
Dlmarti


Everything posted by Dlmarti

  1. I have been having a problem with my IE 7 being very slow when I'm closing out a particular page that I have browsed...sometimes up to 10-12 seconds before it decides to close...I don't have any particular problem with opening up a page, it's just closing it that takes forever. I have Malwarebytes (free version) and AVG (paid version) and both are coming up clean...I am also running with no add-ons (don't know if that would make a difference or not). Any assistance is greatly appreciated. Thanks, Daphne
  2. Yardbird, do I remove my Trend Micro before I download the free version of Avira/Avast? I haven't decided which one I'm going to use, but my Trend Micro ends on August 1, so I will be making a decision tomorrow. In your opinion, which one is more user friendly? Thanks, Daphne
  3. Thanks for the suggestions about the free AV software. I will probably do that within the next day or two. However, I would like to know if it is safe for me to allow Trend Micro to clean the two trojans it has quarantined. They are listed in my original post. Thanks guys! Daphne
  4. My Trend Micro subscription ends in 13 days. I am thinking about just letting it expire and going with another antivirus --- I forgot the programs that were suggested to me on this site before --- but would like to see if you guys have any other recommendations. Are the free programs just as effective as the ones we pay for? Thanks again.
  5. I visited this site about a month ago, and after much work, you guys helped me clear up a trojan. Well, I'm back with a different problem(s). 1. While doing an MBAM quick scan, my Trend Micro alert will pop up stating that mbam.exe is attempting to perform an unexpected action on a Windows process - C:\windows\system32\userinit.exe --- and it says it blocked it. Also, my MBAM is not detecting any malicious items during the scan. 2. Trend Micro was scheduled to run an automatic scan last night and showed up with two viruses/trojans (Troj-swizzor.TND) that it quarantined --- replace.exe located in C:\hp\bin and also A0007555.exe located in C:\system volume info\restore. -----IS IT SAFE FOR ME TO CLEAN THESE AND THEN DELETE THEM FROM QUARANTINE? I'm not sure why my Trend Micro is blocking some of the scan items during the MBAM scan, and that's what it was doing about a month ago ---- it seems like it happens after I do an MBAM update. Please instruct me on what to do in this situation: do I just let my Trend Micro clean these trojans that it found, or is there more I need to do? Thank you in advance.
  6. I just finished working with an administrator on the Hijack Log forum. We successfully removed an infection, and I think my computer is back to normal now! However, I do have a couple of questions regarding my computer. 1. I am using Trend Micro as my anti-virus program and as my firewall. I also have MBAM installed for quick scans. Can I download & use Spyware Blaster in addition to these, or would that be overkill? 2. While the administrator was helping to clean up my computer, I was instructed to delete Java because I had older versions. Now that they are deleted, do I need to install a new version of Java? 3. My teenage son loves to visit lyric sites. I was told by an administrator that lyric sites are very bad for malware, etc. Does anyone know of any legitimate lyric sites that are safe to visit? Thanks in advance for any assistance you can provide!
  7. Okay, here's what I have done most recently:
     Step 1: I uninstalled Java, I ran JavaRa, and I removed the Java folders that you said to remove. Here is the JavaRa log:
     JavaRa 1.14 Removal Log.
     Report follows after line.
     ------------------------------------
     The JavaRa removal process was started on Sat Jun 27 21:06:21 2009
     Found and removed: C:\Program Files\Java\jre1.5.0_05
     Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_05\
     Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_06\
     ------------------------------------
     Finished reporting.
     Step 2: I updated and ran my Trend Micro anti-virus protection program. I can't figure out how to copy the results. However, it found and deleted 12 threats --- all threats were cookies listed under spyware.
     Step 3: Just for my own benefit, I ran Malwarebytes' scan and here is that log.
     Malwarebytes' Anti-Malware 1.38
     Database version: 2340
     Windows 5.1.2600 Service Pack 3
     6/27/2009 10:43:19 PM
     mbam-log-2009-06-27 (22-43-19).txt
     Scan type: Quick Scan
     Objects scanned: 100720
     Time elapsed: 5 minute(s), 46 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
     I have a couple of questions for you: If I did have an infection to one of my drivers like you stated, why didn't my Trend Micro stop that in the first place? I am due to renew my Trend Micro at the end of July; do you have a suggestion for a better anti-virus program? Or was this an infection that no anti-virus program would have stopped? Do I need to now re-install a newer version of Java since I uninstalled the older versions like you instructed? Am I now free of all viruses or malware? If not, please instruct further. Thank you sooo much for the time and effort you have put into helping me!
  8. OK, will do what you just instructed, but I do have a few questions: Are you seeing anything in my logs that looks like I have a virus/malware/trojan, etc.? My original problem was Malwarebytes was reporting trojan.agent, but it did not find it on the last scan. Is ComboFix just a log, or does it actually remove items? If it removes malicious items, maybe it removed the trojan.agent... just guessing here! Or since I uninstalled Spybot, could that have removed the trojan.agent? I'm just a little confused as to why it's not showing up anymore, but I'm still having to do all of these steps that you say to do... not that I mind, I'm very grateful for your help... I'm just confused. When I download JavaRa, how do I unzip it to my desktop? Does that mean just save it to the desktop and then run it from there? Thank you for your patience and assistance. Daphne
  9. Here are the logs you requested - I did notice that my original problem with Malwarebytes finding trojan.agent did not happen this time - strange!
     Step 1: I uninstalled Spybot to remove TeaTimer.
     Step 2: ComboFix log:
     Step 3: Malwarebytes' scan with Trend Micro and my firewall disabled:
     Malwarebytes' Anti-Malware 1.38
     Database version: 2340
     Windows 5.1.2600 Service Pack 3
     6/26/2009 9:29:59 PM
     mbam-log-2009-06-26 (21-29-59).txt
     Scan type: Quick Scan
     Objects scanned: 100344
     Time elapsed: 4 minute(s), 14 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
     Malwarebytes log with Trend Micro and firewall enabled:
     Malwarebytes' Anti-Malware 1.38
     Database version: 2340
     Windows 5.1.2600 Service Pack 3
     6/26/2009 9:36:18 PM
     mbam-log-2009-06-26 (21-36-18).txt
     Scan type: Quick Scan
     Objects scanned: 100343
     Time elapsed: 5 minute(s), 14 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
     HijackThis log:
     Step 4: DDS and attachment
2009-04-28 04:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe 2009-04-25 00:27 636,088 a------- c:\windows\system32\dllcache\iexplore.exe 2009-04-25 00:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll 2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys 2009-04-17 07:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys 2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll 2009-04-15 09:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll 2006-07-16 23:29 0 a------- c:\docume~1\hp_adm~1\applic~1\internaldb41.dat 2008-12-19 11:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121920081220\index.dat ============= FINISH: 21:42:42.94 =============== Attach.txt log UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_09-06-26.01) Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume1 Install Date: 5/20/2006 10:14:09 PM System Uptime: 6/26/2009 9:16:27 PM (0 hours ago) Motherboard: ASUSTek Computer INC. | | NAGAMI Processor: AMD Athlon 64 X2 Dual Core Processor 3800+ | Socket 939 | 2004/199mhz ==== Disk Partitions ========================= C: is FIXED (NTFS) - 224 GiB total, 151.31 GiB free. D: is FIXED (FAT32) - 8 GiB total, 0.533 GiB free. 
E: is CDROM () F: is Removable G: is Removable H: is Removable I: is Removable ==== Disabled Device Manager Items ============= ==== System Restore Points =================== RP1: 5/25/2009 11:44:05 AM - System Checkpoint RP2: 5/26/2009 11:48:41 AM - System Checkpoint RP3: 5/27/2009 11:49:55 AM - System Checkpoint RP4: 5/28/2009 10:58:58 AM - Software Distribution Service 3.0 RP5: 5/29/2009 11:16:56 AM - System Checkpoint RP6: 5/30/2009 12:15:09 PM - System Checkpoint RP7: 5/31/2009 12:31:47 PM - System Checkpoint RP8: 6/1/2009 1:31:41 PM - System Checkpoint RP9: 6/2/2009 2:02:44 PM - System Checkpoint RP10: 6/3/2009 2:23:03 PM - System Checkpoint RP11: 6/4/2009 2:53:41 PM - System Checkpoint RP12: 6/5/2009 2:56:01 PM - System Checkpoint RP13: 6/6/2009 3:21:05 PM - System Checkpoint RP14: 6/7/2009 3:33:03 PM - System Checkpoint RP15: 6/8/2009 3:54:39 PM - System Checkpoint RP16: 6/9/2009 3:55:41 PM - System Checkpoint RP17: 6/10/2009 5:19:32 PM - System Checkpoint RP18: 6/11/2009 6:10:59 PM - System Checkpoint RP19: 6/12/2009 3:00:22 AM - Software Distribution Service 3.0 RP20: 6/12/2009 10:38:24 AM - Software Distribution Service 3.0 RP21: 6/13/2009 10:44:01 AM - System Checkpoint RP22: 6/14/2009 10:53:51 AM - System Checkpoint RP23: 6/15/2009 11:52:01 AM - System Checkpoint RP24: 6/16/2009 12:46:35 PM - System Checkpoint RP25: 6/17/2009 1:09:02 PM - System Checkpoint RP26: 6/18/2009 1:20:42 PM - System Checkpoint RP27: 6/19/2009 2:24:08 PM - System Checkpoint RP28: 6/20/2009 3:09:26 PM - System Checkpoint RP29: 6/21/2009 3:43:03 PM - System Checkpoint RP30: 6/22/2009 4:43:42 PM - System Checkpoint RP31: 6/23/2009 4:58:09 PM - System Checkpoint RP32: 6/24/2009 5:44:38 PM - System Checkpoint RP33: 6/25/2009 6:16:18 PM - System Checkpoint ==== Installed Programs ====================== Adobe Flash Player 10 ActiveX Adobe Photoshop Elements 6.0 Adobe Reader 7.0.8 Adobe Shockwave Player Age of Empires III Age of Empires III - The Asian Dynasties Agere Systems 
PCI-SV92PP Soft Modem AIM 6 AiO_Scan AiO_Scan_CDA AiOSoftware AiOSoftwareNPI AOL Instant Messenger Apple Mobile Device Support Apple Software Update Bonjour BufferChm CameraDrivers Cognitive Tutor Cognitive Tutor Review Coupon Printer for Windows CP_AtenaShokunin1Config CP_CalendarTemplates1 cp_LightScribeConfig cp_OnlineProjectsConfig CP_Package_Basic1 CP_Package_Variety1 CP_Package_Variety2 CP_Package_Variety3 CP_Panorama1Config cp_PosterPrintConfig cp_UpdateProjectsConfig Critical Update for Windows Media Player 11 (KB959772) CueTour Destinations DeviceFunctionQFolder DeviceManagementQFolder DocProc DocumentViewer DocumentViewerQFolder Fax Fax_CDA Feeding Frenzy 2 Deluxe 1.0 FullDPAppQFolder GdiplusUpgrade Google Earth High Definition Audio Driver Package - KB888111 HijackThis 2.0.2 Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 10 (KB903157) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB952287) HP Boot Optimizer HP Deskjet 5400 series HP Deskjet Printer Preload HP DigitalMedia Archive HP Document Viewer 5.3 HP DVD Play 1.0 HP Image Zone Express HP Imaging Device Functions 6.0 HP Multimedia Keyboard Software HP Photosmart 330,380,420,470,7800,8000,8200 Series HP Photosmart Cameras 5.0 HP Photosmart for Media Center PC HP Photosmart Premier Software 6.0 HP PSC & OfficeJet 5.3.A HP PSC & OfficeJet 5.3.B HP Software Update HP Solution Center & Imaging Support Tools 5.3 HPDeskjet5400Series HPProductAssistant HpSdpAppCoreApp ImageMixer for HDD Camcorder Insaniquarium Deluxe 1.1 InstantShareDevices InterActual Player iPod for Windows 2005-10-12 iTunes J2SE Runtime Environment 5.0 Update 5 J2SE Runtime Environment 5.0 Update 6 KODAK EASYSHARE Gallery Upload ActiveX Control LightScribe 1.4.62.1 Malwarebytes' Anti-Malware Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft Away Mode Microsoft Compression Client Pack 1.0 for 
Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office 2003 Edition 60 Days Trial Welcome Tour Microsoft Office Standard Edition 2003 Microsoft Silverlight Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Works Move Networks Media Player for Internet Explorer MSN MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 Parser and SDK Netscape Browser (remove only) NewCopy NewCopy_CDA NVIDIA Drivers Octoshape add-in for Adobe Flash Player OptionalContentQFolder Otto PanoStandAlone PhotoGallery Plants vs. Zombies PS2 PSPrinters08 PSTAPlugin QuickTime RandMap Readme RealPlayer Realtek High Definition Audio Driver Scan ScannerCopy Security Update for Step By Step Interactive Training (KB898458) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Internet Explorer 7 (KB928090) Security Update for Windows Internet Explorer 7 (KB929969) Security Update for Windows Internet Explorer 7 (KB931768) Security Update for Windows Internet Explorer 7 (KB933566) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player 10 
(KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 10 (KB936782) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464-v2) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB970238) SkinsHP1 SolutionCenter 
Sonic_PrimoSDK Status The Sims
  10. Okay, when I get a minute I will do as you instructed. However, can I just uninstall Spybot - would that take care of Step 1 in your instructions?
  11. Okay - I ran combofix - however, I accidentally ran it with the Firewall on, so I ran it again after I disabled the firewall - I'll post both entries.
  THIS IS THE ONE WITH SCANNING DISABLED AND FIREWALL ENABLED:
  THIS IS THE ONE WITH SCANNING AND FIREWALL DISABLED:
  HERE IS THE HIJACK LOG
C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Trend Micro\Internet Security\TmProxy.exe C:\WINDOWS\explorer.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - 
HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM') O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user') O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user') O4 - Global Startup: AutorunsDisabled O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://phototeklc.lifepics.com/net/Uploader/LPUploader45.cab O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - 
http://lads.myspace.com/upload/MySpaceUploader1005.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://games.myspace.com/gameshell/games/c...h2.1.0.0.68.cab O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://myspace.oberon-media.com/gameshell/...tg.1.0.0.37.cab O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. 
- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 9023 bytes Hope someone can figure out if I really have this trojan.agent that malwarebytes finds and why my trend micro keeps blocking different items while MBAM is scanning... Thanks to all for your hard work!
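The two logs in the post above (ComboFix and HijackThis) are pasted as flat text, and the first thing a helper does with them is pick out the handful of entries worth a closer look. The script below is an added example by the editor; it is not code from any post on this page and not HijackThis's or ComboFix's own logic. It parses HijackThis-format entry lines and ComboFix service lines and flags the entry types that appear in the logs above: O4 autoruns launching from outside the Windows and Program Files trees, an O10 Winsock LSP file HijackThis cannot identify, O16 ActiveX controls installed from websites, an O18 filter entry whose file is gone, O23 services with "Unknown owner", and ComboFix service entries stamped `[?]` instead of a date and size (as with the rkrs driver above). The sample lines are constructed for the demo: most mirror entries in these logs, while the Temp-folder autorun is invented to show a hit. The trusted-root list and the flagging rules are the editor's assumptions, not verdicts from either tool, so a flagged line means "check it", not "remove it".

```python
import re
from dataclasses import dataclass

# --- HijackThis v2.0.2 entry lines ("O4 - ...", "O16 - ...") ----------------

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# A drive-letter path runs until a quote, a comma (rundll32's "dll,entry"),
# HijackThis's " (User '...')" suffix, or end of line.
PATH_RE = re.compile(r'[a-z]:\\.+?(?=[",]| \(User|$)', re.I)
# Assumed trusted roots for autoruns on an XP box (editor's assumption).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Entry:
    code: str   # "O4", "O16", ...
    body: str   # text after "O4 - "


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_hjt(text: str) -> list[Entry]:
    """Keep only R/F/O entry lines; the header and process list are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m["code"], m["body"]))
    return out


def paths_in(body: str) -> list[str]:
    return PATH_RE.findall(body)


def triage_hjt(entries: list[Entry]) -> list[Finding]:
    found = []
    for e in entries:
        if e.code == "O4":
            for p in paths_in(e.body):
                if not p.lower().startswith(TRUSTED_ROOTS):
                    found.append(Finding(e, f"autorun from an unusual location: {p}"))
        elif e.code == "O10":
            found.append(Finding(e, "Winsock LSP file HijackThis cannot identify; check its publisher before touching it"))
        elif e.code == "O16":
            found.append(Finding(e, "ActiveX control installed from a website (DPF); remove unless still needed"))
        elif e.code == "O18" and "(no file)" in e.body:
            found.append(Finding(e, "filter entry points at a file that no longer exists"))
        elif e.code == "O23" and "Unknown owner" in e.body:
            found.append(Finding(e, "service binary with no recognised publisher; verify its signature"))
    return found


# --- ComboFix service lines ("S0 name;display;path --> path [?]") ------------

SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: --> (?P<resolved>.+?))? \[(?P<stamp>[^\]]*)\]$"
)


def combofix_unstamped_services(text: str) -> list[tuple[str, str, str]]:
    """(start type, service name, path) for entries ComboFix stamped '[?]'."""
    hits = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and m["stamp"].strip() == "?":
            hits.append((m["start"], m["name"], m["path"]))
    return hits


# Constructed sample input modelled on the logs above; the "updater" line is invented.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svc.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://phototeklc.lifepics.com/net/Uploader/LPUploader45.cab
O18 - Filter hijack: text/html - {b981d0a2-4055-4699-b5ad-a568f3ef5b2c} - (no file)
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

SAMPLE_COMBOFIX = r"""R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [8/1/2008 11:43 AM 52624]
S0 rkrs;rkrs;c:\windows\system32\drivers\vkfzyvj.sys --> c:\windows\system32\drivers\vkfzyvj.sys [?]
"""

if __name__ == "__main__":
    for f in triage_hjt(parse_hjt(SAMPLE_HJT)):
        print(f"{f.entry.code}: {f.reason}\n    {f.entry.body}")
    for start, name, path in combofix_unstamped_services(SAMPLE_COMBOFIX):
        print(f"{start} service {name!r} has no file stamp: {path}")
```

Run it as-is to see the five HijackThis hits and the one ComboFix hit from the sample; to use it on a real log, read the file into `parse_hjt` and `combofix_unstamped_services` instead of the samples. Everything it prints is a prompt to look at the file (publisher, signature, whether it exists), not an instruction to delete.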
  12. I followed your link to the instructions on how to get Trend Micro to allow updates from MBAM. However, when I get to step 8, "Chose mbam.exe and click open ....." that is not a choice. The only thing showing up with a .exe is my name, daphne.exe, but it has a Malwarebytes logo beside my name. There are also several other Malwarebytes files, but none have .exe by them. Please instruct on what to do at this point.
  13. I first posted my message under this general forum several days ago. It's about my Malwarebytes finding Trojan.Agent but not deleting it upon reboot. My Trend Micro keeps blocking different suspicious activity from Malwarebytes while MBAM is scanning. Trend Micro does not find this trojan, only my Malwarebytes. After posting my initial message here, I was instructed to post my HijackThis log to that forum. I have done that but have still not received a reply to my posting under the HijackThis forum. I really need for someone to help me out here. By the way, I called a support person at Trend Micro and she tells me that the Trojan.Agent that Malwarebytes is finding is not anything malicious, that Malwarebytes needs to be uninstalled from my computer or my computer could crash. What's up with that? I don't know much about all this technical stuff, but I need HELP figuring out if I have some sort of trojan or virus that is collecting all my personal information while I'm waiting for Malwarebytes support people to help me! Thanks in advance to whoever is so kind as to look at my case!
  14. I am still waiting on a response from an Administrator! Below is my Hijack this log as requested.
  16. I had a topic on the general forum and was requested by administrators to post my HijackThis log: My Malwarebytes keeps finding Trojan.Agent and won't delete it upon reboot. Thanks in advance for any help getting rid of that nasty bug. Let me add again that during the Malwarebytes scan, my Trend Micro pops up several times saying it's blocking mbam.exe for suspicious activity.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:26 AM, on 6/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://phototeklc.lifepics.com/net/Uploader/LPUploader45.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://games.myspace.com/gameshell/games/c...h2.1.0.0.68.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://myspace.oberon-media.com/gameshell/...tg.1.0.0.37.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O18 - Filter hijack: text/html - {b981d0a2-4055-4699-b5ad-a568f3ef5b2c} - (no file)
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9177 bytes
  16. Thanks yardbird for your speedy reply... Here is my quick scan for the administrators to review. Please note that the registry data item infected says delete on reboot. However, after rebooting, it's still there. As I mentioned in my previous post, as Malwarebytes is scanning, I get several security pop-ups from my Trend Micro saying that Malwarebytes is trying to change registry files. One of the items from Trend Micro said it was trying to change file C:\Program Files\Trend Micro\Internet Security\USFeAgnt.exe; I'm not sure if that helps or if it's even relevant. Thanks in advance to anyone who can provide help getting rid of Trojan.Agent.

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

6/22/2009 4:16:16 AM
mbam-log-2009-06-22 (04-16-16).txt

Scan type: Quick Scan
Objects scanned: 106379
Time elapsed: 9 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  17. Hi, this is my first time using this site, so please be patient with me! After running a quick scan on Malwarebytes it showed that I had a registry key infected. It was named Trojan.Agent. However, something kind of suspicious showed up while I was running the scan. My Trend Micro kept popping up saying it was blocking high-risk changes that Malwarebytes was trying to make. So, I'm not sure what that is all about. Anyway, Malwarebytes said to reboot the computer to get rid of the trojan. I did that and it is still there. I need step-by-step directions on how to get rid of this trojan. Also, my Trend Micro log shows numerous denied actions and they are all from Malwarebytes; Trend Micro is reporting them as suspicious. Any help is greatly appreciated.