saving it your desktop:
Double-click .exe that you downloaded
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.
JeffeVerde
2009-08-05, 23:29
RSIT could not be run succesfully. On clicking "Continue" at the disclaimer screen, a progress bar window opens, and immediately an error message opens-
------------------------------------------
AutoIt Error
Line -1:
Error: Variable used without being declared
------------------------------------------
Tried it both with HJT already installed, and with HJT completely removed and internet access up. Keep in mind that one of the behaviors of this bug is that it blocks HJT from running a complete scan, and once a scan has been aborted, that specific install of HJT cannot be launched again (a clean copy in a new location or with a different name will run - but with the same results - first scan aborts and can't relaunch after that).
JeffeVerde
2009-08-05, 23:31
GMER did run succesfully. Here's the log-
------------------------------------------------------
GMER 1.0.15.15011 [4rnpkv2m.exe] - http://www.gmer.net
Rootkit scan 2009-08-05 13:11:13
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT 85329C40 ZwCreateKey
SSDT 85329140 ZwCreateProcess
SSDT 85329400 ZwCreateProcessEx
SSDT 8532AAA0 ZwCreateThread
SSDT 8532A1C0 ZwDeleteKey
SSDT 8532A480 ZwDeleteValueKey
SSDT 8532AC40 ZwLoadDriver
SSDT 853296C0 ZwOpenProcess
SSDT 85329F00 ZwSetValueKey
SSDT 85329980 ZwTerminateProcess
SSDT 8532A900 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 4BF 805B1001 7 Bytes JMP 86DA67E0
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[352] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[352] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[352] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[620] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[620] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[620] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[944] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[944] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[944] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\WINDOWS\eHome\ehSched.exe[1208] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\WINDOWS\eHome\ehSched.exe[1208] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\WINDOWS\eHome\ehSched.exe[1208] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[1692] user32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[1692] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[1692] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1696] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1696] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1696] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Skype\Phone\Skype.exe[2724] user32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Skype\Phone\Skype.exe[2724] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Skype\Phone\Skype.exe[2724] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2948] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 100010AB C:\WINDOWS\system32\xwreg32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2948] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2948] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2948] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3104] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 100010AB C:\WINDOWS\system32\xwreg32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3104] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3104] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3104] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[352] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[352] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\WINDOWS\eHome\ehSched.exe[1208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\WINDOWS\eHome\ehSched.exe[1208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Skype\Plugin Manager\skypePM.exe[1692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Skype\Plugin Manager\skypePM.exe[1692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Skype\Phone\Skype.exe[2724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Skype\Phone\Skype.exe[2724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[2948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[2948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[3104] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[3104] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe [284] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [340] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe [352] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [512] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [620] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [820] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\Internet Security\TmPfw.exe [920] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe [944] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\BM\TMBMSRV.exe [1044] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1056] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1124] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [1168] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehSched.exe [1208] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1260] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1656] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Skype\Plugin Manager\skypePM.exe [1692] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1696] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe [1872] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1960] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe [2448] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Skype\Phone\Skype.exe [2724] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2948] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2984] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3104] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe [3376] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe [3440] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe [3520] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe [3580] 0x35670000
---- Files - GMER 1.0.15 ----
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP192\A0062823.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP192\A0063810.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP192\A0063868.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP193\A0063902.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP193\A0064021.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0064279.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0065388.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0064448.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0065376.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0065384.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0066388.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0067388.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0067392.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0069392.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0069400.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0069418.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0069447.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0069458.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0070458.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0068392.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0070542.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0070552.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0070566.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0070571.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0070583.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0070589.sys:1 8192 bytes executable
---- EOF - GMER 1.0.15 ----
Hi,
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
JeffeVerde
2009-08-07, 04:55
I figured out how the virus is disabling HJT, etc after they're run once -- it changes the file access security. I can "revive" an app by re-enabling it's access rights.
So - running GMER again, it kept aborting before completing it's scan. Monitoring GMER as it ran, the last folder I saw scanned was in C:\Windows\$hf_mig$\... Browsing that folder, along with the 100-odd KB##### folders, there was a folder with a long hex name, like {28f123d......}. Trying to open that folder, I got the same access error I'd get after the virus "disabled" any of the scanner/hunter apps I've been trying to use. So I opened the folders properties and granted full rights to admin.
As soon as I hit "apply", the system shutdown. On reboot, I got my wallpaper, but no desktop. Ctrl-Alt-Del brought up TaskManager, and I attempted to launch Explorer, but I got the same access error I've been getting after the virus disables the HJT --- and now I can't even bring up TaskMgr.
Any suggestions? Or is it time to FDISK?
JeffeVerde
2009-08-07, 05:05
I can still launch SafeMode-CommandPrompt. Is there a way to set access rights from the command prompt?
JeffeVerde
2009-08-07, 05:21
Figured it out -- was able to use CACLS to re-enable explorere.exe and taskmgr.exe, and at least I'm back to where we were. I'll get the DDS log up in a minute. But that \win\$hf_mig$\{1234...} folder certainly seems suspect.
JeffeVerde
2009-08-07, 05:37
I went back to look at the folders in $hf_mig$, and I can browse all the subfolders except the one with the long hex name. As soon as I click on it explorer shuts down (which I can now recover from by resetting the rights in cmd). Whatever that folder is, the virus is guarding it. The folder name is {29f8ddc1-9487-49b8-b27e-3e0c3c1298ff}
JeffeVerde
2009-08-07, 05:48
Attached are the DDS results
Thanks for the logs.
Why have you run ComboFix there? I can't recall giving you any instructions related to it. Post contents of c:\ComboFix.txt file, please.
JeffeVerde
2009-08-07, 23:24
Sorry about that -- my daughter's boyfriend tried to "help" yesterday while I was at work -- I've told them hands-off till we're done.
I can't find combofix.txt - or .exe for that matter. I assume he deleted the files after he was done.
Then we can do nothing else than run it again.
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds.txt log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
JeffeVerde
2009-08-08, 12:22
ComboFix 09-08-07.09 - Owner 08/08/2009 2:03:21.4.1 - NTFSx86
Running from: C:\CFIx\ComboFix.exe
Command switches used :: C:\CFIx\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.
/wow section - STAGE 32A
Access is denied.
/wow section - STAGE 48
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
/wow section - STAGE 50
Access is denied.
JeffeVerde
2009-08-08, 12:25
DDS (Ver_09-07-30.01) - NTFSx86 MINIMAL
Run by Administrator at 19:41:30.15 on Thu 08/06/2009
Internet Explorer: 7.0.5730.13
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
============== Running Processes ===============
============== Pseudo HJT Report ===============
uStart Page = about:blank
mStart Page = about:blank
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
uRunOnce: [SPRTRA] iexplore https://www.tmremote.com/sdcxuser/rassist/ra_reconnect.asp?qguid=d76dddac%2D1b4c%2D4555%2Db847%2D8bbbfcf253ff&mode=2&op=reboot
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\owner.your-25a3bd3417\start menu\programs\ultimatebet\UltimateBet.lnk
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://www.tmremote.com/sdccommon/download/tgctlcm.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2009-08-06 14:37 <DIR> --ds---- C:\test
2009-08-06 14:37 389,120 a------- c:\windows\system32\CF18593.exe
2009-08-06 12:49 389,120 a------- c:\windows\system32\CF30086.exe
2009-08-06 12:43 <DIR> --d----- C:\RootkitBuster2.52.0.1013
2009-08-06 12:42 0 a------- C:\settings.dat
2009-08-06 12:42 1,055,676 a------- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 12:33 <DIR> --d----- C:\Autoruns
2009-08-06 12:33 576,280 a------- C:\Autoruns.zip
2009-08-06 12:20 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-06 12:15 <DIR> --d----- c:\windows\system32\Service
2009-08-06 12:06 219,648 a------- c:\windows\PEV.exe
2009-08-06 12:06 161,792 a------- c:\windows\SWREG.exe
2009-08-06 12:06 98,816 a------- c:\windows\sed.exe
2009-08-06 12:04 <DIR> --d----- c:\docume~1\admini~1\applic~1\SupportSoft
2009-08-06 11:07 <DIR> --d----- c:\program files\tmRemoteProdPID
2009-08-06 11:07 <DIR> --d----- c:\program files\common files\supportsoft
2009-08-05 11:52 <DIR> --d----- C:\Pesticide
2009-08-03 17:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-03 17:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-02 00:50 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-08-02 00:49 <DIR> --d----- c:\windows\ERUNT
2009-08-02 00:35 <DIR> --d----- C:\SDfix
2009-08-01 15:28 153,104 a------- c:\windows\system32\tmcomm.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmevtmgr.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmactmon.sys
2009-08-01 11:59 <DIR> --d----- c:\windows\LocalSSL
2009-08-01 11:48 46,456 a----r-- c:\windows\system32\exitwx.exe
2009-07-31 08:50 17,446 a------- c:\docume~1\alluse~1\applic~1\ukeginyzal.sys
2009-07-31 08:50 15,603 a------- c:\docume~1\alluse~1\applic~1\relu.com
2009-07-31 08:50 13,422 a------- c:\program files\common files\zojytamy.vbs
2009-07-31 08:50 13,415 a------- c:\program files\common files\lodydob.bin
2009-07-31 08:49 <DIR> --d----- c:\program files\HomeAntivirus2010
2009-07-24 23:51 <DIR> --d----- c:\program files\Hero Editor
2009-07-24 23:51 249,856 -------- c:\windows\Setup1.exe
2009-07-24 23:51 73,216 a------- c:\windows\ST6UNST.EXE
2009-07-24 21:55 <DIR> --d----- c:\program files\Shared
2009-07-20 10:41 <DIR> --d----- c:\program files\DoylesRoom
2009-07-13 12:16 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-07-13 12:16 17,212 a------t c:\windows\system32\SIntf32.dll
2009-07-13 12:16 12,067 a------t c:\windows\system32\SIntf16.dll
2009-07-13 11:55 35,715 a------- c:\windows\DIIUnin.dat
2009-07-13 11:55 94,208 a------- c:\windows\DIIUnin.exe
2009-07-13 11:55 2,829 a------- c:\windows\DIIUnin.pif
2009-07-13 11:43 <DIR> --d----- c:\program files\Diablo II
2009-07-13 10:26 <DIR> --d----- c:\program files\Poker Pal Pro Edition
2009-07-11 14:55 139,264 a------- c:\windows\system32\igfxres.dll
2009-07-10 09:04 126,976 a------- c:\windows\W3DemoUnin.exe
2009-07-10 09:04 12,692 a------- c:\windows\W3DemoUnin.dat
2009-07-10 09:04 2,829 a------- c:\windows\W3DemoUnin.pif
2009-07-10 09:04 <DIR> --d----- c:\program files\Warcraft III Demo
2009-07-08 11:28 <DIR> --d----- c:\program files\Gateway
==================== Find3M ====================
2009-07-05 17:29 102,400 a------- c:\windows\DIIDUnin.exe
2009-07-05 17:29 19,143 a------- c:\windows\DIIDUnin.dat
2009-07-05 17:29 2,829 a------- c:\windows\DIIDUnin.pif
2009-06-29 09:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
============= FINISH: 19:41:44.43 ===============
Hi,
See if you're able to run ComboFix in safe mode.
JeffeVerde
2009-08-08, 19:27
ComboFix 09-08-07.09 - Administrator 08/08/2009 9:18:58.6.1 - NTFSx86 MINIMAL
Running from: C:\CFIx\ComboFix.exe
Command switches used :: C:\CFIx\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.
/wow section - STAGE 32A
Access is denied.
/wow section - STAGE 48
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
/wow section - STAGE 50
Access is denied.
JeffeVerde
2009-08-08, 19:31
Watching the screen as ComboFix runs, when it first starts, I see "access denied" twice, and then at the end of the scan, after the line about "the system will restart don't restart manually", I again see "access denied" three more times
Hi,
Try running ComboFix thru in safe mode with command prompt. Here are steps to follow (print/save these since you won't be able to access them while in safe mode):
Press F8 before Windows' loading screen and select safe mode with command prompt -option.
Then write following commands (I assume you have ComboFix.exe in C:\CFIx folder):
cd\CFIx
ComboFix.exe
When ComboFix reboots select safe mode with command prompt again so that ComboFix will finish there.
JeffeVerde
2009-08-09, 06:48
Here's ComboFix run from SafeMode-CommandPrompt. Watch it run, I'm still seeing two "Access denied" when it first opens, and three more after the "rebooting system" message.
=====================================
ComboFix 09-08-07.09 - Administrator 08/08/2009 20:30:30.7.1 - NTFSx86 MINIMAL
Running from: C:\CFIx\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 32A
Access is denied.
/wow section - STAGE 48
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
/wow section - STAGE 50
Access is denied.
Hi,
Trying to figure out something. Do you have your Windows media available?
JeffeVerde
2009-08-09, 12:34
No. It's a laptop, and instead of install disks, it came with a system restore volume. I've got other XP disks, if you want me to replace a file. But the laptop has XP Media Center installed and I've only got copies of XP Pro - I think it will complain and abort if I try to do a restore with a different version of XP.
Hi,
XP pro media will do. Let's see if we'll need it or not. Let's try other thing first.
Here are steps to follow (print/save these since you won't be able to access them while in safe mode):
Press F8 before Windows' loading screen and select safe mode with command prompt -option.
Then write following commands:
c:
cd\
dir scecli.dll /s /a >c:\locations.txt
You should end up with locations.txt file in root of c: drive. Reboot back into normal mode and attach c:\locations.txt file to your reply.
JeffeVerde
2009-08-09, 20:18
All I got was-
=============================
Volume in drive C has no label.
volume Serial Number is 409D-676B
=============================
Then it killed the cmdline and cleared the access rights for CMD.EXE. Fortunately I was able to run taskmgr and launch explorere.exe, and reset the rights on CMD.EXE. But we need to be careful of doing anything else with CMD.EXE. If the virus clears the access rights on it and taskmgr or explorerer, then I'm really dead in the water (remember, if I use taskmgr to re-run a file that the virus has "locked", then the virus locks taskmgr too)
JeffeVerde
2009-08-09, 20:21
Doh! explorere and explorerer = explorer . . . haven't had my morning coffee yet :red:
Hi,
Let's see if this works.
