Desktop changed and locked, access to programs locked, false positives


4 replies to this topic

#1 Octavarium (Full Member, 37 posts)

Posted 02 July 2009 - 11:21 PM

Today, I was browsing the internet, when the browser I was using (Firefox) suddenly crashed. Shortly thereafter, my desktop picture was changed to an "error message" (in poor English) that was unchangeable. I have taken a screenshot of this message, if it is desired. The computer had also slowed down drastically at this point. When I tried to open the task manager, I found it had been "disabled by [my] administrator," although my account is an administrator account, and the only one on this computer. A Windows "message" also popped up, saying I should scan my computer. Although I did not click on it, a window eventually popped up anyway and started scanning my computer, at which point I tried to restart it; however, Windows Explorer had ceased to function, so I pressed the hard reset button and rebooted. I tried to reboot in safe mode, but after several attempts, that did not work - I got a long series of "loading [x]" with x being a number of things (I recall most of them mentioned "partition"), and then the computer would just automatically restart itself. Eventually, I disconnected from the internet and reloaded normally. The bogus scanner and its accompanying message have not appeared since. I use Trend Micro as an antivirus, so I first tried scanning with that. It would complete the scan to 100%, but then it would stick in the "cleaning up" phase eternally. Upon trying to scan with Malwarebytes' Anti-Malware, I found it would not boot at all; ditto with Spybot. HJT does work, however, and with the knowledge I have of that, I did delete some things I was able to confirm as malware when I reconnected to the internet. One last thing of note - I did the Panda ActiveScan successfully, and it said that I had Trend Micro but that it was "disabled."

In essence, my main symptoms are this: the desktop is changed to a bogus message, and it cannot be changed under the right-click desktop menu, Windows Explorer periodically stops working (this is sporadic, sometimes it works, sometimes it doesn't), performance is drastically reduced, and several programs, including the Trend Micro scanner, Windows Task Manager, Spybot and Malwarebytes' Anti-Malware are not able to be used.

My HJT log is below; thank you very much in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:24 PM, on 7/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\MSI\Live Update 3\LMonitor.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
E:\Program Files\DAEMON Tools Lite\daemon.exe
E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
E:\Program Files\TrueSwitchComcast\TrueWizard.exe
E:\Program Files\OpenOffice.org 3\program\soffice.exe
E:\Program Files\OpenOffice.org 3\program\soffice.bin
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
E:\Program Files\Trend Micro\BM\TMBMSRV.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
E:\Program Files\Trend Micro\Internet Security\TmProxy.exe
E:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
E:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
E:\WINDOWS\system32\svchost.exe
C:\HiJack This\HJT.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - E:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinSys2] E:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "E:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [LiveMonitor] E:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [net] "E:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [winupdate.exe] E:\WINDOWS\system32\winupdate.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "E:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "E:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] E:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [net] "E:\WINDOWS\system32\net.net"
O4 - Startup: OpenOffice.org 3.0.lnk = E:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: TrueAssistant.lnk = E:\Program Files\TrueSwitchComcast\TrueWizard.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DualCoreCenter.lnk = E:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - E:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - E:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D43AD4F-E724-4FC2-B09D-E9F995C407AC}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{6D43AD4F-E724-4FC2-B09D-E9F995C407AC}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{6D43AD4F-E724-4FC2-B09D-E9F995C407AC}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS3\Services\Tcpip\..\{6D43AD4F-E724-4FC2-B09D-E9F995C407AC}: NameServer = 68.87.77.130,68.87.72.130
O20 - AppInit_DLLs: ,E:\DOCUME~1\ERIKDE~1\LOCALS~1\Temp\67888484225mxx.dll
O20 - Winlogon Notify: ddccawTM - E:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - E:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - E:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - E:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - E:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 8284 bytes

#2 TheJoker (Forum Deity, Boot Camp Mod, 14,352 posts)

Posted 04 July 2009 - 07:27 AM

Hi Octavarium, and Welcome Back

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed. If there is something you can't do, just skip to the next step, and let me know what happened.

Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Private Data).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • If you are unable to install MBAM, try renaming mbam-setup.exe to install.exe and double-click to install.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once installed, if you are unable to start MBAM, go to C:\Program Files\Malwarebytes' Anti-Malware and rename mbam.exe to myfile.exe and double-click the file to run it.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O4 - HKLM\..\Run: [WinSys2] E:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [net] "E:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [winupdate.exe] E:\WINDOWS\system32\winupdate.exe
O4 - HKCU\..\Run: [net] "E:\WINDOWS\system32\net.net"
O20 - AppInit_DLLs: ,E:\DOCUME~1\ERIKDE~1\LOCALS~1\Temp\67888484225mxx.dll
O20 - Winlogon Notify: ddccawTM - E:\WINDOWS\


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Using Windows Explorer, locate the following files, and delete them if still there:
E:\WINDOWS\system32\winsys2.exe
E:\WINDOWS\system32\winupdate.exe
E:\Documents and Settings\ERIKDE~1\Local Settings\Temp\67888484225mxx.dll (ERIKDE~1 is the short name for your profile folder, it will start with ERIKDE and be followed by some additional characters)
C:\Windows\System32\net.net (be careful to NOT accidentally delete the legitimate net.exe)

Now you need to hide the files you un-hid earlier:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading unselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.

Download ComboFix© by sUBs from one of these locations:

http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Familiarize yourself with ComboFix before running it:
http://www.bleepingc...to-use-combofix

  • Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. There are some difficult-to-remove infections that will only be fixed if you have the Recovery Console installed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply.

Please post a new HijackThis log, the log from MBAM, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005
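The six entries TheJoker picked out of the HijackThis log above share a few traits that make them stand out from the legitimate autostarts around them: a Run value whose target is not an .exe at all (net.net), the same Run name registered under both HKLM and HKCU, unfamiliar executables dropped straight into system32 (winsys2.exe, winupdate.exe), an AppInit_DLLs entry pointing at a DLL in a Temp folder, and a Winlogon Notify entry whose "path" is just the Windows directory with no DLL name. The script below is an added example, not part of this thread and not HijackThis or Malwarebytes code; it applies those heuristics to HJT-format lines so the reasoning behind a triage can be repeated on other logs. The sample lines are copied from the log posted above plus two legitimate entries for contrast, and the KNOWN_SYSTEM32 allowlist is a constructed stand-in for a vetted list.

```python
import re

# Constructed sample: HijackThis-format lines copied from the log posted in this
# thread, plus two legitimate entries so the heuristics have both kinds to work on.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinSys2] E:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "E:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [net] "E:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [winupdate.exe] E:\WINDOWS\system32\winupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [net] "E:\WINDOWS\system32\net.net"
O20 - AppInit_DLLs: ,E:\DOCUME~1\ERIKDE~1\LOCALS~1\Temp\67888484225mxx.dll
O20 - Winlogon Notify: ddccawTM - E:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<val>.*)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')

# Assumption for this example: a tiny allowlist of system32 executables that
# legitimately appear in Run entries on Windows XP. Real triage needs a vetted list.
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe"}


def target_path(cmd):
    """Return the executable path from a Run value: the quoted part if the value
    is quoted, otherwise the first whitespace-separated token (arguments dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(lines):
    """Return a list of (reason, line) findings for the HJT-format lines given.
    Lines that match no heuristic are silently accepted."""
    findings = []
    hives_by_name = {}  # Run value name -> set of hives it appears under
    for line in lines:
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            exe = target_path(m["cmd"])
            base = exe.rsplit("\\", 1)[-1].lower()
            ext = base.rsplit(".", 1)[-1] if "." in base else ""
            if ext != "exe":
                findings.append(("Run target is not an .exe (%s)" % base, line))
            elif "\\system32\\" in exe.lower() and base not in KNOWN_SYSTEM32:
                findings.append(("unrecognised executable in system32 (%s)" % base, line))
            hives_by_name.setdefault(m["name"].lower(), set()).add(m["hive"])
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is comma separated; HJT shows it only when non-empty.
            for dll in m["val"].split(","):
                dll = dll.strip()
                if not dll:
                    continue
                reason = "AppInit_DLLs entry (loaded into every process that maps user32.dll)"
                if "\\temp\\" in dll.lower():
                    reason += ", located in a Temp directory"
                findings.append((reason, line))
            continue
        m = NOTIFY_RE.match(line)
        if m and m["path"].endswith("\\"):
            findings.append(("Winlogon Notify entry with no DLL file name", line))
    for name, hives in hives_by_name.items():
        if len(hives) > 1:
            findings.append(("same Run name registered in both HKLM and HKCU", "[%s]" % name))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG.strip().splitlines()):
        print("%-70s <- %s" % (reason, line))
```

Run against the sample it reports exactly the entries TheJoker asked to have fixed, plus the cross-hive duplicate of the [net] value, and stays quiet on the NVIDIA, Trend Micro, ctfmon and Bonjour lines. The heuristics are deliberately narrow; they are a starting point for reading a log, not a verdict, and the allowlist in particular must be replaced before using this on anything real.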


#3 Octavarium (Full Member, 37 posts)

Posted 09 July 2009 - 09:31 PM

Alright here we go, sorry for responding a little late, as the internet connection in my area has been extremely spotty recently.

The only noticeable problem I had when following the steps was that MBAM's update was not working - it would say the files were downloaded and it was installing, but then it would load for a bit and nothing would happen. I updated it later however, and re-ran it to make sure it would work. I will use the log from the non-updated scan, however.

E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
E:\Program Files\OpenOffice.org 3\program\soffice.exe
E:\Program Files\TrueSwitchComcast\TrueWizard.exe
E:\Program Files\OpenOffice.org 3\program\soffice.bin
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
E:\Program Files\MSI\DualCoreCenter\DualCoreCenter.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
E:\Program Files\Trend Micro\Internet Security\TmProxy.exe
E:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
E:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\uTorrent\uTorrent.exe
C:\HiJack This\HJT.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - E:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "E:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [LiveMonitor] E:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "E:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "E:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: OpenOffice.org 3.0.lnk = E:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: TrueAssistant.lnk = E:\Program Files\TrueSwitchComcast\TrueWizard.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DualCoreCenter.lnk = E:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - E:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - E:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D43AD4F-E724-4FC2-B09D-E9F995C407AC}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{6D43AD4F-E724-4FC2-B09D-E9F995C407AC}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{6D43AD4F-E724-4FC2-B09D-E9F995C407AC}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS3\Services\Tcpip\..\{6D43AD4F-E724-4FC2-B09D-E9F995C407AC}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS4\Services\Tcpip\..\{6D43AD4F-E724-4FC2-B09D-E9F995C407AC}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS5\Services\Tcpip\..\{6D43AD4F-E724-4FC2-B09D-E9F995C407AC}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS6\Services\Tcpip\..\{6D43AD4F-E724-4FC2-B09D-E9F995C407AC}: NameServer = 68.87.77.130,68.87.72.130
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - E:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - E:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - E:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - E:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 8115 bytes




Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

7/4/2009 7:43:18 PM
mbam-log-2009-07-04 (19-43-18).txt

Scan type: Quick Scan
Objects scanned: 47183
Time elapsed: 2 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 Octavarium (Full Member, 37 posts)

Posted 09 July 2009 - 09:33 PM

ComboFix 09-07-04.04 - Erik DeLarge 07/04/2009 20:32.2 - NTFSx86
Running from: e:\documents and settings\Erik DeLarge\Desktop\Cmb.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
e:\documents and settings\All Users\Application Data\19130624
e:\documents and settings\All Users\Application Data\19130624\19130624.exe
e:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
e:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
e:\documents and settings\Erik DeLarge\Application Data\wiaservg.log
e:\windows\system32\AutoRun.inf
e:\windows\system32\AVR09.exe
e:\windows\system32\Drivers\kllad.sys
e:\windows\system32\kdfinj.dll
e:\windows\system32\msexpx.exe
e:\windows\system32\msisp.exe
e:\windows\system32\msmxmgz.exe
e:\windows\system32\msnksk.exe
e:\windows\system32\msoblhjg.exe
e:\windows\system32\msvopz.exe
e:\windows\system32\msyfw.exe
e:\windows\system32\pcmstub.sys
e:\windows\system32\uacinit.dll
e:\windows\system32\uactmp.db
e:\windows\system32\wbem\proquota.exe

----- BITS: Possible infected sites -----

hxxp://download.xbox.com
e:\windows\system32\proquota.exe was missing
Restored copy from - e:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_pcmstub
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_6to4
-------\Service_pcmstub
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-07-05 01:35 . 2008-04-14 00:12 50176 -c--a-w- e:\windows\system32\dllcache\proquota.exe
2009-07-05 00:39 . 2009-07-05 01:00 3561743 ----a-w- e:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-03 17:23 . 2009-07-03 17:43 -------- d-----w- e:\documents and settings\Erik DeLarge\.housecall6.6
2009-07-03 16:58 . 2009-07-03 16:58 0 ----a-w- E:\backup.reg
2009-07-03 00:15 . 2008-06-19 22:24 28544 ----a-w- e:\windows\system32\drivers\pavboot.sys
2009-07-03 00:14 . 2009-07-03 00:14 -------- d-----w- e:\program files\Panda Security
2009-07-02 21:09 . 2009-07-03 17:03 0 ----a-w- e:\windows\system32\drivers\c9debb3d.sys
2009-07-02 21:09 . 2009-07-02 21:09 -------- d-sh--w- e:\windows\System Volume Information
2009-06-11 20:26 . 2009-06-11 20:26 8854 ----a-r- e:\documents and settings\Erik DeLarge\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2009-06-11 20:26 . 2009-06-11 20:26 40960 ----a-r- e:\documents and settings\Erik DeLarge\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2009-06-11 20:26 . 2009-06-11 20:26 40960 ----a-r- e:\documents and settings\Erik DeLarge\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2009-06-11 20:26 . 2009-06-11 20:27 -------- d-----w- e:\program files\Project64 1.6
2009-06-11 01:30 . 2009-06-11 01:38 -------- d-----w- e:\program files\Black Isle
2009-06-08 02:08 . 2009-06-08 02:08 -------- d-----w- e:\documents and settings\Erik DeLarge\.phet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 01:36 . 2008-09-05 22:28 -------- d-----w- e:\program files\TrueSwitchComcast
2009-07-05 00:21 . 2009-01-01 23:15 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-07-03 17:28 . 2008-12-29 03:57 1 ----a-w- e:\documents and settings\Erik DeLarge\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-03 17:23 . 2008-08-14 06:12 102664 ----a-w- e:\windows\system32\drivers\tmcomm.sys
2009-07-03 17:20 . 2008-08-16 18:38 77824 ----a-w- e:\windows\system32\kdfapi.dll
2009-07-03 17:20 . 2008-08-16 18:38 53248 ----a-w- e:\windows\system32\Kdfhok.dll
2009-07-03 17:20 . 2008-08-16 18:38 192512 ----a-w- e:\windows\system32\kdfvmgr.exe
2009-07-03 17:20 . 2008-08-16 18:38 722472 ----a-w- e:\windows\system32\kdfmgr.exe
2009-07-03 01:20 . 2008-08-27 05:22 10752 ----a-w- e:\windows\DCEBoot.exe
2009-07-02 23:44 . 2008-08-06 07:28 -------- d-----w- e:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-02 21:09 . 2008-08-06 07:32 -------- d-----w- e:\documents and settings\Erik DeLarge\Application Data\uTorrent
2009-06-25 06:50 . 2008-10-30 19:48 326688 ----a-w- e:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-11 03:05 . 2008-08-06 07:19 -------- d--h--w- e:\program files\InstallShield Installation Information
2009-06-03 19:52 . 2009-06-03 19:47 -------- d-----w- e:\program files\Aracnum
2009-06-02 23:16 . 2009-06-02 23:16 -------- d-----w- e:\program files\Atari
2009-06-01 22:24 . 2009-06-01 22:24 -------- d-----w- e:\documents and settings\Erik DeLarge\Application Data\Leadertech
2009-05-31 23:02 . 2009-05-31 23:02 -------- d-----w- e:\program files\directx
2009-05-30 22:07 . 2009-05-30 22:07 390664 ----a-w- e:\documents and settings\Erik DeLarge\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-04-22 19:40 . 2009-04-22 19:40 152576 ----a-w- e:\documents and settings\Erik DeLarge\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-22 05:20 . 2009-04-22 05:20 14311680 ----a-w- e:\windows\system32\xlive.dll
2009-04-22 05:20 . 2009-04-22 05:20 13642496 ----a-w- e:\windows\system32\xlivefnt.dll
2009-04-08 02:36 . 2009-04-08 02:36 75048 ----a-w- e:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="e:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-08-07 4608]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"OE"="e:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-16 492808]
"DAEMON Tools Lite"="e:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"HP Software Update"="e:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"UfSeAgnt.exe"="e:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"WinampAgent"="e:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"TkBellExe"="e:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-06 185896]
"AppleSyncNotifier"="e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"LiveMonitor"="e:\program files\MSI\Live Update 3\LMonitor.exe" [2008-04-30 498176]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - e:\windows\system32\nwiz.exe [2009-02-18 1657376]
"RTHDCPL"="RTHDCPL.EXE" - e:\windows\RTHDCPL.exe [2007-11-30 16858624]

e:\documents and settings\Erik DeLarge\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - e:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
TrueAssistant.lnk - e:\program files\TrueSwitchComcast\TrueWizard.exe [2008-9-1 1060864]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - e:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
DualCoreCenter.lnk - e:\program files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe [2008-8-14 192512]
HP Digital Imaging Monitor.lnk - e:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"e:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"e:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"e:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=

R0 pavboot;pavboot;e:\windows\system32\drivers\pavboot.sys [7/2/2009 7:15 PM 28544]
R2 tmpreflt;tmpreflt;e:\windows\system32\drivers\tmpreflt.sys [2/16/2008 4:00 AM 36368]
R3 DualCoreCenter;DualCoreCenter;e:\program files\MSI\DualCoreCenter\NTGLM7X.sys [8/14/2008 12:29 AM 28160]
R3 FStarForce;FStarForce;e:\windows\system32\drivers\FStarForce.sys [7/2/2009 4:14 PM 9216]
R3 RushTopDevice2;RushTopDevice2;e:\program files\MSI\DualCoreCenter\RushTop.sys [8/14/2008 12:29 AM 52736]
R3 tmcfw;Trend Micro Common Firewall Service;e:\windows\system32\drivers\TM_CFW.sys [7/2/2009 4:14 PM 333328]
R3 tmproxy;Trend Micro Proxy Service;e:\program files\Trend Micro\Internet Security\TmProxy.exe [8/14/2008 1:12 AM 648456]
S1 c9debb3d;c9debb3d;e:\windows\system32\drivers\c9debb3d.sys [7/2/2009 4:09 PM 0]
S2 tmevtmgr;tmevtmgr;e:\windows\system32\drivers\tmevtmgr.sys [8/14/2008 1:12 AM 52624]
S3 cpuz130;cpuz130;\??\e:\docume~1\ERIKDE~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> e:\docume~1\ERIKDE~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 TmPfw;Trend Micro Personal Firewall;e:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/14/2008 1:12 AM 488768]
S4 lich;lich; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - NVR0Dev

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - e:\program files\Uniblue\RegistryBooster\RegistryBooster.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: {6D43AD4F-E724-4FC2-B09D-E9F995C407AC} = 68.87.77.130,68.87.72.130
FF - ProfilePath - e:\documents and settings\Erik DeLarge\Application Data\Mozilla\Firefox\Profiles\5ot3pzxw.default\
FF - prefs.js: browser.startup.homepage - www.facebook.com
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 20:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\lich]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1004336348-1972579041-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:17,bc,8f,0c,39,86,6f,85,91,f8,c8,8d,b8,8b,87,de,65,ab,a3,f6,56,14,da,
8b,c2,a6,53,0b,ca,66,be,6e,4a,20,cf,7b,d4,4e,df,05,58,1f,bd,1a,4e,a7,fe,9b,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1004336348-1972579041-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:ce,ab,19,e6,35,eb,f7,07,76,bb,f0,61,b4,13,b1,d2,94,8a,f3,c0,8b,
aa,29,11,e0,b3,6c,2e,4a,7a,99,1f,68,25,74,a7,62,0b,fe,fb,e1,56,8d,9d,f6,6a,\
"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(480)
e:\windows\system32\WPDShServiceObj.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\windows\system32\rundll32.exe
e:\program files\OpenOffice.org 3\program\soffice.exe
e:\program files\OpenOffice.org 3\program\soffice.bin
e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
e:\program files\Bonjour\mDNSResponder.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\windows\system32\nvsvc32.exe
e:\program files\Trend Micro\Internet Security\SfCtlCom.exe
e:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
e:\program files\iPod\bin\iPodService.exe
e:\program files\HP\Digital Imaging\bin\hpqste08.exe
e:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
e:\program files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
.
**************************************************************************
.
Completion time: 2009-07-05 20:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-05 01:42

Pre-Run: 383,281,156,096 bytes free
Post-Run: 383,427,014,656 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
222 --- E O F --- 2008-11-13 01:47

#5 TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,352 posts

Posted 10 July 2009 - 05:07 AM

When you post a HijackThis log, be certain you include the full header, it contains important information.

Using Windows Explorer, delete the following file:
e:\windows\DCEBoot.exe

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Please go to VirusTotal and submit the following files for a scan and post the detection results (I don't need the "additional information") in your next reply:
e:\windows\system32\drivers\c9debb3d.sys
e:\windows\system32\dllcache\proquota.exe

Now use Windows Search (Start > Search > For Files or Folders), to search for the following file:
proquota.exe

If there are any additional instances of proquota.exe found in addition to the above copy, scan them also and post the results. Be certain you include the full path to each copy scanned so we can tell which is which.

Now you need to hide the files you un-hid earlier:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading unselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.

In Internet Explorer, please run the BitDefender online scan at BitDefender.com
You will need to allow an ActiveX control to install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Please post the results in your next reply.

Please post a new HijackThis log, the results from scanning the files at VirusTotal, and in a separate reply (so nothing is cut off by the maximum post length), the log from BitDefender's online scan.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005
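As an added example that is not part of the thread (and not one of the tools the helper names), the "search for every proquota.exe and report each full path" step above can be scripted so that each copy is hashed and any copy whose hash differs from the protected dllcache reference copy is flagged for scanning first. The directory layout built by demo() is constructed to imitate the XP paths in the log; on a real machine root would be the Windows directory and the reference copy e:\windows\system32\dllcache\proquota.exe.

```python
# Added example, not from the thread: enumerate every copy of a file name under
# a root, hash each, and flag copies whose hash differs from a reference copy.
# Mirrors the helper's manual "search for proquota.exe and report each path".
import hashlib
import os
import tempfile


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()  # files here are small


def find_copies(root, name):
    """Return sorted (full_path, size, sha256) for every file named `name`
    under root, matched case-insensitively as NTFS does."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                full = os.path.join(dirpath, fn)
                hits.append((full, os.path.getsize(full), sha256_of(full)))
    return sorted(hits)


def rogue_copies(copies, reference_path):
    """Paths of copies whose hash differs from the copy at reference_path."""
    ref = os.path.normcase(reference_path)
    ref_hash = next((d for p, _s, d in copies if os.path.normcase(p) == ref), None)
    return [p for p, _s, d in copies if d != ref_hash]


def demo():
    """Constructed sample tree in a temp dir (paths imitate the XP layout);
    the copy under Temp deliberately has different content."""
    base = tempfile.mkdtemp(prefix="proquota_demo_")
    legit, rogue = b"MZ constructed legit", b"MZ constructed rogue"
    layout = {"windows/system32/dllcache/proquota.exe": legit,
              "windows/system32/proquota.exe": legit,
              "docume~1/user/locals~1/Temp/proquota.exe": rogue}
    for rel, data in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    ref = os.path.join(base, "windows", "system32", "dllcache", "proquota.exe")
    copies = find_copies(base, "proquota.exe")
    return copies, rogue_copies(copies, ref), ref
```

The SHA-256 values can be looked up on VirusTotal directly, which avoids uploading the file when it has already been seen.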
