The story so far:

One of my home desktops (Windows XP Home) caught Windows Restore yesterday. Today my current antivirus software recognised it, deleted one file but then cheekily told me that I had chosen to ignore another file & suggested I delete or quarantine this file.

I used the DOS prompt to go to the appropriate folder, & manually deleted three files with names varying on 18013988 & a fourth file, DQM (long string).exe.

I came across this forum, & followed an earlier post here:

I have downloaded unhide & run it.

I then downloaded RogueKiller and ran that, to scan & then delete (I spotted a registry key listed for the DQM file I'd deleted earlier).

I then downloaded OTL and ran it in scan mode, minimal output, with the LOP & Purity checks ticked. In my case the output looks like this:

OTL logfile created on: 21/05/2011 18:34:43 - Run 2

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Admin\My Documents\Downloads

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 548.00 Mb Available Physical Memory | 54.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.52 Gb Total Space | 56.37 Gb Free Space | 75.65% Space Free | Partition Type: NTFS

Computer Name: LAWSON1 | User Name: Admin | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Admin\My Documents\Downloads\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (Trend Micro Inc.)

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

PRC - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (Trend Micro Inc.)

PRC - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe (Trend Micro Inc.)

PRC - C:\Program Files\Trend Micro\BM\TMBMSRV.exe (Trend Micro Inc.)

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (ArcSoft Inc.)

PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)

PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

PRC - C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)

PRC - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe (Trend Micro Inc.)

PRC - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\platformdependent\ProToolbarComm.exe (Trend Micro Inc.)

PRC - C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe (Trend Micro Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Admin\My Documents\Downloads\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (Imapi Helper) -- File not found

SRV - (AppMgmt) -- File not found

SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)

SRV - (SfCtlCom) -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (Trend Micro Inc.)

SRV - (TmProxy) -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (Trend Micro Inc.)

SRV - (TmPfw) -- C:\Program Files\Trend Micro\Internet Security\TmPfw.exe (Trend Micro Inc.)

SRV - (TMBMServer) -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe (Trend Micro Inc.)

SRV - (nosGetPlusHelper) getPlus® -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll (NOS Microsystems Ltd.)

SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

========== Driver Services (SafeList) ==========

DRV - (tmcfw) -- C:\WINDOWS\system32\drivers\TM_CFW.sys (Trend Micro Inc.)

DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)

DRV - (tmxpflt) -- C:\WINDOWS\system32\drivers\tmxpflt.sys (Trend Micro Inc.)

DRV - (tmpreflt) -- C:\WINDOWS\system32\drivers\tmpreflt.sys (Trend Micro Inc.)

DRV - (vsapint) -- C:\WINDOWS\system32\drivers\vsapint.sys (Trend Micro Inc.)

DRV - (tmactmon) -- C:\WINDOWS\system32\drivers\tmactmon.sys (Trend Micro Inc.)

DRV - (tmevtmgr) -- C:\WINDOWS\system32\drivers\tmevtmgr.sys (Trend Micro Inc.)

DRV - (tmcomm) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)

DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)

DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)

DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura Ltd)

DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)

DRV - (SiSide) -- C:\WINDOWS\System32\DRIVERS\siside.sys (Silicon Integrated Systems Corp.)

DRV - (sisidex) -- C:\WINDOWS\system32\drivers\sisidex.sys (Windows ® 2000 DDK provider)

DRV - (sisperf) -- C:\WINDOWS\system32\drivers\sisperf.sys (Silicon Integrated Systems Corp.)

DRV - (SISNIC) -- C:\WINDOWS\system32\drivers\sisnic.sys (SiS Corporation)

DRV - (cmpci) C-Media PCI Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\cmaudio.sys (C-Media Inc)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"

FF - prefs.js..extensions.enabledItems: {22181a4d-af90-4ca3-a569-faed9118d6bc}:1.6.0.1161

FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.90

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24

FF - HKLM\software\mozilla\Firefox\extensions\\{22181a4d-af90-4ca3-a569-faed9118d6bc}: C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension [2011/03/19 09:48:17 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/18 10:40:21 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/18 23:18:16 | 000,000,000 | ---D | M]

[2010/10/09 12:05:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Extensions

[2011/05/21 18:09:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\hq2qx8l9.default\extensions

[2010/10/22 11:08:55 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\hq2qx8l9.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