Download and Run SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:filefind
scecli.dll
winnt32.exe
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
JeffeVerde
2009-08-09, 21:39
Another observation - I did a "dir /s /a" of each subfolder out of C:\ to see if anything else is being "protected" by the virus. Everything is accessible accept for C:\Windows\$hf_mig$ -- and everything in \$hf_mig$ appears to be accessible except for the suspect folder \{29F...}
I did a CACLS listing of \$hf_mig$, and everything looks normal for the \{29F...} folder, and it's shows a setting I'm not familiar with. The other folders' rights are all-
BUILTIN\Administrator:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
but the \{29F...} folder's rights are-
Everyone:(OI)(CI)F
Everyone:(special access)
SYNCHRONIZE
The Everyone:(OI)(CI)F is how a zapped file shows after I've made it accessible again (I had changed the rights on the \{29F...} several days ago in an attempt to see what's in it), but I don't know what the (special access) and SYNCHRONIZE parts are from
JeffeVerde
2009-08-09, 21:43
sorry --
"I did a CACLS listing of \$hf_mig$, and everything looks normal EXCEPT for the \{29F...} folder, and it's shows a setting I'm not familiar with. The other folders' rights are all-"
Hi,
Please see if you are able to make SystemLook run with those instructions I posted above :)
JeffeVerde
2009-08-09, 22:05
Nope - blocked by the virus. The window closed and the log didn't open. All the log shows is-
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 12:01 on 09/08/2009 by Administrator (Administrator - Elevation successful)
========== filefind ==========
searching for "scecli.dll"
JeffeVerde
2009-08-09, 22:07
This thing is very aggressively killing any process that trys to touch the c:\windows\$hf_mig$\{29F...} folder
Hi,
Go to C:\Documents and Settings\All Users\Application Data folder and look for folders with pure digits (e.g. 23812491) in their names. Move each of these to your desktop.
Then try running SystemLook again.
JeffeVerde
2009-08-09, 22:43
Nope, no \##### folders. I've got a folder \{8CD7...}, but it's from the GEAR ASPI driver, and four months old
JeffeVerde
2009-08-09, 22:45
I also checked all of the \Doc&Set\...\ApplicationData folders
Hi,
Please try this (print/save these since you won't be able to access them while in safe mode):
Press F8 before Windows' loading screen and select safe mode with command prompt -option.
Then write following commands (make sure that you're in c:\windows folder before giving them):
cd system32
dir scecli.dll > c:\amihere.txt
dir sceclt.dll > c:\amioriginal.txt
exit
Attach c:\amihere.txt and c:\amioriginal.txt files to your reply.
JeffeVerde
2009-08-09, 23:13
amihere.txt -- scecli.dll
Volume in drive C has no label.
Volume Serial Number is 409D-676B
Directory of C:\WINDOWS\system32
04/13/2008 05:12 PM 181,248 scecli.dll
1 File(s) 181,248 bytes
0 Dir(s) 61,382,524,928 bytes free
amioriginal.txt -- sceclt.dll
Volume in drive C has no label.
Volume Serial Number is 409D-676B
Directory of C:\WINDOWS\system32
doing DIR of sce*.* in \system32, I only find scecli and scesrv
Hi,
It's almost midnight here and I have to be ready for upcoming work day. Let the system be untouched for now. I'll return with further instructions tomorrow.
JeffeVerde
2009-08-09, 23:54
No worries - Thank you for all your help
Hi,
Please try this (print/save these since you won't be able to access them while in safe mode):
Press F8 before Windows' loading screen and select safe mode with command prompt -option.
Then write following commands (make sure that you're in c:\windows folder before giving them):
cd system32
dir netlogon.dll > c:\amihere.txt
dir ntelogon.dll > c:\amioriginal.txt
exit
Attach c:\amihere.txt and c:\amioriginal.txt files to your reply.
JeffeVerde
2009-08-10, 18:52
NETLOGON.DLL
Volume in drive C has no label.
Volume Serial Number is 409D-676B
Directory of C:\WINDOWS\system32
04/13/2008 05:12 PM 60,416 netlogon.dll
1 File(s) 60,416 bytes
0 Dir(s) 61,427,986,432 bytes free
NTELOGON.DLL
Volume in drive C has no label.
Volume Serial Number is 409D-676B
Directory of C:\WINDOWS\system32
04/13/2008 05:12 PM 407,040 ntelogon.dll
1 File(s) 407,040 bytes
0 Dir(s) 61,427,986,432 bytes free
Hi again,
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
copy C:\WINDOWS\system32\ntelogon.dll c:\netlogon.dll
Double-click on fixes.bat file to execute it.
Download The Avenger by Swandog46 from here (http://swandog46.geekstogo.com/avenger2/download.php).
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
Files to move:
c:\netlogon.dll | C:\WINDOWS\system32\netlogon.dll
In the avenger window, click the Paste Script from Clipboard, http://img220.imageshack.us/img220/8923/pastets4.png button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log in your next reply.
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.
When done, try to run ComboFix and post back its log too.
JeffeVerde
2009-08-10, 20:15
Success! (maybe?)
Avenger completed, and I'm currently running Malwarebytes. Malwarebytes made it through the \win\$hf_mig$\{29F...} without bombing, which is encouraging. I'll post the results when it's finished
JeffeVerde
2009-08-10, 20:48
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File move operation "c:\netlogon.dll|C:\WINDOWS\system32\netlogon.dll" completed successfully.
Completed script processing.
*******************
Finished! Terminate.
JeffeVerde
2009-08-10, 20:51
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3
8/10/2009 10:36:40 AM
mbam-log-2009-08-10 (10-36-40).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 196707
Time elapsed: 39 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winvd52 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\winvd52 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winvd52 (Rootkit.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\HomeAntivirus2010 (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\netlogon.dll.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP192\A0063808.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP192\A0063866.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP192\A0063867.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0067391.cpl (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0067400.cpl (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP196\A0073620.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP196\A0073738.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP196\A0073740.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\i386\Apps\App31126\add-gateway.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\HomeAntivirus2010\AVEngn.dll (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winvd52.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Great :)
See if you're able to run ComboFix now. Also, attempt to run DDS and post back its logs.
JeffeVerde
2009-08-10, 20:59
I'm currently running a full scan with my TrendMicro, and it's already passed the point where it was aborting before we started all this.
The suspect \windows\$hf_mig$\{29D...} folder is still there, and it's access rights are currently set so that I can't browse it. Would the access rights on that folder prevent Malwarebytes from scanning it?
JeffeVerde
2009-08-10, 21:13
Great :)
See if you're able to run ComboFix now. Also, attempt to run DDS and post back its logs.
From SafeMode, or normal?
JeffeVerde
2009-08-10, 21:17
FYI-- I asked my daughter about the HomeAntivirus2010 that was in the Malwarebytes log. She remembers a window for that opening just before the infection. She says she clicked the "x" to close it, but it sounds like the whole window was a click hotspot.
Try to run it in normal mode.
FYI-- I asked my daughter about the HomeAntivirus2010 that was in the Malwarebytes log. She remembers a window for that opening just before the infection. She says she clicked the "x" to close it, but it sounds like the whole window was a click hotspot.
Yep. Those windows are booby trapped. If one opens on website then best method is to shut the browser down. If one gains an access to desktop then the related process(es) should be nuked from task manager if possible. Clicking those windows leads into deeper trouble.
JeffeVerde
2009-08-10, 22:32
ComboFix 09-08-07.09 - Administrator 08/10/2009 12:04.8.1 - NTFSx86 MINIMAL
Running from: c:\cfix\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 16:48 . 2009-08-10 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 16:17 . 2009-08-08 16:17 -------- d-----w- c:\documents and settings\Administrator\log
2009-08-08 08:21 . 2009-08-10 16:38 -------- d-----w- C:\CFIx
2009-08-06 21:37 . 2009-08-06 21:44 -------- d-s---w- C:\test
2009-08-06 19:43 . 2009-08-06 19:44 -------- d-----w- C:\RootkitBuster2.52.0.1013
2009-08-06 19:42 . 2009-08-06 19:42 0 ----a-w- C:\settings.dat
2009-08-06 19:42 . 2009-08-06 19:42 1055676 ----a-w- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 19:33 . 2009-08-06 21:36 -------- d-----w- C:\Autoruns
2009-08-06 19:33 . 2009-08-06 19:33 576280 ----a-w- C:\Autoruns.zip
2009-08-06 19:15 . 2009-08-06 19:15 -------- d-----w- c:\windows\system32\Service
2009-08-06 19:04 . 2009-08-06 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SupportSoft
2009-08-06 18:10 . 2009-08-06 18:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\SupportSoft
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\tmRemoteProdPID
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\Common Files\supportsoft
2009-08-05 18:54 . 2009-08-05 18:54 -------- d-----w- C:\rsit
2009-08-05 18:52 . 2009-08-08 09:19 -------- d-----w- C:\Pesticide
2009-08-04 00:49 . 2009-08-08 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-04 00:49 . 2009-08-04 00:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-02 09:15 . 2009-08-02 09:15 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\.housecall6.6
2009-08-02 07:50 . 2009-08-02 07:50 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-02 07:49 . 2009-08-02 07:49 -------- d-----w- c:\windows\ERUNT
2009-08-02 07:35 . 2009-08-03 23:51 -------- d-----w- C:\SDfix
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmactmon.sys
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmevtmgr.sys
2009-08-01 22:28 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\tmcomm.sys
2009-08-01 22:10 . 2009-08-01 22:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\log
2009-08-01 19:13 . 2009-08-01 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-08-01 19:02 . 2009-08-01 19:02 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\Trend Micro
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\windows\LocalSSL
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Trend Micro
2009-08-01 18:48 . 2007-08-22 17:16 46456 ----a-r- c:\windows\system32\exitwx.exe
2009-07-31 15:50 . 2009-07-31 15:50 18474 ----a-w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\rolu.sys
2009-07-31 15:50 . 2009-07-31 15:50 18158 ----a-w- c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\votu.reg
2009-07-31 15:50 . 2009-07-31 15:50 17672 ----a-w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\ydyxebu.bat
2009-07-31 15:50 . 2009-07-31 15:50 17446 ----a-w- c:\documents and settings\All Users\Application Data\ukeginyzal.sys
2009-07-31 15:50 . 2009-07-31 15:50 15603 ----a-w- c:\documents and settings\All Users\Application Data\relu.com
2009-07-31 15:50 . 2009-07-31 15:50 13422 ----a-w- c:\program files\Common Files\zojytamy.vbs
2009-07-31 15:50 . 2009-07-31 15:50 13415 ----a-w- c:\program files\Common Files\lodydob.bin
2009-07-25 19:10 . 2009-07-25 19:17 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\GetRightToGo
2009-07-25 06:51 . 2009-07-31 16:22 -------- d-----w- c:\program files\Hero Editor
2009-07-25 06:51 . 2009-07-25 06:51 249856 ------w- c:\windows\Setup1.exe
2009-07-25 06:51 . 2009-07-25 06:51 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-25 04:55 . 2009-07-25 05:50 -------- d-----w- c:\program files\Shared
2009-07-20 17:41 . 2009-07-20 17:42 -------- d-----w- c:\program files\DoylesRoom
2009-07-13 19:16 . 2009-07-13 20:39 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-13 19:16 . 2009-07-13 20:39 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-13 19:16 . 2009-07-13 20:39 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-07-13 18:55 . 2009-07-13 20:41 35715 ----a-w- c:\windows\DIIUnin.dat
2009-07-13 18:55 . 2009-07-13 18:55 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-13 18:55 . 2009-07-13 18:55 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-13 18:43 . 2009-08-09 16:10 -------- d-----w- c:\program files\Diablo II
2009-07-13 17:26 . 2009-07-13 17:26 -------- d-----w- c:\program files\Poker Pal Pro Edition
2009-07-11 21:55 . 2006-09-18 21:58 139264 ----a-w- c:\windows\system32\igfxres.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 22:52 . 2008-11-19 04:52 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Skype
2009-08-05 15:14 . 2008-11-19 04:58 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\skypePM
2009-08-01 19:22 . 2008-11-06 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-08-01 18:59 . 2006-11-24 15:56 -------- d-----w- c:\program files\Trend Micro
2009-07-29 07:00 . 2008-03-23 02:51 -------- d-----w- c:\program files\PokerStars
2009-07-13 07:06 . 2009-07-06 00:29 -------- d-----w- c:\program files\Diablo II Shareware
2009-07-11 20:32 . 2009-07-01 21:37 -------- d-----w- c:\program files\Tiger Gaming
2009-07-10 16:05 . 2009-07-10 16:04 12692 ----a-w- c:\windows\W3DemoUnin.dat
2009-07-10 16:04 . 2009-07-10 16:04 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-07-10 16:04 . 2009-07-10 16:04 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-07-10 16:04 . 2009-07-10 16:04 -------- d-----w- c:\program files\Warcraft III Demo
2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\program files\Gateway
2009-07-06 00:29 . 2009-07-06 00:29 19143 ----a-w- c:\windows\DIIDUnin.dat
2009-07-06 00:29 . 2009-07-06 00:29 102400 ----a-w- c:\windows\DIIDUnin.exe
2009-07-06 00:29 . 2009-07-06 00:29 2829 ----a-w- c:\windows\DIIDUnin.pif
2009-07-04 09:16 . 2008-04-12 06:03 -------- d-----w- c:\program files\Poker Drill Master
2009-07-04 08:28 . 2006-11-24 14:56 -------- d-----w- c:\program files\Google
2009-06-29 16:12 . 2006-11-24 14:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-11-24 14:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-11-24 14:27 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 23:27 . 2009-06-26 23:27 -------- d-----w- c:\program files\PopCap Games
2009-06-26 03:02 . 2008-07-02 00:19 -------- d-----w- c:\program files\UltimateBet
2009-06-26 02:10 . 2009-06-26 02:10 -------- d-----w- c:\program files\_uninstallation_info
2009-06-25 19:47 . 2009-05-26 16:33 -------- d-----w- c:\program files\FullTiltShortcuts
2009-06-25 19:47 . 2008-11-07 04:32 -------- d-----w- c:\program files\Cake Poker
2009-06-25 19:46 . 2008-06-28 03:43 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-25 19:46 . 2006-11-24 14:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 11:31 . 2009-06-12 04:33 -------- d-----w- c:\program files\Poker Pro Labs
2009-06-18 09:04 . 2009-05-16 23:54 -------- d-----w- c:\program files\ClubWPT
2009-06-16 14:36 . 2006-11-24 14:33 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-11-24 14:29 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 06:07 . 2009-02-06 02:39 -------- d-----w- c:\program files\Safari
2009-06-14 06:03 . 2009-06-14 06:03 -------- d-----w- c:\program files\iPod
2009-06-14 06:03 . 2008-11-07 21:40 -------- d-----w- c:\program files\Common Files\Apple
2009-06-14 06:00 . 2009-06-14 06:00 -------- d-----w- c:\program files\QuickTime
2009-06-14 05:54 . 2009-06-14 05:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-13 18:55 . 2009-06-13 18:55 -------- d-----w- c:\program files\Virtual Magnifying Glass
2009-06-03 19:09 . 2006-11-24 14:32 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-22 08:02 . 2008-08-14 17:23 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-05-22 08:00 . 2008-08-14 17:23 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 07:45 . 2008-08-14 17:23 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote V5.lnk
backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Apple\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 clr_optimization_v2.0.50727_32Messenger;.NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32Messenger;ð%€|x srv [x]
R2 COMSysAppCOMSysApp;COM+ System Application COMSysAppCOMSysApp;ð%€|x srv [x]
R2 EventSystemNtmsSvc;COM+ Event System EventSystemNtmsSvc;ð%€|x srv [x]
R2 IDriverTRasAuto;InstallDriver Table Manager IDriverTRasAuto;ð%€|x srv [x]
R2 IDriverTRemoteRegistry;InstallDriver Table Manager IDriverTRemoteRegistry;ð%€|x srv [x]
R2 Messengertmproxy;Messenger Messengertmproxy;ð%€|x srv [x]
R2 NetDDETermService;Network DDE NetDDETermService;ð%€|x srv [x]
R2 RasManBrowser;Remote Access Connection Manager RasManBrowser;ð%€|x srv [x]
R2 tmproxyS24EventMonitor;Trend Micro Proxy Service tmproxyS24EventMonitor;ð%€|x srv [x]
R2 UPSupnphost;Uninterruptible Power Supply UPSupnphost;ð%€|x srv [x]
R2 UPSupnphostSharedAccess;Uninterruptible Power Supply UPSupnphost UPSupnphostSharedAccess;ð%€|x srv [x]
R2 wuauservTermService;Automatic Updates wuauservTermService;ð%€|x srv [x]
R4 nbuembxy;IPv6 Windows Firewall Monitor;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nbuembxy
.
