Malwarebytes does not find Total Security


jimmyo

Malwarebytes scan does not detect any problems, even though I am infected with Total Security. At first it found some files and I thought I was all good, but at reboot, Total Security showed up again. Now, all scans in both safe and normal modes don't find anything wrong. My functionality is OK at the moment, although I have to "kill" tsc.exe before doing anything.

I really appreciate any help you can give. I have even looked manually at all registries and disabled system restore prior to scanning. No luck :)

Here are the logs of HijackThis followed by Malwarebytes:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:33:53 PM, on 9/21/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

D:\SqueezeCenter\SqueezeTray.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

D:\SQUEEZ~1\server\SQUEEZ~1.EXE

C:\WINDOWS\system32\agrsmsvc.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

D:\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=A...00-01e&c=bb

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [bkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKCU\..\Run: [TS] C:\Program Files\TS\tsc.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: SqueezeCenter Tray Tool.lnk = D:\SqueezeCenter\SqueezeTray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe

O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe

O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe

O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: SqueezeMySQL - Unknown owner - D:\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe

--

End of file - 8648 bytes

Malwarebytes' Anti-Malware 1.41

Database version: 2839

Windows 5.1.2600 Service Pack 3

9/21/2009 5:32:22 PM

mbam-log-2009-09-21 (17-32-22).txt

Scan type: Quick Scan

Objects scanned: 107320

Time elapsed: 7 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Thanks so much for your help once again!

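The log above shows the pattern that makes this case awkward for a signature scan: the Malwarebytes quick scan (database 2839) reports nothing, yet the HijackThis O4 section still lists a per-user autostart entry, `[TS] C:\Program Files\TS\tsc.exe` under `HKCU\..\Run`, for the very process the poster has to kill by hand. A clean quick-scan result only means no loaded signature matched; it says nothing about an autostart entry the scanner has no signature for. The script below is an added example, not part of this thread and not a Malwarebytes or HijackThis feature: it parses the O4 lines copied from the posted log and flags the entries a helper would look at first, namely images that live outside the directories of software known to be on the machine and images given without any directory at all (those are resolved through the search path at logon). The allowlist of vendor directories is an assumption for illustration; on a real triage you would also check the file's publisher signature and hash.

```python
"""Triage HijackThis O4 (autostart) entries from a pasted log.

Added example, not part of the forum thread. The sample lines are copied
from the HijackThis log posted above; KNOWN_DIRS is an assumed allowlist
for this particular machine, not a HijackThis or Malwarebytes feature.
"""
import ntpath
import re

# Constructed sample input: O4 lines taken from the log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [bkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TS] C:\Program Files\TS\tsc.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: SqueezeCenter Tray Tool.lnk = D:\SqueezeCenter\SqueezeTray.exe
"""

# "O4 - HKLM\..\Run: [name] command line" and "O4 - Global Startup: x.lnk = target"
O4_REG_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>RunOnce|Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O4_STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$')

# Assumed allowlist: directories of software we know is installed on this box
# (Windows itself plus the vendors visible elsewhere in the posted log).
KNOWN_DIRS = (
    r'c:\windows',
    r'c:\program files\newtech infosystems',
    r"c:\program files\malwarebytes' anti-malware",
    r'c:\program files\superantispyware',
    r'd:\squeezecenter',
)


def extract_image(cmd):
    """Return the on-disk image a Run-key command line actually loads."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path; arguments follow the closing quote
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split(' ')
    if tokens[0].lower() in ('rundll32.exe', 'rundll32') and len(tokens) > 1:
        # rundll32 is only a host: the DLL named before the comma is the real payload
        return ' '.join(tokens[1:]).split(',', 1)[0]
    # unquoted path that may itself contain spaces: consume tokens until one ends in .exe
    for i, tok in enumerate(tokens):
        if tok.lower().endswith('.exe'):
            return ' '.join(tokens[:i + 1])
    return tokens[0]


def assess(image):
    """List the reasons an autostart image deserves a second look (empty = nothing odd)."""
    reasons = []
    directory, _basename = ntpath.split(image)
    if not directory:
        reasons.append('no directory given: resolved through the search path at logon')
        return reasons
    low = directory.lower()
    if not any(low == d or low.startswith(d + '\\') for d in KNOWN_DIRS):
        reasons.append('image outside known vendor directories: ' + directory)
    return reasons


def triage(log_text):
    """Parse every O4 line in a HijackThis log and attach triage reasons to each entry."""
    findings = []
    for line in log_text.splitlines():
        m = O4_REG_RE.match(line)
        if m:
            where = '%s\\..\\%s' % (m.group('hive'), m.group('key'))
        else:
            m = O4_STARTUP_RE.match(line)
            if not m:
                continue
            where = 'Startup folder'
        image = extract_image(m.group('cmd'))
        findings.append({'where': where, 'name': m.group('name'),
                         'image': image, 'reasons': assess(image)})
    return findings


def suspicious(log_text):
    """Only the entries that collected at least one reason."""
    return [f for f in triage(log_text) if f['reasons']]


if __name__ == '__main__':
    for f in suspicious(SAMPLE_LOG):
        print('%-12s [%s] %s' % (f['where'], f['name'], f['image']))
        for r in f['reasons']:
            print('    - ' + r)
```

Run against the sample, the script reports two entries: `[TS] C:\Program Files\TS\tsc.exe` (image in a directory nothing else on the machine uses) and `[nwiz] nwiz.exe /install` (no directory, so whatever `nwiz.exe` is found first on the search path gets run). The second is a legitimate NVIDIA helper on most systems, which is exactly the point of a triage list rather than a verdict: it tells the helper where to look, and the per-user `HKCU\..\Run` location of the `TS` entry is a reminder that persistence there needs no administrative rights to write.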

Second time posting this, as I had no replies after two days the first time... Please HELP!


This is my THIRD time posting... I have had no replies. I really want to get rid of the Total Security malware. HELP!!!!


  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


ComboFix seems to have removed the malware. Log as follows. Will also post a new HijackThis log in a little while. Thanks for your help. What recommendations do you have for an antivirus/malware program to prevent these infections? I was running the Symantec that came with the computer, but that did not catch it.

ComboFix 09-09-27.04 - James 09/28/2009 8:43.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.260 [GMT -4:00]

Running from: c:\documents and settings\James\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\James\LOCALS~1\Temp\pdk-James\054a515a11c7920cfc4d7faea7af4932\XS.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\0fdf6651ec58af7738a5f192a16308f3\WinError.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\12913763d8b9f06d2ca82771fcb306f1\Parser.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\14f8cfecb15e1c87916789ed739489ff\Expat.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\1c4c331123ae5269fbd179de68e18722\Socket.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\37dbb36b1afb4153f311e1937d13beb9\Win32.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\463172d63e5c347ebd2a2c9f3e30a769\Cwd.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\4698d6dad1d9192f189448cd2250e41c\Registry.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\480ac5427cb6705921c199c825f6feda\File.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\4e2f70cf514e42eb8319b6c42723ed06\Dumper.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\514f58c7649fa1fe7afd0239e90bf91d\SHA1.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\531074183cd92c8ee6e38095fed64379\Detector.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\563d7ead40b59c49009856a0b10f2014\Array.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\5665e9d91ffd5329b4b069811edd98e1\XS.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\5f4010392d26de2972604a5df777f946\perl58.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\619eb23c53abde1a9d9d6b8d81ccd746\Util.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\6b58dab08175faa9470d9b8f08345f77\Byte.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\6ecc81286663495601d2499da7def595\Zlib.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\776043a051266bed6315875a8a879b49\GD.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\804a82b53759189a7786eee16508a628\Unicode.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\8715287e64467664fda73ee36a680ad6\ReadKey.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\899240261dde99660e14431e6d8d1fe9\DBI.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\8d9ba91df5b696882e70aa59f4766acb\Storable.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\8ee7a6c9ed2bc0f12b37cc777e09a537\File.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\93e8018418e0dd3aeabcea5210c424d9\IO.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\95e9a2327e375c6b6f41bca6adf49352\Registry.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\9e11e8cf40c66b8d30f95ce783f2ac0b\Hostname.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\a507fccf2be25b878761a66bf411c201\mysql.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\ad76515ff4d1de346e3888790190a3c0\API.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\b1ef31ab16378a4b392b3d07f25c074a\Service.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\b2a041897a5d2e9486f60c2f6017af23\Peek.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\b44b56de153a5879c1b84993c5cdadfa\Shortcut.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\b5ac0b87ff26ec339558537436e82acd\HiRes.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\bbd2dcfa51103025d57caa776bc1047b\B.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\c0bb48510a66e6fdcb5936be6801222d\MD5.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\c147fa650a1a0662dceef2f7ea370a7d\List.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\c537490a8d5597db7ef38c63a14dd378\Base64.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\c92f1c7d4396f53f4c5d352e2bd8c9a9\Syck.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\cd6be9554293967a36ad1075b097a79b\OLE.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\e247dd11d21a2bfdb97ad0cdd295b32d\Encode.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\e51718032942dd5fb4b1590be1ec8d83\Process.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\ea8f9cce13d067ab0d898ca399b403ed\Fcntl.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\f101a1002e0deeff9062f440b4956f0f\FastCalc.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\fa142febd5dc53f93f911452e1a99387\Hebrew.dll

c:\docume~1\James\LOCALS~1\Temp\pdk-James\fb2e449d6244301907de33f5adebdb35\POSIX.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\054a515a11c7920cfc4d7faea7af4932\XS.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\0fdf6651ec58af7738a5f192a16308f3\WinError.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\12913763d8b9f06d2ca82771fcb306f1\Parser.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\14f8cfecb15e1c87916789ed739489ff\Expat.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\1c4c331123ae5269fbd179de68e18722\Socket.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\37dbb36b1afb4153f311e1937d13beb9\Win32.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\463172d63e5c347ebd2a2c9f3e30a769\Cwd.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\4698d6dad1d9192f189448cd2250e41c\Registry.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\480ac5427cb6705921c199c825f6feda\File.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\4e2f70cf514e42eb8319b6c42723ed06\Dumper.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\514f58c7649fa1fe7afd0239e90bf91d\SHA1.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\531074183cd92c8ee6e38095fed64379\Detector.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\563d7ead40b59c49009856a0b10f2014\Array.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\5665e9d91ffd5329b4b069811edd98e1\XS.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\5f4010392d26de2972604a5df777f946\perl58.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\619eb23c53abde1a9d9d6b8d81ccd746\Util.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\6b58dab08175faa9470d9b8f08345f77\Byte.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\6ecc81286663495601d2499da7def595\Zlib.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\776043a051266bed6315875a8a879b49\GD.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\804a82b53759189a7786eee16508a628\Unicode.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\8715287e64467664fda73ee36a680ad6\ReadKey.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\899240261dde99660e14431e6d8d1fe9\DBI.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\8d9ba91df5b696882e70aa59f4766acb\Storable.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\8ee7a6c9ed2bc0f12b37cc777e09a537\File.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\93e8018418e0dd3aeabcea5210c424d9\IO.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\95e9a2327e375c6b6f41bca6adf49352\Registry.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\9e11e8cf40c66b8d30f95ce783f2ac0b\Hostname.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\a507fccf2be25b878761a66bf411c201\mysql.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\ad76515ff4d1de346e3888790190a3c0\API.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\b1ef31ab16378a4b392b3d07f25c074a\Service.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\b2a041897a5d2e9486f60c2f6017af23\Peek.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\b44b56de153a5879c1b84993c5cdadfa\Shortcut.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\b5ac0b87ff26ec339558537436e82acd\HiRes.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\bbd2dcfa51103025d57caa776bc1047b\B.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\c0bb48510a66e6fdcb5936be6801222d\MD5.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\c147fa650a1a0662dceef2f7ea370a7d\List.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\c537490a8d5597db7ef38c63a14dd378\Base64.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\c92f1c7d4396f53f4c5d352e2bd8c9a9\Syck.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\cd6be9554293967a36ad1075b097a79b\OLE.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\e247dd11d21a2bfdb97ad0cdd295b32d\Encode.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\e51718032942dd5fb4b1590be1ec8d83\Process.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\ea8f9cce13d067ab0d898ca399b403ed\Fcntl.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\f101a1002e0deeff9062f440b4956f0f\FastCalc.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\fa142febd5dc53f93f911452e1a99387\Hebrew.dll

c:\documents and settings\James\Local Settings\Temp\pdk-James\fb2e449d6244301907de33f5adebdb35\POSIX.dll

c:\program files\TS\tsc.exe

c:\recycler\S-1-5-21-1314201555-3785290187-2462946864-1006

c:\windows\Installer\fa610.msp

c:\windows\system32\drivers\gasfkyqjwlhlqp.sys

c:\windows\system32\gasfkyfulnbmkf.dat

c:\windows\system32\gasfkytpdmwbyi.dll

c:\windows\system32\gasfkyvntfolwe.dat

c:\windows\system32\gasfkyxmwvbvma.dll

c:\windows\system32\uniq.tll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_gasfkyswqlrxmi

-------\Service_gasfkyswqlrxmi

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))

.

2009-09-22 15:21 . 2009-09-22 15:43 -------- d-----w- c:\documents and settings\James\Application Data\ICAClient

2009-09-22 15:21 . 2009-09-22 15:21 -------- d-----w- c:\program files\Citrix

2009-09-22 04:28 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-09-22 04:28 . 2009-09-22 04:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-22 04:28 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-09-22 04:28 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-09-22 04:27 . 2009-09-22 04:28 -------- d-----w- c:\program files\Common Files\PC Tools

2009-09-22 04:27 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-09-22 04:27 . 2009-09-22 04:28 -------- d-----w- c:\program files\Spyware Doctor

2009-09-22 04:27 . 2009-09-22 04:27 -------- d-----w- c:\documents and settings\James\Application Data\PC Tools

2009-09-22 04:27 . 2009-09-22 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-09-21 21:33 . 2009-09-21 21:33 -------- d-----w- c:\program files\Trend Micro

2009-09-21 21:24 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-21 21:24 . 2009-09-21 21:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-21 21:24 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-21 20:17 . 2009-09-21 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-09-21 20:17 . 2009-09-28 12:36 -------- d-----w- c:\documents and settings\James\Application Data\SUPERAntiSpyware.com

2009-09-21 20:17 . 2009-09-28 12:36 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-09-17 11:34 . 2009-09-17 11:34 -------- d-----w- C:\spoolerlogs

2009-09-17 08:27 . 2009-09-17 08:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-09-17 08:17 . 2009-09-17 08:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-09-13 23:41 . 2009-09-28 12:46 -------- d-----w- c:\program files\TS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-13 23:41 . 2008-11-16 06:18 61440 ----a-w- c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-15 07:03 . 2009-08-15 07:03 -------- d-----w- c:\program files\MSBuild

2009-08-15 07:03 . 2009-08-15 07:03 -------- d-----w- c:\program files\Reference Assemblies

2009-08-05 16:02 . 2009-08-01 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-08-05 16:02 . 2009-08-01 21:01 -------- d-----w- c:\program files\NOS

2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-12 16:21 . 2008-04-14 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-07 22:50 . 2008-12-03 01:37 506 ----a-w- c:\documents and settings\James\Application Data\wklnhst.dat

2009-07-03 17:09 . 2007-08-14 01:54 915456 ----a-w- c:\windows\system32\wininet.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-22 68856]

"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]

"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-22 24064]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-07-10 421888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-02-25 1626112]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

SqueezeCenter Tray Tool.lnk - d:\squeezecenter\SqueezeTray.exe [2008-11-29 1728601]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\SchedulerSvc.exe"=

"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\BackupSvc.exe"=

"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\Client\\Agentsvc.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp

"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp

"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/22/2009 12:28 AM 130936]

R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 4:11 PM 16384]

R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/7/2008 1:42 AM 50424]

S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/4/2008 6:03 AM 131072]

S2 SqueezeMySQL;SqueezeMySQL;d:\squeez~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> d:\squeez~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/22/2008 6:12 PM 24064]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/22/2009 12:27 AM 348752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - UBHELPER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=EL1200-01e&c=bb

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-TS - c:\program files\TS\tsc.exe

AddRemove-TS - c:\program files\TS\tsc.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-28 08:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\James\LOCALS~1\Temp\pdk-James\4e2f70cf514e42eb8319b6c42723ed06\Dumper.dll 28779 bytes executable

c:\docume~1\James\LOCALS~1\Temp\pdk-James\5f4010392d26de2972604a5df777f946\perl58.dll 802902 bytes executable

c:\docume~1\James\LOCALS~1\Temp\pdk-James\b1ef31ab16378a4b392b3d07f25c074a\Service.dll 24710 bytes executable

scan completed successfully

hidden files: 3

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2568)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\agrsmsvc.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\nvsvc32.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\system32\wscntfy.exe

d:\squeez~1\server\SQUEEZ~1.EXE

.

**************************************************************************

.

Completion time: 2009-09-28 8:51 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-28 12:51

Pre-Run: 62,818,930,688 bytes free

Post-Run: 62,873,833,472 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

280 --- E O F --- 2009-09-26 07:00