[2011/05/21 18:09:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2010/11/28 19:42:58 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

[2011/01/03 13:16:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

[2011/05/18 23:17:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

[2010/11/28 19:42:39 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

[2011/03/19 09:48:17 | 000,000,000 | ---D | M] (Trend Micro Toolbar) -- C:\PROGRAM FILES\TREND MICRO\TRENDSECURE\TISPROTOOLBAR\FIREFOXEXTENSION

[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

[2010/09/14 22:09:10 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml

[2010/09/14 22:09:10 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml

[2010/09/14 22:09:10 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml

[2010/09/14 22:09:10 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2001/08/23 13:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (TSToolbarBHO) - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (Trend Micro Inc.)

O3 - HKLM\..\Toolbar: (Trend Micro Toolbar) - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (Trend Micro Inc.)

O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

O4 - HKLM..\Run: [C-Media Mixer] C:\WINDOWS\mixer.exe (C-Media Electronic Inc. (www.cmedia.com.tw))

O4 - HKLM..\Run: [C-Media Speaker Configuration] File not found

O4 - HKLM..\Run: [soundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [ufSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)

O4 - Startup: C:\Documents and Settings\Admin\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1286621451156 (WUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)

O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1

O18 - Protocol\Handler\tmtb {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (Trend Micro Inc.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010/10/07 04:40:15 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/18 23:17:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2011/05/18 23:17:38 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2011/05/18 23:17:38 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2011/05/18 23:17:38 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/21 17:32:57 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011/05/21 16:08:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011/05/20 12:05:35 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI

[2011/05/18 23:18:17 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/18 23:18:17 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk

[2011/05/18 23:18:17 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

[2010/11/20 17:26:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\prestopm.INI

[2010/11/20 17:17:33 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\PF1800LC.Dll

[2010/11/20 17:17:33 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\PWiaExt.dll

[2010/11/20 17:17:32 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\daspi32u.dll

[2010/11/20 17:17:32 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\IO_PORT.DLL

[2010/11/20 17:17:32 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\FVC.DLL

[2010/11/20 17:17:32 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\SQ1394.DLL

[2010/11/20 17:17:32 | 000,010,624 | ---- | C] () -- C:\WINDOWS\System32\GENEUSB.SYS

[2010/11/20 17:12:09 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI

[2010/11/20 17:07:16 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll

[2010/11/20 17:07:16 | 000,000,410 | ---- | C] () -- C:\WINDOWS\umxaddin.ini

[2010/11/20 17:03:58 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\faspi32u.dll

[2010/11/20 17:03:58 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\fCommstr.dll

[2010/11/20 17:03:58 | 000,010,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\Geneusb.sys

[2010/11/20 17:03:57 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\Fmuscrl32.dll

[2010/11/20 17:03:57 | 000,031,232 | ---- | C] () -- C:\WINDOWS\System32\FSCMD32u.dll

[2010/11/20 17:03:57 | 000,000,234 | ---- | C] () -- C:\WINDOWS\Scanner.ini

[2010/10/16 10:34:45 | 000,112,421 | R--- | C] () -- C:\WINDOWS\System32\atiicdxx.dat

[2010/10/10 18:47:27 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2010/10/09 12:40:54 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2010/10/09 12:05:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2010/10/09 11:38:03 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

[2010/10/08 04:49:21 | 000,000,025 | ---- | C] () -- C:\WINDOWS\mixerdef.ini

[2010/10/08 04:47:56 | 000,122,880 | R--- | C] () -- C:\WINDOWS\cmuninst.exe

[2010/10/08 04:47:56 | 000,122,880 | R--- | C] () -- C:\WINDOWS\cmuninst.dat

[2010/10/08 04:47:24 | 000,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI

[2010/10/08 04:47:24 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI

[2010/10/08 04:29:19 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL

[2010/10/07 04:41:53 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2010/10/07 04:38:17 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2003/08/21 01:29:42 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2003/08/21 01:28:08 | 002,016,512 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

[2001/08/23 13:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2001/08/23 13:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2001/08/23 13:00:00 | 000,314,508 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2001/08/23 13:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2001/08/23 13:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2001/08/23 13:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2001/08/23 13:00:00 | 000,040,836 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2001/08/23 13:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2001/08/23 13:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2001/08/23 13:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2010/12/05 17:56:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\OpenOffice.org

[2011/01/23 15:16:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\PIE

[2010/10/22 12:03:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Softland

[2010/10/22 12:02:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Calico Pie

[2010/11/11 22:05:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound

[2010/10/22 12:00:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2010/11/18 12:56:53 | 000,000,296 | ---- | M] () -- C:\WINDOWS\Tasks\expressburnShakeIcon.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 179 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0FD841FF

< End of report >

Hopefully, one of you fine people will now tell me what I have to paste back into OTL to make everything well, for which I thank you profusely in advance!