Contents of the 'Scheduled Tasks' folder
2006-11-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2009-08-10 c:\windows\Tasks\User_Feed_Synchronization-{CE9ECDE8-B0C0-4E0C-B2F3-A241CA8C9DE1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Owner.YOUR-25A3BD3417\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: weather.gov\radar
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 12:11
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32Messenger]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysAppCOMSysApp]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystemNtmsSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverTRasAuto]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverTRemoteRegistry]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messengertmproxy]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nbuembxy]
"ServiceDll"=""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDETermService]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasManBrowser]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmproxyS24EventMonitor]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPSupnphost]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPSupnphostSharedAccess]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauservTermService]
"ImagePath"="ð%€|x\01\09 srv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3216)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\wdfmgr.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
.
**************************************************************************
.
Completion time: 2009-08-10 12:15 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-08-10 19:15
Pre-Run: 61,405,827,072 bytes free
Post-Run: 61,350,817,792 bytes free
295 --- E O F --- 2009-08-02 22:01
JeffeVerde
2009-08-10, 22:34
DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 12:25:14.39 on Mon 08/10/2009
Internet Explorer: 7.0.5730.13
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
============== Running Processes ===============
============== Pseudo HJT Report ===============
uLocal Page = \blank.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\owner.your-25a3bd3417\start menu\programs\ultimatebet\UltimateBet.lnk
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: weather.gov\radar
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://www.tmremote.com/sdccommon/download/tgctlcm.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2009-08-10 09:49 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\Malwarebytes
2009-08-10 09:49 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 09:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-10 09:49 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-10 09:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 09:18 <DIR> --d----- C:\cmdcons
2009-08-08 01:21 <DIR> --d----- C:\CFIx
2009-08-06 14:37 <DIR> --ds---- C:\test
2009-08-06 12:43 <DIR> --d----- C:\RootkitBuster2.52.0.1013
2009-08-06 12:42 0 a------- C:\settings.dat
2009-08-06 12:42 1,055,676 a------- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 12:33 <DIR> --d----- C:\Autoruns
2009-08-06 12:33 576,280 a------- C:\Autoruns.zip
2009-08-06 12:20 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-06 12:15 <DIR> --d----- c:\windows\system32\Service
2009-08-06 12:06 216,064 a------- c:\windows\PEV.exe
2009-08-06 12:06 161,792 a------- c:\windows\SWREG.exe
2009-08-06 12:06 98,816 a------- c:\windows\sed.exe
2009-08-06 11:10 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\SupportSoft
2009-08-06 11:07 <DIR> --d----- c:\program files\tmRemoteProdPID
2009-08-06 11:07 <DIR> --d----- c:\program files\common files\supportsoft
2009-08-05 11:52 <DIR> --d----- C:\Pesticide
2009-08-03 17:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-03 17:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-02 02:15 <DIR> --d----- c:\documents and settings\owner.your-25a3bd3417\.housecall6.6
2009-08-02 00:50 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-08-02 00:49 <DIR> --d----- c:\windows\ERUNT
2009-08-02 00:35 <DIR> --d----- C:\SDfix
2009-08-01 15:28 153,104 a------- c:\windows\system32\tmcomm.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmevtmgr.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmactmon.sys
2009-08-01 15:10 <DIR> --d----- c:\documents and settings\owner.your-25a3bd3417\log
2009-08-01 11:59 <DIR> --d----- c:\windows\LocalSSL
2009-08-01 11:48 46,456 a----r-- c:\windows\system32\exitwx.exe
2009-07-31 08:50 18,474 a------- c:\docume~1\owner~1.you\applic~1\rolu.sys
2009-07-31 08:50 17,672 a------- c:\docume~1\owner~1.you\applic~1\ydyxebu.bat
2009-07-31 08:50 17,446 a------- c:\docume~1\alluse~1\applic~1\ukeginyzal.sys
2009-07-31 08:50 15,603 a------- c:\docume~1\alluse~1\applic~1\relu.com
2009-07-31 08:50 13,422 a------- c:\program files\common files\zojytamy.vbs
2009-07-31 08:50 13,415 a------- c:\program files\common files\lodydob.bin
2009-07-25 12:10 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\GetRightToGo
2009-07-24 23:51 <DIR> --d----- c:\program files\Hero Editor
2009-07-24 23:51 249,856 -------- c:\windows\Setup1.exe
2009-07-24 23:51 73,216 a------- c:\windows\ST6UNST.EXE
2009-07-24 21:55 <DIR> --d----- c:\program files\Shared
2009-07-20 10:41 <DIR> --d----- c:\program files\DoylesRoom
2009-07-13 12:16 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-07-13 12:16 17,212 a------t c:\windows\system32\SIntf32.dll
2009-07-13 12:16 12,067 a------t c:\windows\system32\SIntf16.dll
2009-07-13 11:55 35,715 a------- c:\windows\DIIUnin.dat
2009-07-13 11:55 94,208 a------- c:\windows\DIIUnin.exe
2009-07-13 11:55 2,829 a------- c:\windows\DIIUnin.pif
2009-07-13 11:43 <DIR> --d----- c:\program files\Diablo II
2009-07-13 10:26 <DIR> --d----- c:\program files\Poker Pal Pro Edition
2009-07-11 14:55 139,264 a------- c:\windows\system32\igfxres.dll
==================== Find3M ====================
2009-07-10 09:05 12,692 a------- c:\windows\W3DemoUnin.dat
2009-07-10 09:04 126,976 a------- c:\windows\W3DemoUnin.exe
2009-07-10 09:04 2,829 a------- c:\windows\W3DemoUnin.pif
2009-07-05 17:29 102,400 a------- c:\windows\DIIDUnin.exe
2009-07-05 17:29 19,143 a------- c:\windows\DIIDUnin.dat
2009-07-05 17:29 2,829 a------- c:\windows\DIIDUnin.pif
2009-06-29 09:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-11-30 21:26 34,472 a------- c:\docume~1\owner~1.you\applic~1\GDIPFONTCACHEV1.DAT
2008-03-05 11:18 0 a------- c:\docume~1\owner~1.you\applic~1\wklnhst.dat
============= FINISH: 12:25:28.79 ===============
JeffeVerde
2009-08-10, 22:36
I was finally able to complete a full scan with TrendMicro AV. It found and removed two additional instances of TROJ_VIRANTIX.BF in the c:\sys vol info\_restore{348...}\RP192 folder (where Malwarebytes had found other files).
Hi again,
Please do following steps in normal mode and let ComboFix install recovery console if prompted.
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?p=327666#post327666
Driver::
nbuembxy
Collect::
c:\windows\system32\exitwx.exe
c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\rolu.sys
c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\votu.reg
c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\ydyxebu.bat
c:\documents and settings\All Users\Application Data\ukeginyzal.sys
c:\documents and settings\All Users\Application Data\relu.com
c:\program files\Common Files\zojytamy.vbs
c:\program files\Common Files\lodydob.bin
DDS::
uLocal Page = \blank.htm
uStart Page = about:blank
mStart Page = about:blank
NetSvc::
nbuembxy
DirLook::
c:\windows\system32\Service
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=-
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Uninstall old Adobe Reader versions and get the latest one (9.1 + updates 9.1.2 & 9.1.3 for it) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).
Uninstall vulnerable Flash versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 15 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u15-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a fresh dds.txt log and above mentioned ComboFix resultant log.
JeffeVerde
2009-08-11, 09:25
ComboFix 09-08-10.03 - Owner 08/10/2009 23:09.9.1 - NTFSx86
Running from: c:\cfix\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.YOUR-25A3BD3417\Desktop\CFScript.txt
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
file zipped: c:\documents and settings\All Users\Application Data\relu.com
file zipped: c:\documents and settings\All Users\Application Data\ukeginyzal.sys
file zipped: c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\rolu.sys
file zipped: c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\ydyxebu.bat
file zipped: c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\votu.reg
file zipped: c:\program files\Common Files\lodydob.bin
file zipped: c:\program files\Common Files\zojytamy.vbs
file zipped: c:\windows\system32\exitwx.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\relu.com
c:\documents and settings\All Users\Application Data\ukeginyzal.sys
c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\rolu.sys
c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\ydyxebu.bat
c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\votu.reg
c:\program files\Common Files\lodydob.bin
c:\program files\Common Files\zojytamy.vbs
c:\windows\system32\exitwx.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NBUEMBXY
-------\Service_nbuembxy
((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
.
