
HiJackThis - Browsers Crashing on New Page



This is actually for my brother's computer which is a basic Dell E510 with 1 GB of RAM. I don't know the available hard drive space but it is more than enough. He has only used the smallest fraction of the available drive. The computer has an updated version of Windows XP Media Edition.

My brother started having problems with Firefox crashing. So, he tried Internet Explorer and found the same problem.

We've emptied all the Temp files for all profiles, we cleared the JAVA cache, we cleared Temporary Internet Files, and cleared the Recycle Bin. He ran several Trend Micro virus scans, and he has a program to scan for malware, which he ran several times without either finding anything significant.

He also ran an on-line scan from Trend Micro (HouseCall) that found nothing.

We also uninstalled and re-installed Mozilla Firefox several times. In addition, just to make sure, we uninstalled Google Toolbar and Yahoo Toolbar from both the computer and the browsers.

Either browser would start and load the home page fine (yahoo.com), but when you tried to go to a new webpage the browser would have a critical error and usually shut down, asking if you wanted to send an error message to the browser maker and whether you wanted to try to reload the original page.

To see if he could get to Trend Micro, which was one of the pages that kept crashing, he changed his Home Page to the Trend Micro home page, and it loaded fine, but when you tried to open a new tab or browser window, the page would crash.

I started the computer in Safe Mode with Networking, and we had a pop-up for PC Speed Maximizer, which was very suspicious especially in Safe Mode.

The computer seems to be working otherwise. The problem seems to be isolated to Firefox and IE. Also, the browsers seem to run fine in Safe Mode.

I checked the Start Up files (msconfig), and cleared anything that didn't appear necessary. I checked Processes and Services to see if I saw anything unusual, which I didn't.

The most suspicious aspect so far has been the Pop-Up in Safe Mode.

I had my brother download HiJackThis and create a Log File, hopefully someone will see something in there that could be causing the problem.

Again, though admittedly low on RAM, the computer works fine beyond the browser problem. It boots quickly considering the lack of RAM, and the computer itself never crashes (any more than any Windows computer).

If you need any other information or scans or Logs, just let me know and we will make it happen.

Thanks to all

Steve

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 5:03:39 PM, on 2/8/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\Program Files\Trend Micro\Internet Security\TmPfw.exe

C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll

O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S

O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by132fd.bay132.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181187932843

O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://207.177.24.26/activex/AMC.cab

O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--

End of file - 8987 bytes


Hello Steve! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on this.
  • Keep me informed about any changes.

I need a new log file.

Download DDS and save it to your desktop from here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Thanks, I'll get my brother to do that.

In the meantime, I have more news with more to follow.

My brother ran an AdAware scan, which found a TROJAN, though he didn't write down the full name of the Trojan virus. But he is running another scan and will get the name. Apparently AdAware couldn't remove the Trojan but offered to quarantine it.

The pop-up advertisements seem to run all the time now in Safe Mode and are serving up a variety of ads for what seem to be legitimate sites, though that doesn't mean you will get legitimate results if you click on them.

I'll have him download this other program you suggested and give it a run, then repost the logs.

As to the DDS.scr, I assume that is run from Windows? As in [START] -> [RUN] -> DDS.scr?

Thanks for your help.

Steve


> My brother ran an AdAware scan, which found a TROJAN, though he didn't write down the full name of the Trojan virus. But he is running another scan and will get the name. Apparently AdAware couldn't remove the Trojan but offered to quarantine it.

What is the name? Please don't run any scan while I work on your system.

> As to the DDS.scr, I assume that is run from Windows? As in [START] -> [RUN] -> DDS.scr?

Yes, you can.


A couple of questions -

1.) The enabling and disabling of Script Blocking, where is that done? Is that part of the Operating System, or would it be part of the Anti-virus/Firewall program?

2.) My brother ran DDS, and it says that one of the files should be zipped rather than embedded in a post. Is that necessary, or can I just post both text files as embedded text?

My brother will send me the Text files later, and I will post them.

Steve


> 1.) The enabling and disabling of Script Blocking, where is that done? Is that part of the Operating System, or would it be part of the Anti-virus/Firewall program?

It's part of your security software such as antivirus, firewall, etc. I don't think you will have a problem with that, so don't worry! :)

> 2.) My brother ran DDS, and it says that one of the files should be zipped rather than embedded in a post. Is that necessary, or can I just post both text files as embedded text?

Please don't zip and attach them; copy/paste will be easier for you and for me.


Nothing new to add other than my brother's computer seems to be going downhill.

As previously mentioned Adaware found - TROJAN.Win32.Generic!BT

Below are the Log files -

= = = = = = = = = = = = =

DDS.TXT

- - - - - - - - - - - - - - - - - - -

DDS (Ver_10-12-12.02) - NTFSx86

Run by glen at 11:42:02.79 on Thu 02/10/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.516 [GMT -6:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Trend Micro Internet Security Pro *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: *Disabled*

FW: Trend Micro Personal Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

svchost.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\ehome\ehtray .exe

C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe

C:\Program Files\Common Files\Java\Java Update\jusched .exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe

C:\Program Files\Trend Micro\Internet Security\TmPfw.exe

J:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S

uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm .exe" -startup

mRun: [ufSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: musicmatch.com\online

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by132fd.bay132.hotmail.msn.com/resources/MsnPUpld.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181187932843

DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - hxxp://www.trendmicro.com/spyware-scan/as4web.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://207.177.24.26/activex/AMC.cab

Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\glen\applic~1\mozilla\firefox\profiles\bbpmati1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.startup.homepage - www.trendmicro.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - component: c:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFTMUFEHelper.dll

FF - component: c:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFToolbarComm.dll

FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Trend Micro Toolbar: {22181a4d-af90-4ca3-a569-faed9118d6bc} - c:\program files\trend micro\trendsecure\tisprotoolbar\FirefoxExtension

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-2-8 64288]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1405384]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-7-29 36432]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-7-29 339984]

R3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2010-5-23 497008]

R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-5-23 689416]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15232]

S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-5-23 51792]

S4 gupdate1c985a2991e70f8;Google Update Service (gupdate1c985a2991e70f8);c:\program files\google\update\GoogleUpdate.exe [2009-2-2 133104]

=============== Created Last 30 ================

2011-02-09 01:22:54 -------- d-----w- c:\docume~1\glen\locals~1\applic~1\Sunbelt Software

2011-02-09 00:01:49 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-02-08 23:44:31 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-02-08 23:44:26 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-02-08 23:37:19 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2011-02-08 12:22:47 388096 ----a-r- c:\docume~1\glen\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-02-07 02:38:13 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-07 02:38:13 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

==================== Find3M ====================

2011-02-07 23:17:28 56 --sh--r- c:\windows\system32\9E14A0CACB.sys

2011-02-07 23:17:28 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-12 22:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST3808110AS rev.3.ADH -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-17

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8712185C]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87127a38]; MOV EAX, [0x87127ab4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8717DAB8]

3 CLASSPNP[0xF7592FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x870AB030]

\Driver\atapi[0x8718B948] -> IRP_MJ_CREATE -> 0x8712185C

kernel: MBR read successfully

_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }

detected disk devices:

\Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskST3808110AS_____________________________3.ADH___#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x871216A2

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

============= FINISH: 11:44:16.03 ===============

= = = = = = = = = = = = = =

ATTACH.TXT

- - - - - - - - - - - - - - - - - - - -

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 6/4/2006 5:33:36 PM

System Uptime: 2/10/2011 11:38:57 AM (0 hours ago)

Motherboard: Dell Inc. | | 0HJ054

Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 70 GiB total, 49.457 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP884: 11/12/2010 6:56:45 PM - System Checkpoint

RP885: 11/13/2010 7:09:17 PM - System Checkpoint

RP886: 11/14/2010 7:37:41 PM - System Checkpoint

RP887: 11/15/2010 7:42:13 PM - System Checkpoint

RP888: 11/16/2010 7:45:06 PM - System Checkpoint

RP889: 11/18/2010 5:20:52 PM - System Checkpoint

RP890: 11/19/2010 5:41:12 PM - System Checkpoint

RP891: 11/21/2010 2:56:25 PM - System Checkpoint

RP892: 11/22/2010 4:46:34 PM - System Checkpoint

RP893: 11/23/2010 4:50:51 PM - System Checkpoint

RP894: 11/24/2010 7:13:59 PM - System Checkpoint

RP895: 11/26/2010 2:44:12 PM - System Checkpoint

RP896: 11/28/2010 9:01:16 AM - System Checkpoint

RP897: 11/29/2010 5:09:03 PM - System Checkpoint

RP898: 11/30/2010 7:05:18 PM - System Checkpoint

RP899: 12/1/2010 7:49:39 PM - System Checkpoint

RP900: 12/3/2010 5:34:56 PM - System Checkpoint

RP901: 12/6/2010 4:08:32 PM - System Checkpoint

RP902: 12/8/2010 4:12:16 PM - System Checkpoint

RP903: 12/9/2010 6:27:23 PM - System Checkpoint

RP904: 12/10/2010 7:09:43 PM - System Checkpoint

RP905: 12/12/2010 6:44:00 AM - System Checkpoint

RP906: 12/13/2010 5:09:59 PM - System Checkpoint

RP907: 12/14/2010 5:28:49 PM - System Checkpoint

RP908: 12/15/2010 5:28:57 PM - System Checkpoint

RP909: 12/15/2010 9:44:51 PM - Software Distribution Service 3.0

RP910: 12/17/2010 5:55:19 PM - System Checkpoint

RP911: 12/18/2010 6:11:32 PM - System Checkpoint

RP912: 12/20/2010 5:57:08 PM - System Checkpoint

RP913: 12/21/2010 6:14:24 PM - System Checkpoint

RP914: 12/22/2010 6:49:55 PM - System Checkpoint

RP915: 12/25/2010 2:21:03 AM - System Checkpoint

RP916: 12/26/2010 7:54:44 AM - System Checkpoint

RP917: 12/27/2010 10:33:53 AM - System Checkpoint

RP918: 12/28/2010 4:43:03 PM - System Checkpoint

RP919: 12/29/2010 8:30:59 PM - System Checkpoint

RP920: 12/31/2010 11:57:47 AM - System Checkpoint

RP921: 1/1/2011 2:49:08 PM - System Checkpoint

RP922: 1/3/2011 5:10:21 PM - System Checkpoint

RP923: 1/4/2011 5:49:32 PM - System Checkpoint

RP924: 1/5/2011 6:03:47 PM - System Checkpoint

RP925: 1/7/2011 5:05:50 PM - System Checkpoint

RP926: 1/8/2011 8:33:07 PM - System Checkpoint

RP927: 1/9/2011 8:44:59 PM - System Checkpoint

RP928: 1/11/2011 4:27:49 PM - System Checkpoint

RP929: 1/12/2011 5:21:39 PM - System Checkpoint

RP930: 1/12/2011 7:30:48 PM - Software Distribution Service 3.0

RP931: 1/13/2011 7:51:59 PM - System Checkpoint

RP932: 1/15/2011 8:12:22 AM - System Checkpoint

RP933: 1/16/2011 10:18:37 AM - System Checkpoint

RP934: 1/17/2011 4:14:51 PM - System Checkpoint

RP935: 1/18/2011 5:12:43 PM - System Checkpoint

RP936: 1/19/2011 5:24:51 PM - System Checkpoint

RP937: 1/20/2011 11:39:09 PM - System Checkpoint

RP938: 1/22/2011 6:17:57 PM - System Checkpoint

RP939: 1/23/2011 6:35:40 PM - System Checkpoint

RP940: 1/24/2011 6:48:22 PM - System Checkpoint

RP941: 1/25/2011 6:52:06 PM - System Checkpoint

RP942: 1/27/2011 4:51:17 PM - System Checkpoint

RP943: 1/28/2011 5:21:42 PM - System Checkpoint

RP944: 1/29/2011 6:43:40 PM - System Checkpoint

RP945: 1/30/2011 7:36:10 PM - System Checkpoint

RP946: 1/31/2011 7:56:47 PM - System Checkpoint

RP947: 2/3/2011 4:54:52 PM - System Checkpoint

RP948: 2/4/2011 5:51:41 PM - System Checkpoint

RP949: 2/6/2011 8:37:31 PM - Installed Java 6 Update 23

RP950: 2/7/2011 11:47:49 AM - Restore Operation

RP951: 2/7/2011 4:57:57 PM - Removed NetZeroInstallers

RP952: 2/7/2011 5:03:01 PM - Removed URGE

RP953: 2/7/2011 5:04:50 PM - Removed Get High Speed Internet!

RP954: 2/7/2011 5:05:22 PM - Removed Internet Service Offers Launcher

RP955: 2/7/2011 5:19:53 PM - Removed NetWaiting

RP956: 2/8/2011 6:22:42 AM - Installed HiJackThis

RP957: 2/8/2011 7:33:05 PM - Restore Operation

RP958: 2/9/2011 8:07:46 PM - System Checkpoint

==== Installed Programs ======================

Ad-Aware

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Photoshop Elements 2.0

Adobe Reader 8.1.4

Adobe Shockwave Player 11

Adobe


Good, now I know what your problem is. :)

Step 1

Disable the Ad-Watch module, part of Ad-Aware:

http://www.bleepingcomputer.com/forums/top...post__p__649847

Step 2

I also see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Step 3

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; choose it.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

In your next reply, please post these log(s):

  1. TDSSKiller log
  2. a new fresh DDS log only

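The diagnosis in the post above comes from reading the DDS header and the Pseudo HJT Report by eye: two antivirus products registered side by side, registry entries that point to files that no longer exist, and ActiveX (DPF) controls fetched from odd places. As an added example (not code from this thread, from DDS, or from HijackThis), the following Python script parses those two sections of a DDS log and returns the things a triager checks first. The sample input is constructed from lines in the shape of the DDS logs posted in this thread; the three heuristics (more than one AV product registered, "No File" orphan entries, DPF controls downloaded from a bare IP address) are general triage checks and are my choice, not the helper's stated method.

```python
import re
from typing import Dict, List

# Constructed sample input: lines in the shape of the DDS logs posted in this
# thread (the AV:/FW: header and the "Pseudo HJT Report" section). DDS writes
# "hxxp" instead of "http" so that pasted URLs are not clickable.
SAMPLE_DDS = r"""
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Trend Micro Internet Security Pro *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: *Disabled*
FW: Trend Micro Personal Firewall *Enabled*
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://207.177.24.26/activex/AMC.cab
================= FIREFOX ===================
FF - prefs.js: browser.startup.homepage - www.trendmicro.com
"""

# "AV: <product> *<state>* {<guid>}"; the product name may be empty ("FW: *Disabled*").
PRODUCT_LINE = re.compile(r"^(?P<kind>AV|FW): (?P<name>.*?)\s*\*(?P<state>[^*]+)\*")
# "<kind>: <rest>" entries inside the Pseudo HJT Report section (BHO:, TB:, uRun:, DPF:, ...).
HJT_LINE = re.compile(r"^(?P<kind>[A-Za-z]+): (?P<rest>.*)$")
# A defanged URL whose host is a dotted-quad IP rather than a hostname.
BARE_IP_URL = re.compile(r"^hxxps?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def security_products(text: str) -> List[Dict[str, str]]:
    """Every AV:/FW: header line as {kind, name, state}."""
    found = []
    for line in text.splitlines():
        m = PRODUCT_LINE.match(line)
        if m:
            found.append({"kind": m["kind"], "name": m["name"] or "(unnamed)", "state": m["state"]})
    return found


def hjt_section(text: str) -> List[str]:
    """Non-empty lines between the 'Pseudo HJT Report' banner and the next banner."""
    lines, inside = [], False
    for line in text.splitlines():
        if "Pseudo HJT Report" in line:
            inside = True
            continue
        if inside and line.startswith("==="):
            break
        if inside and line.strip():
            lines.append(line)
    return lines


def _enabled(products: List[Dict[str, str]]) -> List[str]:
    return [p["name"] for p in products if p["state"].startswith("Enabled")]


def triage(text: str) -> Dict[str, object]:
    """Summarise the DDS header and HJT section into the checks a triager wants first."""
    products = security_products(text)
    av = [p for p in products if p["kind"] == "AV"]
    fw = [p for p in products if p["kind"] == "FW"]
    orphaned, bare_ip = [], []
    for line in hjt_section(text):
        m = HJT_LINE.match(line)
        if not m:
            continue  # "uStart Page = ..." style lines are not entries
        if m["rest"].endswith("No File"):
            orphaned.append(line)  # registry entry whose target file is gone
        if m["kind"] == "DPF":
            url = m["rest"].rsplit(" - ", 1)[-1]
            if BARE_IP_URL.match(url):
                bare_ip.append(url)  # ActiveX control downloaded from a bare IP
    return {
        "av_registered": [p["name"] for p in av],
        "av_enabled": _enabled(av),
        "fw_enabled": _enabled(fw),
        "multiple_av_registered": len(av) > 1,  # competing real-time scanners
        "orphaned_entries": orphaned,
        "dpf_from_bare_ip": bare_ip,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

On the sample the script reports one enabled AV product but three registered, which is the leftover-product situation the helper addresses by disabling Ad-Watch; the three "No File" entries are harmless leftovers worth cleaning, and the single DPF control from a bare IP is the entry to look up before deciding whether it belongs on the machine.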

My brother ran the instructions you gave and here is the result. Only one infection was found.

Thanks for the help.

= = = = = = = = = = = = = = = = =

TDSS Killer Log file

- - - - - - - - - - - - - - - - -

2011/02/12 12:22:27.0484 2708 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20

2011/02/12 12:22:27.0515 2708 ================================================================================

2011/02/12 12:22:27.0515 2708 SystemInfo:

2011/02/12 12:22:27.0515 2708

2011/02/12 12:22:27.0515 2708 OS Version: 5.1.2600 ServicePack: 3.0

2011/02/12 12:22:27.0515 2708 Product type: Workstation

2011/02/12 12:22:27.0515 2708 ComputerName: D5C3H2B1

2011/02/12 12:22:27.0515 2708 UserName: glen

2011/02/12 12:22:27.0515 2708 Windows directory: C:\WINDOWS

2011/02/12 12:22:27.0515 2708 System windows directory: C:\WINDOWS

2011/02/12 12:22:27.0515 2708 Processor architecture: Intel x86

2011/02/12 12:22:27.0515 2708 Number of processors: 2

2011/02/12 12:22:27.0515 2708 Page size: 0x1000

2011/02/12 12:22:27.0515 2708 Boot type: Normal boot

2011/02/12 12:22:27.0515 2708 ================================================================================

2011/02/12 12:22:27.0765 2708 Initialize success

= = = = = = = = = = = = = = = = = =

= = = = = = = = = = = = = = = = = =

DDS-2.txt

- - - - - - - - - - - - - - - - - -

DDS (Ver_10-12-12.02) - NTFSx86

Run by glen at 12:24:37.09 on Sat 02/12/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.561 [GMT -6:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Trend Micro Internet Security Pro *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: *Disabled*

FW: Trend Micro Personal Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

svchost.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray .exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Common Files\Java\Java Update\jusched .exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe

C:\Program Files\Trend Micro\Internet Security\TmPfw.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

J:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S

uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm .exe" -startup

mRun: [ufSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: musicmatch.com\online

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by132fd.bay132.hotmail.msn.com/resources/MsnPUpld.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181187932843

DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - hxxp://www.trendmicro.com/spyware-scan/as4web.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://207.177.24.26/activex/AMC.cab

Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\glen\applic~1\mozilla\firefox\profiles\bbpmati1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.startup.homepage - www.trendmicro.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - component: c:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFTMUFEHelper.dll

FF - component: c:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFToolbarComm.dll

FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Trend Micro Toolbar: {22181a4d-af90-4ca3-a569-faed9118d6bc} - c:\program files\trend micro\trendsecure\tisprotoolbar\FirefoxExtension

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-2-8 64288]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-7-29 36432]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-7-29 339984]

R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-5-23 51792]

R3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2010-5-23 497008]

R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-5-23 689416]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1405384]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15232]

S4 gupdate1c985a2991e70f8;Google Update Service (gupdate1c985a2991e70f8);c:\program files\google\update\GoogleUpdate.exe [2009-2-2 133104]

=============== Created Last 30 ================

2011-02-09 01:22:54 -------- d-----w- c:\docume~1\glen\locals~1\applic~1\Sunbelt Software

2011-02-09 00:01:49 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-02-08 23:44:31 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-02-08 23:44:26 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-02-08 23:37:19 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2011-02-08 12:22:47 388096 ----a-r- c:\docume~1\glen\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-02-07 02:38:13 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-07 02:38:13 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

==================== Find3M ====================

2011-02-07 23:17:28 56 --sh--r- c:\windows\system32\9E14A0CACB.sys

2011-02-07 23:17:28 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

============= FINISH: 12:28:15.34 ===============

= = = = = = = = = = = = = = = = = =

ATTACH-2.txt

- - - - - - - - - - - - - - - - - -

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 6/4/2006 5:33:36 PM

System Uptime: 2/12/2011 12:19:05 PM (0 hours ago)

Motherboard: Dell Inc. | | 0HJ054

Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 70 GiB total, 49.456 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP884: 11/12/2010 6:56:45 PM - System Checkpoint

RP885: 11/13/2010 7:09:17 PM - System Checkpoint

RP886: 11/14/2010 7:37:41 PM - System Checkpoint

RP887: 11/15/2010 7:42:13 PM - System Checkpoint

RP888: 11/16/2010 7:45:06 PM - System Checkpoint

RP889: 11/18/2010 5:20:52 PM - System Checkpoint

RP890: 11/19/2010 5:41:12 PM - System Checkpoint

RP891: 11/21/2010 2:56:25 PM - System Checkpoint

RP892: 11/22/2010 4:46:34 PM - System Checkpoint

RP893: 11/23/2010 4:50:51 PM - System Checkpoint

RP894: 11/24/2010 7:13:59 PM - System Checkpoint

RP895: 11/26/2010 2:44:12 PM - System Checkpoint

RP896: 11/28/2010 9:01:16 AM - System Checkpoint

RP897: 11/29/2010 5:09:03 PM - System Checkpoint

RP898: 11/30/2010 7:05:18 PM - System Checkpoint

RP899: 12/1/2010 7:49:39 PM - System Checkpoint

RP900: 12/3/2010 5:34:56 PM - System Checkpoint

RP901: 12/6/2010 4:08:32 PM - System Checkpoint

RP902: 12/8/2010 4:12:16 PM - System Checkpoint

RP903: 12/9/2010 6:27:23 PM - System Checkpoint

RP904: 12/10/2010 7:09:43 PM - System Checkpoint

RP905: 12/12/2010 6:44:00 AM - System Checkpoint

RP906: 12/13/2010 5:09:59 PM - System Checkpoint

RP907: 12/14/2010 5:28:49 PM - System Checkpoint

RP908: 12/15/2010 5:28:57 PM - System Checkpoint

RP909: 12/15/2010 9:44:51 PM - Software Distribution Service 3.0

RP910: 12/17/2010 5:55:19 PM - System Checkpoint

RP911: 12/18/2010 6:11:32 PM - System Checkpoint

RP912: 12/20/2010 5:57:08 PM - System Checkpoint

RP913: 12/21/2010 6:14:24 PM - System Checkpoint

RP914: 12/22/2010 6:49:55 PM - System Checkpoint

RP915: 12/25/2010 2:21:03 AM - System Checkpoint

RP916: 12/26/2010 7:54:44 AM - System Checkpoint

RP917: 12/27/2010 10:33:53 AM - System Checkpoint

RP918: 12/28/2010 4:43:03 PM - System Checkpoint

RP919: 12/29/2010 8:30:59 PM - System Checkpoint

RP920: 12/31/2010 11:57:47 AM - System Checkpoint

RP921: 1/1/2011 2:49:08 PM - System Checkpoint

RP922: 1/3/2011 5:10:21 PM - System Checkpoint

RP923: 1/4/2011 5:49:32 PM - System Checkpoint

RP924: 1/5/2011 6:03:47 PM - System Checkpoint

RP925: 1/7/2011 5:05:50 PM - System Checkpoint

RP926: 1/8/2011 8:33:07 PM - System Checkpoint

RP927: 1/9/2011 8:44:59 PM - System Checkpoint

RP928: 1/11/2011 4:27:49 PM - System Checkpoint

RP929: 1/12/2011 5:21:39 PM - System Checkpoint

RP930: 1/12/2011 7:30:48 PM - Software Distribution Service 3.0

RP931: 1/13/2011 7:51:59 PM - System Checkpoint

RP932: 1/15/2011 8:12:22 AM - System Checkpoint

RP933: 1/16/2011 10:18:37 AM - System Checkpoint

RP934: 1/17/2011 4:14:51 PM - System Checkpoint

RP935: 1/18/2011 5:12:43 PM - System Checkpoint

RP936: 1/19/2011 5:24:51 PM - System Checkpoint

RP937: 1/20/2011 11:39:09 PM - System Checkpoint

RP938: 1/22/2011 6:17:57 PM - System Checkpoint

RP939: 1/23/2011 6:35:40 PM - System Checkpoint

RP940: 1/24/2011 6:48:22 PM - System Checkpoint

RP941: 1/25/2011 6:52:06 PM - System Checkpoint

RP942: 1/27/2011 4:51:17 PM - System Checkpoint

RP943: 1/28/2011 5:21:42 PM - System Checkpoint

RP944: 1/29/2011 6:43:40 PM - System Checkpoint

RP945: 1/30/2011 7:36:10 PM - System Checkpoint

RP946: 1/31/2011 7:56:47 PM - System Checkpoint

RP947: 2/3/2011 4:54:52 PM - System Checkpoint

RP948: 2/4/2011 5:51:41 PM - System Checkpoint

RP949: 2/6/2011 8:37:31 PM - Installed Java 6 Update 23

RP950: 2/7/2011 11:47:49 AM - Restore Operation

RP951: 2/7/2011 4:57:57 PM - Removed NetZeroInstallers

RP952: 2/7/2011 5:03:01 PM - Removed URGE

RP953: 2/7/2011 5:04:50 PM - Removed Get High Speed Internet!

RP954: 2/7/2011 5:05:22 PM - Removed Internet Service Offers Launcher

RP955: 2/7/2011 5:19:53 PM - Removed NetWaiting

RP956: 2/8/2011 6:22:42 AM - Installed HiJackThis

RP957: 2/8/2011 7:33:05 PM - Restore Operation

RP958: 2/9/2011 8:07:46 PM - System Checkpoint

==== Installed Programs ======================

Ad-Aware

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Photoshop Elements 2.0

Adobe Reader 8.1.4

Adobe Shockwave Player 11

Adobe


My brother ran the instructions you gave and here is the result. Only one infection was found.

One, but just what we need. :) Steve, I need the DDS log file only; I don't need Attach.txt anymore, thanks!

  • Launch Malwarebytes' Anti-Malware.
  • Go to the Update tab and select Check for Updates.
  • Go to the Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, please post the following logs:

  • Malwarebytes' Anti-Malware log
  • a new fresh DDS log only


Here are the latest MalwareBytes Anti-Malware and DDS logs.

Thanks for your help.

Steve

= = = = = = = = = = = = = = = = = = = =

MalwareBytes LOG

- - - - - - - - - - - - - - - - - - - -

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5750

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/12/2011 5:32:01 PM

mbam-log-2011-02-12 (17-32-01).txt

Scan type: Quick scan

Objects scanned: 163685

Time elapsed: 13 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

= = = = = = = = = = = = = = = = = = = =

= = = = = = = = = = = = = = = = = = = =

DDS.txt LOG

- - - - - - - - - - - - - - - - - - - -

DDS (Ver_10-12-12.02) - NTFSx86

Run by glen at 17:40:15.11 on Sat 02/12/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.547 [GMT -6:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Trend Micro Internet Security Pro *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: *Disabled*

FW: Trend Micro Personal Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

svchost.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

svchost.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray .exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe

C:\Program Files\Trend Micro\Internet Security\TmPfw.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

J:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S

uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm .exe" -startup

mRun: [ufSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: musicmatch.com\online

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by132fd.bay132.hotmail.msn.com/resources/MsnPUpld.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181187932843

DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - hxxp://www.trendmicro.com/spyware-scan/as4web.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://207.177.24.26/activex/AMC.cab

Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\glen\applic~1\mozilla\firefox\profiles\bbpmati1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.startup.homepage - www.trendmicro.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - component: c:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFTMUFEHelper.dll

FF - component: c:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFToolbarComm.dll

FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Trend Micro Toolbar: {22181a4d-af90-4ca3-a569-faed9118d6bc} - c:\program files\trend micro\trendsecure\tisprotoolbar\FirefoxExtension

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-2-8 64288]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-7-29 36432]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-7-29 339984]

R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-5-23 51792]

R3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2010-5-23 497008]

R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-5-23 689416]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1405384]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15232]

S4 gupdate1c985a2991e70f8;Google Update Service (gupdate1c985a2991e70f8);c:\program files\google\update\GoogleUpdate.exe [2009-2-2 133104]

=============== Created Last 30 ================

2011-02-09 01:22:54 -------- d-----w- c:\docume~1\glen\locals~1\applic~1\Sunbelt Software

2011-02-09 00:01:49 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-02-08 23:44:31 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-02-08 23:44:26 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-02-08 23:37:19 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2011-02-08 12:22:47 388096 ----a-r- c:\docume~1\glen\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-02-07 02:38:13 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-07 02:38:13 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

==================== Find3M ====================

2011-02-07 23:17:28 56 --sh--r- c:\windows\system32\9E14A0CACB.sys

2011-02-07 23:17:28 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

============= FINISH: 17:43:56.98 ===============


**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    ----------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Thanks again for all the help. I think/hope we are getting close to a resolution.

Here are the latest logs from my brother.

Thanks again.

Steve

= = = = = = = = = = = = = = = = = = = =

ComboFix Log

- - - - - - - - - - - - - - - - - - - -

ComboFix 11-02-13.03 - glen 02/14/2011 15:45:22.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.565 [GMT -6:00]

Running from: J:\Combo-Fix.exe

AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Trend Micro Internet Security Pro *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FW: Trend Micro Personal Firewall *Enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\glen\Local Settings\Temporary Internet Files\B05nK6k3.jpg

c:\documents and settings\glen\Local Settings\Temporary Internet Files\L0KY86.jpg

c:\documents and settings\glen\Local Settings\Temporary Internet Files\qm6g124e.jpg

c:\documents and settings\glen\Local Settings\Temporary Internet Files\WsPT7.jpg

c:\program files\QuickTime\qttask.exe

c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

c:\windows\system32\service

c:\windows\system32\service\01042009_TIS17_SfFniAU.log

c:\windows\system32\service\01052009_TIS17_SfFniAU.log

c:\windows\system32\service\01062010_TIS17_SfFniAU.log

c:\windows\system32\service\01112010_TIS17_SfFniAU.log

c:\windows\system32\service\02012011_TIS17_SfFniAU.log

c:\windows\system32\service\02022011_TIS17_SfFniAU.log

c:\windows\system32\service\02042010_TIS17_SfFniAU.log

c:\windows\system32\service\02062010_TIS17_SfFniAU.log

c:\windows\system32\service\03032009_TIS17_SfFniAU.log

c:\windows\system32\service\03082010_TIS17_SfFniAU.log

c:\windows\system32\service\03092010_TIS17_SfFniAU.log

c:\windows\system32\service\03112010_TIS17_SfFniAU.log

c:\windows\system32\service\04062009_TIS17_SfFniAU.log

c:\windows\system32\service\05022009_TIS17_SfFniAU.log

c:\windows\system32\service\05062010_TIS17_SfFniAU.log

c:\windows\system32\service\05092010_TIS17_SfFniAU.log

c:\windows\system32\service\05102009_TIS17_SfFniAU.log

c:\windows\system32\service\05112010_TIS17_SfFniAU.log

c:\windows\system32\service\06012010_TIS17_SfFniAU.log

c:\windows\system32\service\06022011_TIS17_SfFniAU.log

c:\windows\system32\service\06032010_TIS17_SfFniAU.log

c:\windows\system32\service\06062010_TIS17_SfFniAU.log

c:\windows\system32\service\06092010_TIS17_SfFniAU.log

c:\windows\system32\service\06102010_TIS17_SfFniAU.log

c:\windows\system32\service\06112009_TIS17_SfFniAU.log

c:\windows\system32\service\06112010_TIS17_SfFniAU.log

c:\windows\system32\service\07022011_TIS17_SfFniAU.log

c:\windows\system32\service\07032009_TIS17_SfFniAU.log

c:\windows\system32\service\07042010_TIS17_SfFniAU.log

c:\windows\system32\service\08042009_TIS17_SfFniAU.log

c:\windows\system32\service\08052009_TIS17_SfFniAU.log

c:\windows\system32\service\08062009_TIS17_SfFniAU.log

c:\windows\system32\service\08092010_TIS17_SfFniAU.log

c:\windows\system32\service\08102009_TIS17_SfFniAU.log

c:\windows\system32\service\08122009_TIS17_SfFniAU.log

c:\windows\system32\service\09042009_TIS17_SfFniAU.log

c:\windows\system32\service\09072010_TIS17_SfFniAU.log

c:\windows\system32\service\09112010_TIS17_SfFniAU.log

c:\windows\system32\service\10092010_TIS17_SfFniAU.log

c:\windows\system32\service\10112010_TIS17_SfFniAU.log

c:\windows\system32\service\10122009_TIS17_SfFniAU.log

c:\windows\system32\service\11052010_TIS17_SfFniAU.log

c:\windows\system32\service\11062010_TIS17_SfFniAU.log

c:\windows\system32\service\12032009_TIS17_SfFniAU.log

c:\windows\system32\service\12062010_TIS17_SfFniAU.log

c:\windows\system32\service\12082010_TIS17_SfFniAU.log

c:\windows\system32\service\12092010_TIS17_SfFniAU.log

c:\windows\system32\service\13052010_TIS17_SfFniAU.log

c:\windows\system32\service\13072009_TIS17_SfFniAU.log

c:\windows\system32\service\14012010_TIS17_SfFniAU.log

c:\windows\system32\service\14062010_TIS17_SfFniAU.log

c:\windows\system32\service\14102010_TIS17_SfFniAU.log

c:\windows\system32\service\15062010_TIS17_SfFniAU.log

c:\windows\system32\service\15072010_TIS17_SfFniAU.log

c:\windows\system32\service\15102009_TIS17_SfFniAU.log

c:\windows\system32\service\16072009_TIS17_SfFniAU.log

c:\windows\system32\service\16092009_TIS17_SfFniAU.log

c:\windows\system32\service\17012011_TIS17_SfFniAU.log

c:\windows\system32\service\17042009_TIS17_SfFniAU.log

c:\windows\system32\service\17042010_TIS17_SfFniAU.log

c:\windows\system32\service\17072010_TIS17_SfFniAU.log

c:\windows\system32\service\17112010_TIS17_SfFniAU.log

c:\windows\system32\service\18072009_TIS17_SfFniAU.log

c:\windows\system32\service\18082010_TIS17_SfFniAU.log

c:\windows\system32\service\18092010_TIS17_SfFniAU.log

c:\windows\system32\service\18102010_TIS17_SfFniAU.log

c:\windows\system32\service\19032009_TIS17_SfFniAU.log

c:\windows\system32\service\19052010_TIS17_SfFniAU.log

c:\windows\system32\service\19082010_TIS17_SfFniAU.log

c:\windows\system32\service\19122010_TIS17_SfFniAU.log

c:\windows\system32\service\20092009_TIS17_SfFniAU.log

c:\windows\system32\service\20102010_TIS17_SfFniAU.log

c:\windows\system32\service\21042009_TIS17_SfFniAU.log

c:\windows\system32\service\21062010_TIS17_SfFniAU.log

c:\windows\system32\service\21072010_TIS17_SfFniAU.log

c:\windows\system32\service\21092010_TIS17_SfFniAU.log

c:\windows\system32\service\21112009_TIS17_SfFniAU.log

c:\windows\system32\service\21112010_TIS17_SfFniAU.log

c:\windows\system32\service\22012011_TIS17_SfFniAU.log

c:\windows\system32\service\22072010_TIS17_SfFniAU.log

c:\windows\system32\service\22082010_TIS17_SfFniAU.log

c:\windows\system32\service\22122010_TIS17_SfFniAU.log

c:\windows\system32\service\23012009_TIS17_SfFniAU.log

c:\windows\system32\service\23062010_TIS17_SfFniAU.log

c:\windows\system32\service\23072010_TIS17_SfFniAU.log

c:\windows\system32\service\23082010_TIS17_SfFniAU.log

c:\windows\system32\service\23092010_TIS17_SfFniAU.log

c:\windows\system32\service\23122010_TIS17_SfFniAU.log

c:\windows\system32\service\24032010_TIS17_SfFniAU.log

c:\windows\system32\service\24052009_TIS17_SfFniAU.log

c:\windows\system32\service\24052010_TIS17_SfFniAU.log

c:\windows\system32\service\24112009_TIS17_SfFniAU.log

c:\windows\system32\service\24112010_TIS17_SfFniAU.log

c:\windows\system32\service\24122008_TIS17_SfFniAU.log

c:\windows\system32\service\25042009_TIS17_SfFniAU.log

c:\windows\system32\service\25112009_TIS17_SfFniAU.log

c:\windows\system32\service\25112010_TIS17_SfFniAU.log

c:\windows\system32\service\25122009_TIS17_SfFniAU.log

c:\windows\system32\service\25122010_TIS17_SfFniAU.log

c:\windows\system32\service\26012009_TIS17_SfFniAU.log

c:\windows\system32\service\26032009_TIS17_SfFniAU.log

c:\windows\system32\service\27022009_TIS17_SfFniAU.log

c:\windows\system32\service\27032009_TIS17_SfFniAU.log

c:\windows\system32\service\27052010_TIS17_SfFniAU.log

c:\windows\system32\service\27072010_TIS17_SfFniAU.log

c:\windows\system32\service\27082010_TIS17_SfFniAU.log

c:\windows\system32\service\27092009_TIS17_SfFniAU.log

c:\windows\system32\service\27102009_TIS17_SfFniAU.log

c:\windows\system32\service\27122010_TIS17_SfFniAU.log

c:\windows\system32\service\28012009_TIS17_SfFniAU.log

c:\windows\system32\service\28012011_TIS17_SfFniAU.log

c:\windows\system32\service\28052010_TIS17_SfFniAU.log

c:\windows\system32\service\28092009_TIS17_SfFniAU.log

c:\windows\system32\service\28092010_TIS17_SfFniAU.log

c:\windows\system32\service\29012011_TIS17_SfFniAU.log

c:\windows\system32\service\29062010_TIS17_SfFniAU.log

c:\windows\system32\service\29112009_TIS17_SfFniAU.log

c:\windows\system32\service\29122010_TIS17_SfFniAU.log

c:\windows\system32\service\30032009_TIS17_SfFniAU.log

c:\windows\system32\service\30042009_TIS17_SfFniAU.log

c:\windows\system32\service\30042010_TIS17_SfFniAU.log

c:\windows\system32\service\30102010_TIS17_SfFniAU.log

c:\windows\system32\service\30112010_TIS17_SfFniAU.log

c:\windows\system32\service\31012011_TIS17_SfFniAU.log

c:\windows\system32\service\31052010_TIS17_SfFniAU.log

c:\windows\system32\service\31082010_TIS17_SfFniAU.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Service_6to4

((((((((((((((((((((((((( Files Created from 2011-01-14 to 2011-02-14 )))))))))))))))))))))))))))))))

.

2011-02-09 01:22 . 2011-02-09 01:22 -------- d-----w- c:\documents and settings\glen\Local Settings\Application Data\Sunbelt Software

2011-02-09 00:01 . 2011-02-08 12:55 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-02-08 23:44 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-02-08 23:44 . 2011-02-08 23:44 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-02-08 23:37 . 2011-02-09 01:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2011-02-08 12:22 . 2011-02-08 12:22 388096 ----a-r- c:\documents and settings\glen\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-02-08 02:00 . 2011-02-09 01:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-02-08 01:28 . 2011-02-08 01:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2011-02-08 01:28 . 2011-02-08 01:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer

2011-02-07 22:20 . 2011-02-07 22:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Trend Micro

2011-02-07 22:20 . 2011-02-07 22:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2011-02-07 22:20 . 2011-02-07 22:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-02-07 02:38 . 2010-11-13 00:53 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-07 02:38 . 2010-11-13 00:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-21 00:09 . 2010-04-03 22:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 00:08 . 2010-04-03 22:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-18 18:12 . 2005-08-16 09:40 81920 ----a-w- c:\windows\system32\isign32.dll

.

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Trend Micro\Internet Security\UfSeAgnt .exe
c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
c:\windows\ehome\ehtray .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [N/A]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -startup" [X]

"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]

"ehTray"="c:\windows\ehome\ehtray.exe" [2011-02-09 94212]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2011-02-09 94212]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-09 94212]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [N/A]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-02-09 94212]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-30 24576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]

2011-02-08 12:55 939848 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2007-03-09 16:09 63712 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2006-05-31 02:12 169472 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-03-30 15:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2010-03-19 22:27 5248312 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

c:\program files\QuickTime\qttask.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]

c:\program files\Yahoo!\Search Protection\SearchProtection.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-06-25 11:00 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

c:\program files\Yahoo!\Search Protection\SearchProtection.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aawservice"=2 (0x2)

"Lavasoft Ad-Aware Service"=2 (0x2)

"gusvc"=2 (0x2)

"gupdate1c985a2991e70f8"=2 (0x2)

"YahooAUService"=3 (0x3)

"JavaQuickStarterService"=2 (0x2)

"iPod Service"=3 (0x3)

"CCALib8"=2 (0x2)

"Apple Mobile Device"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/8/2011 5:44 PM 64288]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [7/29/2009 11:06 AM 36432]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [7/29/2009 11:07 AM 339984]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 3:05 AM 1405384]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 3:05 AM 15232]

S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [5/23/2010 4:48 PM 51792]

S3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [5/23/2010 4:48 PM 497008]

S3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [5/23/2010 4:48 PM 689416]

S4 gupdate1c985a2991e70f8;Google Update Service (gupdate1c985a2991e70f8);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2009 7:56 PM 133104]

.

Contents of the 'Scheduled Tasks' folder

2011-02-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 12:55]

2011-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

2011-02-14 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-01 16:58]

2011-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 01:56]

2011-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 01:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

Trusted Zone: musicmatch.com\online

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://207.177.24.26/activex/AMC.cab

FF - ProfilePath - c:\documents and settings\glen\Application Data\Mozilla\Firefox\Profiles\bbpmati1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.startup.homepage - www.trendmicro.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Trend Micro Toolbar: {22181a4d-af90-4ca3-a569-faed9118d6bc} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension

FF - user.js: yahoo.homepage.dontask - true

.

- - - - ORPHANS REMOVED - - - -

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-14 16:05

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(7308)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\stsystra.exe

c:\windows\ehome\ehtray .exe

c:\windows\eHome\ehmsas.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Common Files\Java\Java Update\jusched .exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2011-02-14 16:12:17 - machine was rebooted

ComboFix-quarantined-files.txt 2011-02-14 22:12

Pre-Run: 53,030,678,528 bytes free

Post-Run: 53,389,164,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 53B1DB4591F4F6E188FEB06ECA128B55


Open Notepad and copy and paste the text in the code box below into it:

RenV::
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Trend Micro\Internet Security\UfSeAgnt .exe
c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
c:\windows\ehome\ehtray .exe

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

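The ComboFix log above shows the pattern the RenV:: script is aimed at: eight legitimate startup programs from different vendors now sit on disk as "name .exe" (a space before the extension), while the Run-key entries that launch them resolve to "name.exe" files that all carry the same date (2011-02-09) and the same size (94212 bytes), or are marked [X] because the spaced name no longer matches. The script below is an added triage example, not part of the thread and not ComboFix's own code. It parses those two log sections as plain text, groups the Run entries by (date, size) to surface the look-alike binaries, ties each displaced original to the autorun entry that pointed at it, and rebuilds the RenV:: script the helper posted. The sample input is copied from the log in this thread. Assumptions of mine, not stated on the page: that ComboFix prints "[date size]" when it could read the target file and "[X]" or "[N/A]" when it could not, and all function names.

```python
"""Triage helper for the ComboFix findings shown in this thread.

Added example, not part of the original post or of ComboFix itself.
Assumption (not stated on the page): in Run-key lines ComboFix prints
"[date size]" when it could read the file and "[X]" / "[N/A]" when it
could not; that reading is used below.
"""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the ComboFix log above.
RENAMED_FILES = r"""
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Trend Micro\Internet Security\UfSeAgnt .exe
c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
c:\windows\ehome\ehtray .exe
"""

RUN_ENTRIES = r"""
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -startup" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2011-02-09 94212]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2011-02-09 94212]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-09 94212]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-02-09 94212]
"""

RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s+\[(?P<meta>[^\]]*)\]\s*$')
EXE_SPLIT = re.compile(r'^(?P<path>.*?\.exe)(?:\s+(?P<args>.*))?$', re.IGNORECASE)
SPACED_EXE = re.compile(r' \.exe$', re.IGNORECASE)


def parse_run_entries(text):
    """Parse Run-key lines into dicts: name, path, args, date, size, status."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        split = EXE_SPLIT.match(m.group("cmd"))
        path = split.group("path") if split else m.group("cmd")
        args = (split.group("args") or "") if split else ""
        meta = m.group("meta").split()
        readable = len(meta) == 2          # "[2011-02-09 94212]" vs "[X]" / "[N/A]"
        entries.append({
            "name": m.group("name"), "path": path, "args": args,
            "date": meta[0] if readable else None,
            "size": int(meta[1]) if readable else None,
            "status": "ok" if readable else m.group("meta"),
        })
    return entries


def renamed_originals(text):
    """Paths whose file name carries a space before .exe: displaced originals."""
    return [ln.strip() for ln in text.splitlines() if SPACED_EXE.search(ln.strip())]


def expected_clone_path(spaced_path):
    """'foo .exe' -> 'foo.exe', the name the autorun entry originally launched."""
    return SPACED_EXE.sub(".exe", spaced_path)


def cloned_autoruns(entries, min_group=2):
    """Group readable Run entries by (date, size). Several unrelated programs
    matching to the byte is the fingerprint of one binary copied over each
    startup target."""
    groups = defaultdict(list)
    for e in entries:
        if e["status"] == "ok":
            groups[(e["date"], e["size"])].append(e["path"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_group}


def displaced_targets(entries, spaced_paths):
    """Map each displaced original to the Run entries that now resolve to its
    old name (the clone) or still name the spaced file (status [X])."""
    result = {}
    for sp in spaced_paths:
        wanted = {expected_clone_path(sp).lower(), sp.lower()}
        result[sp] = [e for e in entries if e["path"].lower() in wanted]
    return result


def build_renv_script(spaced_paths):
    """Rebuild the CFScript text the helper posted: RenV:: then the spaced names."""
    return "RenV::\n" + "\n".join(spaced_paths) + "\n"


def triage(renamed_text=RENAMED_FILES, run_text=RUN_ENTRIES):
    entries = parse_run_entries(run_text)
    spaced = renamed_originals(renamed_text)
    return {
        "displaced": spaced,
        "clones": cloned_autoruns(entries),
        "targets": displaced_targets(entries, spaced),
        "cfscript": build_renv_script(spaced),
    }


if __name__ == "__main__":
    report = triage()
    for (date, size), paths in report["clones"].items():
        print(f"{len(paths)} autorun targets share date {date} and size {size}:")
        for p in paths:
            print("   ", p)
    print(report["cfscript"])
```

On the log in this thread the (date, size) grouping returns one cluster of four paths (ehtray.exe, issch.exe, CLIStart.exe, jusched.exe), and the two entries that still name the spaced files (isuspm .exe, qttask .exe) come back with status X; the rebuilt RenV:: block matches the one posted above line for line.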

A couple of things are happening now -

1.) When the CFScript.txt is dropped on ComboFix, it seems to run, and runs for about 2 minutes then quits, and doesn't generate a Log file. Just to be sure, DOES HE NEED TO DISABLE the Anti-Virus? I don't think my brother did that when he ran ComboFix. I think he is going to try again with the AV off.

2.) When the computer shuts down, a program called Hello4 stalls during the Shutdown process. It usually takes an END TASK to get it to finally shut down.

Again, my brother will try dropping the ComboFix Script on ComboFix.exe program with the Anti-virus turned off and see if that works better.

3.) Revise - My brother ran the ComboFix with the Anti-Virus Off, and it started up, ran about two minutes then quit and shut down the ComboFix program. It doesn't seem to be doing a scan. That is, it says it is starting a scan, but doesn't actually do it.

4.) Though Ad-Aware was shut off in the program, the Ad-Aware Service was still running. We disabled that in Services, rebooted, confirmed it was NOT running, shut down the Anti-Virus, and ran the ComboFix script again, and the program seems to start normally, but it can't seem to start its scan, and eventually just shuts itself down.

Any thoughts?

Steve


This is the new ComboFix Log file WITHOUT the SCRIPT. Just a standard Scan.

Thanks again for all your help.

Steve

= = = = = = = = = = = =

LOGTHUS.txt

- - - - - - - - - - - -

ComboFix 11-02-16.05 - glen 02/17/2011 13:01:13.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.528 [GMT -6:00]

Running from: c:\documents and settings\glen\Desktop\Combo-Fix.exe

AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Trend Micro Internet Security Pro *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FW: Trend Micro Personal Firewall *Enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((( Files Created from 2011-01-17 to 2011-02-17 )))))))))))))))))))))))))))))))

.

2011-02-09 01:22 . 2011-02-09 01:22 -------- d-----w- c:\documents and settings\glen\Local Settings\Application Data\Sunbelt Software

2011-02-09 00:01 . 2011-02-08 12:55 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-02-08 23:44 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-02-08 23:44 . 2011-02-08 23:44 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-02-08 23:37 . 2011-02-09 01:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2011-02-08 12:22 . 2011-02-08 12:22 388096 ----a-r- c:\documents and settings\glen\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-02-08 02:00 . 2011-02-09 01:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-02-08 01:28 . 2011-02-08 01:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2011-02-08 01:28 . 2011-02-08 01:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer

2011-02-07 22:20 . 2011-02-07 22:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Trend Micro

2011-02-07 22:20 . 2011-02-07 22:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2011-02-07 22:20 . 2011-02-07 22:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-02-07 02:38 . 2010-11-13 00:53 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-07 02:38 . 2010-11-13 00:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-21 00:09 . 2010-04-03 22:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 00:08 . 2010-04-03 22:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Trend Micro\Internet Security\UfSeAgnt .exe
c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
c:\windows\ehome\ehtray .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [N/A]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -startup" [X]

"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]

"ehTray"="c:\windows\ehome\ehtray.exe" [2011-02-09 94212]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2011-02-09 94212]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-09 94212]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [N/A]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-02-09 94212]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-30 24576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]

2011-02-08 12:55 939848 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2007-03-09 16:09 63712 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2006-05-31 02:12 169472 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-03-30 15:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2010-03-19 22:27 5248312 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

c:\program files\QuickTime\qttask.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]

c:\program files\Yahoo!\Search Protection\SearchProtection.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-06-25 11:00 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

c:\program files\Yahoo!\Search Protection\SearchProtection.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aawservice"=2 (0x2)

"Lavasoft Ad-Aware Service"=2 (0x2)

"gusvc"=2 (0x2)

"gupdate1c985a2991e70f8"=2 (0x2)

"YahooAUService"=3 (0x3)

"JavaQuickStarterService"=2 (0x2)

"iPod Service"=3 (0x3)

"CCALib8"=2 (0x2)

"Apple Mobile Device"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/8/2011 5:44 PM 64288]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [7/29/2009 11:06 AM 36432]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [7/29/2009 11:07 AM 339984]

R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [5/23/2010 4:48 PM 51792]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 3:05 AM 15232]

S3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [5/23/2010 4:48 PM 497008]

S3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [5/23/2010 4:48 PM 689416]

S4 gupdate1c985a2991e70f8;Google Update Service (gupdate1c985a2991e70f8);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2009 7:56 PM 133104]

S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 3:05 AM 1405384]

.

Contents of the 'Scheduled Tasks' folder

2011-02-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 12:55]

2011-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

2011-02-17 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-01 16:58]

2011-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 01:56]

2011-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 01:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

Trusted Zone: musicmatch.com\online

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://207.177.24.26/activex/AMC.cab

FF - ProfilePath - c:\documents and settings\glen\Application Data\Mozilla\Firefox\Profiles\bbpmati1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.startup.homepage - www.trendmicro.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Trend Micro Toolbar: {22181a4d-af90-4ca3-a569-faed9118d6bc} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension

FF - user.js: yahoo.homepage.dontask - true

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-17 13:44

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(15484)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-02-17 14:08:19

ComboFix-quarantined-files.txt 2011-02-17 20:07

ComboFix2.txt 2011-02-14 22:12

Pre-Run: 53,313,937,408 bytes free

Post-Run: 53,291,692,032 bytes free

- - End Of File - - 099B0F758592B64ED8832A64D4B45783


Okay, let's try again:

Open Notepad and copy and paste the text in the code box below into it:

SecCenter::
FW: *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

RenV::
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Trend Micro\Internet Security\UfSeAgnt .exe
c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
c:\windows\ehome\ehtray .exe

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

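The RenV:: list above reverses one specific pattern visible in the log's "Reg Loading Points" section: autorun entries whose executable name has a stray space before the extension (`isuspm .exe`, `qttask .exe`), which ComboFix marks with `[X]`. The following Python script is an added example for this thread, not part of ComboFix or of the helper's script; it parses that section of a ComboFix log and flags entries a reviewer would look at first. The sample input is constructed from lines of the log posted in this thread. The reason codes are this example's own naming, and its reading of `[X]` as "file not found at that path" and `[N/A]` as "no date/size reported" is an assumption, not something the thread states.

```python
"""Flag suspicious autorun entries in the 'Reg Loading Points' section of a
ComboFix log. Added example for this thread; it is not part of ComboFix, and
the reason codes below are this example's own naming."""
import re
from typing import List, NamedTuple, Optional

# Constructed sample input: lines excerpted from the ComboFix log posted in
# this thread, in the shape ComboFix prints them.
SAMPLE_LOG = r'''
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -startup" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2011-02-09 94212]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [N/A]
'''


class Finding(NamedTuple):
    key: str                  # registry key the entry was loaded from
    name: str                 # value name, e.g. "QuickTime Task"
    path: str                 # executable path exactly as registered
    reasons: List[str]        # reason codes assigned by check_entry()
    suggested: Optional[str]  # corrected file name when a stray space was found


_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<tag>[^\]]*)\]\s*$')
_EXE_RE = re.compile(r'^(?P<path>.*?\.exe)(?P<args>.*)$', re.IGNORECASE)
_SPACE_EXT_RE = re.compile(r'\s+(\.exe)$', re.IGNORECASE)


def check_entry(cmd: str, tag: str):
    """Return (path, reasons, suggested) for one autorun value."""
    m = _EXE_RE.match(cmd.strip())
    path = m.group('path') if m else cmd.strip()
    reasons: List[str] = []
    suggested = None
    if _SPACE_EXT_RE.search(path):
        # "isuspm .exe": a space before the extension means the registered
        # name no longer points at the vendor's file. This is the pattern
        # the RenV:: list in this thread reverses.
        reasons.append('space-before-extension')
        suggested = _SPACE_EXT_RE.sub(r'\1', path)
    if tag == 'X':
        reasons.append('file-missing')     # assumption: [X] = file not found
    elif tag == 'N/A':
        reasons.append('no-file-info')     # assumption: no date/size reported
    if '\\' not in path and '/' not in path:
        # A bare file name is resolved through the search path at logon, so
        # a same-named file found earlier in that path would run instead.
        reasons.append('unqualified-filename')
    return path, reasons, suggested


def analyze_loading_points(log_text: str) -> List[Finding]:
    """Walk the log, remembering the current [key], and collect findings."""
    findings: List[Finding] = []
    key = ''
    for line in log_text.splitlines():
        line = line.strip()
        km = _KEY_RE.match(line)
        if km:
            key = km.group('key')
            continue
        em = _ENTRY_RE.match(line)
        if not em:
            continue
        path, reasons, suggested = check_entry(em.group('cmd'), em.group('tag'))
        if reasons:
            findings.append(Finding(key, em.group('name'), path, reasons, suggested))
    return findings


def rename_targets(findings: List[Finding]):
    """(registered name, corrected name) pairs for stray-space entries."""
    return [(f.path, f.suggested) for f in findings if f.suggested]


if __name__ == '__main__':
    for f in analyze_loading_points(SAMPLE_LOG):
        print(f'{f.name}: {f.path} -> {", ".join(f.reasons)}')
    for old, new in rename_targets(analyze_loading_points(SAMPLE_LOG)):
        print(f'rename candidate: {old} => {new}')
```

Run it against a full saved ComboFix.txt by passing the file's contents to `analyze_loading_points`; entries that carry no reason code (like `swg` and `ehTray` in the sample) are not reported. The `unqualified-filename` code is informational: `stsystra.exe` is a normal Dell/Sigmatel entry, but a bare name in a Run key is worth confirming because it is resolved by search order rather than by an explicit path.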

The ComboFix worked this time, scanned and generated a log.

However, during the scan, Windows popped up a window saying protected files were being changed or deleted, and did I want to restore those files. If my brother wanted to restore them, he needed to put in his Windows disk and click OK. The problem is, my brother doesn't have a Windows disk, he has a bundled Dell computer that likely has a copy of the Windows disk on the computer itself. So, we weren't sure what to do. Eventually we decided that ComboFix knew what it was doing and we just let it go ahead and make the fixes without restoring the files.

My brother rebooted and his computer seems to work, but it is running very slow. Especially on the Internet.

Hopefully this takes us closer to resolution.

Thanks again for your patient help.

Here is the log file -

= = = = = = = = = = = = = = = = =

Combofix Log file

- - - - - - - - - - - - - - - - - - - - - -

ComboFix 11-02-16.05 - glen 02/18/2011 18:01:00.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.561 [GMT -6:00]

Running from: c:\documents and settings\glen\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\glen\Desktop\CFScript.txt

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Trend Micro Internet Security Pro *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro Personal Firewall *Enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((( Files Created from 2011-01-19 to 2011-02-19 )))))))))))))))))))))))))))))))

.

2011-02-09 01:22 . 2011-02-09 01:22 -------- d-----w- c:\documents and settings\glen\Local Settings\Application Data\Sunbelt Software

2011-02-09 00:01 . 2011-02-08 12:55 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-02-08 23:44 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-02-08 23:44 . 2011-02-08 23:44 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-02-08 23:37 . 2011-02-09 01:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2011-02-08 12:22 . 2011-02-08 12:22 388096 ----a-r- c:\documents and settings\glen\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-02-08 02:00 . 2011-02-09 01:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-02-08 01:28 . 2011-02-08 01:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2011-02-08 01:28 . 2011-02-08 01:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer

2011-02-07 22:20 . 2011-02-07 22:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Trend Micro

2011-02-07 22:20 . 2011-02-07 22:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2011-02-07 22:20 . 2011-02-07 22:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-02-07 02:38 . 2010-11-13 00:53 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-07 02:38 . 2010-11-13 00:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-21 14:44 . 2005-08-16 09:18 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2005-08-16 09:18 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2005-08-16 09:18 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2005-08-16 09:18 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-21 00:09 . 2010-04-03 22:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 00:08 . 2010-04-03 22:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-20 23:59 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59 . 2005-08-16 09:18 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59 . 2005-08-16 09:18 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26 . 2005-08-16 09:18 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2005-08-16 09:18 385024 ----a-w- c:\windows\system32\html.iec

2010-12-09 15:15 . 2005-08-16 09:18 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30 . 2005-08-16 09:18 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:42 . 2005-08-16 09:18 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07 . 2004-08-04 03:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

.

((((((((((((((((((((((((((((( SnapShot@2011-02-17_19.44.22 )))))))))))))))))))))))))))))))))))))))))

.

- 2005-08-16 09:18 . 2010-11-06 00:26 66560 c:\windows\system32\mshtmled.dll

+ 2005-08-16 09:18 . 2010-12-20 23:59 66560 c:\windows\system32\mshtmled.dll

- 2006-11-08 03:03 . 2010-11-06 00:26 55296 c:\windows\system32\msfeedsbs.dll

+ 2006-11-08 03:03 . 2010-12-20 23:59 55296 c:\windows\system32\msfeedsbs.dll

+ 2005-08-16 09:18 . 2010-12-20 23:59 25600 c:\windows\system32\jsproxy.dll

- 2005-08-16 09:18 . 2010-11-06 00:26 25600 c:\windows\system32\jsproxy.dll

- 2009-07-03 01:12 . 2010-11-06 00:26 12800 c:\windows\system32\dllcache\xpshims.dll

+ 2009-07-03 01:12 . 2010-12-20 23:59 12800 c:\windows\system32\dllcache\xpshims.dll

+ 2006-05-10 05:25 . 2010-12-20 23:59 66560 c:\windows\system32\dllcache\mshtmled.dll

- 2006-05-10 05:25 . 2010-11-06 00:26 66560 c:\windows\system32\dllcache\mshtmled.dll

- 2007-05-09 22:18 . 2010-11-06 00:26 55296 c:\windows\system32\dllcache\msfeedsbs.dll

+ 2007-05-09 22:18 . 2010-12-20 23:59 55296 c:\windows\system32\dllcache\msfeedsbs.dll

+ 2006-10-17 18:05 . 2010-12-20 23:59 43520 c:\windows\system32\dllcache\licmgr10.dll

- 2006-10-17 18:05 . 2010-11-06 00:26 43520 c:\windows\system32\dllcache\licmgr10.dll

- 2006-05-10 05:25 . 2010-11-06 00:26 25600 c:\windows\system32\dllcache\jsproxy.dll

+ 2006-05-10 05:25 . 2010-12-20 23:59 25600 c:\windows\system32\dllcache\jsproxy.dll

+ 2009-12-14 07:08 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll

- 2009-12-14 07:08 . 2009-12-14 07:08 33280 c:\windows\system32\dllcache\csrsrv.dll

- 2010-06-04 11:24 . 2010-12-16 03:47 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll

+ 2010-06-04 11:24 . 2011-02-18 00:53 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 12800 c:\windows\ie8updates\KB2482017-IE8\xpshims.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 66560 c:\windows\ie8updates\KB2482017-IE8\mshtmled.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 55296 c:\windows\ie8updates\KB2482017-IE8\msfeedsbs.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 43520 c:\windows\ie8updates\KB2482017-IE8\licmgr10.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 25600 c:\windows\ie8updates\KB2482017-IE8\jsproxy.dll

+ 2005-08-16 09:37 . 2005-09-29 19:01 67584 c:\windows\ehome\ehtray.exe

+ 2005-08-16 09:18 . 2010-12-20 23:59 206848 c:\windows\system32\occache.dll

- 2005-08-16 09:18 . 2010-11-06 00:26 206848 c:\windows\system32\occache.dll

- 2005-08-16 09:18 . 2010-11-06 00:26 611840 c:\windows\system32\mstime.dll

+ 2005-08-16 09:18 . 2010-12-20 23:59 611840 c:\windows\system32\mstime.dll

- 2006-11-08 03:03 . 2010-11-06 00:26 602112 c:\windows\system32\msfeeds.dll

+ 2006-11-08 03:03 . 2010-12-20 23:59 602112 c:\windows\system32\msfeeds.dll

- 2005-08-16 09:18 . 2010-11-06 00:26 184320 c:\windows\system32\iepeers.dll

+ 2005-08-16 09:18 . 2010-12-20 23:59 184320 c:\windows\system32\iepeers.dll

+ 2005-08-16 09:18 . 2010-12-20 23:59 387584 c:\windows\system32\iedkcs32.dll

- 2005-08-16 09:18 . 2010-11-06 00:26 387584 c:\windows\system32\iedkcs32.dll

- 2005-08-16 09:18 . 2010-11-03 12:26 173568 c:\windows\system32\ie4uinit.exe

+ 2005-08-16 09:18 . 2010-12-20 12:55 173568 c:\windows\system32\ie4uinit.exe

- 2005-08-16 09:27 . 2010-12-16 11:54 191384 c:\windows\system32\FNTCACHE.DAT

+ 2005-08-16 09:27 . 2011-02-18 02:21 191384 c:\windows\system32\FNTCACHE.DAT

- 2006-05-10 05:25 . 2010-11-06 00:26 916480 c:\windows\system32\dllcache\wininet.dll

+ 2006-05-10 05:25 . 2010-12-20 23:59 916480 c:\windows\system32\dllcache\wininet.dll

- 2006-10-17 18:04 . 2010-11-06 00:26 206848 c:\windows\system32\dllcache\occache.dll

+ 2006-10-17 18:04 . 2010-12-20 23:59 206848 c:\windows\system32\dllcache\occache.dll

+ 2009-04-17 11:02 . 2010-12-09 15:15 718336 c:\windows\system32\dllcache\ntdll.dll

- 2006-05-10 05:25 . 2010-11-06 00:26 611840 c:\windows\system32\dllcache\mstime.dll

+ 2006-05-10 05:25 . 2010-12-20 23:59 611840 c:\windows\system32\dllcache\mstime.dll

+ 2007-05-09 22:18 . 2010-12-20 23:59 602112 c:\windows\system32\dllcache\msfeeds.dll

- 2007-05-09 22:18 . 2010-11-06 00:26 602112 c:\windows\system32\dllcache\msfeeds.dll

- 2009-04-17 11:02 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll

+ 2009-04-17 11:02 . 2010-12-20 17:26 730112 c:\windows\system32\dllcache\lsasrv.dll

- 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll

+ 2009-06-25 08:25 . 2010-12-22 12:34 301568 c:\windows\system32\dllcache\kerberos.dll

- 2009-07-03 01:12 . 2010-11-06 00:26 247808 c:\windows\system32\dllcache\ieproxy.dll

+ 2009-07-03 01:12 . 2010-12-20 23:59 247808 c:\windows\system32\dllcache\ieproxy.dll

- 2006-05-10 05:25 . 2010-11-06 00:26 184320 c:\windows\system32\dllcache\iepeers.dll

+ 2006-05-10 05:25 . 2010-12-20 23:59 184320 c:\windows\system32\dllcache\iepeers.dll

+ 2010-06-10 00:48 . 2010-12-20 23:59 743424 c:\windows\system32\dllcache\iedvtool.dll

- 2010-06-10 00:48 . 2010-11-06 00:26 743424 c:\windows\system32\dllcache\iedvtool.dll

+ 2006-11-07 09:27 . 2010-12-20 23:59 387584 c:\windows\system32\dllcache\iedkcs32.dll

- 2006-11-07 09:27 . 2010-11-06 00:26 387584 c:\windows\system32\dllcache\iedkcs32.dll

+ 2006-11-07 09:26 . 2010-12-20 12:55 173568 c:\windows\system32\dllcache\ie4uinit.exe

- 2006-11-07 09:26 . 2010-11-03 12:26 173568 c:\windows\system32\dllcache\ie4uinit.exe

- 2010-04-20 05:30 . 2010-10-28 13:13 290048 c:\windows\system32\dllcache\atmfd.dll

+ 2010-04-20 05:30 . 2011-01-07 14:09 290048 c:\windows\system32\dllcache\atmfd.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 916480 c:\windows\ie8updates\KB2482017-IE8\wininet.dll

+ 2011-02-18 00:49 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2482017-IE8\spuninst\updspapi.dll

+ 2011-02-18 00:49 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2482017-IE8\spuninst\spuninst.exe

+ 2011-02-18 00:49 . 2010-11-06 00:26 206848 c:\windows\ie8updates\KB2482017-IE8\occache.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 611840 c:\windows\ie8updates\KB2482017-IE8\mstime.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 602112 c:\windows\ie8updates\KB2482017-IE8\msfeeds.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 247808 c:\windows\ie8updates\KB2482017-IE8\ieproxy.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 184320 c:\windows\ie8updates\KB2482017-IE8\iepeers.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 743424 c:\windows\ie8updates\KB2482017-IE8\iedvtool.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 387584 c:\windows\ie8updates\KB2482017-IE8\iedkcs32.dll

+ 2011-02-18 00:49 . 2010-11-03 12:26 173568 c:\windows\ie8updates\KB2482017-IE8\ie4uinit.exe

- 2005-08-16 09:18 . 2010-11-06 00:26 1210880 c:\windows\system32\urlmon.dll

+ 2005-08-16 09:18 . 2010-12-20 23:59 1210880 c:\windows\system32\urlmon.dll

+ 2005-08-16 09:18 . 2011-01-21 14:44 8462336 c:\windows\system32\shell32.dll

- 2005-08-16 09:18 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll

+ 2005-08-16 09:18 . 2010-12-20 23:59 5961216 c:\windows\system32\mshtml.dll

+ 2006-10-17 17:57 . 2010-12-20 23:59 1991680 c:\windows\system32\iertutil.dll

- 2006-10-17 17:57 . 2010-11-06 00:26 1991680 c:\windows\system32\iertutil.dll

+ 2008-10-15 22:28 . 2010-12-31 13:10 1854976 c:\windows\system32\dllcache\win32k.sys

- 2006-05-10 05:25 . 2010-11-06 00:26 1210880 c:\windows\system32\dllcache\urlmon.dll

+ 2006-05-10 05:25 . 2010-12-20 23:59 1210880 c:\windows\system32\dllcache\urlmon.dll

+ 2008-06-17 19:02 . 2011-01-21 14:44 8462336 c:\windows\system32\dllcache\shell32.dll

- 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll

+ 2008-10-15 22:28 . 2010-12-09 13:38 2192768 c:\windows\system32\dllcache\ntoskrnl.exe

+ 2008-10-15 22:28 . 2010-12-09 13:07 2027008 c:\windows\system32\dllcache\ntkrpamp.exe

+ 2008-10-15 22:28 . 2010-12-09 13:07 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe

+ 2008-10-15 22:28 . 2010-12-09 13:42 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe

+ 2006-05-19 15:06 . 2010-12-20 23:59 5961216 c:\windows\system32\dllcache\mshtml.dll

- 2007-05-09 22:18 . 2010-11-06 00:26 1991680 c:\windows\system32\dllcache\iertutil.dll

+ 2007-05-09 22:18 . 2010-12-20 23:59 1991680 c:\windows\system32\dllcache\iertutil.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 1210880 c:\windows\ie8updates\KB2482017-IE8\urlmon.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 5959168 c:\windows\ie8updates\KB2482017-IE8\mshtml.dll

+ 2011-02-18 00:49 . 2010-11-06 00:26 1991680 c:\windows\ie8updates\KB2482017-IE8\iertutil.dll

+ 2008-10-15 22:28 . 2010-12-09 13:38 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe

+ 2008-10-15 22:28 . 2010-12-09 13:07 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe

+ 2008-10-15 22:28 . 2010-12-09 13:07 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe

+ 2008-10-15 22:28 . 2010-12-09 13:42 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe

+ 2006-06-05 23:21 . 2011-02-18 00:50 37443528 c:\windows\system32\MRT.exe

- 2006-11-08 03:03 . 2010-11-06 00:26 11080704 c:\windows\system32\ieframe.dll

+ 2006-11-08 03:03 . 2010-12-21 11:29 11080704 c:\windows\system32\ieframe.dll

- 2007-05-09 22:18 . 2010-11-06 00:26 11080704 c:\windows\system32\dllcache\ieframe.dll

+ 2007-05-09 22:18 . 2010-12-21 11:29 11080704 c:\windows\system32\dllcache\ieframe.dll

+ 2011-02-18 00:52 . 2011-02-18 00:52 20308992 c:\windows\Installer\2b9310.msp

+ 2011-02-18 00:49 . 2010-11-06 00:26 11080704 c:\windows\ie8updates\KB2482017-IE8\ieframe.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -startup" [X]

"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-30 24576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]

2011-02-08 12:55 939848 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2007-03-09 16:09 63712 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2006-05-31 02:12 169472 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-03-30 15:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2010-03-19 22:27 5248312 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-03-29 04:37 413696 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-06-25 11:00 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aawservice"=2 (0x2)

"Lavasoft Ad-Aware Service"=2 (0x2)

"gusvc"=2 (0x2)

"gupdate1c985a2991e70f8"=2 (0x2)

"YahooAUService"=3 (0x3)

"JavaQuickStarterService"=2 (0x2)

"iPod Service"=3 (0x3)

"CCALib8"=2 (0x2)

"Apple Mobile Device"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/8/2011 5:44 PM 64288]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [7/29/2009 11:06 AM 36432]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [7/29/2009 11:07 AM 339984]

R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [5/23/2010 4:48 PM 51792]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 3:05 AM 15232]

S3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [5/23/2010 4:48 PM 497008]

S3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [5/23/2010 4:48 PM 689416]

S4 gupdate1c985a2991e70f8;Google Update Service (gupdate1c985a2991e70f8);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2009 7:56 PM 133104]

S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 3:05 AM 1405384]

.

Contents of the 'Scheduled Tasks' folder

2011-02-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 12:55]

2011-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

2011-02-18 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-01 16:58]

2011-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 01:56]

2011-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 01:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

Trusted Zone: musicmatch.com\online

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://207.177.24.26/activex/AMC.cab

FF - ProfilePath - c:\documents and settings\glen\Application Data\Mozilla\Firefox\Profiles\bbpmati1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.startup.homepage - www.trendmicro.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Trend Micro Toolbar: {22181a4d-af90-4ca3-a569-faed9118d6bc} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension

FF - user.js: yahoo.homepage.dontask - true

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe

MSConfigStartUp-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-18 18:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(14808)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-02-18 18:41:54

ComboFix-quarantined-files.txt 2011-02-19 00:41

ComboFix2.txt 2011-02-17 20:08

ComboFix3.txt 2011-02-14 22:12

Pre-Run: 52,866,641,920 bytes free

Post-Run: 52,836,548,608 bytes free

- - End Of File - - 900C005877BD010147E9223D205B816A


Don't worry, everything seems to be okay. Let's make an additional scan:

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Now click on Advanced Settings and select the following:

    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection. When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Here is the latest ESET Log file.

The computer speed seems to be fine now.

My anti-virus says that it has found something on the C drive and prompted me to run a scan, which I haven't done since the malware dude wanted to wait until he was done working on my computer before I did any scans. So, I didn't scan.

Thanks again for your help.

Steve

= = = = = = = = = = = = = = = = = = =

ESET log.txt

- - - - - - - - - - - - - - - - - - - - - - - - -

ESETSmartInstaller@High as downloader log:

all ok

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=6e72334079e7ba40a4b6497b2485b0e8

# end=stopped

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-02-19 03:04:10

# local_time=2011-02-19 09:04:10 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=516 16774821 100 100 0 57861318 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=500

# found=0

# cleaned=0

# scan_time=56

ESETSmartInstaller@High as downloader log:

all ok

esets_scanner_update returned -1 esets_gle=53251

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=6e72334079e7ba40a4b6497b2485b0e8

# end=stopped

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-02-19 04:09:09

# local_time=2011-02-19 10:09:09 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=516 16774821 100 100 0 57861420 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=48758

# found=4

# cleaned=4

# scan_time=3853

C:\Documents and Settings\glen\Application Data\Sun\Java\Deployment\cache\6.0\30\16295f9e-2c5a48c6 a variant of OSX/Exploit.Smid.B trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\glen\Application Data\Sun\Java\Deployment\cache\6.0\41\b023ae9-44e30e8f a variant of OSX/Exploit.Smid.B trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask.exe.vir a variant of Win32/Kryptik.KKD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe.vir a variant of Win32/Kryptik.KKD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=6e72334079e7ba40a4b6497b2485b0e8

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-02-19 05:54:14

# local_time=2011-02-19 11:54:14 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=516 16774821 100 100 0 57865419 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=82282

# found=8

# cleaned=8

# scan_time=6160

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP960\A0150421.exe a variant of Win32/Kryptik.KKD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP960\A0150422.exe a variant of Win32/Kryptik.KKD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP962\A0151410.exe a variant of Win32/Kryptik.KKD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP962\A0151411.exe a variant of Win32/Kryptik.KKD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP962\A0151412.exe a variant of Win32/Kryptik.KKD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP962\A0151413.exe a variant of Win32/Kryptik.KKD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP962\A0151414.exe a variant of Win32/Kryptik.KKD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP962\A0151415.exe a variant of Win32/Kryptik.KKD trojan (cleaned by deleting - quarantined) 000000