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.


(Sigh! User error: replace user. Try again)

OK, I ran a full scan with MBAM & it found another copy of the trojan. Now running clean.

Downloaded & ran DDS. DDS.txt as requested:

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24

Run by Admin at 14:23:56 on 2011-05-28

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.398 [GMT 1:00]

.

AV: Trend Micro Internet Security Pro *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro Personal Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Mixer.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\Program Files\Trend Micro\Internet Security\TmPfw.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe

C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Admin\My Documents\Downloads\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [C-Media Mixer] Mixer.exe /startup

mRun: [C-Media Speaker Configuration] d:\cmi8738\Setup.exe /SPEAKER

mRun: [ufSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [soundMan] SOUNDMAN.EXE

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\admin\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1286621451156

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll

Notify: AtiExtEvent - Ati2evxx.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\hq2qx8l9.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - component: c:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFTMUFEHelper.dll

FF - component: c:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFToolbarComm.dll

FF - plugin: c:\documents and settings\admin\application data\mozilla\firefox\profiles\hq2qx8l9.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\nos\bin\np_gp.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Trend Micro Toolbar: {22181a4d-af90-4ca3-a569-faed9118d6bc} - c:\program files\trend micro\trendsecure\tisprotoolbar\FirefoxExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

.

============= SERVICES / DRIVERS ===============

.

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-10-10 36432]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-10-10 339984]

R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-10-10 51792]

R3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2010-10-10 497008]

R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-10-10 689416]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 PIEUsb;Pacific Image Electronics USB Scanner;c:\windows\system32\drivers\usbscan.sys [2010-11-20 15104]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2001-8-23 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-05-26 20:12:53 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes

2011-05-26 20:12:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-26 20:12:45 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-05-26 20:12:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-26 19:56:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-22 13:39:47 -------- d-----w- c:\documents and settings\admin\application data\Microsoft Corporation

2011-05-22 12:51:03 -------- d-----w- c:\documents and settings\admin\local settings\application data\Microsoft Help

2011-05-22 12:49:35 -------- d-----w- c:\program files\MSECache

2011-05-22 11:43:49 -------- d-----w- c:\documents and settings\admin\application data\NUnit

2011-05-22 11:07:25 5632 ----a-r- c:\documents and settings\admin\application data\microsoft\installer\{879f64a7-7ec6-4281-90db-c720de11d79c}\nunit_icon.exe

2011-05-22 10:53:49 -------- d-----w- c:\windows\system32\XPSViewer

2011-05-22 10:53:14 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

2011-05-22 10:52:56 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2011-05-22 10:52:56 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2011-05-22 10:52:56 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2011-05-22 10:52:56 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2011-05-22 10:52:56 575488 ------w- c:\windows\system32\xpsshhdr.dll

2011-05-22 10:52:56 117760 ------w- c:\windows\system32\prntvpt.dll

2011-05-22 10:52:55 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2011-05-22 10:52:55 1676288 ------w- c:\windows\system32\xpssvcs.dll

2011-05-22 10:52:55 -------- d-----w- C:\ca653e06e0df65340e31a5

2011-05-22 10:25:26 -------- d-----w- c:\program files\NUnit 2.5.10

2011-05-22 09:22:41 -------- d-----w- c:\program files\Microsoft SQL Server

2011-05-22 09:22:16 -------- d-----w- c:\program files\Microsoft Synchronization Services

2011-05-22 09:22:14 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2011-05-22 09:21:40 205984 ----a-w- c:\documents and settings\all users\application data\microsoft\vbexpress\10.0\1033\ResourceCache.dll

2011-05-22 09:18:53 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0

2011-05-22 09:18:53 -------- d-----w- c:\program files\Microsoft Help Viewer

2011-05-15 19:55:30 221184 ----a-w- c:\windows\system32\wmpns.dll

.

==================== Find3M ====================

.

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 14:24:55.70 ===============

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