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 16:48 . 2009-08-10 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 16:17 . 2009-08-08 16:17 -------- d-----w- c:\documents and settings\Administrator\log
2009-08-08 08:21 . 2009-08-11 06:07 -------- d-----w- C:\CFIx
2009-08-06 21:37 . 2009-08-06 21:44 -------- d-s---w- C:\test
2009-08-06 19:43 . 2009-08-06 19:44 -------- d-----w- C:\RootkitBuster2.52.0.1013
2009-08-06 19:42 . 2009-08-06 19:42 0 ----a-w- C:\settings.dat
2009-08-06 19:42 . 2009-08-06 19:42 1055676 ----a-w- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 19:33 . 2009-08-06 21:36 -------- d-----w- C:\Autoruns
2009-08-06 19:33 . 2009-08-06 19:33 576280 ----a-w- C:\Autoruns.zip
2009-08-06 19:15 . 2009-08-06 19:15 -------- d-----w- c:\windows\system32\Service
2009-08-06 19:04 . 2009-08-06 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SupportSoft
2009-08-06 18:10 . 2009-08-06 18:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\SupportSoft
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\tmRemoteProdPID
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\Common Files\supportsoft
2009-08-05 18:54 . 2009-08-05 18:54 -------- d-----w- C:\rsit
2009-08-05 18:52 . 2009-08-08 09:19 -------- d-----w- C:\Pesticide
2009-08-04 00:49 . 2009-08-08 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-04 00:49 . 2009-08-04 00:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-02 09:15 . 2009-08-02 09:15 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\.housecall6.6
2009-08-02 07:50 . 2009-08-02 07:50 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-02 07:49 . 2009-08-02 07:49 -------- d-----w- c:\windows\ERUNT
2009-08-02 07:35 . 2009-08-03 23:51 -------- d-----w- C:\SDfix
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmactmon.sys
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmevtmgr.sys
2009-08-01 22:28 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\tmcomm.sys
2009-08-01 22:10 . 2009-08-01 22:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\log
2009-08-01 19:13 . 2009-08-01 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-08-01 19:02 . 2009-08-01 19:02 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\Trend Micro
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\windows\LocalSSL
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Trend Micro
2009-07-25 19:10 . 2009-07-25 19:17 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\GetRightToGo
2009-07-25 06:51 . 2009-07-31 16:22 -------- d-----w- c:\program files\Hero Editor
2009-07-25 06:51 . 2009-07-25 06:51 249856 ------w- c:\windows\Setup1.exe
2009-07-25 06:51 . 2009-07-25 06:51 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-25 04:55 . 2009-07-25 05:50 -------- d-----w- c:\program files\Shared
2009-07-20 17:41 . 2009-07-20 17:42 -------- d-----w- c:\program files\DoylesRoom
2009-07-13 19:16 . 2009-07-13 20:39 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-13 19:16 . 2009-07-13 20:39 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-13 19:16 . 2009-07-13 20:39 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-07-13 18:55 . 2009-07-13 20:41 35715 ----a-w- c:\windows\DIIUnin.dat
2009-07-13 18:55 . 2009-07-13 18:55 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-13 18:55 . 2009-07-13 18:55 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-13 18:43 . 2009-08-10 20:03 -------- d-----w- c:\program files\Diablo II
2009-07-13 17:26 . 2009-07-13 17:26 -------- d-----w- c:\program files\Poker Pal Pro Edition
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-11 01:04 . 2008-03-23 02:51 -------- d-----w- c:\program files\PokerStars
2009-08-05 22:52 . 2008-11-19 04:52 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Skype
2009-08-05 15:14 . 2008-11-19 04:58 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\skypePM
2009-08-01 19:22 . 2008-11-06 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-08-01 18:59 . 2006-11-24 15:56 -------- d-----w- c:\program files\Trend Micro
2009-07-13 07:06 . 2009-07-06 00:29 -------- d-----w- c:\program files\Diablo II Shareware
2009-07-11 20:32 . 2009-07-01 21:37 -------- d-----w- c:\program files\Tiger Gaming
2009-07-10 16:05 . 2009-07-10 16:04 12692 ----a-w- c:\windows\W3DemoUnin.dat
2009-07-10 16:04 . 2009-07-10 16:04 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-07-10 16:04 . 2009-07-10 16:04 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-07-10 16:04 . 2009-07-10 16:04 -------- d-----w- c:\program files\Warcraft III Demo
2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\program files\Gateway
2009-07-06 00:29 . 2009-07-06 00:29 19143 ----a-w- c:\windows\DIIDUnin.dat
2009-07-06 00:29 . 2009-07-06 00:29 102400 ----a-w- c:\windows\DIIDUnin.exe
2009-07-06 00:29 . 2009-07-06 00:29 2829 ----a-w- c:\windows\DIIDUnin.pif
2009-07-04 09:16 . 2008-04-12 06:03 -------- d-----w- c:\program files\Poker Drill Master
2009-07-04 08:28 . 2006-11-24 14:56 -------- d-----w- c:\program files\Google
2009-06-29 16:12 . 2006-11-24 14:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-11-24 14:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-11-24 14:27 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 23:27 . 2009-06-26 23:27 -------- d-----w- c:\program files\PopCap Games
2009-06-26 03:02 . 2008-07-02 00:19 -------- d-----w- c:\program files\UltimateBet
2009-06-26 02:10 . 2009-06-26 02:10 -------- d-----w- c:\program files\_uninstallation_info
2009-06-25 19:47 . 2009-05-26 16:33 -------- d-----w- c:\program files\FullTiltShortcuts
2009-06-25 19:47 . 2008-11-07 04:32 -------- d-----w- c:\program files\Cake Poker
2009-06-25 19:46 . 2008-06-28 03:43 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-25 19:46 . 2006-11-24 14:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 11:31 . 2009-06-12 04:33 -------- d-----w- c:\program files\Poker Pro Labs
2009-06-18 09:04 . 2009-05-16 23:54 -------- d-----w- c:\program files\ClubWPT
2009-06-16 14:36 . 2006-11-24 14:33 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-11-24 14:29 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 06:07 . 2009-02-06 02:39 -------- d-----w- c:\program files\Safari
2009-06-14 06:03 . 2009-06-14 06:03 -------- d-----w- c:\program files\iPod
2009-06-14 06:03 . 2008-11-07 21:40 -------- d-----w- c:\program files\Common Files\Apple
2009-06-14 06:00 . 2009-06-14 06:00 -------- d-----w- c:\program files\QuickTime
2009-06-14 05:54 . 2009-06-14 05:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-13 18:55 . 2009-06-13 18:55 -------- d-----w- c:\program files\Virtual Magnifying Glass
2009-06-03 19:09 . 2006-11-24 14:32 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-22 08:02 . 2008-08-14 17:23 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-05-22 08:00 . 2008-08-14 17:23 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 07:45 . 2008-08-14 17:23 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\Service ----
2009-08-06 19:15 . 2009-08-06 19:15 928 ----a-w- c:\windows\system32\Service\06082009_TIS17_SfFniAU.log
((((((((((((((((((((((((((((( SnapShot@2009-08-10_19.11.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-11 06:14 . 2009-08-11 06:14 57344 c:\windows\ERDNT\subs\Users\00000008\UsrClass.dat
+ 2009-08-11 06:14 . 2009-08-11 06:14 8192 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
- 2009-08-10 19:09 . 2009-08-10 19:09 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-11 06:14 . 2009-08-11 06:14 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-11 06:14 . 2009-08-11 06:14 696320 c:\windows\ERDNT\subs\Users\00000007\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 241664 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 245760 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-10 19:09 . 2009-08-10 19:09 241664 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 241664 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 4173824 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote V5.lnk
backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Apple\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 clr_optimization_v2.0.50727_32Messenger;.NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32Messenger;ð%€|x srv [x]
R2 COMSysAppCOMSysApp;COM+ System Application COMSysAppCOMSysApp;ð%€|x srv [x]
R2 EventSystemNtmsSvc;COM+ Event System EventSystemNtmsSvc;ð%€|x srv [x]
R2 IDriverTRasAuto;InstallDriver Table Manager IDriverTRasAuto;ð%€|x srv [x]
R2 IDriverTRemoteRegistry;InstallDriver Table Manager IDriverTRemoteRegistry;ð%€|x srv [x]
R2 Messengertmproxy;Messenger Messengertmproxy;ð%€|x srv [x]
R2 NetDDETermService;Network DDE NetDDETermService;ð%€|x srv [x]
R2 RasManBrowser;Remote Access Connection Manager RasManBrowser;ð%€|x srv [x]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
R2 tmproxyS24EventMonitor;Trend Micro Proxy Service tmproxyS24EventMonitor;ð%€|x srv [x]
R2 UPSupnphost;Uninterruptible Power Supply UPSupnphost;ð%€|x srv [x]
R2 UPSupnphostSharedAccess;Uninterruptible Power Supply UPSupnphost UPSupnphostSharedAccess;ð%€|x srv [x]
R2 wuauservTermService;Automatic Updates wuauservTermService;ð%€|x srv [x]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]
.
Contents of the 'Scheduled Tasks' folder
2006-11-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2009-08-10 c:\windows\Tasks\User_Feed_Synchronization-{CE9ECDE8-B0C0-4E0C-B2F3-A241CA8C9DE1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Owner.YOUR-25A3BD3417\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: weather.gov\radar
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 23:16
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32Messenger]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysAppCOMSysApp]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystemNtmsSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverTRasAuto]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverTRemoteRegistry]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messengertmproxy]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDETermService]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasManBrowser]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmproxyS24EventMonitor]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPSupnphost]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPSupnphostSharedAccess]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauservTermService]
"ImagePath"="ð%€|x\01\09 srv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3468)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\wdfmgr.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-11 23:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-11 06:20
ComboFix2.txt 2009-08-10 19:16
Pre-Run: 61,446,148,096 bytes free
Post-Run: 61,443,751,936 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows XP Media Center Edition" /noexecute=optin /fastdetect
305 --- E O F --- 2009-08-02 22:01
JeffeVerde
2009-08-11, 11:14
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=03be920dd882074996c25fb2462a4433
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-11 07:56:36
# local_time=2009-08-11 12:56:36 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=516 37 100 100 47775625000
# scanned=81776
# found=1
# cleaned=0
# scan_time=2499
C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP196\A0073739.exe a variant of Win32/Kryptik.ABT trojan 00000000000000000000000000000000 I
JeffeVerde
2009-08-11, 11:17
DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 1:15:27.04 on Tue 08/11/2009
Internet Explorer: 7.0.5730.13
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
============== Running Processes ===============
============== Pseudo HJT Report ===============
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\program files\nos\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\owner.your-25a3bd3417\start menu\programs\ultimatebet\UltimateBet.lnk
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: weather.gov\radar
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://www.tmremote.com/sdccommon/download/tgctlcm.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2009-08-11 00:04 <DIR> --d----- c:\program files\ESET
2009-08-10 23:54 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-10 23:09 <DIR> --d----- C:\cmdcons
2009-08-10 09:49 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\Malwarebytes
2009-08-10 09:49 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 09:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-10 09:49 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-10 09:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 01:21 <DIR> --d----- C:\CFIx
2009-08-06 14:37 <DIR> --ds---- C:\test
2009-08-06 12:43 <DIR> --d----- C:\RootkitBuster2.52.0.1013
2009-08-06 12:42 0 a------- C:\settings.dat
2009-08-06 12:42 1,055,676 a------- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 12:33 <DIR> --d----- C:\Autoruns
2009-08-06 12:33 576,280 a------- C:\Autoruns.zip
2009-08-06 12:20 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-06 12:15 <DIR> --d----- c:\windows\system32\Service
2009-08-06 12:06 216,064 a------- c:\windows\PEV.exe
2009-08-06 12:06 161,792 a------- c:\windows\SWREG.exe
2009-08-06 12:06 98,816 a------- c:\windows\sed.exe
2009-08-06 11:10 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\SupportSoft
2009-08-06 11:07 <DIR> --d----- c:\program files\tmRemoteProdPID
2009-08-06 11:07 <DIR> --d----- c:\program files\common files\supportsoft
2009-08-05 11:52 <DIR> --d----- C:\Pesticide
2009-08-03 17:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-03 17:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-02 02:15 <DIR> --d----- c:\documents and settings\owner.your-25a3bd3417\.housecall6.6
2009-08-02 00:50 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-08-02 00:49 <DIR> --d----- c:\windows\ERUNT
2009-08-02 00:35 <DIR> --d----- C:\SDfix
2009-08-01 15:28 153,104 a------- c:\windows\system32\tmcomm.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmevtmgr.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmactmon.sys
2009-08-01 15:10 <DIR> --d----- c:\documents and settings\owner.your-25a3bd3417\log
2009-08-01 11:59 <DIR> --d----- c:\windows\LocalSSL
2009-07-25 12:10 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\GetRightToGo
2009-07-24 23:51 <DIR> --d----- c:\program files\Hero Editor
2009-07-24 23:51 249,856 -------- c:\windows\Setup1.exe
2009-07-24 23:51 73,216 a------- c:\windows\ST6UNST.EXE
2009-07-24 21:55 <DIR> --d----- c:\program files\Shared
2009-07-20 10:41 <DIR> --d----- c:\program files\DoylesRoom
2009-07-13 12:16 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-07-13 12:16 17,212 a------t c:\windows\system32\SIntf32.dll
2009-07-13 12:16 12,067 a------t c:\windows\system32\SIntf16.dll
2009-07-13 11:55 35,715 a------- c:\windows\DIIUnin.dat
2009-07-13 11:55 94,208 a------- c:\windows\DIIUnin.exe
2009-07-13 11:55 2,829 a------- c:\windows\DIIUnin.pif
2009-07-13 11:43 <DIR> --d----- c:\program files\Diablo II
2009-07-13 10:26 <DIR> --d----- c:\program files\Poker Pal Pro Edition
==================== Find3M ====================
2009-08-10 23:54 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-10 09:05 12,692 a------- c:\windows\W3DemoUnin.dat
2009-07-10 09:04 126,976 a------- c:\windows\W3DemoUnin.exe
2009-07-10 09:04 2,829 a------- c:\windows\W3DemoUnin.pif
2009-07-05 17:29 102,400 a------- c:\windows\DIIDUnin.exe
2009-07-05 17:29 19,143 a------- c:\windows\DIIDUnin.dat
2009-07-05 17:29 2,829 a------- c:\windows\DIIDUnin.pif
2009-06-29 09:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-11-30 21:26 34,472 a------- c:\docume~1\owner~1.you\applic~1\GDIPFONTCACHEV1.DAT
2008-03-05 11:18 0 a------- c:\docume~1\owner~1.you\applic~1\wklnhst.dat
============= FINISH: 1:15:48.29 ===============
Hi,
Please go to c:\Qoobox folder and see if you can find under it (or one of its subfolders) zip file that begins as [4]-Submit. Please upload it to this website: http://www.bleepingcomputer.com/submit-malware.php?channel=4
Kindly include a link to this topic in the message.
This one bothers me:
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows XP Media Center Edition" /noexecute=optin /fastdetect
Seems that of some reason recovery console (RC) for home edition got installed while media center edition needs same RC as pro edition.
You tried earlier to run ComboFix with WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe. Do you still have the file available? If you do, please see here (http://www.theeldergeek.com/recovery_console.htm) under "Removing the Recovery Console" -part to uninstall present RC and then run ComboFix with correct RC file. When done, post ComboFix log back here.
JeffeVerde
2009-08-11, 20:50
Qoobox file posted.
Because I was initially working with the system offline, I downloaded WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe to "manually" install RC (by dragging it onto CF). When I boot, I get the RC boot prompt -- but everytime I run CF, it complains that RC is not installed. Per your last instructions, I ran CF and let it download/install RC itself.
I'll remove RC. But when you say "run ComboFix with the correct RC file", do you mean run CF and let it dl/install RC itself?
JeffeVerde
2009-08-11, 21:08
When I boot, I get the RC boot prompt . . .
Correction -- I was actually seeing a pre-boot prompt to run the laptop-makers (Gateway) recovery process (wipes and restores to original state), not Recovery Console.
Trying to delete C:\cmdcons , I get an error that the files are in use
JeffeVerde
2009-08-11, 21:16
Don't know if this is relavent, but from the OS boot menu, my choices are
Windows XP Media Center Edition
Windows (default)
When I select Media Center, I get an error-
Windows could not start because the following file is missing
or corrupt:
<Windows root>\system32\hal.dll.
Please re-install a copy of the above file.
Selecting Windows (default) works
Hi,
Is your system media center edition or some other (to check, right click "my computer")? Please post contents of your c:\boot.ini file.
JeffeVerde
2009-08-11, 22:14
Per MyCompoter>Properties, it's Media Center
BOOT.INI-
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows XP Media Center Edition" /noexecute=optin /fastdetect
Hi,
Kindly replace current c:\boot.ini contents with this:
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
Reboot and you should get to Windows without that bootup menu screen. When that's done, get fresh copy of ComboFix and after that drag WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe file to it. Post back ComboFix resultant log.
JeffeVerde
2009-08-12, 10:06
ComboFix 09-08-10.06 - Owner 08/11/2009 23:49.10.1 - NTFSx86
Running from: c:\cfix\ComboFix.exe
Command switches used :: c:\cfix\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe.bad
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.
