Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


help pls

Post by infinite_one » May 28th, 2009, 5:41 pm

Logfile of HijackThis v1.99.1
Scan saved at 7:37:33 AM, on 29/05/2009
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\dvd43\DVD43_Tray.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\schtasks.exe
C:\WINDOWS\System32\rundll32.exe
C:\Windows\system32\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\hp\kbd\kbd.exe
C:\Users\dimi\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe" -s
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\Windows\System32\d3dx9_3032.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
infinite_one
Active Member
 
Posts: 12
Joined: May 28th, 2009, 5:24 pm

Re: help pls

Post by Shaba » May 31st, 2009, 7:33 am

Hi infinite_one

Your HijackThis is outdated.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

hi

Post by infinite_one » June 1st, 2009, 4:52 pm

Hi Shaba, thank you for your assistance.

I realized I posted my problem incorrectly after I had read the info properly; I do apologize.

My problem is this: a lot of my security programs are being shut down by some malware/virus(?); it blocks me from entering security websites, and sometimes it blocks my internet. I think that it is messing with my wireless router too.

Here is my log,
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:09 AM, on 2/06/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\dvd43\DVD43_Tray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\WINDOWS\System32\rundll32.exe
C:\Windows\system32\schtasks.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\jusched.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\hp\kbd\kbd.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe" -s
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O20 - AppInit_DLLs: C:\Windows\System32\d3dx9_3032.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 12608 bytes
infinite_one
Active Member
 
Posts: 12
Joined: May 28th, 2009, 5:24 pm
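The HijackThis log above is line-oriented: each entry is a section code (R0/R1 for browser start and search settings, O2/O3 for browser helper objects and toolbars, O4 for Run keys, O10 for Winsock LSPs, O20 for AppInit_DLLs, O23 for services), then " - ", then the registry or file data. As an added example, not code from this thread or from HijackThis, here is a small Python triage script that parses such lines and applies a few review heuristics; the severity labels and reasons are the editor's assumptions, not HijackThis verdicts, and the sample lines are a constructed subset copied from the log above. The `paths_to_check` helper returns the binaries a reviewer would want hashed and submitted to a multi-engine scanner, which for this sample is the AppInit_DLLs entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One HijackThis entry: a section code (R0, R1, O2, O4, O20, O23, ...), " - ", the rest.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# First absolute Windows path ending in .exe or .dll, with or without surrounding quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))"?', re.IGNORECASE)


@dataclass
class HjtEntry:
    code: str            # section code, e.g. "O20"
    body: str            # everything after "<code> - "
    path: Optional[str]  # absolute binary path, if one could be extracted


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse the R*/O* lines of a HijackThis log; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(HjtEntry(m.group("code"), body, pm.group(1) if pm else None))
    return entries


def triage(entries: List[HjtEntry]) -> List[Tuple[str, HjtEntry, str]]:
    """Review heuristics (the editor's assumptions, not HijackThis's); returns (severity, entry, reason)."""
    findings = []
    for e in entries:
        if e.code == "O20" and e.body.startswith("AppInit_DLLs:"):
            value = e.body[len("AppInit_DLLs:"):].strip()
            if value:  # an empty AppInit_DLLs value is the normal state
                findings.append(("high", e,
                    "AppInit_DLLs is non-empty: this DLL is loaded into every process that loads user32.dll"))
        elif e.code in ("O2", "O3") and "(no file)" in e.body:
            findings.append(("low", e, "orphaned browser extension entry: CLSID registered but file is gone"))
        elif e.code == "O10":
            findings.append(("info", e, "Winsock LSP not on HijackThis's known-good list: confirm the vendor"))
        elif e.code == "O23" and "Unknown owner" in e.body:
            findings.append(("info", e, "service with no vendor string: confirm the binary"))
    return findings


# Constructed sample: a subset of lines from the log above, chosen so each rule fires once.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\Windows\System32\smss.exe

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - AppInit_DLLs: C:\Windows\System32\d3dx9_3032.dll
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def paths_to_check(text: str) -> List[str]:
    """Binary paths from 'high' findings: the files worth hashing and submitting to a scanner."""
    return [e.path for sev, e, _ in triage(parse_hjt(text)) if sev == "high" and e.path]


if __name__ == "__main__":
    for sev, e, why in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sev:4}] {e.code} {e.body}\n       {why}")
```

The rules are deliberately conservative: "Unknown owner" services and unlisted LSPs are only informational because, as this very log shows, Windows components (seclogon, QWAVE) and common third-party software (Bonjour) trigger them, whereas a populated AppInit_DLLs value with a single unexplained DLL is the one line here that justifies pulling the file for scanning.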

Re: help pls

Post by Shaba » June 2nd, 2009, 12:01 am

Please click this link-->Jotti

Copy/paste the file on the list into the white "Upload a file" box and click Submit/Send (depending on which one you are using, Jotti or VirusTotal).

C:\Windows\System32\d3dx9_3032.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: help pls

Post by infinite_one » June 2nd, 2009, 3:28 am

Hope this is what you wanted; the Jotti site would not load.

File has already been analysed:
MD5: 67eb875f4573cbf6b14e0811b619ea8e
First received: 2009.05.15 13:47:11 UTC
Date: 2009.05.15 13:47:11 UTC [>17D]
Results: 13/40
Permalink: analisis/8abb96f89e7f187de407c8dc324975a7e5d33e2c67cfa9e283d7a472db607c0a-1242395231

INSIDE THIS LINK^^^^^^^ WAS VVVVVVV

File old_dimap32.dll received on 2009.05.15 13:47:11 (UTC)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.15 -
AhnLab-V3 5.0.0.2 2009.05.15 -
AntiVir 7.9.0.166 2009.05.15 TR/Hijacker.Gen
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.14 W32/Heuristic-KPP!Eldorado
Avast 4.8.1335.0 2009.05.15 -
AVG 8.5.0.336 2009.05.15 -
BitDefender 7.2 2009.05.15 -
CAT-QuickHeal 10.00 2009.05.15 I-Worm.Nugg.bb
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.15 DLOADER.Trojan
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6507 2009.05.15 Win32/Benload!generic
F-Prot 4.4.4.56 2009.05.14 W32/Heuristic-KPP!Eldorado
F-Secure 8.0.14470.0 2009.05.15 -
Fortinet 3.117.0.0 2009.05.15 -
GData 19 2009.05.15 -
Ikarus T3.1.1.49.0 2009.05.15 -
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.15 -
McAfee 5615 2009.05.14 -
McAfee+Artemis 5615 2009.05.14 -
McAfee-GW-Edition 6.7.6 2009.05.15 Trojan.Hijacker.Gen
Microsoft 1.4602 2009.05.15 TrojanDownloader:Win32/Tracur.B
NOD32 4079 2009.05.15 a variant of Win32/Agent.OAF
Norman 6.01.05 2009.05.14 -
nProtect 2009.1.8.0 2009.05.15 -
Panda 10.0.0.14 2009.05.15 Suspicious file
PCTools 4.4.2.0 2009.05.15 -
Prevx 3.0 2009.05.15 High Risk Cloaked Malware
Rising 21.29.44.00 2009.05.15 Trojan.DL.Win32.Undef.ekc
Sophos 4.41.0 2009.05.15 Troj/Agent-INP
Sunbelt 3.2.1858.2 2009.05.15 -
Symantec 1.4.4.12 2009.05.15 -
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.15 -
ViRobot 2009.5.15.1736 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.14 -
Additional information
File size: 143360 bytes
MD5   : 67eb875f4573cbf6b14e0811b619ea8e
SHA1  : 790a372951a3d70d1410cbe3b5ad84b1da2c177e
SHA256: 8abb96f89e7f187de407c8dc324975a7e5d33e2c67cfa9e283d7a472db607c0a
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x212D
timedatestamp.....: 0x4A0C13B0 (Thu May 14 14:50:56 2009)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x17620 0x18000 6.52 69114ea5ab87ea198705a45b93fbb902
.rdata 0x19000 0x66D9 0x7000 6.45 28f4d74ce27f0b4ae4b946075bf9cd40
.data 0x20000 0x18D8 0x1000 3.16 264a5036feadeeb2dfaad651112020c9
.reloc 0x22000 0x1C72 0x2000 6.13 0af55592a1e8bf8b9ab68f6941192a50

( 11 imports )

> advapi32.dll: RegCreateKeyExA, RegSetValueExA, RegDeleteKeyA, RegQueryInfoKeyA, RegEnumKeyExA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
> kernel32.dll: TerminateThread, GetVolumeInformationA, GetWindowsDirectoryA, GetFileTime, HeapAlloc, FindClose, RemoveDirectoryA, TransactNamedPipe, HeapCreate, HeapSetInformation, HeapDestroy, FindFirstFileA, HeapFree, WaitNamedPipeA, FindNextFileA, SetNamedPipeHandleState, FreeLibrary, OpenFileMappingA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, ExitProcess, GetFileAttributesExA, SetFileAttributesA, CreateDirectoryA, InterlockedExchange, CreateEventA, TlsSetValue, TlsGetValue, TlsAlloc, ProcessIdToSessionId, Process32Next, Process32First, WriteProcessMemory, VirtualAllocEx, VirtualFreeEx, OpenProcess, Thread32Next, GetModuleHandleA, Thread32First, CreateToolhelp32Snapshot, InterlockedIncrement, InterlockedDecrement, GetCurrentThreadId, GetProcAddress, CloseHandle, OpenThread, GetCurrentProcessId, OutputDebugStringA, DuplicateHandle, GetExitCodeThread, SetUnhandledExceptionFilter, GetTickCount, FlushFileBuffers, OpenEventA, ReleaseMutex, GetCurrentThread, LeaveCriticalSection, VirtualFree, SystemTimeToFileTime, GetVersionExA, GetLastError, lstrcmpiA, CreateFileA, GetCurrentProcess, GetFileInformationByHandle, GetFileSize, WriteFile, EnterCriticalSection, GetSystemTime, ReadFile, WaitForMultipleObjects, GetModuleFileNameW, CreateThread, lstrcpyA, GetModuleFileNameA, InitializeCriticalSection, WaitForSingleObject, lstrlenA, lstrcatA, ResetEvent, InterlockedCompareExchange, GetLocalTime, SetEvent, OpenMutexA, CreateRemoteThread, CreateMutexA, Sleep, ConnectNamedPipe, PeekNamedPipe, DisconnectNamedPipe, CreateNamedPipeA, GetSystemDefaultLangID, GetTempFileNameA, DeleteCriticalSection, GetTempPathA, lstrcmpA, SetFilePointer, SetEndOfFile, GetThreadContext, SetThreadContext, VirtualProtect, FlushInstructionCache, VirtualQuery, VirtualAlloc, SuspendThread, ResumeThread, SetLastError, lstrcmpW, MultiByteToWideChar, DeleteFileA, CreateProcessA, GetFileAttributesA, LoadLibraryA, GetSystemDirectoryA
> msvcrt.dll: strtok
> ntdll.dll: strlen, _strnicmp, strstr, tolower, _stricmp, _snprintf, atoi, _itoa, memset, _ultoa, memcmp, memcpy, _chkstk, _allmul, _alldiv
> ole32.dll: CoInitializeEx, CoUninitialize, CoCreateInstance
> oleaut32.dll: -, -
> shell32.dll: ShellExecuteA, SHGetFolderPathA
> shlwapi.dll: PathFileExistsA
> user32.dll: SetForegroundWindow, ShowWindow, PeekMessageA, WaitForInputIdle, MsgWaitForMultipleObjects, GetSystemMetrics, wsprintfA, DispatchMessageA
> wininet.dll: InternetOpenUrlA, InternetReadFile, InternetConnectA, InternetSetOptionA, InternetCloseHandle, HttpAddRequestHeadersA, HttpQueryInfoA, HttpOpenRequestA, HttpSendRequestA, InternetOpenA
> ws2_32.dll: WSASocketW, -, WSASend, -, WSAWaitForMultipleEvents, WSAIoctl, -, -, -, WSARecv, WSACreateEvent, WSAGetOverlappedResult, -, -, -, -, -, -

( 1 exports )

> DllGetClassObject, EventStartup
TrID  : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 3072:MeAyMq5CKPFoHDoaidmfVBg0bGtUx+JNTBf+XatqCBN:MyQKPWjsdmfV3bGtjJNTBmqtqCb
PEiD  : -
RDS   : NSRL Reference Data Set
-
infinite_one
Active Member
 
Posts: 12
Joined: May 28th, 2009, 5:24 pm
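A capability triage over the import table pasted above, as an added example (my code, not the thread's, VirusTotal's or any tool named on the page). It parses the `> dll: api, api, ...` lines and fires a capability only when every API in a rule's set is present. The sample input is the page's own import list trimmed to the DLLs the rules look at; the rule groupings and their names are my own assumptions, not an established taxonomy.

```python
"""Capability triage of a Win32 import table.
Added example: not code from the thread, VirusTotal or any tool named on the page."""
import re

# Constructed sample: the PEInfo import list posted above, trimmed to the
# DLLs the rules below care about ('-' entries are ordinal-only imports).
SAMPLE_IMPORTS = """
> advapi32.dll: RegCreateKeyExA, RegSetValueExA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
> kernel32.dll: Process32Next, Process32First, WriteProcessMemory, VirtualAllocEx, OpenProcess, CreateToolhelp32Snapshot, OpenThread, GetProcAddress, CreateRemoteThread, ConnectNamedPipe, CreateNamedPipeA, GetThreadContext, SetThreadContext, VirtualProtect, FlushInstructionCache, SuspendThread, ResumeThread, CreateProcessA, LoadLibraryA
> oleaut32.dll: -, -
> wininet.dll: InternetOpenUrlA, InternetReadFile, HttpOpenRequestA, HttpSendRequestA, InternetOpenA
> ws2_32.dll: WSASocketW, -, WSASend, -, WSARecv, -
"""

IMPORT_LINE = re.compile(r"^>\s*(?P<dll>[\w.]+):\s*(?P<names>.*)$")

# Rule table (my own grouping, assumed for this example): a capability fires
# only when every API in its set is imported by name.
CAPABILITY_RULES = {
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "remote-thread injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "thread-context hijacking": {"OpenThread", "SuspendThread", "GetThreadContext", "SetThreadContext", "ResumeThread"},
    "in-process code patching": {"VirtualProtect", "FlushInstructionCache"},
    "registry persistence": {"RegCreateKeyExA", "RegSetValueExA"},
    "HTTP download": {"InternetOpenA", "HttpOpenRequestA", "HttpSendRequestA", "InternetReadFile"},
    "raw Winsock I/O": {"WSASocketW", "WSASend", "WSARecv"},
    "named-pipe IPC": {"CreateNamedPipeA", "ConnectNamedPipe"},
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
}


def parse_imports(text):
    """Return {dll: [api, ...]}; '-' (ordinal-only) entries are dropped."""
    imports = {}
    for line in text.splitlines():
        m = IMPORT_LINE.match(line.strip())
        if not m:
            continue
        names = [n.strip() for n in m.group("names").split(",")]
        imports[m.group("dll").lower()] = [n for n in names if n and n != "-"]
    return imports


def imported_apis(imports):
    """Flatten the per-DLL lists into one set of API names."""
    return {api for apis in imports.values() for api in apis}


def triage(imports):
    """Capability names whose full API set is present, sorted."""
    present = imported_apis(imports)
    return sorted(name for name, needed in CAPABILITY_RULES.items() if needed <= present)


def missing_for(imports, capability):
    """APIs a rule still needs; empty when the rule fires."""
    return sorted(CAPABILITY_RULES[capability] - imported_apis(imports))


if __name__ == "__main__":
    imps = parse_imports(SAMPLE_IMPORTS)
    for cap in triage(imps):
        print("capability:", cap)
    print("ordinal-only DLLs:", [d for d, apis in imps.items() if not apis])
```

Every rule fires on the sample, which is what makes this file worth a closer look; but an import table is triage, not a verdict. Debuggers, AV engines and installers import the same injection and thread-context APIs, a packed sample resolves most of its APIs at runtime through LoadLibraryA/GetProcAddress and shows almost nothing here, and ordinal-only imports (the `-` entries under ws2_32.dll and oleaut32.dll) have to be mapped through the DLL's export table before they can be matched at all.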

Re: help pls

Post by Shaba » June 2nd, 2009, 3:57 am

Yes it is.

Please download GMER by GMER. An alternate download site.
  1. Unzip it to a folder on your desktop.
  2. Double click on gmer.exe to execute.
    If asked, allow the gmer.sys driver load.
  3. If you get a warning prompt about rootkit activity ... asking if you want to run Scan, click OK.
  4. If you don't get a warning then...
    • Click the Rootkit/Malware tab at the top of the GMER window.
    • Click the Scan button.
  5. Once the scan has finished... click Copy. ... Do not close the GMER window yet...
  6. Open Notepad and paste what you copied. Ctrl+V
  7. Select "Save As" in Notepad...saving the file to your desktop as "gmerroot.txt"... then close Notepad.
  8. Copy and paste the contents of gmerroot.txt in your next reply.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: help pls

Post by infinite_one » June 2nd, 2009, 5:06 am

I downloaded the app and ran the scan. It failed, and when I restarted the app I got the blue screen of death. I did this twice to make sure it was not some error the first time, but it still came out with the same result.
I cannot complete a full scan to give you a log file.

thanks
infinite_one

Re: help pls

Post by Shaba » June 2nd, 2009, 5:19 am

Please rename gmer.exe and let me know if it helped.
Shaba

Re: help pls

Post by infinite_one » June 2nd, 2009, 5:48 am

I tried what you said; it made no difference from the first time.
I did get some info for you, though.

This is what it said in the status bar as it failed:
Device/HarddiskShadowCopy1


This is what I captured before the gmer.exe app failed:


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-02 19:36:24
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT 8845E0A0 ZwCreateKey
SSDT 8845D2E0 ZwCreateProcess
SSDT 8845D5A0 ZwCreateProcessEx
SSDT 8845EF00 ZwCreateThread
SSDT 8845E620 ZwDeleteKey
SSDT 8845E8E0 ZwDeleteValueKey
SSDT 8845F240 ZwLoadDriver
SSDT 8845DB20 ZwOpenProcess
SSDT 8845E360 ZwSetValueKey
SSDT 8845DDE0 ZwTerminateProcess
SSDT 8845ED60 ZwWriteVirtualMemory
SSDT 8845F0A0 ZwCreateThreadEx
SSDT 8845D860 ZwCreateUserProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 41C 81EBE9E0 4 Bytes [A0, E0, 45, 88]
.text ntkrnlpa.exe!KeSetTimerEx + 43C 81EBEA00 8 Bytes [E0, D2, 45, 88, A0, D5, 45, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 454 81EBEA18 4 Bytes [00, EF, 45, 88]
.text ntkrnlpa.exe!KeSetTimerEx + 508 81EBEACC 4 Bytes [20, E6, 45, 88]
.text ntkrnlpa.exe!KeSetTimerEx + 514 81EBEAD8 4 Bytes CALL 4C1F7322
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[320] kernel32.dll!CreateProcessW 76331C01 5 Bytes JMP 1000E98F C:\Windows\System32\d3dx9_3032.dll
.text C:\Windows\Explorer.EXE[320] kernel32.dll!CreateProcessA 76331C36 5 Bytes JMP 1000E937 C:\Windows\System32\d3dx9_3032.dll
.text C:\Windows\Explorer.EXE[320] ADVAPI32.dll!CreateProcessAsUserW 7669A8F5 5 Bytes JMP 1000EA76 C:\Windows\System32\d3dx9_3032.dll
.text C:\Windows\Explorer.EXE[320] ADVAPI32.dll!CreateProcessAsUserA 766E48A6 5 Bytes JMP 1000EA01 C:\Windows\System32\d3dx9_3032.dll
.text C:\Windows\Explorer.EXE[320] ADVAPI32.dll!CreateProcessWithLogonW 766E86A9 5 Bytes JMP 1000EAEB C:\Windows\System32\d3dx9_3032.dll
.text C:\Windows\Explorer.EXE[320] ADVAPI32.dll!CreateProcessWithTokenW 766E86DF 5 Bytes JMP 1000EB60 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4528] kernel32.dll!CreateProcessW 76331C01 5 Bytes JMP 1000E98F C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4528] kernel32.dll!CreateProcessA 76331C36 5 Bytes JMP 1000E937 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4528] ADVAPI32.dll!CreateProcessAsUserW 7669A8F5 5 Bytes JMP 1000EA76 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4528] ADVAPI32.dll!CreateProcessAsUserA 766E48A6 5 Bytes JMP 1000EA01 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4528] ADVAPI32.dll!CreateProcessWithLogonW 766E86A9 5 Bytes JMP 1000EAEB C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4528] ADVAPI32.dll!CreateProcessWithTokenW 766E86DF 5 Bytes JMP 1000EB60 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4528] WS2_32.dll!closesocket 76B5330C 5 Bytes JMP 100126DF C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4528] WS2_32.dll!WSASocketW 76B534EB 7 Bytes JMP 10012606 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4528] WS2_32.dll!connect 76B540D9 5 Bytes JMP 10012669 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4528] WS2_32.dll!bind 76B5652F 5 Bytes JMP 10012590 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4528] WS2_32.dll!WSAConnect 76B5D7B0 5 Bytes JMP 1001269E C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] ADVAPI32.dll!CreateProcessAsUserW 7669A8F5 5 Bytes JMP 1000EA76 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] ADVAPI32.dll!CreateProcessAsUserA 766E48A6 5 Bytes JMP 1000EA01 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] ADVAPI32.dll!CreateProcessWithLogonW 766E86A9 5 Bytes JMP 1000EAEB C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] ADVAPI32.dll!CreateProcessWithTokenW 766E86DF 5 Bytes JMP 1000EB60 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] USER32.dll!DialogBoxIndirectParamW 76F0BD25 5 Bytes JMP 71F15B3B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] USER32.dll!DialogBoxParamW 76F21FD5 5 Bytes JMP 71F15AC5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] USER32.dll!DialogBoxParamA 76F480B2 5 Bytes JMP 71F15B00 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] USER32.dll!DialogBoxIndirectParamA 76F483DD 5 Bytes JMP 71F15B76 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] USER32.dll!MessageBoxIndirectA 76F5D471 5 Bytes JMP 71F15A81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] USER32.dll!MessageBoxIndirectW 76F5D56B 5 Bytes JMP 71F15A3D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] USER32.dll!MessageBoxExA 76F5D5D1 5 Bytes JMP 71F15A03 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] USER32.dll!MessageBoxExW 76F5D5F5 5 Bytes JMP 71F159C9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] WS2_32.dll!closesocket 76B5330C 5 Bytes JMP 100126DF C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] WS2_32.dll!WSASocketW 76B534EB 7 Bytes JMP 10012606 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] WS2_32.dll!connect 76B540D9 5 Bytes JMP 10012669 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] WS2_32.dll!bind 76B5652F 5 Bytes JMP 10012590 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] WS2_32.dll!WSAConnect 76B5D7B0 5 Bytes JMP 1001269E C:\Windows\System32\d3dx9_3032.dll
infinite_one
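The partial GMER log above has two parts worth reading separately: the SSDT block (kernel dispatch entries redirected to handlers in one small address range; the log does not say which driver owns them) and the "User code sections" block, where the first bytes of exported APIs in Explorer, Firefox and Internet Explorer have been overwritten with a 5-byte JMP into C:\Windows\System32\d3dx9_3032.dll (the same file ComboFix later lists under "Other Deletions"). The parser below, an added example that is my own code and not the thread's or GMER's, groups those lines by the module that owns the JMP target and by the API family hooked. Assumptions: the line layouts are taken from the log as pasted; the parenthesised string at the end of the IEFRAME.dll lines is treated as GMER's description/company tag for modules that carry version info, so its absence is used only as a heuristic, not as proof of anything; the family names and the flagging rule are mine.

```python
"""Triage of a GMER rootkit-scan log: SSDT entries and user-mode inline hooks.
Added example, not part of the thread or of GMER itself."""
import re

# Constructed sample: the SSDT block and a subset of the "User code sections"
# lines from the GMER log posted above.
SAMPLE_GMER = r"""
SSDT 8845E0A0 ZwCreateKey
SSDT 8845D2E0 ZwCreateProcess
SSDT 8845D5A0 ZwCreateProcessEx
SSDT 8845EF00 ZwCreateThread
SSDT 8845E620 ZwDeleteKey
SSDT 8845E8E0 ZwDeleteValueKey
SSDT 8845F240 ZwLoadDriver
SSDT 8845DB20 ZwOpenProcess
SSDT 8845E360 ZwSetValueKey
SSDT 8845DDE0 ZwTerminateProcess
SSDT 8845ED60 ZwWriteVirtualMemory
SSDT 8845F0A0 ZwCreateThreadEx
SSDT 8845D860 ZwCreateUserProcess

.text C:\Windows\Explorer.EXE[320] kernel32.dll!CreateProcessW 76331C01 5 Bytes JMP 1000E98F C:\Windows\System32\d3dx9_3032.dll
.text C:\Windows\Explorer.EXE[320] ADVAPI32.dll!CreateProcessAsUserW 7669A8F5 5 Bytes JMP 1000EA76 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4528] kernel32.dll!CreateProcessW 76331C01 5 Bytes JMP 1000E98F C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4528] WS2_32.dll!WSASocketW 76B534EB 7 Bytes JMP 10012606 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4528] WS2_32.dll!connect 76B540D9 5 Bytes JMP 10012669 C:\Windows\System32\d3dx9_3032.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] USER32.dll!DialogBoxParamW 76F21FD5 5 Bytes JMP 71F15AC5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5412] WS2_32.dll!connect 76B540D9 5 Bytes JMP 10012669 C:\Windows\System32\d3dx9_3032.dll
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<func>Zw\w+)$")
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<dll>[\w.]+)!(?P<func>\w+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?\s*$"  # vendor tag assumed to be GMER's version-info string
)
# API families (my own names) keyed on the hooked export's name.
API_FAMILIES = (
    ("process-creation", re.compile(r"^CreateProcess")),
    ("winsock", re.compile(r"^(connect|bind|closesocket|WSASocketW|WSAConnect)$")),
    ("ui-dialog", re.compile(r"^(DialogBox|MessageBox)")),
)


def parse_ssdt(text):
    """Return {syscall: handler_address} for every SSDT line."""
    out = {}
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            out[m.group("func")] = int(m.group("addr"), 16)
    return out


def ssdt_handler_span(ssdt):
    """Bytes between the lowest and highest handler: a small span means one
    allocation (one driver) hosts every redirected entry."""
    addrs = sorted(ssdt.values())
    return addrs[-1] - addrs[0] if addrs else 0


def parse_hooks(text):
    """One dict per user-mode inline-hook line; vendor is None when absent."""
    return [m.groupdict() for m in (HOOK_RE.match(l.strip()) for l in text.splitlines()) if m]


def family_of(func):
    for name, rx in API_FAMILIES:
        if rx.search(func):
            return name
    return "other"


def summarize(hooks):
    """Group hooks by the module that owns the JMP target (case-folded path)."""
    summary = {}
    for h in hooks:
        e = summary.setdefault(h["module"].lower(),
                               {"vendor": h["vendor"], "processes": set(), "apis": set(), "families": set()})
        e["processes"].add(f'{h["image"]}[{h["pid"]}]')
        e["apis"].add(f'{h["dll"]}!{h["func"]}')
        e["families"].add(family_of(h["func"]))
    return summary


def suspicious_modules(summary):
    """Heuristic: a module with no version/vendor string that patches process-creation
    or socket APIs is the one to pull for analysis."""
    return sorted(m for m, e in summary.items()
                  if e["vendor"] is None and e["families"] & {"process-creation", "winsock"})


if __name__ == "__main__":
    ssdt = parse_ssdt(SAMPLE_GMER)
    print(f"{len(ssdt)} SSDT entries redirected, handler span 0x{ssdt_handler_span(ssdt):X} bytes")
    for mod, e in summarize(parse_hooks(SAMPLE_GMER)).items():
        print(mod, e["vendor"], sorted(e["families"]), len(e["processes"]), "process(es)")
    print("pull for analysis:", suspicious_modules(summarize(parse_hooks(SAMPLE_GMER))))
```

On the sample, every SSDT handler falls inside a 0x1F60-byte window, so one driver owns all thirteen redirections; the log does not say which one. The grouping also shows why the same hooks turn up in three unrelated processes: a module that patches CreateProcess* inside Explorer, the parent of nearly everything a user launches, gets a chance to follow each new child, and the Winsock connect/WSASocketW hooks in both browsers are where traffic would be watched or redirected. That is an interpretation of the data, not something the log states.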

Re: help pls

Post by infinite_one » June 2nd, 2009, 5:51 am

I also have this page trying to open itself all the time.

Opening this website may put your security at risk

--------------------------------------------------------------------------------

Trend Micro Internet Security Pro has identified this page as Dangerous. Opening this website may put your security at risk.
Address: http://sameshitasiteverwas.com/traf/tds/in.cgi?5
Page rating: Dangerous

What you can do:
> Try visiting another site to find the information you want.
> Notify Trend Micro to review this page if you consider it safe.
Note: If you still want to visit this site despite the risk, click here to open it.
infinite_one

Re: help pls

Post by Shaba » June 2nd, 2009, 6:31 am

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review along with a fresh HijackThis log.
Shaba

Re: help pls

Post by infinite_one » June 2nd, 2009, 8:33 am

ComboFix 09-05-31.06 - dimi 02/06/2009 22:18.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.3326.2271 [GMT 10:00]
Running from: c:\users\dimi\Desktop\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\dimi\AppData\Local\Temp\ppcrlui_5520_2
c:\users\dimi\AppData\Roaming\020000004125faca565C.manifest
c:\users\dimi\AppData\Roaming\020000004125faca565O.manifest
c:\users\dimi\AppData\Roaming\020000004125faca565P.manifest
c:\users\dimi\AppData\Roaming\020000004125faca565S.manifest
c:\users\dimi\AppData\Roaming\020000004125faca598C.manifest
c:\users\dimi\AppData\Roaming\020000004125faca598O.manifest
c:\users\dimi\AppData\Roaming\020000004125faca598P.manifest
c:\users\dimi\AppData\Roaming\020000004125faca598S.manifest
c:\windows\GnuHashes.ini
c:\windows\system32\d3dx9_3032.dll
c:\windows\system32\DMUSIC32.DLL
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\SystemService32
c:\windows\system32\SystemService32\157.crack.zip
c:\windows\system32\SystemService32\157.crack.zip.kwd
c:\windows\system32\SystemService32\158.keygen.zip
c:\windows\system32\SystemService32\158.keygen.zip.kwd
c:\windows\system32\SystemService32\159.serial.zip
c:\windows\system32\SystemService32\159.serial.zip.kwd
c:\windows\system32\SystemService32\160.setup.zip
c:\windows\system32\SystemService32\160.setup.zip.kwd
c:\windows\system32\SystemService32\161.music.au
c:\windows\system32\SystemService32\161.music.au.kwd
c:\windows\system32\SystemService32\162.music.mp3
c:\windows\system32\SystemService32\162.music.mp3.kwd
c:\windows\system32\SystemService32\163.music.wma
c:\windows\system32\SystemService32\163.music.wma.kwd
c:\windows\system32\SystemService32\164.music.snd
c:\windows\system32\SystemService32\164.music.snd.kwd
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.

2009-06-02 08:00 . 2009-06-02 08:00 -------- d-----w- c:\users\dimi\AppData\Roaming\WinPatrol
2009-06-02 08:00 . 2008-03-11 20:59 74 ----a-w- c:\users\dimi\AppData\Roaming\WinPatrol\Autoexec.bat
2009-06-02 08:00 . 2006-09-18 21:43 10 ----a-w- c:\users\dimi\AppData\Roaming\WinPatrol\Config.sys
2009-06-02 07:59 . 2009-06-02 07:59 -------- d-----w- c:\program files\BillP Studios
2009-05-30 05:37 . 2009-06-02 12:00 -------- d-----w- c:\users\dimi\AppData\Local\Microsoft Games
2009-05-28 23:34 . 2009-05-28 23:34 -------- d-----w- c:\users\dimi\Logitech
2009-05-28 23:33 . 2009-05-28 23:33 -------- d-----w- c:\program files\Common Files\Remote Control Software Common
2009-05-28 23:32 . 2009-05-28 23:32 -------- d-----w- c:\program files\Common Files\Remote Control USB Driver
2009-05-28 14:23 . 2009-05-28 21:25 -------- d-----w- C:\SysClean-WORM_DOWNAD
2009-05-28 13:23 . 2009-05-28 13:29 77824 ----a-w- c:\windows\system32\kdfapi.dll
2009-05-28 13:23 . 2009-05-28 13:29 53248 ----a-w- c:\windows\system32\Kdfhok.dll
2009-05-28 13:23 . 2009-05-28 13:29 192512 ----a-w- c:\windows\system32\kdfvmgr.exe
2009-05-28 13:23 . 2009-05-28 13:29 387288 ----a-w- c:\windows\system32\kdfmgr.exe
2009-05-27 10:30 . 2009-05-27 12:26 10752 ----a-w- c:\windows\DCEBoot.exe
2009-05-25 03:56 . 2009-05-25 03:56 529224 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-05-24 11:17 . 2009-05-24 11:17 2855 ----a-w- c:\users\dimi\AppData\Roaming\Microsoft\Windows\Recent\[SUMOTorrent.com]_The_Total_Transformation_Program.pif
2009-05-24 11:17 . 2009-05-24 11:17 -------- d--h--w- c:\windows\PIF
2009-05-23 11:30 . 2009-05-23 11:30 -------- d-----w- c:\users\dimi\AppData\Roaming\CopyTransPhoto
2009-05-23 11:26 . 2009-05-23 11:26 -------- d-----w- c:\users\dimi\AppData\Roaming\iCloner
2009-05-23 11:11 . 2009-05-23 11:11 -------- d-----w- c:\program files\WindSolutions
2009-05-23 11:11 . 2009-05-23 11:11 -------- d-----w- c:\programdata\WindSolutions
2009-05-23 10:55 . 2009-05-23 11:11 -------- d-----w- c:\users\dimi\AppData\Roaming\WindSolutions
2009-05-21 10:32 . 2009-05-21 10:32 -------- d-----w- c:\users\dimi\AppData\Roaming\Canon
2009-05-21 10:30 . 2009-05-21 10:30 -------- d-----w- c:\users\dimi\AppData\Roaming\muvee Technologies
2009-05-20 14:07 . 2009-03-06 02:17 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-05-20 14:07 . 2009-03-06 02:17 205328 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-05-20 14:07 . 2009-03-06 02:17 1195512 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-05-20 13:05 . 2009-05-20 13:05 -------- d-----w- c:\windows\LocalSSL
2009-05-20 13:03 . 2009-05-20 13:33 -------- d-----w- c:\programdata\Trend Micro
2009-05-20 13:02 . 2009-06-01 20:43 -------- d-----w- c:\program files\Trend Micro
2009-05-20 13:01 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-05-20 13:01 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-05-20 13:01 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-05-20 13:01 . 2009-03-03 23:12 80400 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-05-20 13:01 . 2009-03-03 23:12 256528 ----a-w- c:\windows\system32\drivers\tmwfp.sys
2009-05-20 13:01 . 2009-03-03 23:12 145424 ----a-w- c:\windows\system32\drivers\tmlwf.sys
2009-05-20 10:52 . 2009-05-20 12:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-19 13:03 . 2009-05-19 13:03 1372 ----a-w- c:\windows\system32\UMIqsc8.vbs
2009-05-19 13:02 . 2009-05-19 13:02 1372 ----a-w- c:\windows\system32\TU4Zq.vbs
2009-05-16 02:02 . 2009-05-16 02:30 -------- d-----w- c:\users\dimi\AppData\Roaming\FileZilla
2009-05-16 02:02 . 2009-05-16 02:02 -------- d-----w- c:\program files\FileZilla FTP Client
2009-05-15 14:38 . 2009-05-15 14:38 -------- d-----w- c:\users\dimi\AppData\Local\Cranium
2009-05-15 13:56 . 2009-05-15 13:56 -------- d-----w- c:\users\dimi\AppData\Local\Cranium_Consulting_and_Cu
2009-05-15 13:54 . 2009-05-15 13:54 25214 ----a-r- c:\users\dimi\AppData\Roaming\Microsoft\Installer\{E33EAB77-A36A-4FBF-BB15-2BBF74C7A796}\_EF17D54428325E9F699E95.exe
2009-05-15 13:54 . 2009-05-15 13:54 10398 ----a-r- c:\users\dimi\AppData\Roaming\Microsoft\Installer\{E33EAB77-A36A-4FBF-BB15-2BBF74C7A796}\_86ADF835B1C689592C69DA.exe
2009-05-15 13:54 . 2009-05-15 13:54 -------- d-----w- c:\program files\iPhoneBrowser
2009-05-15 04:08 . 2009-05-15 04:13 -------- d-----w- c:\programdata\GlobalSCAPE
2009-05-15 03:47 . 2009-05-15 03:47 -------- d-----w- c:\users\dimi\AppData\Local\GlobalSCAPE
2009-05-15 03:47 . 2009-05-15 03:47 -------- d-----w- c:\users\dimi\AppData\Roaming\GlobalSCAPE
2009-05-15 03:47 . 2009-05-15 03:47 -------- d-----w- c:\program files\GlobalSCAPE
2009-05-14 19:09 . 2009-05-14 19:09 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-05-14 19:09 . 2009-05-14 19:09 286720 ------w- c:\windows\Setup1.exe
2009-05-09 13:03 . 2009-05-09 13:03 -------- d-----w- c:\users\dimi\AppData\Roaming\ImTOO Software Studio
2009-05-09 07:15 . 2009-05-09 07:15 -------- d-----w- c:\users\dimi\AppData\Roaming\Computer Aces
2009-05-08 04:48 . 2009-05-08 05:34 -------- d-----w- c:\users\dimi\AppData\Roaming\Apple Computer
2009-05-08 04:48 . 2009-05-08 04:48 -------- d-----w- c:\users\dimi\AppData\Local\Apple Computer
2009-05-08 04:47 . 2009-05-23 11:04 -------- dc----w- c:\windows\system32\DRVSTORE
2009-05-08 04:47 . 2009-05-08 04:47 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-08 04:47 . 2009-05-08 04:47 -------- d-----w- c:\program files\Bonjour
2009-05-08 04:46 . 2009-05-08 04:47 -------- d-----w- c:\programdata\Apple Computer
2009-05-08 04:46 . 2009-05-08 04:47 -------- d-----w- c:\program files\QuickTime
2009-05-08 04:46 . 2009-05-08 04:46 -------- d-----w- c:\users\dimi\AppData\Local\Apple
2009-05-08 04:46 . 2009-05-08 04:46 -------- d-----w- c:\program files\Apple Software Update
2009-05-08 04:45 . 2009-05-23 11:04 -------- d-----w- c:\program files\Common Files\Apple
2009-05-08 04:45 . 2009-05-08 04:45 -------- d-----w- c:\programdata\Apple
2009-05-05 10:05 . 2009-05-05 10:05 -------- d-----w- c:\users\dimi\AppData\Local\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 12:22 . 2009-04-02 22:39 2855 ----a-w- c:\windows\bthservsdp.dat
2009-05-30 07:54 . 2009-05-30 07:54 5844 --sha-w- c:\windows\system32\BE10.tmp
2009-05-28 23:33 . 2009-04-02 22:38 -------- d-----w- c:\program files\Logitech
2009-05-28 23:33 . 2008-03-11 20:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-28 13:24 . 2009-04-21 08:41 -------- d-----w- c:\program files\TomTom HOME 2
2009-05-27 12:53 . 2009-04-03 01:25 -------- d-----w- c:\users\dimi\AppData\Roaming\Azureus
2009-05-25 07:57 . 2009-04-15 13:00 848 --sha-w- c:\programdata\KGyGaAvL.sys
2009-05-25 07:57 . 2009-04-15 13:00 848 --sha-w- c:\programdata\KGyGaAvL.sys
2009-05-24 11:10 . 2009-05-24 11:10 5844 --sha-w- c:\windows\system32\566E.tmp
2009-05-24 10:46 . 2009-05-24 10:46 0 ----a-w- c:\windows\system32\2E0C.tmp
2009-05-22 06:16 . 2009-05-22 06:16 5844 --sha-w- c:\windows\system32\A2D3.tmp
2009-05-20 15:25 . 2009-05-20 13:25 139 ----a-w- c:\windows\udpcrawl.tmp
2009-05-20 13:00 . 2009-04-02 22:59 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-05-19 11:19 . 2009-04-03 02:27 -------- d-----w- c:\programdata\Corel
2009-05-17 04:52 . 2008-03-11 21:02 -------- d-----w- c:\programdata\Microsoft Help
2009-05-15 14:14 . 2009-04-02 22:55 -------- d-----w- c:\program files\Acro Software
2009-05-13 12:52 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-04-24 09:52 . 2009-04-03 01:24 -------- d-----w- c:\program files\Vuze
2009-04-22 23:01 . 2009-04-02 22:38 -------- d-----w- c:\programdata\Logitech
2009-04-21 08:41 . 2009-04-21 08:41 -------- d-----w- c:\programdata\TomTom
2009-04-21 08:41 . 2009-04-21 08:41 -------- d-----w- c:\users\dimi\AppData\Roaming\TomTom
2009-04-21 08:41 . 2009-04-21 08:41 -------- d-----w- c:\program files\TomTom International B.V
2009-04-21 08:40 . 2009-04-21 08:40 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-04-21 00:18 . 2009-04-21 00:18 10684866 ----a-w- c:\users\dimi\AppData\Roaming\Azureus\plugins\azump\mplayer.exe
2009-04-17 10:36 . 2009-04-17 10:36 -------- d-----w- c:\programdata\WindowsSearch
2009-04-17 06:46 . 2009-04-02 23:01 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-17 05:26 . 2009-04-17 05:26 -------- d-----w- c:\programdata\Redfield
2009-04-17 01:40 . 2009-04-17 01:40 -------- d-----w- c:\program files\Universe Plugins
2009-04-17 01:12 . 2009-04-17 01:12 27136 ----a-w- c:\windows\~GLH0000.TMP
2009-04-17 01:12 . 2009-04-17 01:12 155136 ----a-w- c:\windows\~GLC0000.TMP
2009-04-15 12:54 . 2009-04-03 02:28 5846 ----a-w- c:\windows\system32\KGyGaAvL.sys
2009-04-15 12:53 . 2009-04-02 11:51 254216 ----a-w- c:\users\dimi\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-15 12:53 . 2009-04-03 02:28 -------- d-----w- c:\users\dimi\AppData\Roaming\Corel
2009-04-15 12:44 . 2009-04-04 03:44 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-04-15 12:44 . 2009-04-15 12:35 -------- d-----w- c:\program files\Corel
2009-04-15 12:44 . 2009-04-15 12:35 -------- d-----w- c:\program files\Common Files\Corel
2009-04-15 12:35 . 2009-04-15 12:35 -------- d-----w- c:\program files\Common Files\Protexis
2009-04-15 12:32 . 2009-04-15 12:32 -------- d-----w- c:\program files\ImageSkill
2009-04-15 10:05 . 2009-04-15 10:05 0 ------w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-04-11 08:34 . 2009-04-11 08:34 0 ------w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-04-08 11:32 . 2009-04-08 11:31 -------- d-----w- c:\program files\Windows Live
2009-04-08 11:31 . 2009-04-08 11:31 -------- d-----w- c:\program files\Microsoft
2009-04-08 11:31 . 2009-04-08 11:31 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-04-08 11:26 . 2009-04-08 11:26 -------- d-----w- c:\program files\Common Files\Windows Live
2009-04-06 12:43 . 2009-04-05 00:32 88 ------w- c:\windows\system32\86AE9AE73D.sys
2009-04-05 10:53 . 2009-04-05 10:53 -------- d-----w- c:\programdata\FLEXnet
2009-04-05 10:34 . 2008-03-11 20:53 -------- d-----w- c:\programdata\NVIDIA
2009-04-05 10:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-04-05 10:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-04-05 10:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-04-05 10:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-04-05 10:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-04-05 10:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-04-05 10:25 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-04-05 10:03 . 2006-11-02 10:32 101888 ------w- c:\windows\system32\ifxcardm.dll
2009-04-05 10:03 . 2006-11-02 10:32 82432 ------w- c:\windows\system32\axaltocm.dll
2009-04-05 01:20 . 2009-04-05 00:33 88 ------w- c:\windows\system32\959FF83584.sys
2009-04-04 13:34 . 2009-04-04 13:34 -------- d-----w- c:\program files\MSXML 4.0
2009-04-04 07:17 . 2009-04-03 02:28 88 ------w- c:\windows\system32\B51B91AEB8.sys
2009-04-04 04:17 . 2009-04-04 04:17 -------- d-----w- c:\users\dimi\AppData\Roaming\DivX
2009-04-04 03:45 . 2009-04-04 03:44 -------- d-----w- c:\program files\DivX
2009-04-04 03:44 . 2009-04-02 12:55 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-04-04 03:44 . 2009-04-04 03:44 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-04-04 02:36 . 2009-04-04 02:36 -------- d-----w- c:\users\dimi\AppData\Roaming\vlc
2009-04-04 02:34 . 2009-04-04 02:34 -------- d-----w- c:\program files\VideoLAN
2009-04-04 02:20 . 2009-04-04 02:20 18816 ------w- c:\windows\system32\drivers\dvd43llh.sys
2009-04-04 02:20 . 2009-04-04 02:20 -------- d-----w- c:\program files\dvd43
2009-04-03 23:59 . 2009-04-03 23:59 -------- d-----w- c:\programdata\LightScribe
2009-04-03 23:16 . 2009-04-03 23:16 -------- d-----w- c:\users\dimi\AppData\Roaming\Nero
2009-04-03 23:15 . 2009-04-03 23:13 -------- d-----w- c:\program files\Common Files\Nero
2009-04-03 23:13 . 2009-04-03 23:13 -------- d-----w- c:\programdata\Nero
2009-04-03 23:13 . 2009-04-03 23:13 -------- d-----w- c:\program files\Nero
2009-04-03 23:06 . 2009-04-03 23:06 -------- d-----w- c:\users\dimi\AppData\Roaming\CyberLink
2009-04-03 23:06 . 2009-04-03 23:06 -------- d-----w- c:\programdata\CyberLink
2009-04-03 14:11 . 2008-03-11 20:53 -------- d-----w- c:\program files\HP
2009-04-03 13:45 . 2009-04-03 13:45 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-04-03 13:45 . 2009-04-03 13:45 315392 ----a-w- c:\windows\HideWin.exe
2009-04-03 13:45 . 2009-04-03 13:45 -------- d-----w- c:\program files\Realtek
2009-04-03 13:27 . 2009-04-03 13:27 -------- d-----w- c:\program files\Intel
2009-04-03 13:27 . 2009-04-03 13:27 -------- d-----w- c:\users\dimi\AppData\Roaming\WinBatch
2009-04-03 11:53 . 2009-04-03 11:53 167376 ----a-w- c:\users\dimi\AppData\Roaming\Mozilla\Firefox\Profiles\qpc85q0w.default\FlashGot.exe
2009-04-02 18:52 . 2009-04-02 18:52 269312 ----a-w- c:\windows\system32\es.dll
2009-04-02 18:46 . 2009-04-02 18:46 1965056 ----a-w- c:\windows\system32\NlsData001a.dll
2009-04-02 18:45 . 2009-04-02 18:45 6656 ----a-w- c:\windows\system32\kbd106n.dll
2009-04-02 18:45 . 2009-04-02 18:45 988216 ----a-w- c:\windows\system32\winload.exe
2009-04-02 18:45 . 2009-04-02 18:45 927288 ----a-w- c:\windows\system32\winresume.exe
2009-04-02 18:45 . 2009-04-02 18:45 40960 ----a-w- c:\windows\system32\srclient.dll
2009-04-02 18:45 . 2009-04-02 18:45 378368 ----a-w- c:\windows\system32\srcore.dll
2009-04-02 18:45 . 2009-04-02 18:45 318464 ----a-w- c:\windows\system32\rstrui.exe
2009-04-02 18:45 . 2009-04-02 18:45 14848 ----a-w- c:\windows\system32\srdelayed.exe
2009-04-02 18:45 . 2009-04-02 18:45 46592 ----a-w- c:\windows\system32\setbcdlocale.dll
2009-04-02 18:45 . 2009-04-02 18:45 19000 ----a-w- c:\windows\system32\kd1394.dll
2009-04-02 18:45 . 2009-04-02 18:45 615992 ----a-w- c:\windows\system32\ci.dll
2009-04-02 18:34 . 2009-04-02 18:34 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-04-02 18:34 . 2009-04-02 18:34 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-04-02 18:34 . 2009-04-02 18:34 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-04-02 18:34 . 2009-04-02 18:34 83968 ----a-w- c:\windows\system32\mscories.dll
2009-04-02 18:34 . 2009-04-02 18:34 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-04-02 12:56 . 2009-04-02 12:56 0 ----a-w- c:\windows\nsreg.dat
2009-04-02 12:40 . 2009-04-02 12:40 680 ----a-w- c:\users\dimi\AppData\Local\d3d9caps.dat
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-07-10 00:04 . 2009-04-03 06:29 22 --sha-w- c:\windows\SMINST\HPCD.SYS
2008-03-11 20:25 . 2008-03-11 20:11 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-01-19 942080]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-05-20 497008]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-02 178712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-07 1828136]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2005-12-05 691200]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-01-10 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-10 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-10 88608]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-08 16712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-06-01 341312]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-07-03 6266880]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-18 76304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-05-20 497008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-3 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-694825972-2939018928-1126776167-1000]
"EnableNotificationsRef"=dword:00000004

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= c:\program files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7974E05B-14C3-494E-9916-C6F37A639725}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{8623164F-C1EF-4140-8E9A-296A56A75D38}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{AF5375E5-B574-4B3E-9CB3-AA87E4FEB809}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{05F9EC07-641D-4346-AF2B-929979AE6F15}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{6056547B-E44D-422F-98AC-746170618AB6}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7CDD1C14-9911-4E0C-BFE6-6BD2115EFE75}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4C89D741-1B90-4210-B755-BC383498C46A}"= UDP:5353:Adobe CSI CS4
"{641ABE9A-0A28-43A7-8848-CD6E0A84C9F7}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{5AEF7CD3-E728-41D4-889E-BE685DD2FAE3}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{4FE22A03-5A87-4522-A3F5-33AC5D8684AE}"= UDP:c:\program files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.5
"{0FF220C4-78B8-464B-88AC-B46D7A782736}"= TCP:c:\program files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.5
"{1E3EC219-89C8-4CFE-9F3B-34914212F690}"= UDP:c:\program files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.5
"{21C48E96-9B2E-4B95-A815-F07208018FB2}"= TCP:c:\program files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.5
"TCP Query User{43B8CBEB-B78F-48D0-9A51-D1127780A7E7}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{56E2CED2-E18F-433B-A961-74B697544815}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"{6E010190-9DDB-4E2D-AEC2-7C98E4459502}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{494724F2-066C-4DB8-8FA5-6D48F00BBA96}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= c:\program files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [20/05/2009 11:01 PM 145424]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [20/05/2009 11:05 PM 181584]
R2 tmevtmgr;tmevtmgr;c:\windows\System32\drivers\tmevtmgr.sys [20/05/2009 11:01 PM 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [20/05/2009 11:04 PM 497008]
R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [21/05/2009 12:07 AM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [20/05/2009 11:04 PM 677128]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\System32\drivers\tmwfp.sys [20/05/2009 11:01 PM 256528]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/04/2009 8:38 PM 92008]
R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\System32\drivers\3xHybrid.sys [12/03/2008 6:26 AM 2831232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
HKLM-Run-Bluetooth Connection Assistant - LBTWIZ.EXE
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\dimi\AppData\Roaming\Mozilla\Firefox\Profiles\qpc85q0w.default\
FF - prefs.js: browser.startup.homepage - www.google.com.au
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 22:26
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3276)
c:\program files\Logitech\SetPoint\IMHook.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Logishrd\Bluetooth\LBTServ.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\System32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\windows\System32\schtasks.exe
c:\program files\Logitech\SetPoint\LBTWiz.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\jusched.exe
c:\windows\ehome\ehmsas.exe
c:\windows\ehome\ehsched.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Windows Mail\WinMail.exe
c:\hp\KBD\kbd.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\ehome\ehrecvr.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
.
**************************************************************************
.
Completion time: 2009-06-02 22:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-02 12:30

Pre-Run: 343,129,800,704 bytes free
Post-Run: 347,470,639,104 bytes free

381 --- E O F --- 2009-05-21 09:07

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:07 PM, on 2/06/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\System32\mobsync.exe
C:\WINDOWS\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\dvd43\DVD43_Tray.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Windows\system32\jusched.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Mail\WinMail.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe" -s
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 9465 bytes
infinite_one
Active Member
 
Posts: 12
Joined: May 28th, 2009, 5:24 pm

Re: help pls

Unread postby Shaba » June 2nd, 2009, 8:56 am

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

Image

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: help pls

Unread postby infinite_one » June 2nd, 2009, 9:04 am

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office system
Acrobat.com
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.1.1
Apple Mobile Device Support
Apple Software Update
Bonjour
CDDRV_Installer
Choice Guard
Compatibility Pack for the 2007 Office system
CopyTrans Suite Remove Only
Corel MediaOne
Corel Paint Shop Pro Photo X2
Corel Painter Photo Essentials 4
Corel Painter Photo Essentials 4
CyberLink DVD Suite Deluxe
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DVD43 v3.7.0
Enhanced Multimedia Keyboard Solution
Eye Candy 4000
FileZilla Client 3.2.4.1
Hardware Diagnostic Tools
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.5
HP Picasso Media Center Add-In
HP Total Care Advisor
HP Update
ImageSkill Background Remover 3
ImTOO MPEG Encoder Ultimate
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
iPhoneBrowser
Java(TM) SE Runtime Environment 6 Update 1
Junk Mail filter update
KhalInstallWrapper
LabelPrint
LightScribe System Software 1.10.23.1
Logitech Harmony Remote Software 7
Logitech SetPoint
MainConcept for Software Encoder
MediaRing Talk
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mouse Driver
Mozilla Firefox (3.0.10)
Mozilla Thunderbird (2.0.0.21)
MSVCRT
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 6.1
My HP Games
Nero 8
NVIDIA Drivers
OGA Notifier 1.7.0105.35.0
Power2Go
PowerDirector
Python 2.5
QuickTime
Realtek High Definition Audio Driver
Remote Control USB Driver
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Microsoft Office Word 2007 (KB956358)
TomTom HOME 2.6.2.1586
TomTom HOME Visual Studio Merge Modules
Trend Micro Internet Security Pro
Trend Micro Internet Security Pro
Universe Plugins
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb968503)
Update for Outlook 2007 Junk Email Filter (kb968503)
VC80CRTRedist - 8.0.50727.762
VLC media player 0.9.9
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinPatrol 2009
WinRAR archiver
Xenofex 1.0
infinite_one
Active Member
 
Posts: 12
Joined: May 28th, 2009, 5:24 pm

Re: help pls

Unread postby Shaba » June 5th, 2009, 12:12 am

Sorry for the delay, I missed your reply.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Folder::
    c:\users\dimi\AppData\Roaming\Azureus
    c:\program files\vuze
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "TCP Query User{43B8CBEB-B78F-48D0-9A51-D1127780A7E7}c:\\program files\\vuze\\azureus.exe"=-
    "UDP Query User{56E2CED2-E18F-433B-A961-74B697544815}c:\\program files\\vuze\\azureus.exe"=-
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland