browser interference..

Post by maggieD » March 9th, 2009, 11:02 pm

Hello there. Could you please try and help me with this problem? My computer makes a clinking sound, and my browser has to be clicked two times before it gives me the right address. I have Trend Micro security and have sent the log off to them also, but it seems days before I get an answer, and still it keeps recurring.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:13 PM, on 3/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Quick Macros 2\qmserv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\PartyGaming\PartyGaming.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Extreme Eraser - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Extreme Eraser - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Quick Macros (quickmacros2) - Unknown owner - C:\Program Files\Quick Macros 2\qmserv.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6357 bytes
maggieD
Active Member
 
Posts: 11
Joined: March 9th, 2009, 10:54 pm

Re: browser interference..

Post by Bio-Hazard » March 29th, 2009, 11:24 am

Hello and welcome to the forums!

Sorry for the delay; the forum is very busy.

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something, please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

No Reply Within 5 Days Will Result In Your Topic Being Closed!!


random's system information tool (RSIT)

  • Download random's system information tool (RSIT) by random/random from HERE and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized)
  • Post both of these logs in your next reply. (Sometimes you have to make several posts to get the logs posted.)
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: browser interference..

Post by maggieD » April 2nd, 2009, 5:03 am

Hello, I know it is after 5 days, but I've been trying to re-download the Trend Micro security, which has taken all this time to do. Now that that's out of the way, I have another problem: something seems to be slowing my computer down. I have followed your instructions and am sending the file you requested.

Logfile of random's system information tool 1.06 (written by random/random)
Run by computer at 2009-04-02 19:53:32
Microsoft Windows XP Professional Service Pack 3
System drive C: has 61 GB (80%) free of 76 GB
Total RAM: 510 MB (14% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:45 PM, on 4/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Quick Macros 2\qmserv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PartyGaming\PartyGaming.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\SpeedSim\SpeedSim.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\computer\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\computer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Extreme Eraser - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Extreme Eraser - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Quick Macros (quickmacros2) - Unknown owner - C:\Program Files\Quick Macros 2\qmserv.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6068 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\OGADaily.job
C:\WINDOWS\tasks\OGALogon.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43C6D902-A1C5-45c9-91F6-FD9E90337E18}]
TSToolbarBHO - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll [2009-02-12 144720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCAC5586-44D7-4c43-B64A-F042461A97D2} - Trend Micro Toolbar - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll [2009-02-12 144720]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-12-04 7340032]
"UfSeAgnt.exe"=C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [2009-03-13 995528]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"OE"=C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe [2009-03-23 497008]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2005-12-04 7340032]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^computer^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^computer^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
[]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll [2005-12-21 40448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
nwprovau
"notification packages"=scecli
psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SoftwareDistribution32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SoftwareDistribution32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0
"Wallpaper"=
"NoDispAppearancePage"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoActiveDesktop"=0
"ForceActiveDesktopOn"=0
"NoWindowsUpdate"=0
"NoActiveDesktopChanges"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Toshiba\ConfigFree\CFXFER.exe"="C:\Program Files\Toshiba\ConfigFree\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe"="C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\WINDOWS\System32\SoftwareDistribution32\ctfmon.exe"="C:\WINDOWS\System32\SoftwareDistribution32\ctfmon.exe:*:Enabled:Microsoft Update Connector"
"C:\Program Files\SecondLife\SLVoice.exe"="C:\Program Files\SecondLife\SLVoice.exe:*:Enabled:SLVoice"
"C:\Program Files\Paltalk Messenger\paltalk.exe"="C:\Program Files\Paltalk Messenger\paltalk.exe:*:Enabled:PaltalkScene"
"C:\Documents and Settings\computer\Application Data\printer.exe"="C:\Documents and Settings\computer\Application Data\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Program Files\IncrediMail\bin\IncMail.exe"="C:\Program Files\IncrediMail\bin\IncMail.exe:*:Disabled:IncrediMail"
"C:\Program Files\IncrediMail\bin\ImpCnt.exe"="C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Disabled:IncrediMail"
"C:\Program Files\IncrediMail\bin\IMApp.exe"="C:\Program Files\IncrediMail\bin\IMApp.exe:*:Disabled:IncrediMail"
"C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe"="C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe:*:Disabled:IncrediMail Installer"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\System32\SoftwareDistribution32\ctfmon.exe"="C:\WINDOWS\System32\SoftwareDistribution32\ctfmon.exe:*:Enabled:Microsoft Update Connector"
"C:\Documents and Settings\computer\Application Data\printer.exe"="C:\Documents and Settings\computer\Application Data\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======List of files/folders created in the last 1 months======

2009-04-02 19:53:32 ----D---- C:\rsit
2009-04-02 16:12:36 ----D---- C:\Documents and Settings\computer\Application Data\teamspeak2
2009-04-02 16:11:58 ----D---- C:\Program Files\Teamspeak2_RC2
2009-03-23 17:12:22 ----A---- C:\WINDOWS\system32\kdfvmgr.exe
2009-03-23 17:12:22 ----A---- C:\WINDOWS\system32\Kdfhok.dll
2009-03-23 17:12:22 ----A---- C:\WINDOWS\system32\kdfapi.dll
2009-03-23 17:12:21 ----D---- C:\WINDOWS\kdefense
2009-03-23 17:12:21 ----A---- C:\WINDOWS\system32\kdfmgr.exe
2009-03-23 17:12:21 ----A---- C:\WINDOWS\system32\kdfinj.dll
2009-03-23 16:58:15 ----D---- C:\Documents and Settings\All Users\Application Data\Trend Micro
2009-03-23 14:59:33 ----HDC---- C:\WINDOWS\$NtUninstallKB942288-v3$
2009-03-20 18:26:11 ----D---- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2009-03-20 18:22:54 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-03-20 00:48:00 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-03-20 00:47:54 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-03-20 00:47:49 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-03-20 00:47:44 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-03-20 00:47:26 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-03-20 00:47:12 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-03-20 00:46:48 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-03-20 00:46:42 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-03-20 00:46:36 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-20 00:46:27 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-03-20 00:45:47 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-03-20 00:45:38 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-03-20 00:45:32 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-03-20 00:45:25 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-03-20 00:45:20 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-03-20 00:45:13 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-03-20 00:45:04 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-03-20 00:44:45 ----HDC---- C:\WINDOWS\$NtUninstallKB950760$
2009-03-20 00:44:40 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-03-20 00:44:33 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-20 00:44:23 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
2009-03-20 00:44:19 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-03-20 00:43:59 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-03-20 00:43:07 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-03-20 00:43:01 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-03-20 00:42:54 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-03-20 00:42:49 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-03-20 00:41:51 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2009-03-16 14:14:03 ----A---- C:\WINDOWS\system32\exitwx.exe
2009-03-14 20:42:01 ----D---- C:\WINDOWS\LocalSSL
2009-03-05 19:50:24 ----D---- C:\Documents and Settings\computer\Application Data\skypePM
2009-03-05 19:46:27 ----D---- C:\Program Files\Common Files\Skype
2009-03-05 19:46:22 ----RD---- C:\Program Files\Skype

======List of files/folders modified in the last 1 months======

2009-04-02 19:53:34 ----D---- C:\WINDOWS\Prefetch
2009-04-02 17:19:48 ----D---- C:\WINDOWS\Temp
2009-04-02 16:12:17 ----D---- C:\WINDOWS\system32
2009-04-02 16:11:58 ----RD---- C:\Program Files
2009-04-02 14:25:42 ----D---- C:\Program Files\Mozilla Firefox
2009-04-02 14:15:07 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-02 14:15:04 ----D---- C:\WINDOWS
2009-04-02 14:01:45 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-02 14:00:32 ----SHD---- C:\RECYCLER
2009-03-29 23:42:48 ----D---- C:\Program Files\Full Tilt Poker
2009-03-29 07:02:42 ----D---- C:\WINDOWS\system32\Service
2009-03-27 12:06:21 ----SHD---- C:\WINDOWS\Installer
2009-03-24 18:11:17 ----D---- C:\WINDOWS\system32\drivers
2009-03-23 17:54:03 ----HD---- C:\WINDOWS\inf
2009-03-23 16:59:43 ----D---- C:\Program Files\Trend Micro
2009-03-23 16:58:21 ----HD---- C:\Config.Msi
2009-03-23 16:53:23 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-03-23 16:53:18 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-23 15:00:06 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-23 13:23:35 ----SD---- C:\WINDOWS\Tasks
2009-03-23 13:23:33 ----A---- C:\WINDOWS\wininit.ini
2009-03-21 01:32:15 ----D---- C:\WINDOWS\Debug
2009-03-20 18:26:03 ----D---- C:\WINDOWS\system32\CatRoot
2009-03-20 00:47:59 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-20 00:47:51 ----D---- C:\Program Files\Messenger
2009-03-20 00:45:48 ----D---- C:\WINDOWS\WinSxS
2009-03-20 00:43:48 ----D---- C:\Program Files\Internet Explorer
2009-03-20 00:39:48 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-19 00:26:25 ----D---- C:\Program Files\Common Files
2009-03-14 20:41:44 ----D---- C:\WINDOWS\Registration
2009-03-12 22:17:11 ----D---- C:\Program Files\PartyGaming
2009-03-12 16:48:02 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-03-12 11:23:34 ----D---- C:\Program Files\EmpirePokerMaster
2009-03-10 14:27:08 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-03-10 11:41:02 ----D---- C:\Program Files\PartyGaming.Net
2009-03-09 16:25:23 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-03-07 20:20:52 ----D---- C:\WINDOWS\pss
2009-03-07 15:13:45 ----D---- C:\Documents and Settings\computer\Application Data\Skype
2009-03-05 19:46:27 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2009-03-05 12:16:42 ----D---- C:\Program Files\PKR
2009-03-03 17:15:50 ----D---- C:\WINDOWS\ie7updates

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-08 35840]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-26 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-26 22684]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2009-03-04 80400]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-10-07 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-10-07 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-10-07 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-10-07 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-10-07 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-10-07 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-10-07 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-13 40544]
R2 FdRedir;FdRedir; \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys []
R2 FileDisk2;FileDisk Protector Kernel Driver; \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys []
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-14 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
R2 smihlp;SMI helper driver; \??\C:\Program Files\Protector Suite QL\smihlp.sys []
R2 tmactmon;tmactmon; \??\C:\WINDOWS\system32\drivers\tmactmon.sys []
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 tmevtmgr;tmevtmgr; \??\C:\WINDOWS\system32\drivers\tmevtmgr.sys []
R2 tmpreflt;tmpreflt; C:\WINDOWS\system32\DRIVERS\tmpreflt.sys [2009-03-06 36368]
R2 tmxpflt;tmxpflt; C:\WINDOWS\system32\DRIVERS\tmxpflt.sys [2009-03-06 205328]
R2 vsapint;vsapint; C:\WINDOWS\system32\DRIVERS\vsapint.sys [2009-03-06 1195512]
R3 AgereSoftModem;TOSHIBA V92 Software Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-11-15 1122656]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2005-09-14 179200]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-12-09 4123136]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2003-09-11 21060]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-12-04 3605664]
R3 NWRDR;NetWare Rdr; C:\WINDOWS\system32\DRIVERS\nwrdr.sys [2008-04-14 163584]
R3 Pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-14 79232]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-12-16 191936]
R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2005-12-21 28800]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-11-30 162560]
R3 tmcfw;Trend Micro Common Firewall Service; C:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]
R3 tosrfec;Bluetooth ACPI from TOSHIBA; C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-10 9344]
R3 TVALD;Toshiba Mobile PC Service; C:\WINDOWS\system32\DRIVERS\NBSMI.sys [2005-10-21 6144]
R3 Tvs;TOSHIBA Virtual Sound with SRS technologies; C:\WINDOWS\system32\DRIVERS\Tvs.sys [2005-12-01 43392]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 w39n51;Intel(R) PRO/Wireless 3945ABG Adapter Driver; C:\WINDOWS\system32\DRIVERS\w39n51.sys [2005-12-05 1428096]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2002-11-27 50960]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2002-11-27 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2002-11-27 22384]
S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\drivers\lvusbsta.sys [2005-05-27 22016]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 neokdss;neokdss; C:\WINDOWS\system32\Drivers\neokdss.sys []
S3 pepifilter;Volume Adapter; C:\WINDOWS\system32\DRIVERS\lv302af.sys [2005-05-27 7136]
S3 PID_08A0;QuickCam IM(PID_08A0); C:\WINDOWS\system32\DRIVERS\LV302AV.SYS [2005-05-27 913280]
S3 qmphook;QM process triggers; \??\C:\Program Files\Quick Macros 2\qmphook.sys []
S3 SABProcEnum;SABProcEnum; \??\C:\Program Files\Internet Explorer\SABProcEnum.sys []
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 sffdisk;SFF Storage Class Driver; C:\WINDOWS\system32\DRIVERS\sffdisk.sys [2008-04-14 11904]
S3 sffp_sd;SFF Storage Protocol Driver for SDBus; C:\WINDOWS\system32\DRIVERS\sffp_sd.sys [2008-04-14 11008]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 SoftwareDistributionDrv32;SoftwareDistributionDrv32; C:\WINDOWS\system32\drivers\SoftwareDistributionDrv32.sys []
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\drivers\WudfRd.sys []
S3 ZTEusbmdm6k;ZTE Proprietary USB Driver; C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys [2007-04-12 99584]
S3 ZTEusbnmea;ZTE NMEA Port; C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys [2007-04-12 99584]
S3 ZTEusbser6k;ZTE Diagnostic Port; C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys [2007-04-12 99584]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys [2008-04-14 5504]
S4 s24trans;WLAN Transport; C:\WINDOWS\system32\drivers\s24trans.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-12-04 143426]
R2 NWCWorkstation;Client Service for NetWare; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 quickmacros2;Quick Macros; C:\Program Files\Quick Macros 2\qmserv.exe [2007-08-31 9728]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service; C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
R2 SfCtlCom;Trend Micro Central Control Component; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [2009-03-13 711248]
R2 TAPPSRV;TOSHIBA Application Service; C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe [2005-12-21 35328]
R2 TMBMServer;Trend Micro Unauthorized Change Prevention Service; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [2009-03-03 341256]
R2 TmPfw;Trend Micro Personal Firewall; C:\Program Files\Trend Micro\Internet Security\TmPfw.exe [2009-03-13 497008]
R2 TmProxy;Trend Micro Proxy Service; C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [2009-03-13 677128]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-29 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2002-11-27 65536]

-----------------EOF-----------------
maggieD
Active Member
 
Posts: 11
Joined: March 9th, 2009, 10:54 pm

Re: browser interference..

Unread postby Bio-Hazard » April 3rd, 2009, 5:23 pm

Hello!

Could you post the log info.txt from the folder C:\rsit?


Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Image


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Image

  • Click on Yes, to continue scanning for malware.
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.


Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • RSIT info.txt log
  • New HijackThis log
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: browser interference..

Unread postby maggieD » April 4th, 2009, 12:24 am

I've done what you have instructed. Here is the report from ComboFix:

ComboFix 09-04-03.01 - computer 2009-04-04 15:09:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.250 [GMT 11:00]
Running from: c:\documents and settings\computer\Desktop\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\computer\Application Data\install.dat
c:\documents and settings\computer\err.log
c:\documents and settings\computer\ResErrors.log
c:\windows\system32\146955
c:\windows\system32\stera.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WASFSD


((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))
.

2009-04-02 19:53 . 2009-04-02 19:53 <DIR> d-------- C:\rsit
2009-04-02 16:12 . 2009-04-02 16:12 <DIR> d-------- c:\documents and settings\computer\Application Data\teamspeak2
2009-04-02 16:12 . 2009-04-02 16:12 34,064 --a------ c:\windows\system32\lhacm.acm
2009-04-02 16:11 . 2009-04-02 16:12 <DIR> d-------- c:\program files\Teamspeak2_RC2
2009-03-23 17:12 . 2009-03-23 17:12 <DIR> d-------- c:\windows\kdefense
2009-03-23 17:12 . 2009-03-23 18:13 475,872 --a------ c:\windows\system32\kdfinj.dll
2009-03-23 17:12 . 2009-03-24 18:11 387,288 --a------ c:\windows\system32\kdfmgr.exe
2009-03-23 17:12 . 2009-03-24 18:11 192,512 --a------ c:\windows\system32\kdfvmgr.exe
2009-03-23 17:12 . 2009-03-24 18:11 77,824 --a------ c:\windows\system32\kdfapi.dll
2009-03-23 17:12 . 2009-03-24 18:11 53,248 --a------ c:\windows\system32\Kdfhok.dll
2009-03-23 16:59 . 2009-03-03 19:34 50,192 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-03-23 16:59 . 2009-03-03 19:34 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-03-23 16:58 . 2009-03-23 21:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-03-23 16:47 . 2009-03-06 13:17 1,195,512 --a------ c:\windows\system32\drivers\vsapint.sys
2009-03-23 16:47 . 2009-03-23 16:47 661,808 --a------ c:\windows\system32\UfWSC.cpl
2009-03-23 16:47 . 2009-03-03 20:08 335,376 --a------ c:\windows\system32\drivers\TM_CFW.sys
2009-03-23 16:47 . 2009-03-06 13:17 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2009-03-23 16:47 . 2009-03-04 10:12 80,400 --a------ c:\windows\system32\drivers\tmtdi.sys
2009-03-23 16:47 . 2009-03-06 13:17 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2009-03-20 18:26 . 2009-03-20 18:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-03-19 23:01 . 2008-06-13 22:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-19 22:57 . 2008-08-14 21:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-19 22:57 . 2008-08-14 21:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-19 22:57 . 2008-08-14 20:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-19 22:57 . 2008-08-14 20:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-19 22:47 . 2008-05-09 01:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-03-19 22:46 . 2008-10-24 22:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-19 22:45 . 2008-12-11 21:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-03-19 22:45 . 2008-05-02 01:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-03-19 22:43 . 2008-04-12 06:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-19 22:41 . 2008-10-16 03:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-19 22:40 . 2008-09-05 04:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-03-19 18:44 . 2009-03-03 19:34 150,032 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-16 14:15 . 2009-03-16 14:15 <DIR> d-------- c:\documents and settings\computer\log
2009-03-16 14:14 . 2007-08-30 20:03 46,456 --a------ c:\windows\system32\exitwx.exe
2009-03-14 20:42 . 2009-03-14 20:42 <DIR> d-------- c:\windows\LocalSSL
2009-03-05 19:50 . 2009-03-07 10:31 <DIR> d-------- c:\documents and settings\computer\Application Data\skypePM
2009-03-05 19:50 . 2009-03-05 19:50 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-03-05 19:46 . 2009-03-05 19:46 <DIR> dr------- c:\program files\Skype
2009-03-05 19:46 . 2009-03-05 19:46 <DIR> d-------- c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 12:42 --------- d-----w c:\program files\Full Tilt Poker
2009-03-23 05:59 --------- d-----w c:\program files\Trend Micro
2009-03-23 05:53 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-23 05:53 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-12 11:17 --------- d-----w c:\program files\PartyGaming
2009-03-12 05:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-12 00:23 --------- d-----w c:\program files\EmpirePokerMaster
2009-03-10 03:27 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-10 00:41 --------- d-----w c:\program files\PartyGaming.Net
2009-03-09 05:25 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-07 04:13 --------- d-----w c:\documents and settings\computer\Application Data\Skype
2009-03-05 08:46 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-05 01:16 --------- d-----w c:\program files\PKR
2009-03-02 11:14 --------- d-----w c:\program files\PokerStars
2009-02-13 13:40 --------- d-----w c:\program files\Smart Protector
2009-01-27 03:42 73,216 ----a-w c:\windows\ST6UNST.EXE
2009-01-27 03:42 249,856 ------w c:\windows\Setup1.exe
2008-05-11 07:51 514 ----a-w c:\program files\Shortcut to Quick Macros 2.lnk
2007-12-26 00:48 0 -c-ha-w c:\documents and settings\Administrator\hpothb07.dat
2007-08-29 09:39 0 -c-ha-w c:\documents and settings\Administrator\Application Data\hpothb07.dat
2007-08-29 09:33 329 -c-ha-w c:\documents and settings\computer\hpothb07.dat
2006-11-10 06:27 0 -c--a-w c:\program files\Common Files\err.log
2006-10-23 03:55 0 -c-ha-w c:\documents and settings\NetworkService\hpothb07.dat
2006-10-23 03:55 0 -c-ha-w c:\documents and settings\LocalService\hpothb07.dat
2006-10-23 03:55 0 -c-ha-w c:\documents and settings\Default User\hpothb07.dat
2006-10-23 03:54 0 -c-ha-w c:\documents and settings\computer\Application Data\hpothb07.dat
2006-10-23 03:46 164 -c-ha-w c:\documents and settings\All Users\hpothb07.dat
2006-08-06 05:36 373 -c-ha-w c:\documents and settings\All Users\Application Data\hpothb07.dat
2004-04-27 21:57 61,440 -c--a-w c:\program files\msado20.tlb
1998-05-14 13:00 73,184 -c--a-w c:\program files\DAO2535.TLB
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-23 497008]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-04 7340032]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-03-13 995528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-21 22:42 40448 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux6"= c:\windows\system32\..\hvaoeea.aqc

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SoftwareDistribution32]
@="Service"
path=
backup=

[HKLM\~\startupfolder\C:^Documents and Settings^computer^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\computer\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^computer^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 11:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-12-04 20:33 7340032 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-02-29 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-02-29 51440]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2005-12-21 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2005-12-21 33024]
R2 quickmacros2;Quick Macros;c:\program files\Quick Macros 2\qmserv.exe [2008-10-07 9728]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-03-23 181584]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [2005-12-21 3456]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-03-23 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-03-23 335376]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-03-23 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-03-23 497008]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-03-23 677128]
S3 qmphook;QM process triggers;c:\program files\Quick Macros 2\qmphook.sys [2008-10-07 4096]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 SoftwareDistributionDrv32;SoftwareDistributionDrv32; [x]
S4 SoftwareDistribution32;Software Distribution; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-04-03 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-04-04 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-04-04 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-06-26 05:08]

2008-04-23 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-06-26 05:08]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B}
FF - ProfilePath - c:\documents and settings\computer\Application Data\Mozilla\Firefox\Profiles\2z2bhdzn.default\
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 15:12:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-705905809-2044161966-2069392770-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{49CA7AF4-83C8-C2FF-511B-8E40EA3F90F1}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iakbcgpeenddknadfn"=hex:6a,61,6c,65,66,62,67,66,6f,6b,63,70,70,70,6a,6b,6f,69,
6c,63,00,00
"haaceejpaemlcapg"=hex:69,61,65,65,6f,68,69,67,6f,67,70,70,70,63,63,70,6e,65,
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1416)
c:\windows\system32\vrlogon.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\Protector Suite QL\biokmd.dll

- - - - - - - > 'lsass.exe'(1472)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-04 15:15:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-04 04:15:35

Pre-Run: 63,564,226,560 bytes free
Post-Run: 63,500,996,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

246 --- E O F --- 2009-03-21 14:37:32
maggieD
Active Member
 
Posts: 11
Joined: March 9th, 2009, 10:54 pm
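The ComboFix log above carries the indicators a helper spots by eye: a BootExecute entry beyond the stock autochk line, a drivers32 alias pointing through ..\ at a file with an odd extension, Security Center notifications switched off, and services whose image file shows as [] or [x] (not verifiable or missing). The script below is an added example, not part of this thread and not ComboFix or RSIT code: it parses a constructed excerpt in the same line shapes and lists those findings. The line formats, the key-suffix matching and the list of normal drivers32 extensions are assumptions of the example, not documented ComboFix behaviour.

```python
"""Triage helper for ComboFix/RSIT-style log excerpts (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample input, shaped like the "Reg Loading Points" and
# driver/service sections quoted in this thread; it is not the complete log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux6"= c:\windows\system32\..\hvaoeea.aqc

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-03-23 36368]
S3 SoftwareDistributionDrv32;SoftwareDistributionDrv32; [x]
S4 s24trans;WLAN Transport; C:\WINDOWS\system32\drivers\s24trans.sys []
"""

# Assumed line shape: "R2 name;display; path [date size]" -- status letter,
# start type, service name, display name, image path, bracketed file info.
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);\s*(.*?)\s*\[(.*?)\]$")
BOOTEXEC_DEFAULT = ("autocheck autochk *",)
# Extensions a drivers32 alias normally points at (assumption of the example).
DRIVERS32_OK_EXT = ("dll", "acm", "drv", "ax")


def parse_service_line(line: str) -> Optional[Dict[str, str]]:
    """Split one driver/service line into fields; None if it is not such a line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    status, start, name, display, path, info = m.groups()
    return {"status": status, "start": start, "name": name,
            "display": display, "path": path, "info": info}


def triage(log_text: str) -> List[str]:
    """Walk a log excerpt and return human-readable findings, in line order."""
    findings: List[str] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Registry section headers set the context for the value lines below.
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        svc = parse_service_line(line)
        if svc is not None:
            # "[]" means the tool could not read the file, "[x]" that the
            # registered image is gone: either way the entry needs a look.
            if svc["info"] in ("", "x"):
                shown = svc["path"] or "<none>"
                findings.append(f"service/driver {svc['name']}: image not verifiable (path={shown!r})")
            continue
        if current_key.endswith("session manager") and line.startswith("BootExecute"):
            # REG_MULTI_SZ entries are printed joined by a literal "\0"; anything
            # beyond the stock autochk entry runs before logon, so report it.
            entries = line.split("REG_MULTI_SZ", 1)[1].strip().split("\\0")
            for extra in entries:
                if extra and extra not in BOOTEXEC_DEFAULT:
                    findings.append(f"BootExecute: unexpected boot-time entry {extra!r}")
        elif current_key.endswith("drivers32"):
            # Codec/driver aliases should name a .dll/.acm/.drv under system32;
            # a "..\" hop or an unusual extension is worth flagging.
            m = re.match(r'"(\w+)"\s*=\s*(.+)$', line)
            if m:
                alias, path = m.group(1), m.group(2).strip()
                ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
                if "..\\" in path or ext not in DRIVERS32_OK_EXT:
                    findings.append(f"drivers32 {alias}: suspicious target {path!r}")
        elif current_key.endswith("security center"):
            # *DisableNotify=1 silences the balloon that would tell the user
            # their AV/firewall/updates are off.
            m = re.match(r'"(\w+DisableNotify)"=dword:0*1$', line)
            if m:
                findings.append(f"Security Center: {m.group(1)} set (alerts suppressed)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the constructed excerpt it reports six findings (the aux6 alias, the "stera" BootExecute entry, the two DisableNotify values and the two unverifiable services); on a real log the same routine is a first pass that points the helper at the lines to examine, not a verdict.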

Re: browser interference..

Unread postby Bio-Hazard » April 4th, 2009, 7:35 am

BACKDOOR TROJAN

I'm afraid I have some bad news for you. Your computer is infected with a BACKDOOR TROJAN. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so. As long as you remember this: I can offer no assurances that the system will be secure afterwards.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Should you have any questions please feel free to ask.

Please let me know what you have decided to do in your next post.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: browser interference..

Unread postby maggieD » April 6th, 2009, 6:57 am

Yes, I'd be grateful to allow you to try.. how you do it from a distance I don't know.. I only use the computer for games.. don't use it for internet banking or anything.. tell me what I need to do and how we communicate while you're attempting to clean the computer... and I've read the links you provided.. I'll buy a flash drive tomorrow.. in case we can't use my backup tool, which I think I have if I'm on Windows XP Professional... and I have the Toshiba Satellite recovery disk that came with the computer.. just let me know what time suits you.. and how long it takes... so we can arrange a meeting.. or add me on Messenger...
maggieD
Active Member
 
Posts: 11
Joined: March 9th, 2009, 10:54 pm

Re: browser interference..

Unread postby Bio-Hazard » April 6th, 2009, 1:12 pm

Hello!

We can communicate like we have already done, through this forum. Unfortunately that's the only way we can do this. All I need from you is a decision on what you want to do with this computer. If you want it to be cleaned, we can continue with the tools we already have on your computer. If you want to reinstall Windows then I can give you links to guides on how to do that.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: browser interference..

Unread postby maggieD » April 7th, 2009, 8:15 am

Yes, I would be grateful if you could try and clean my computer with the tools I already have, thank you.. just let me know when we can start..
maggieD
Active Member
 
Posts: 11
Joined: March 9th, 2009, 10:54 pm

Re: browser interference..

Unread postby Bio-Hazard » April 7th, 2009, 11:40 am

Hello!

OK, as long as you understand this: I can offer no assurances that the system will be secure afterwards.

Could you post the log info.txt from the folder C:\rsit?



Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

Code:
File::
c:\windows\system32\exitwx.exe
c:\windows\system32\ezsidmv.dat
c:\program files\Common Files\err.log
C:\WINDOWS\system32\drivers\SoftwareDistributionDrv32.sys

Folder::
c:\program files\Smart Protector

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux6"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SoftwareDistribution32]

Driver::
SoftwareDistributionDrv32


Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)


Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Panda Online Scan

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site, click the Scan your PC now button
  • A new window will open...click the Scan Now button
  • Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
  • Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
  • When the scan has finished, click on Export To
  • Save the file as Activescan.txt to your Desktop
  • Close the Activescan window then go to your Desktop
  • Double-click on Activescan.txt and it will open in Notepad
  • In Notepad, click Edit > Select all, then Edit > Copy
  • Reply to this thread and press Ctrl+V to paste the log in your reply



Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • Panda Online scan
  • RSIT info.txt log
  • New HijackThis log
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: browser interference..

Unread postby maggieD » April 8th, 2009, 5:23 pm

Hello.. sorry, I can't get past the first stage of what I need to do...
run cf.script from this folder C:/rsit

I don't know where that folder is.. or how to find it... or what program cf.script is..
maggieD
Active Member
 
Posts: 11
Joined: March 9th, 2009, 10:54 pm

Re: browser interference..

Unread postby Bio-Hazard » April 9th, 2009, 10:11 am

Hello!

Let's forget that C:/rsit folder for now. Let's concentrate on doing this ComboFix script. You need to make this script according to my instructions below. So first you need to open Notepad. When Notepad is open you have to copy the whole content of the code box into Notepad and then you need to save it as CFScript.txt. This script and ComboFix need to be on your desktop. Then you drag and drop that CFScript.txt onto ComboFix.exe like the picture shows. ComboFix will now run.


Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

Code: Select all
File::
c:\windows\system32\exitwx.exe
c:\windows\system32\ezsidmv.dat
c:\program files\Common Files\err.log
C:\WINDOWS\system32\drivers\SoftwareDistributionDrv32.sys

Folder::
c:\program files\Smart Protector

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux6"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SoftwareDistribution32]


Driver::
SoftwareDistributionDrv32



Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)


[Image: dragging CFScript.txt onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Panda Online Scan

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site, click the Scan your PC now button
  • A new window will open...click the Scan Now button
  • Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
  • Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
  • When the scan has finished, click on Export To
  • Save the file as Activescan.txt to your Desktop
  • Close the Activescan window then go to your Desktop
  • Double-click on Activescan.txt and it will open in Notepad
  • In Notepad, click Edit > Select all, then Edit > Copy
  • Reply to this thread and click Ctrl+V to paste the log in your reply



Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • Panda Online scan
  • New HijackThis log
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: browser interference..

Unread postby maggieD » April 11th, 2009, 6:42 am

Hello..I have done everything you have asked..I did enable my microtrend antivirus while downloading ..hope that was ok to do..

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-04-11 20:35:22
PROTECTIONS: 1
MALWARE: 7
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Trend Micro Internet Security Pro 17.1.1171 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00047292 JS/Psyme.gen Virus/Trojan No 0 Yes No C:\WINDOWS\Fonts\FontsInst.vbs
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\computer\Cookies\computer@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\computer\Cookies\computer@atdmt[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\computer\Cookies\computer@ad.yieldmanager[1].txt
00620852 Adware/Antivirus360 Adware No 0 Yes No C:\System Volume Information\_restore{E3526DD8-14EF-42F9-9AC3-CCE322112491}\RP243\A0019726.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{E3526DD8-14EF-42F9-9AC3-CCE322112491}\RP275\A0027814.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\Fonts\mmc.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
maggieD
Active Member
 
Posts: 11
Joined: March 9th, 2009, 10:54 pm

Re: browser interference..

Unread postby Bio-Hazard » April 11th, 2009, 12:01 pm

Hello!

Did you manage to run the Combofix Script? You can find the log here: C:\ComboFix.txt. I need to see that before we can continue further.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: browser interference..

Unread postby maggieD » April 13th, 2009, 5:26 am

Hello, thank you for your patience. I hope I have done it right..
Here is the combo report; it says the ComboFix log can be located at c:\COMBOFIX.TXT..

ComboFix 09-04-13.A2 - computer 2009-04-13 19:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.302 [GMT 10:00]
Running from: c:\documents and settings\computer\Desktop\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-11 05:36 . 2008-06-19 06:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-08 18:22 . 2009-04-08 18:22 -------- d-----w c:\windows\system32\KB905474
2009-04-08 18:22 . 2009-03-10 12:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-08 18:22 . 2009-03-10 12:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-08 18:22 . 2009-02-09 08:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-04 07:08 . 2009-04-04 07:08 16172 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-04 07:06 . 2009-04-04 07:06 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-02 08:53 . 2009-04-02 08:53 -------- d-----w C:\rsit
2009-04-02 05:12 . 2009-04-02 05:12 -------- d-----w c:\documents and settings\computer\Application Data\teamspeak2
2009-04-02 05:12 . 2009-04-02 05:12 34064 ----a-w c:\windows\system32\lhacm.acm
2009-03-23 06:12 . 2009-03-24 07:11 77824 ----a-w c:\windows\system32\kdfapi.dll
2009-03-23 06:12 . 2009-03-24 07:11 53248 ----a-w c:\windows\system32\Kdfhok.dll
2009-03-23 06:12 . 2009-03-24 07:11 192512 ----a-w c:\windows\system32\kdfvmgr.exe
2009-03-23 06:12 . 2009-03-24 07:11 387288 ----a-w c:\windows\system32\kdfmgr.exe
2009-03-23 06:12 . 2009-03-23 07:13 475872 ----a-w c:\windows\system32\kdfinj.dll
2009-03-23 06:12 . 2009-03-23 06:12 -------- d-----w c:\windows\kdefense
2009-03-23 05:59 . 2009-03-03 08:34 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-03-23 05:59 . 2009-03-03 08:34 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-03-23 05:58 . 2009-03-23 10:05 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-03-23 05:47 . 2009-03-23 05:47 661808 ----a-w c:\windows\system32\UfWSC.cpl
2009-03-23 05:47 . 2009-03-06 02:17 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-03-23 05:47 . 2009-03-06 02:17 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-03-23 05:47 . 2009-03-06 02:17 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-03-23 05:47 . 2009-03-03 23:12 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-03-23 05:47 . 2009-03-03 09:08 335376 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-03-20 07:26 . 2009-03-20 07:26 -------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-03-19 12:01 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-03-19 11:57 . 2008-08-14 10:11 2189184 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-19 11:57 . 2008-08-14 10:09 2145280 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-19 11:57 . 2008-08-14 09:33 2023936 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-19 11:57 . 2008-08-14 09:33 2066048 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-19 11:47 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys
2009-03-19 11:46 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-03-19 11:45 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys
2009-03-19 11:45 . 2008-05-01 14:33 331776 -c----w c:\windows\system32\dllcache\msadce.dll
2009-03-19 11:43 . 2008-04-11 19:04 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-03-19 11:41 . 2008-10-15 16:34 337408 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-03-19 11:40 . 2008-09-04 17:15 1106944 -c----w c:\windows\system32\dllcache\msxml3.dll
2009-03-19 07:44 . 2009-03-03 08:34 150032 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-03-16 03:15 . 2009-03-16 03:15 -------- d-----w c:\documents and settings\computer\log
2009-03-16 03:14 . 2007-08-30 09:03 46456 ----a-w c:\windows\system32\exitwx.exe
2009-03-14 09:42 . 2009-03-14 09:42 -------- d-----w c:\windows\LocalSSL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 05:36 . 2009-04-11 05:36 -------- d-----w c:\program files\Panda Security
2009-04-06 13:08 . 2009-04-06 13:07 -------- d-----w c:\program files\Teamspeak2_RC2
2009-04-06 08:48 . 2009-04-06 08:48 4002 ----a-w C:\taskList.txt
2009-04-04 07:08 . 2006-07-18 13:15 -------- d-----w c:\documents and settings\computer\Application Data\Apple Computer
2009-04-04 07:06 . 2007-03-04 04:03 -------- d-----w c:\program files\Apple Software Update
2009-03-29 12:42 . 2006-12-09 10:27 -------- d-----w c:\program files\Full Tilt Poker
2009-03-23 05:59 . 2007-12-22 03:23 -------- d-----w c:\program files\Trend Micro
2009-03-23 05:53 . 2008-06-06 03:05 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-23 05:53 . 2008-02-10 06:23 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-12 23:19 . 2006-07-29 04:43 522 ----a-w C:\hpfr3420.xml
2009-03-12 22:48 . 2006-07-29 04:43 81255 ----a-w C:\hpfr3425.log
2009-03-12 11:17 . 2006-07-15 09:28 -------- d-----w c:\program files\PartyGaming
2009-03-12 05:48 . 2007-06-20 14:53 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-12 00:23 . 2006-10-10 23:32 -------- d-----w c:\program files\EmpirePokerMaster
2009-03-10 03:27 . 2006-07-10 21:53 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-10 00:41 . 2007-09-16 04:43 -------- d-----w c:\program files\PartyGaming.Net
2009-03-09 05:25 . 2006-07-14 19:54 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-07 04:13 . 2006-07-20 02:15 -------- d-----w c:\documents and settings\computer\Application Data\Skype
2009-03-06 23:31 . 2009-03-05 08:50 -------- d-----w c:\documents and settings\computer\Application Data\skypePM
2009-03-05 08:46 . 2009-03-05 08:46 -------- d-----r c:\program files\Skype
2009-03-05 08:46 . 2009-03-05 08:46 -------- d-----w c:\program files\Common Files\Skype
2009-03-05 08:46 . 2006-07-20 02:15 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-05 01:16 . 2007-08-04 23:32 -------- d-----w c:\program files\PKR
2009-03-02 11:14 . 2006-09-13 08:15 -------- d-----w c:\program files\PokerStars
2009-02-19 00:58 . 2006-07-18 06:33 268 ---ha-w C:\sqmdata06.sqm
2009-02-19 00:58 . 2006-07-18 03:07 244 ---ha-w C:\sqmnoopt05.sqm
2009-02-18 13:53 . 2006-07-18 03:07 232 ---ha-w C:\sqmdata05.sqm
2009-02-18 13:53 . 2006-07-18 02:56 244 ---ha-w C:\sqmnoopt04.sqm
2009-02-13 13:40 . 2009-01-27 14:11 -------- d-----w c:\program files\Smart Protector
2009-02-09 11:13 . 2005-12-21 21:15 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-27 06:42 . 2006-07-10 21:55 18960 -c--a-w c:\documents and settings\computer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-27 06:41 . 2009-01-27 06:41 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009012720090128\index.dat
2009-01-27 06:24 . 2005-12-21 22:31 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-01-27 06:06 . 2005-12-21 21:15 250048 --sha-r C:\ntldr
2009-01-27 03:42 . 2009-01-27 03:41 249856 ------w c:\windows\Setup1.exe
2009-01-27 03:42 . 2009-01-27 03:41 73216 ----a-w c:\windows\ST6UNST.EXE
2008-05-11 07:51 . 2008-05-11 07:51 514 ----a-w c:\program files\Shortcut to Quick Macros 2.lnk
2007-12-26 00:48 . 2006-08-02 22:45 0 -c-ha-w c:\documents and settings\Administrator\hpothb07.dat
2007-08-29 09:46 . 2006-08-04 14:04 0 -c-ha-w c:\documents and settings\Administrator\Local Settings\Application Data\hpothb07.dat
2007-08-29 09:39 . 2006-08-04 14:03 0 -c-ha-w c:\documents and settings\Administrator\Application Data\hpothb07.dat
2007-08-29 09:33 . 2006-08-02 22:45 329 -c-ha-w c:\documents and settings\computer\hpothb07.dat
2006-11-10 06:27 . 2006-11-10 06:27 0 -c--a-w c:\program files\Common Files\err.log
2006-10-23 03:55 . 2006-08-02 22:53 0 -c-ha-w c:\documents and settings\NetworkService\hpothb07.dat
2006-10-23 03:55 . 2006-08-02 22:53 0 -c-ha-w c:\documents and settings\LocalService\hpothb07.dat
2006-10-23 03:55 . 2006-08-02 22:53 0 -c-ha-w c:\documents and settings\Default User\hpothb07.dat
2006-10-23 03:54 . 2006-08-03 00:11 0 -c-ha-w c:\documents and settings\computer\Application Data\hpothb07.dat
2006-10-23 03:46 . 2006-08-02 22:45 164 -c-ha-w c:\documents and settings\All Users\hpothb07.dat
2006-08-06 05:36 . 2006-08-06 05:36 373 -c-ha-w c:\documents and settings\All Users\Application Data\hpothb07.dat
2004-04-27 21:57 . 2008-03-18 20:03 61440 -c--a-w c:\program files\msado20.tlb
1998-05-14 13:00 . 2008-03-18 20:03 73184 -c--a-w c:\program files\DAO2535.TLB
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-23 497008]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-04 7340032]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-21 21:42 40448 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SoftwareDistribution32]
@="Service"
path=
backup=

[HKLM\~\startupfolder\C:^Documents and Settings^computer^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\computer\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^computer^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 10:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-12-04 19:33 7340032 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-03-03 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
R3 qmphook;QM process triggers;c:\program files\Quick Macros 2\qmphook.sys [2007-05-25 4096]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
R3 SoftwareDistributionDrv32;SoftwareDistributionDrv32; [x]
R4 SoftwareDistribution32;Software Distribution; [x]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-29 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-02-29 51440]
S2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2005-12-21 13568]
S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2005-12-21 33024]
S2 quickmacros2;Quick Macros;c:\program files\Quick Macros 2\qmserv.exe [2007-08-31 9728]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [2005-12-21 3456]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-03-06 36368]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]

.
Contents of the 'Scheduled Tasks' folder

2009-04-12 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

2009-04-13 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

2009-04-13 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-06-26 04:08]

2009-04-08 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-06-26 04:08]

2009-04-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-10 22:18]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B}
FF - ProfilePath - c:\documents and settings\computer\Application Data\Mozilla\Firefox\Profiles\2z2bhdzn.default\
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 19:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-705905809-2044161966-2069392770-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{49CA7AF4-83C8-C2FF-511B-8E40EA3F90F1}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iakbcgpeenddknadfn"=hex:6a,61,6c,65,66,62,67,66,6f,6b,63,70,70,70,6a,6b,6f,69,
6c,63,00,00
"haaceejpaemlcapg"=hex:69,61,65,65,6f,68,69,67,6f,67,70,70,70,63,63,70,6e,65,
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1416)
c:\windows\system32\vrlogon.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\Protector Suite QL\biokmd.dll

- - - - - - - > 'lsass.exe'(1476)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll

- - - - - - - > 'explorer.exe'(2944)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-13 19:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-13 09:17
ComboFix2.txt 2009-04-04 04:15

Pre-Run: 63,162,060,800 bytes free
Post-Run: 63,151,226,880 bytes free

252 --- E O F --- 2009-04-08 18:22
maggieD
Active Member
 
Posts: 11
Joined: March 9th, 2009, 10:54 pm
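Two things in this thread are worth automating from a defender's side: checking a CFScript before it is run (the helper's post above lays out the File::, Folder::, Registry:: and Driver:: sections and the drag-onto-ComboFix procedure), and triaging the ComboFix log that comes back (the "Reg Loading Points" and service lines in the log just posted). The script below is an added example, not code from MalwareRemoval.com, from the helper, or from ComboFix itself; the section names are the ones used in the posted script, but the parsing, the service-line handling and the checks are my own, and every sample string is constructed from lines quoted in the thread. In the constructed sample the Driver:: name is one character short of the service name registered in the log, the kind of slip the cross-check is meant to catch; the log review also flags service entries whose image file is gone (ComboFix marks these `[x]`), Security Center notifications that have been switched off, and the XP firewall being disabled.

```python
"""Cross-check a ComboFix CFScript against a ComboFix log excerpt.

Added example; not code from the thread, the helper, or ComboFix. Section
names follow the posted script; parsing and checks are my own, and all
sample input is constructed from lines quoted in the thread.
"""
import re

# Constructed CFScript: the Driver:: name is one character short of the
# service name registered in the log, the kind of slip the check should catch.
SAMPLE_CFSCRIPT = r"""File::
c:\windows\system32\exitwx.exe
c:\windows\system32\ezsidmv.dat

Folder::
c:\program files\Smart Protector

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux6"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SoftwareDistribution32]

Driver::
SoftwareDistributionDrv3
"""

# Constructed ComboFix log excerpt (registry loading points plus service lines).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-03-03 50192]
R3 SoftwareDistributionDrv32;SoftwareDistributionDrv32; [x]
R4 SoftwareDistribution32;Software Distribution; [x]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")
# "R3 name;display name;image path [date size]"  or  "...; [x]" when the image is gone
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]\s*$")
PROTECTION_RE = re.compile(r'^"(\w*DisableNotify|DisableMonitoring|EnableFirewall)"\s*=\s*(\S+)')


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; blank lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_services(log):
    """Pull the R*/S* service and driver lines out of a ComboFix log."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, path, tail = m.groups()
            services.append({"start": start, "name": name, "display": display,
                             "path": path, "missing": tail.strip() == "x"})
    return services


def find_weakened_protections(log):
    """Report Security Center notifications switched off and the XP firewall disabled."""
    findings, key = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("["):
            key = line          # remember the registry key the values belong to
            continue
        m = PROTECTION_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if name == "EnableFirewall" and value == "0":
            findings.append(f"{key}: firewall disabled")
        elif name != "EnableFirewall" and value.endswith("1"):
            findings.append(f"{key}: {name} set")
    return findings


def review(script_text, log_text):
    """The checks a helper would want before running the script and after reading the log."""
    script = parse_cfscript(script_text)
    services = parse_services(log_text)
    known = {s["name"].lower() for s in services}
    findings = []
    for drv in script.get("Driver", []):
        if drv.lower() not in known:
            near = [s["name"] for s in services if s["name"].lower().startswith(drv.lower())]
            hint = f" (closest registered name: {near[0]})" if near else ""
            findings.append(f"Driver:: '{drv}' matches no service entry{hint}")
    for s in services:
        if s["missing"]:
            findings.append(f"{s['start']} {s['name']}: registered but image missing [x]")
    findings.extend(find_weakened_protections(log_text))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_CFSCRIPT, SAMPLE_LOG):
        print(finding)
```

Run it on a real script and log by reading the two files in place of the constructed strings. A Driver:: entry that matches no registered service is a sign the script will silently do nothing for that line, and an `[x]` service entry that survives a run is the thing to look at next, which is why both checks sit in the same function.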