2009-08-11 07:04 . 2009-08-11 07:04 -------- d-----w- c:\program files\ESET
2009-08-11 06:43 . 2009-08-11 06:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-11 06:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-11 06:42 . 2009-08-11 06:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-11 06:42 . 2009-08-11 06:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\program files\NOS
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 16:48 . 2009-08-10 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 16:17 . 2009-08-08 16:17 -------- d-----w- c:\documents and settings\Administrator\log
2009-08-08 08:21 . 2009-08-12 06:48 -------- d-----w- C:\CFIx
2009-08-06 21:37 . 2009-08-06 21:44 -------- d-s---w- C:\test
2009-08-06 19:42 . 2009-08-06 19:42 0 ----a-w- C:\settings.dat
2009-08-06 19:42 . 2009-08-06 19:42 1055676 ----a-w- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 19:33 . 2009-08-06 21:36 -------- d-----w- C:\Autoruns
2009-08-06 19:33 . 2009-08-06 19:33 576280 ----a-w- C:\Autoruns.zip
2009-08-06 19:15 . 2009-08-06 19:15 -------- d-----w- c:\windows\system32\Service
2009-08-06 19:04 . 2009-08-06 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SupportSoft
2009-08-06 18:10 . 2009-08-06 18:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\SupportSoft
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\tmRemoteProdPID
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\Common Files\supportsoft
2009-08-05 18:54 . 2009-08-05 18:54 -------- d-----w- C:\rsit
2009-08-05 18:52 . 2009-08-08 09:19 -------- d-----w- C:\Pesticide
2009-08-04 00:49 . 2009-08-08 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-04 00:49 . 2009-08-04 00:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-02 09:15 . 2009-08-02 09:15 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\.housecall6.6
2009-08-02 07:50 . 2009-08-02 07:50 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-02 07:49 . 2009-08-02 07:49 -------- d-----w- c:\windows\ERUNT
2009-08-02 07:35 . 2009-08-03 23:51 -------- d-----w- C:\SDfix
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmactmon.sys
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmevtmgr.sys
2009-08-01 22:28 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\tmcomm.sys
2009-08-01 22:10 . 2009-08-01 22:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\log
2009-08-01 19:13 . 2009-08-01 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-08-01 19:02 . 2009-08-01 19:02 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\Trend Micro
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\windows\LocalSSL
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Trend Micro
2009-07-25 19:10 . 2009-07-25 19:17 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\GetRightToGo
2009-07-25 06:51 . 2009-08-11 18:30 -------- d-----w- c:\program files\Hero Editor
2009-07-25 06:51 . 2009-08-11 18:29 249856 ------w- c:\windows\Setup1.exe
2009-07-25 06:51 . 2009-08-11 18:29 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-25 04:55 . 2009-07-25 05:50 -------- d-----w- c:\program files\Shared
2009-07-20 17:41 . 2009-07-20 17:42 -------- d-----w- c:\program files\DoylesRoom
2009-07-13 19:16 . 2009-07-13 20:39 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-13 19:16 . 2009-07-13 20:39 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-13 19:16 . 2009-07-13 20:39 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-07-13 18:55 . 2009-07-13 20:41 35715 ----a-w- c:\windows\DIIUnin.dat
2009-07-13 18:55 . 2009-07-13 18:55 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-13 18:55 . 2009-07-13 18:55 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-13 18:43 . 2009-08-11 15:29 -------- d-----w- c:\program files\Diablo II
2009-07-13 17:26 . 2009-07-13 17:26 -------- d-----w- c:\program files\Poker Pal Pro Edition
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 05:05 . 2008-03-23 02:51 -------- d-----w- c:\program files\PokerStars
2009-08-11 19:39 . 2009-03-20 02:31 145920 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-11 06:54 . 2009-02-27 02:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 06:33 . 2006-11-24 14:59 -------- d-----w- c:\program files\Java
2009-08-05 22:52 . 2008-11-19 04:52 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Skype
2009-08-05 15:14 . 2008-11-19 04:58 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\skypePM
2009-08-01 19:22 . 2008-11-06 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-08-01 18:59 . 2006-11-24 15:56 -------- d-----w- c:\program files\Trend Micro
2009-07-13 07:06 . 2009-07-06 00:29 -------- d-----w- c:\program files\Diablo II Shareware
2009-07-11 20:32 . 2009-07-01 21:37 -------- d-----w- c:\program files\Tiger Gaming
2009-07-10 16:05 . 2009-07-10 16:04 12692 ----a-w- c:\windows\W3DemoUnin.dat
2009-07-10 16:04 . 2009-07-10 16:04 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-07-10 16:04 . 2009-07-10 16:04 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-07-10 16:04 . 2009-07-10 16:04 -------- d-----w- c:\program files\Warcraft III Demo
2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\program files\Gateway
2009-07-06 00:29 . 2009-07-06 00:29 19143 ----a-w- c:\windows\DIIDUnin.dat
2009-07-06 00:29 . 2009-07-06 00:29 102400 ----a-w- c:\windows\DIIDUnin.exe
2009-07-06 00:29 . 2009-07-06 00:29 2829 ----a-w- c:\windows\DIIDUnin.pif
2009-07-04 09:16 . 2008-04-12 06:03 -------- d-----w- c:\program files\Poker Drill Master
2009-07-04 08:28 . 2006-11-24 14:56 -------- d-----w- c:\program files\Google
2009-06-29 16:12 . 2006-11-24 14:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-11-24 14:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-11-24 14:27 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 23:27 . 2009-06-26 23:27 -------- d-----w- c:\program files\PopCap Games
2009-06-26 03:02 . 2008-07-02 00:19 -------- d-----w- c:\program files\UltimateBet
2009-06-26 02:10 . 2009-06-26 02:10 -------- d-----w- c:\program files\_uninstallation_info
2009-06-25 19:47 . 2009-05-26 16:33 -------- d-----w- c:\program files\FullTiltShortcuts
2009-06-25 19:47 . 2008-11-07 04:32 -------- d-----w- c:\program files\Cake Poker
2009-06-25 19:46 . 2008-06-28 03:43 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-25 19:46 . 2006-11-24 14:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 11:31 . 2009-06-12 04:33 -------- d-----w- c:\program files\Poker Pro Labs
2009-06-18 09:04 . 2009-05-16 23:54 -------- d-----w- c:\program files\ClubWPT
2009-06-16 14:36 . 2006-11-24 14:33 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-11-24 14:29 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 06:07 . 2009-02-06 02:39 -------- d-----w- c:\program files\Safari
2009-06-14 06:03 . 2009-06-14 06:03 -------- d-----w- c:\program files\iPod
2009-06-14 06:03 . 2008-11-07 21:40 -------- d-----w- c:\program files\Common Files\Apple
2009-06-14 06:00 . 2009-06-14 06:00 -------- d-----w- c:\program files\QuickTime
2009-06-14 05:54 . 2009-06-14 05:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-13 18:55 . 2009-06-13 18:55 -------- d-----w- c:\program files\Virtual Magnifying Glass
2009-06-03 19:09 . 2006-11-24 14:32 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-22 08:02 . 2008-08-14 17:23 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-05-22 08:00 . 2008-08-14 17:23 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 07:45 . 2008-08-14 17:23 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-08-10_19.11.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-12 06:44 . 2009-08-12 06:44 16384 c:\windows\temp\Perflib_Perfdata_458.dat
+ 2009-08-11 06:49 . 2009-08-11 06:49 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-08-11 06:43 . 2009-08-11 06:43 20480 c:\windows\Installer\64295.msi
+ 2009-08-11 06:42 . 2009-08-11 06:42 26624 c:\windows\Installer\6428f.msi
+ 2009-08-11 06:14 . 2009-08-11 06:14 57344 c:\windows\ERDNT\subs\Users\00000008\UsrClass.dat
+ 2009-08-11 06:14 . 2009-08-11 06:14 8192 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-11 06:14 . 2009-08-11 06:14 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2009-08-10 19:09 . 2009-08-10 19:09 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 149280 c:\windows\system32\javaws.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 145184 c:\windows\system32\javaw.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 145184 c:\windows\system32\java.exe
+ 2009-08-11 06:14 . 2009-08-11 06:14 696320 c:\windows\ERDNT\subs\Users\00000007\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 241664 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 245760 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-10 19:09 . 2009-08-10 19:09 241664 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 241664 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-11 06:54 . 2009-08-11 06:54 1757696 c:\windows\Installer\6429f.msi
+ 2009-08-11 06:44 . 2009-08-11 06:44 3938816 c:\windows\Installer\6429b.msi
+ 2009-08-11 06:14 . 2009-08-11 06:14 4173824 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-11 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote V5.lnk
backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Apple\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 clr_optimization_v2.0.50727_32Messenger;.NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32Messenger;ð%€|x srv [x]
R2 COMSysAppCOMSysApp;COM+ System Application COMSysAppCOMSysApp;ð%€|x srv [x]
R2 EventSystemNtmsSvc;COM+ Event System EventSystemNtmsSvc;ð%€|x srv [x]
R2 IDriverTRasAuto;InstallDriver Table Manager IDriverTRasAuto;ð%€|x srv [x]
R2 IDriverTRemoteRegistry;InstallDriver Table Manager IDriverTRemoteRegistry;ð%€|x srv [x]
R2 Messengertmproxy;Messenger Messengertmproxy;ð%€|x srv [x]
R2 NetDDETermService;Network DDE NetDDETermService;ð%€|x srv [x]
R2 RasManBrowser;Remote Access Connection Manager RasManBrowser;ð%€|x srv [x]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
R2 tmproxyS24EventMonitor;Trend Micro Proxy Service tmproxyS24EventMonitor;ð%€|x srv [x]
R2 UPSupnphost;Uninterruptible Power Supply UPSupnphost;ð%€|x srv [x]
R2 UPSupnphostSharedAccess;Uninterruptible Power Supply UPSupnphost UPSupnphostSharedAccess;ð%€|x srv [x]
R2 wuauservTermService;Automatic Updates wuauservTermService;ð%€|x srv [x]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]
.
Contents of the 'Scheduled Tasks' folder
2006-11-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2009-08-11 c:\windows\Tasks\User_Feed_Synchronization-{CE9ECDE8-B0C0-4E0C-B2F3-A241CA8C9DE1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Owner.YOUR-25A3BD3417\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: weather.gov\radar
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 23:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32Messenger]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysAppCOMSysApp]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystemNtmsSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverTRasAuto]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverTRemoteRegistry]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messengertmproxy]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDETermService]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasManBrowser]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmproxyS24EventMonitor]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPSupnphost]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPSupnphostSharedAccess]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauservTermService]
"ImagePath"="ð%€|x\01\09 srv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2836)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-08-12 23:56
ComboFix-quarantined-files.txt 2009-08-12 06:56
ComboFix2.txt 2009-08-10 19:16
Pre-Run: 60,878,532,608 bytes free
Post-Run: 60,883,005,440 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe.bad
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
296 --- E O F --- 2009-08-02 22:01
JeffeVerde
2009-08-12, 10:26
I ran ComboFix with the RC install file, but still no RC. And I'm not able to delete the \cmdcons folder to uninstall RC. I get a message that files are in use.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe.bad
Take of that bolded part of file name. Then try drag 'n' drop again. If it still doesn't install, run ComboFix normally and let it install RC if asked for permission.
JeffeVerde
2009-08-12, 21:21
Doh! I forgot I'd done that when I was trying to uninstall RC, to make sure something wasn't running it.
Dropped the .bad, ran CF with it, but still no RC. Also, I still can't delete the \cmdcons folder. I searched the registry and can't find any reference to that path
==================================
ComboFix 09-08-10.06 - Owner 08/12/2009 10:49.11.1 - NTFSx86
Running from: c:\cfix\ComboFix.exe
Command switches used :: c:\cfix\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.
2009-08-11 07:04 . 2009-08-11 07:04 -------- d-----w- c:\program files\ESET
2009-08-11 06:43 . 2009-08-11 06:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-11 06:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-11 06:42 . 2009-08-11 06:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-11 06:42 . 2009-08-11 06:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\program files\NOS
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 16:48 . 2009-08-10 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 16:17 . 2009-08-08 16:17 -------- d-----w- c:\documents and settings\Administrator\log
2009-08-08 08:21 . 2009-08-12 17:46 -------- d-----w- C:\CFIx
2009-08-06 21:37 . 2009-08-06 21:44 -------- d-s---w- C:\test
2009-08-06 19:42 . 2009-08-06 19:42 0 ----a-w- C:\settings.dat
2009-08-06 19:42 . 2009-08-06 19:42 1055676 ----a-w- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 19:33 . 2009-08-06 21:36 -------- d-----w- C:\Autoruns
2009-08-06 19:33 . 2009-08-06 19:33 576280 ----a-w- C:\Autoruns.zip
2009-08-06 19:15 . 2009-08-06 19:15 -------- d-----w- c:\windows\system32\Service
2009-08-06 19:04 . 2009-08-06 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SupportSoft
2009-08-06 18:10 . 2009-08-06 18:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\SupportSoft
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\tmRemoteProdPID
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\Common Files\supportsoft
2009-08-05 18:54 . 2009-08-05 18:54 -------- d-----w- C:\rsit
2009-08-05 18:52 . 2009-08-08 09:19 -------- d-----w- C:\Pesticide
2009-08-04 00:49 . 2009-08-08 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-04 00:49 . 2009-08-04 00:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-02 09:15 . 2009-08-02 09:15 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\.housecall6.6
2009-08-02 07:50 . 2009-08-02 07:50 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-02 07:49 . 2009-08-02 07:49 -------- d-----w- c:\windows\ERUNT
2009-08-02 07:35 . 2009-08-03 23:51 -------- d-----w- C:\SDfix
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmactmon.sys
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmevtmgr.sys
2009-08-01 22:28 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\tmcomm.sys
2009-08-01 22:10 . 2009-08-01 22:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\log
2009-08-01 19:13 . 2009-08-01 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-08-01 19:02 . 2009-08-01 19:02 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\Trend Micro
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\windows\LocalSSL
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Trend Micro
2009-07-25 19:10 . 2009-07-25 19:17 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\GetRightToGo
2009-07-25 06:51 . 2009-08-11 18:30 -------- d-----w- c:\program files\Hero Editor
2009-07-25 06:51 . 2009-08-11 18:29 249856 ------w- c:\windows\Setup1.exe
2009-07-25 06:51 . 2009-08-11 18:29 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-25 04:55 . 2009-07-25 05:50 -------- d-----w- c:\program files\Shared
2009-07-20 17:41 . 2009-07-20 17:42 -------- d-----w- c:\program files\DoylesRoom
2009-07-13 19:16 . 2009-07-13 20:39 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-13 19:16 . 2009-07-13 20:39 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-13 19:16 . 2009-07-13 20:39 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-07-13 18:55 . 2009-07-13 20:41 35715 ----a-w- c:\windows\DIIUnin.dat
2009-07-13 18:55 . 2009-07-13 18:55 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-13 18:55 . 2009-07-13 18:55 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-13 18:43 . 2009-08-11 15:29 -------- d-----w- c:\program files\Diablo II
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 05:05 . 2008-03-23 02:51 -------- d-----w- c:\program files\PokerStars
2009-08-11 06:54 . 2009-02-27 02:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 06:33 . 2006-11-24 14:59 -------- d-----w- c:\program files\Java
2009-08-05 22:52 . 2008-11-19 04:52 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Skype
2009-08-05 15:14 . 2008-11-19 04:58 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\skypePM
2009-08-01 19:22 . 2008-11-06 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-08-01 18:59 . 2006-11-24 15:56 -------- d-----w- c:\program files\Trend Micro
2009-07-13 17:26 . 2009-07-13 17:26 -------- d-----w- c:\program files\Poker Pal Pro Edition
2009-07-13 07:06 . 2009-07-06 00:29 -------- d-----w- c:\program files\Diablo II Shareware
2009-07-11 20:32 . 2009-07-01 21:37 -------- d-----w- c:\program files\Tiger Gaming
2009-07-10 16:05 . 2009-07-10 16:04 12692 ----a-w- c:\windows\W3DemoUnin.dat
2009-07-10 16:04 . 2009-07-10 16:04 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-07-10 16:04 . 2009-07-10 16:04 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-07-10 16:04 . 2009-07-10 16:04 -------- d-----w- c:\program files\Warcraft III Demo
2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\program files\Gateway
2009-07-06 00:29 . 2009-07-06 00:29 19143 ----a-w- c:\windows\DIIDUnin.dat
2009-07-06 00:29 . 2009-07-06 00:29 102400 ----a-w- c:\windows\DIIDUnin.exe
2009-07-06 00:29 . 2009-07-06 00:29 2829 ----a-w- c:\windows\DIIDUnin.pif
2009-07-04 09:16 . 2008-04-12 06:03 -------- d-----w- c:\program files\Poker Drill Master
2009-07-04 08:28 . 2006-11-24 14:56 -------- d-----w- c:\program files\Google
2009-06-29 16:12 . 2006-11-24 14:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-11-24 14:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-11-24 14:27 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 23:27 . 2009-06-26 23:27 -------- d-----w- c:\program files\PopCap Games
2009-06-26 03:02 . 2008-07-02 00:19 -------- d-----w- c:\program files\UltimateBet
2009-06-26 02:10 . 2009-06-26 02:10 -------- d-----w- c:\program files\_uninstallation_info
2009-06-25 19:47 . 2009-05-26 16:33 -------- d-----w- c:\program files\FullTiltShortcuts
2009-06-25 19:47 . 2008-11-07 04:32 -------- d-----w- c:\program files\Cake Poker
2009-06-25 19:46 . 2008-06-28 03:43 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-25 19:46 . 2006-11-24 14:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 11:31 . 2009-06-12 04:33 -------- d-----w- c:\program files\Poker Pro Labs
2009-06-18 09:04 . 2009-05-16 23:54 -------- d-----w- c:\program files\ClubWPT
2009-06-16 14:36 . 2006-11-24 14:33 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-11-24 14:29 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 06:07 . 2009-02-06 02:39 -------- d-----w- c:\program files\Safari
2009-06-14 06:03 . 2009-06-14 06:03 -------- d-----w- c:\program files\iPod
2009-06-14 06:03 . 2008-11-07 21:40 -------- d-----w- c:\program files\Common Files\Apple
2009-06-14 06:00 . 2009-06-14 06:00 -------- d-----w- c:\program files\QuickTime
2009-06-14 05:54 . 2009-06-14 05:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-13 18:55 . 2009-06-13 18:55 -------- d-----w- c:\program files\Virtual Magnifying Glass
2009-06-03 19:09 . 2006-11-24 14:32 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-22 08:02 . 2008-08-14 17:23 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-05-22 08:00 . 2008-08-14 17:23 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 07:45 . 2008-08-14 17:23 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-08-10_19.11.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-12 07:23 . 2009-08-12 07:23 16384 c:\windows\temp\Perflib_Perfdata_45c.dat
+ 2009-08-11 06:49 . 2009-08-11 06:49 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-08-11 06:43 . 2009-08-11 06:43 20480 c:\windows\Installer\64295.msi
+ 2009-08-11 06:42 . 2009-08-11 06:42 26624 c:\windows\Installer\6428f.msi
+ 2009-08-11 06:14 . 2009-08-11 06:14 57344 c:\windows\ERDNT\subs\Users\00000008\UsrClass.dat
+ 2009-08-11 06:14 . 2009-08-11 06:14 8192 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-11 06:14 . 2009-08-11 06:14 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2009-08-10 19:09 . 2009-08-10 19:09 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 149280 c:\windows\system32\javaws.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 145184 c:\windows\system32\javaw.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 145184 c:\windows\system32\java.exe
+ 2009-08-11 06:14 . 2009-08-11 06:14 696320 c:\windows\ERDNT\subs\Users\00000007\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 241664 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 245760 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-10 19:09 . 2009-08-10 19:09 241664 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 241664 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-11 06:54 . 2009-08-11 06:54 1757696 c:\windows\Installer\6429f.msi
+ 2009-08-11 06:44 . 2009-08-11 06:44 3938816 c:\windows\Installer\6429b.msi
+ 2009-08-11 06:14 . 2009-08-11 06:14 4173824 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-11 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote V5.lnk
backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Apple\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 clr_optimization_v2.0.50727_32Messenger;.NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32Messenger;ð%€|x srv [x]
R2 COMSysAppCOMSysApp;COM+ System Application COMSysAppCOMSysApp;ð%€|x srv [x]
R2 EventSystemNtmsSvc;COM+ Event System EventSystemNtmsSvc;ð%€|x srv [x]
R2 IDriverTRasAuto;InstallDriver Table Manager IDriverTRasAuto;ð%€|x srv [x]
R2 IDriverTRemoteRegistry;InstallDriver Table Manager IDriverTRemoteRegistry;ð%€|x srv [x]
R2 Messengertmproxy;Messenger Messengertmproxy;ð%€|x srv [x]
R2 NetDDETermService;Network DDE NetDDETermService;ð%€|x srv [x]
R2 RasManBrowser;Remote Access Connection Manager RasManBrowser;ð%€|x srv [x]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
R2 tmproxyS24EventMonitor;Trend Micro Proxy Service tmproxyS24EventMonitor;ð%€|x srv [x]
R2 UPSupnphost;Uninterruptible Power Supply UPSupnphost;ð%€|x srv [x]
R2 UPSupnphostSharedAccess;Uninterruptible Power Supply UPSupnphost UPSupnphostSharedAccess;ð%€|x srv [x]
R2 wuauservTermService;Automatic Updates wuauservTermService;ð%€|x srv [x]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]
.
Contents of the 'Scheduled Tasks' folder
2006-11-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2009-08-12 c:\windows\Tasks\User_Feed_Synchronization-{CE9ECDE8-B0C0-4E0C-B2F3-A241CA8C9DE1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Owner.YOUR-25A3BD3417\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: weather.gov\radar
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-12 10:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32Messenger]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysAppCOMSysApp]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystemNtmsSvc]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverTRasAuto]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverTRemoteRegistry]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messengertmproxy]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDETermService]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasManBrowser]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmproxyS24EventMonitor]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPSupnphost]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPSupnphostSharedAccess]
"ImagePath"="ð%€|x\01\09 srv"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauservTermService]
"ImagePath"="ð%€|x\01\09 srv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1336)
c:\windows\system32\igfxdev.dll
- - - - - - - > 'explorer.exe'(3952)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-08-12 10:56
ComboFix-quarantined-files.txt 2009-08-12 17:56
ComboFix2.txt 2009-08-12 06:56
ComboFix3.txt 2009-08-10 19:16
Pre-Run: 60,833,611,776 bytes free
Post-Run: 60,792,598,528 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
298 --- E O F --- 2009-08-02 22:01
JeffeVerde
2009-08-12, 22:17
What are your "forum hours"? With our time difference (I'm GMT -8), I'm not sure when to look for your posts, and I hate to lose half a day like last night (your yesterday?), because I didn't know it was your "in" time.
Thank you again for all time and effort
Hi,
Finland is on GMT +2 timezone.
Also, I still can't delete the \cmdcons folder.
Let that folder be. I didn't remember to say that in my previous post.
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
clr_optimization_v2.0.50727_32Messenger
COMSysAppCOMSysApp
EventSystemNtmsSvc
IDriverTRasAuto
IDriverTRemoteRegistry
Messengertmproxy
NetDDETermService
RasManBrowser
tmproxyS24EventMonitor
UPSupnphost
UPSupnphostSharedAccess
wuauservTermService
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=-
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe. Let ComboFix update itself and also install recovery console if it asks for permission to do so.
Then post the resultant log & a fresh dds.txt log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
JeffeVerde
2009-08-13, 09:01
Let that folder be. I didn't remember to say that in my previous post.
Yesterday you posted-
...Seems that of some reason recovery console (RC) for home edition got installed while media center edition needs same RC as pro edition.
You tried earlier to run ComboFix with WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe. Do you still have the file available? If you do, please see here (http://www.theeldergeek.com/recovery_console.htm) under "Removing the Recovery Console" -part to uninstall present RC and then run ComboFix with correct RC file. When done, post ComboFix log back here.
The uninstall instructions you linked to directed me to delete c:\cmldrs. and the c:\cmdcons folder
And I said "I didn't remember to say that in my previous post.". That means I didn't remember to say that skip over that folder deleting if it fails. Sorry for not telling this clearly enough.
JeffeVerde
2009-08-13, 09:21
ComboFix 09-08-10.06 - Owner 08/12/2009 23:06.12.1 - NTFSx86
Running from: c:\cfix\ComboFix.exe
Command switches used :: c:\cfix\CFscript.txt
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CLR_OPTIMIZATION_V2.0.50727_32MESSENGER
-------\Legacy_COMSYSAPPCOMSYSAPP
-------\Legacy_EVENTSYSTEMNTMSSVC
-------\Legacy_IDRIVERTRASAUTO
-------\Legacy_IDRIVERTREMOTEREGISTRY
-------\Legacy_MESSENGERTMPROXY
-------\Legacy_NETDDETERMSERVICE
-------\Legacy_RASMANBROWSER
-------\Legacy_TMPROXYS24EVENTMONITOR
-------\Legacy_UPSUPNPHOST
-------\Legacy_UPSUPNPHOSTSHAREDACCESS
-------\Legacy_WUAUSERVTERMSERVICE
-------\Service_clr_optimization_v2.0.50727_32Messenger
-------\Service_COMSysAppCOMSysApp
-------\Service_EventSystemNtmsSvc
-------\Service_IDriverTRasAuto
-------\Service_IDriverTRemoteRegistry
-------\Service_Messengertmproxy
-------\Service_NetDDETermService
-------\Service_RasManBrowser
-------\Service_tmproxyS24EventMonitor
-------\Service_UPSupnphost
-------\Service_UPSupnphostSharedAccess
-------\Service_wuauservTermService
((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.
2009-08-11 07:04 . 2009-08-11 07:04 -------- d-----w- c:\program files\ESET
2009-08-11 06:43 . 2009-08-11 06:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-11 06:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-11 06:42 . 2009-08-11 06:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-11 06:42 . 2009-08-11 06:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\program files\NOS
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 16:48 . 2009-08-10 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 16:17 . 2009-08-08 16:17 -------- d-----w- c:\documents and settings\Administrator\log
2009-08-08 08:21 . 2009-08-13 06:06 -------- d-----w- C:\CFIx
2009-08-06 21:37 . 2009-08-06 21:44 -------- d-s---w- C:\test
2009-08-06 19:42 . 2009-08-06 19:42 0 ----a-w- C:\settings.dat
2009-08-06 19:42 . 2009-08-06 19:42 1055676 ----a-w- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 19:33 . 2009-08-06 21:36 -------- d-----w- C:\Autoruns
2009-08-06 19:33 . 2009-08-06 19:33 576280 ----a-w- C:\Autoruns.zip
2009-08-06 19:15 . 2009-08-06 19:15 -------- d-----w- c:\windows\system32\Service
2009-08-06 19:04 . 2009-08-06 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SupportSoft
2009-08-06 18:10 . 2009-08-06 18:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\SupportSoft
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\tmRemoteProdPID
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\Common Files\supportsoft
2009-08-05 18:54 . 2009-08-05 18:54 -------- d-----w- C:\rsit
2009-08-05 18:52 . 2009-08-08 09:19 -------- d-----w- C:\Pesticide
2009-08-04 00:49 . 2009-08-08 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-04 00:49 . 2009-08-04 00:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-02 09:15 . 2009-08-02 09:15 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\.housecall6.6
2009-08-02 07:50 . 2009-08-02 07:50 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-02 07:49 . 2009-08-02 07:49 -------- d-----w- c:\windows\ERUNT
2009-08-02 07:35 . 2009-08-03 23:51 -------- d-----w- C:\SDfix
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmactmon.sys
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmevtmgr.sys
2009-08-01 22:28 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\tmcomm.sys
2009-08-01 22:10 . 2009-08-01 22:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\log
2009-08-01 19:13 . 2009-08-01 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-08-01 19:02 . 2009-08-01 19:02 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\Trend Micro
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\windows\LocalSSL
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Trend Micro
2009-07-25 19:10 . 2009-07-25 19:17 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\GetRightToGo
2009-07-25 06:51 . 2009-08-11 18:30 -------- d-----w- c:\program files\Hero Editor
2009-07-25 06:51 . 2009-08-11 18:29 249856 ------w- c:\windows\Setup1.exe
2009-07-25 06:51 . 2009-08-11 18:29 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-25 04:55 . 2009-07-25 05:50 -------- d-----w- c:\program files\Shared
2009-07-20 17:41 . 2009-07-20 17:42 -------- d-----w- c:\program files\DoylesRoom
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 20:03 . 2009-07-13 18:43 -------- d-----w- c:\program files\Diablo II
2009-08-12 05:05 . 2008-03-23 02:51 -------- d-----w- c:\program files\PokerStars
2009-08-11 06:54 . 2009-02-27 02:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 06:33 . 2006-11-24 14:59 -------- d-----w- c:\program files\Java
2009-08-05 22:52 . 2008-11-19 04:52 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Skype
2009-08-05 15:14 . 2008-11-19 04:58 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\skypePM
2009-08-01 19:22 . 2008-11-06 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-08-01 18:59 . 2006-11-24 15:56 -------- d-----w- c:\program files\Trend Micro
2009-07-13 20:41 . 2009-07-13 18:55 35715 ----a-w- c:\windows\DIIUnin.dat
2009-07-13 20:39 . 2009-07-13 19:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-13 20:39 . 2009-07-13 19:16 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-13 20:39 . 2009-07-13 19:16 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-07-13 18:55 . 2009-07-13 18:55 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-13 18:55 . 2009-07-13 18:55 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-13 17:26 . 2009-07-13 17:26 -------- d-----w- c:\program files\Poker Pal Pro Edition
2009-07-13 07:06 . 2009-07-06 00:29 -------- d-----w- c:\program files\Diablo II Shareware
2009-07-11 20:32 . 2009-07-01 21:37 -------- d-----w- c:\program files\Tiger Gaming
2009-07-10 16:05 . 2009-07-10 16:04 12692 ----a-w- c:\windows\W3DemoUnin.dat
2009-07-10 16:04 . 2009-07-10 16:04 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-07-10 16:04 . 2009-07-10 16:04 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-07-10 16:04 . 2009-07-10 16:04 -------- d-----w- c:\program files\Warcraft III Demo
2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\program files\Gateway
2009-07-06 00:29 . 2009-07-06 00:29 19143 ----a-w- c:\windows\DIIDUnin.dat
2009-07-06 00:29 . 2009-07-06 00:29 102400 ----a-w- c:\windows\DIIDUnin.exe
2009-07-06 00:29 . 2009-07-06 00:29 2829 ----a-w- c:\windows\DIIDUnin.pif
2009-07-04 09:16 . 2008-04-12 06:03 -------- d-----w- c:\program files\Poker Drill Master
2009-07-04 08:28 . 2006-11-24 14:56 -------- d-----w- c:\program files\Google
2009-06-29 16:12 . 2006-11-24 14:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-11-24 14:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-11-24 14:27 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 23:27 . 2009-06-26 23:27 -------- d-----w- c:\program files\PopCap Games
2009-06-26 03:02 . 2008-07-02 00:19 -------- d-----w- c:\program files\UltimateBet
2009-06-26 02:10 . 2009-06-26 02:10 -------- d-----w- c:\program files\_uninstallation_info
2009-06-25 19:47 . 2009-05-26 16:33 -------- d-----w- c:\program files\FullTiltShortcuts
2009-06-25 19:47 . 2008-11-07 04:32 -------- d-----w- c:\program files\Cake Poker
2009-06-25 19:46 . 2008-06-28 03:43 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-25 19:46 . 2006-11-24 14:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 11:31 . 2009-06-12 04:33 -------- d-----w- c:\program files\Poker Pro Labs
2009-06-18 09:04 . 2009-05-16 23:54 -------- d-----w- c:\program files\ClubWPT
2009-06-16 14:36 . 2006-11-24 14:33 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-11-24 14:29 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 05:54 . 2009-06-14 05:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-03 19:09 . 2006-11-24 14:32 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-22 08:02 . 2008-08-14 17:23 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-05-22 08:00 . 2008-08-14 17:23 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 07:45 . 2008-08-14 17:23 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-08-10_19.11.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-11 06:49 . 2009-08-11 06:49 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-08-11 06:43 . 2009-08-11 06:43 20480 c:\windows\Installer\64295.msi
+ 2009-08-11 06:42 . 2009-08-11 06:42 26624 c:\windows\Installer\6428f.msi
+ 2009-08-13 06:10 . 2009-08-13 06:10 57344 c:\windows\ERDNT\subs\Users\00000008\UsrClass.dat
+ 2009-08-13 06:10 . 2009-08-13 06:10 8192 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
- 2009-08-10 19:09 . 2009-08-10 19:09 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-13 06:10 . 2009-08-13 06:10 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 149280 c:\windows\system32\javaws.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 145184 c:\windows\system32\javaw.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 145184 c:\windows\system32\java.exe
+ 2009-08-13 06:10 . 2009-08-13 06:10 696320 c:\windows\ERDNT\subs\Users\00000007\NTUSER.DAT
+ 2009-08-13 06:10 . 2009-08-13 06:10 241664 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
+ 2009-08-13 06:10 . 2009-08-13 06:10 249856 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-10 19:09 . 2009-08-10 19:09 241664 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-13 06:10 . 2009-08-13 06:10 241664 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-11 06:54 . 2009-08-11 06:54 1757696 c:\windows\Installer\6429f.msi
+ 2009-08-11 06:44 . 2009-08-11 06:44 3938816 c:\windows\Installer\6429b.msi
+ 2009-08-13 06:10 . 2009-08-13 06:10 4173824 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-11 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote V5.lnk
backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Apple\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]
.
Contents of the 'Scheduled Tasks' folder
2006-11-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2009-08-12 c:\windows\Tasks\User_Feed_Synchronization-{CE9ECDE8-B0C0-4E0C-B2F3-A241CA8C9DE1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Owner.YOUR-25A3BD3417\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: weather.gov\radar
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-12 23:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1692)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\wdfmgr.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
.
**************************************************************************
.
Completion time: 2009-08-13 23:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-13 06:16
ComboFix2.txt 2009-08-12 17:56
ComboFix3.txt 2009-08-12 06:56
ComboFix4.txt 2009-08-10 19:16
Pre-Run: 60,768,055,296 bytes free
Post-Run: 60,740,837,376 bytes free
304 --- E O F --- 2009-08-02 22:01
JeffeVerde
2009-08-13, 09:37
FYI -- It looks like part of the CFscript you had me run was intended to disable TrendMicro. TrendMicro 2009 includes a seperate utility called TISTOOL that can be used to start/stop all components of TrendMicro.
Hi,
Those TM related values mean if Windows will notify you when TM firewall or av program is disabled. If those values are present and set then you won't get notification. Normally those values are not needed. Remember that I'm not giving instructions to make system weaker ;)
Post a fresh dds.txt log and let me know how's the system running, please.
JeffeVerde
2009-08-13, 22:27
Remember that I'm not giving instructions to make system weaker ;)
Of course. I was just passing on an easy way to enable/disable TrendMicro while running other tools.
Here's the latest DDS-
p.s. should I be including ATTACH.TXT, or do you just need the DDS log?
=====================================
DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 12:12:10.65 on Thu 08/13/2009
Internet Explorer: 7.0.5730.13
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
============== Running Processes ===============
============== Pseudo HJT Report ===============
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\owner.your-25a3bd3417\start menu\programs\ultimatebet\UltimateBet.lnk
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: weather.gov\radar
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://www.tmremote.com/sdccommon/download/tgctlcm.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2009-08-12 10:48 <DIR> --d----- C:\cmdcons
2009-08-11 00:04 <DIR> --d----- c:\program files\ESET
2009-08-10 23:54 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-10 09:49 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\Malwarebytes
2009-08-10 09:49 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 09:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-10 09:49 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-10 09:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 01:21 <DIR> --d----- C:\CFIx
2009-08-06 14:37 <DIR> --ds---- C:\test
2009-08-06 12:42 0 a------- C:\settings.dat
2009-08-06 12:42 1,055,676 a------- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 12:33 <DIR> --d----- C:\Autoruns
2009-08-06 12:33 576,280 a------- C:\Autoruns.zip
2009-08-06 12:20 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-06 12:15 <DIR> --d----- c:\windows\system32\Service
2009-08-06 12:06 216,064 a------- c:\windows\PEV.exe
2009-08-06 12:06 161,792 a------- c:\windows\SWREG.exe
2009-08-06 12:06 98,816 a------- c:\windows\sed.exe
2009-08-06 11:10 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\SupportSoft
2009-08-06 11:07 <DIR> --d----- c:\program files\tmRemoteProdPID
2009-08-06 11:07 <DIR> --d----- c:\program files\common files\supportsoft
2009-08-05 11:52 <DIR> --d----- C:\Pesticide
2009-08-03 17:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-03 17:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-02 02:15 <DIR> --d----- c:\documents and settings\owner.your-25a3bd3417\.housecall6.6
2009-08-02 00:50 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-08-02 00:49 <DIR> --d----- c:\windows\ERUNT
2009-08-02 00:35 <DIR> --d----- C:\SDfix
2009-08-01 15:28 153,104 a------- c:\windows\system32\tmcomm.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmevtmgr.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmactmon.sys
2009-08-01 15:10 <DIR> --d----- c:\documents and settings\owner.your-25a3bd3417\log
2009-08-01 11:59 <DIR> --d----- c:\windows\LocalSSL
2009-07-25 12:10 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\GetRightToGo
2009-07-24 23:51 <DIR> --d----- c:\program files\Hero Editor
2009-07-24 23:51 249,856 -------- c:\windows\Setup1.exe
2009-07-24 23:51 73,216 a------- c:\windows\ST6UNST.EXE
2009-07-24 21:55 <DIR> --d----- c:\program files\Shared
2009-07-20 10:41 <DIR> --d----- c:\program files\DoylesRoom
==================== Find3M ====================
2009-08-10 23:54 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-13 13:41 35,715 a------- c:\windows\DIIUnin.dat
2009-07-13 13:39 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-07-13 13:39 17,212 a------t c:\windows\system32\SIntf32.dll
2009-07-13 13:39 12,067 a------t c:\windows\system32\SIntf16.dll
2009-07-13 11:55 94,208 a------- c:\windows\DIIUnin.exe
2009-07-13 11:55 2,829 a------- c:\windows\DIIUnin.pif
2009-07-10 09:05 12,692 a------- c:\windows\W3DemoUnin.dat
2009-07-10 09:04 126,976 a------- c:\windows\W3DemoUnin.exe
2009-07-10 09:04 2,829 a------- c:\windows\W3DemoUnin.pif
2009-07-05 17:29 102,400 a------- c:\windows\DIIDUnin.exe
2009-07-05 17:29 19,143 a------- c:\windows\DIIDUnin.dat
2009-07-05 17:29 2,829 a------- c:\windows\DIIDUnin.pif
2009-06-29 09:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-11-30 21:26 34,472 a------- c:\docume~1\owner~1.you\applic~1\GDIPFONTCACHEV1.DAT
2008-03-05 11:18 0 a------- c:\docume~1\owner~1.you\applic~1\wklnhst.dat
============= FINISH: 12:12:27.29 ===============
JeffeVerde
2009-08-13, 22:33
. . . and let me know how's the system running, please.
Except for not being able to succesfully install Recovery Console (which isn't affecting the system use - just odd), everything seems to be fine. No mystery windows or unidentified processes trying to "phone home" :D:
Yes, that recovery console thing is a bit mysterious. Could you download a fresh copy of ComboFix and then run it to see if it asks permission to install RC (let it install if asked)?
JeffeVerde
2009-08-14, 01:58
Yes, that recovery console thing is a bit mysterious. Could you download a fresh copy of ComboFix and then run it to see if it asks permission to install RC (let it install if asked)?
Just to clarify -- every time I run CF (without using the RC installer to launch it), it warns that RC is not installed and prompts me to let CF install it. If let CF download/install RC, it goes through the process, reports that RC was successfully installed, and continues on with it's scan.
I'll try it again with a fresh copy of CF.
Ok. Let me know how it goes.
JeffeVerde
2009-08-14, 10:21
-ran combofix /u
-deleted combofix.exe and the RC installer
-downloaded a fresh copy of combofix from bleepingcomputer.com
-ran combofix and let it install
=Combofix still gets the same two "access denied"s when it first happens, then 3 more after RC is installed.
=Still no entry RC entry in the startup
Here's the latest combofix log-
ComboFix 09-08-10.06 - Owner 08/13/2009 23:06.13.1 - NTFSx86
Running from: c:\documents and settings\Owner.YOUR-25A3BD3417\Desktop\COMBOF1X.exe.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
.
2009-08-11 07:04 . 2009-08-11 07:04 -------- d-----w- c:\program files\ESET
2009-08-11 06:43 . 2009-08-11 06:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-11 06:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-11 06:42 . 2009-08-11 06:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-11 06:42 . 2009-08-11 06:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\program files\NOS
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 16:48 . 2009-08-10 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 16:17 . 2009-08-08 16:17 -------- d-----w- c:\documents and settings\Administrator\log
2009-08-08 08:21 . 2009-08-14 06:03 -------- d-----w- C:\CFIx
2009-08-06 21:37 . 2009-08-06 21:44 -------- d-s---w- C:\test
2009-08-06 19:42 . 2009-08-06 19:42 0 ----a-w- C:\settings.dat
2009-08-06 19:42 . 2009-08-06 19:42 1055676 ----a-w- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 19:33 . 2009-08-06 21:36 -------- d-----w- C:\Autoruns
2009-08-06 19:33 . 2009-08-06 19:33 576280 ----a-w- C:\Autoruns.zip
2009-08-06 19:15 . 2009-08-06 19:15 -------- d-----w- c:\windows\system32\Service
2009-08-06 19:04 . 2009-08-06 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SupportSoft
2009-08-06 18:10 . 2009-08-06 18:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\SupportSoft
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\tmRemoteProdPID
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\Common Files\supportsoft
2009-08-05 18:54 . 2009-08-05 18:54 -------- d-----w- C:\rsit
2009-08-05 18:52 . 2009-08-08 09:19 -------- d-----w- C:\Pesticide
2009-08-04 00:49 . 2009-08-08 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-04 00:49 . 2009-08-04 00:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-02 09:15 . 2009-08-02 09:15 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\.housecall6.6
2009-08-02 07:50 . 2009-08-02 07:50 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-02 07:49 . 2009-08-02 07:49 -------- d-----w- c:\windows\ERUNT
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmactmon.sys
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmevtmgr.sys
2009-08-01 22:28 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\tmcomm.sys
2009-08-01 22:10 . 2009-08-01 22:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\log
2009-08-01 19:13 . 2009-08-01 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-08-01 19:02 . 2009-08-01 19:02 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\Trend Micro
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\windows\LocalSSL
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Trend Micro
2009-07-25 19:10 . 2009-07-25 19:17 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\GetRightToGo
2009-07-25 06:51 . 2009-08-11 18:30 -------- d-----w- c:\program files\Hero Editor
2009-07-25 06:51 . 2009-08-11 18:29 249856 ------w- c:\windows\Setup1.exe
2009-07-25 06:51 . 2009-08-11 18:29 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-25 04:55 . 2009-07-25 05:50 -------- d-----w- c:\program files\Shared
2009-07-20 17:41 . 2009-07-20 17:42 -------- d-----w- c:\program files\DoylesRoom
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 02:40 . 2009-07-13 18:43 -------- d-----w- c:\program files\Diablo II
2009-08-13 23:15 . 2008-03-23 02:51 -------- d-----w- c:\program files\PokerStars
2009-08-13 16:41 . 2009-07-01 21:37 -------- d-----w- c:\program files\Tiger Gaming
2009-08-11 06:54 . 2009-02-27 02:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 06:33 . 2006-11-24 14:59 -------- d-----w- c:\program files\Java
2009-08-05 22:52 . 2008-11-19 04:52 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Skype
2009-08-05 15:14 . 2008-11-19 04:58 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\skypePM
2009-08-01 19:22 . 2008-11-06 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-08-01 18:59 . 2006-11-24 15:56 -------- d-----w- c:\program files\Trend Micro
2009-07-13 20:41 . 2009-07-13 18:55 35715 ----a-w- c:\windows\DIIUnin.dat
2009-07-13 20:39 . 2009-07-13 19:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-13 20:39 . 2009-07-13 19:16 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-13 20:39 . 2009-07-13 19:16 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-07-13 18:55 . 2009-07-13 18:55 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-13 18:55 . 2009-07-13 18:55 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-13 17:26 . 2009-07-13 17:26 -------- d-----w- c:\program files\Poker Pal Pro Edition
2009-07-13 07:06 . 2009-07-06 00:29 -------- d-----w- c:\program files\Diablo II Shareware
2009-07-10 16:05 . 2009-07-10 16:04 12692 ----a-w- c:\windows\W3DemoUnin.dat
2009-07-10 16:04 . 2009-07-10 16:04 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-07-10 16:04 . 2009-07-10 16:04 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-07-10 16:04 . 2009-07-10 16:04 -------- d-----w- c:\program files\Warcraft III Demo
2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\program files\Gateway
2009-07-06 00:29 . 2009-07-06 00:29 19143 ----a-w- c:\windows\DIIDUnin.dat
2009-07-06 00:29 . 2009-07-06 00:29 102400 ----a-w- c:\windows\DIIDUnin.exe
2009-07-06 00:29 . 2009-07-06 00:29 2829 ----a-w- c:\windows\DIIDUnin.pif
2009-07-04 09:16 . 2008-04-12 06:03 -------- d-----w- c:\program files\Poker Drill Master
2009-07-04 08:28 . 2006-11-24 14:56 -------- d-----w- c:\program files\Google
2009-06-29 16:12 . 2006-11-24 14:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-11-24 14:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-11-24 14:27 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 23:27 . 2009-06-26 23:27 -------- d-----w- c:\program files\PopCap Games
2009-06-26 03:02 . 2008-07-02 00:19 -------- d-----w- c:\program files\UltimateBet
2009-06-26 02:10 . 2009-06-26 02:10 -------- d-----w- c:\program files\_uninstallation_info
2009-06-25 19:47 . 2009-05-26 16:33 -------- d-----w- c:\program files\FullTiltShortcuts
2009-06-25 19:47 . 2008-11-07 04:32 -------- d-----w- c:\program files\Cake Poker
2009-06-25 19:46 . 2008-06-28 03:43 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-25 19:46 . 2006-11-24 14:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 11:31 . 2009-06-12 04:33 -------- d-----w- c:\program files\Poker Pro Labs
2009-06-18 09:04 . 2009-05-16 23:54 -------- d-----w- c:\program files\ClubWPT
2009-06-16 14:36 . 2006-11-24 14:33 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-11-24 14:29 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 05:54 . 2009-06-14 05:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-03 19:09 . 2006-11-24 14:32 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-22 08:02 . 2008-08-14 17:23 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-05-22 08:00 . 2008-08-14 17:23 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 07:45 . 2008-08-14 17:23 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-11 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote V5.lnk
backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Apple\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]
.
Contents of the 'Scheduled Tasks' folder
2006-11-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2009-08-13 c:\windows\Tasks\User_Feed_Synchronization-{CE9ECDE8-B0C0-4E0C-B2F3-A241CA8C9DE1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Owner.YOUR-25A3BD3417\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: weather.gov\radar
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 23:10
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1340)
c:\windows\system32\igfxdev.dll
- - - - - - - > 'explorer.exe'(6920)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-08-14 23:12
ComboFix-quarantined-files.txt 2009-08-14 06:12
ComboFix2.txt 2009-08-13 06:16
Pre-Run: 60,747,603,968 bytes free
Post-Run: 60,730,408,960 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
231 --- E O F --- 2009-08-02 22:01
JeffeVerde
2009-08-14, 11:24
Figured out why I couldn't delete the RC install (special rights inherited from the parent folder). Cleared the rights and was finally able to delete the files.
Reran CF and let it install RC again. It installed the files but it's still not updating BOOT.INI. I mentioned that there are several "Access is denied" lines before it starts scanning -- I noticed that after it unpacked the RC files, there was a line "SED: can't read C:\Boot.bak: No such file or directory"
Here's the log-
============================
ComboFix 09-08-10.06 - Owner 08/14/2009 0:42.14.1 - NTFSx86
Running from: c:\documents and settings\Owner.YOUR-25A3BD3417\Desktop\COMBOF1X.exe.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
.
2009-08-11 07:04 . 2009-08-11 07:04 -------- d-----w- c:\program files\ESET
2009-08-11 06:43 . 2009-08-11 06:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-11 06:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-11 06:42 . 2009-08-11 06:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-11 06:42 . 2009-08-11 06:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\program files\NOS
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 16:48 . 2009-08-10 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 16:17 . 2009-08-08 16:17 -------- d-----w- c:\documents and settings\Administrator\log
2009-08-08 08:21 . 2009-08-14 07:37 -------- d-----w- C:\CFIx
2009-08-06 21:37 . 2009-08-06 21:44 -------- d-s---w- C:\test
2009-08-06 19:42 . 2009-08-06 19:42 0 ----a-w- C:\settings.dat
2009-08-06 19:42 . 2009-08-06 19:42 1055676 ----a-w- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 19:33 . 2009-08-06 21:36 -------- d-----w- C:\Autoruns
2009-08-06 19:33 . 2009-08-06 19:33 576280 ----a-w- C:\Autoruns.zip
2009-08-06 19:15 . 2009-08-06 19:15 -------- d-----w- c:\windows\system32\Service
2009-08-06 19:04 . 2009-08-06 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SupportSoft
2009-08-06 18:10 . 2009-08-06 18:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\SupportSoft
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\tmRemoteProdPID
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\Common Files\supportsoft
2009-08-05 18:54 . 2009-08-05 18:54 -------- d-----w- C:\rsit
2009-08-05 18:52 . 2009-08-08 09:19 -------- d-----w- C:\Pesticide
2009-08-04 00:49 . 2009-08-08 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-04 00:49 . 2009-08-04 00:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-02 09:15 . 2009-08-02 09:15 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\.housecall6.6
2009-08-02 07:50 . 2009-08-02 07:50 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-02 07:49 . 2009-08-02 07:49 -------- d-----w- c:\windows\ERUNT
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmactmon.sys
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmevtmgr.sys
2009-08-01 22:28 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\tmcomm.sys
2009-08-01 22:10 . 2009-08-01 22:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\log
2009-08-01 19:13 . 2009-08-01 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-08-01 19:02 . 2009-08-01 19:02 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\Trend Micro
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\windows\LocalSSL
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Trend Micro
2009-07-25 19:10 . 2009-07-25 19:17 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\GetRightToGo
2009-07-25 06:51 . 2009-08-11 18:30 -------- d-----w- c:\program files\Hero Editor
2009-07-25 06:51 . 2009-08-11 18:29 249856 ------w- c:\windows\Setup1.exe
2009-07-25 06:51 . 2009-08-11 18:29 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-25 04:55 . 2009-07-25 05:50 -------- d-----w- c:\program files\Shared
2009-07-20 17:41 . 2009-07-20 17:42 -------- d-----w- c:\program files\DoylesRoom
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 02:40 . 2009-07-13 18:43 -------- d-----w- c:\program files\Diablo II
2009-08-13 23:15 . 2008-03-23 02:51 -------- d-----w- c:\program files\PokerStars
2009-08-13 16:41 . 2009-07-01 21:37 -------- d-----w- c:\program files\Tiger Gaming
2009-08-11 06:54 . 2009-02-27 02:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 06:33 . 2006-11-24 14:59 -------- d-----w- c:\program files\Java
2009-08-05 22:52 . 2008-11-19 04:52 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Skype
2009-08-05 15:14 . 2008-11-19 04:58 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\skypePM
2009-08-01 19:22 . 2008-11-06 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-08-01 18:59 . 2006-11-24 15:56 -------- d-----w- c:\program files\Trend Micro
2009-07-13 20:41 . 2009-07-13 18:55 35715 ----a-w- c:\windows\DIIUnin.dat
2009-07-13 20:39 . 2009-07-13 19:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-13 20:39 . 2009-07-13 19:16 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-13 20:39 . 2009-07-13 19:16 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-07-13 18:55 . 2009-07-13 18:55 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-13 18:55 . 2009-07-13 18:55 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-13 17:26 . 2009-07-13 17:26 -------- d-----w- c:\program files\Poker Pal Pro Edition
2009-07-13 07:06 . 2009-07-06 00:29 -------- d-----w- c:\program files\Diablo II Shareware
2009-07-10 16:05 . 2009-07-10 16:04 12692 ----a-w- c:\windows\W3DemoUnin.dat
2009-07-10 16:04 . 2009-07-10 16:04 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-07-10 16:04 . 2009-07-10 16:04 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-07-10 16:04 . 2009-07-10 16:04 -------- d-----w- c:\program files\Warcraft III Demo
2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\program files\Gateway
2009-07-06 00:29 . 2009-07-06 00:29 19143 ----a-w- c:\windows\DIIDUnin.dat
2009-07-06 00:29 . 2009-07-06 00:29 102400 ----a-w- c:\windows\DIIDUnin.exe
2009-07-06 00:29 . 2009-07-06 00:29 2829 ----a-w- c:\windows\DIIDUnin.pif
2009-07-04 09:16 . 2008-04-12 06:03 -------- d-----w- c:\program files\Poker Drill Master
2009-07-04 08:28 . 2006-11-24 14:56 -------- d-----w- c:\program files\Google
2009-06-29 16:12 . 2006-11-24 14:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-11-24 14:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-11-24 14:27 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 23:27 . 2009-06-26 23:27 -------- d-----w- c:\program files\PopCap Games
2009-06-26 03:02 . 2008-07-02 00:19 -------- d-----w- c:\program files\UltimateBet
2009-06-26 02:10 . 2009-06-26 02:10 -------- d-----w- c:\program files\_uninstallation_info
2009-06-25 19:47 . 2009-05-26 16:33 -------- d-----w- c:\program files\FullTiltShortcuts
2009-06-25 19:47 . 2008-11-07 04:32 -------- d-----w- c:\program files\Cake Poker
2009-06-25 19:46 . 2008-06-28 03:43 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-25 19:46 . 2006-11-24 14:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 11:31 . 2009-06-12 04:33 -------- d-----w- c:\program files\Poker Pro Labs
2009-06-18 09:04 . 2009-05-16 23:54 -------- d-----w- c:\program files\ClubWPT
2009-06-16 14:36 . 2006-11-24 14:33 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-11-24 14:29 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 05:54 . 2009-06-14 05:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-03 19:09 . 2006-11-24 14:32 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-22 08:02 . 2008-08-14 17:23 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-05-22 08:00 . 2008-08-14 17:23 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 07:45 . 2008-08-14 17:23 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-08-14_06.10.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-14 07:29 . 2009-08-14 07:29 16384 c:\windows\temp\Perflib_Perfdata_440.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-11 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote V5.lnk
backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Apple\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]
.
Contents of the 'Scheduled Tasks' folder
2006-11-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2009-08-13 c:\windows\Tasks\User_Feed_Synchronization-{CE9ECDE8-B0C0-4E0C-B2F3-A241CA8C9DE1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Owner.YOUR-25A3BD3417\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: weather.gov\radar
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-14 00:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3924)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-08-14 0:48
ComboFix-quarantined-files.txt 2009-08-14 07:47
ComboFix2.txt 2009-08-13 06:16
Pre-Run: 60,752,646,144 bytes free
Post-Run: 60,703,936,512 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
233 --- E O F --- 2009-08-02 22:01
Hi,
I've asked the creator of the tool what could cause the issue. I'll be back with further instructions ASAP.
Hi,
Let's give RC installing one more try. Please make sure your antivirus protection is all disabled. If installing still fails and the system runs otherwise without issues then I think we'll leave it not installed.
JeffeVerde
2009-08-15, 07:07
Hi,
Let's give RC installing one more try. . .
Got it! The infestation had stripped the rights on ATTRIB.EXE. The "access denied" errors where occuring as CF tried to change the SHR attributes on BOOT.INI, and it never created a BOOT.BAK because it couldn't modify BOOT.INI in the first place.
I re-enabled rights on ATTRIB.EXE, and CF ran without errors, and added an RC launch option to BOOT.INI. BOOT.INI now reads-
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
JeffeVerde
2009-08-15, 07:08
err -- I ran CF, and CF added an RC option to BOOT.INI
Good catch :bigthumb:
Let's optimize boot.ini a bit to make boot menu appear less time during the bootup.
Make boot.ini contents to be like this:
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
That will make boot menu appear for 3 seconds.
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,[b]NOT on a regular basis
Now lets uninstall ComboFix:
Click START then RUN
Now copy-paste "c:\documents and settings\Owner.YOUR-25A3BD3417\Desktop\COMBOF1X.exe.exe" /u in the runbox and click OK
Next we remove all used tools.
Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
JeffeVerde
2009-08-15, 20:55
I'll procede with the rest of the cleanup steps. But re:
That will make boot menu appear for 3 seconds.
I'm not seeing the boot loader menu during startup. I have to F11 or F8 and "select OS" to get it. Also, if I select the option in MSCONFIG or TrendMicro's TISTOOL utility, to have the system restart in safe mode, it doesn't have any effect - it just comes up in normal mode. Maybe another file that's had it's access rights stripped?
Hi,
When infection was present permissions of those commands you tried may have got altered (just like happened for attrib.exe for example). It's impossible for me to know what commands were attempted than those I've instructed here. That's why users shouldn't do anything else than what their helpers instruct them to do. Does msconfig.exe have right permissions?
Due to inactivity, this thread will now be closed.
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.