Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HELP..i think my computer is infected

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

HELP..i think my computer is infected

Unread postby robo122 » July 21st, 2009, 12:38 pm

hi,

i have been having problems lately on my work computer. attached is the hijackthsi log. i know something is workng with my computer, i downloaded trend micro internet pro, and it has removed several viruses. 2 files i know it removed were brastia.exe & legupd32.exe. but i am still having problems. after a few minutes of being online, i lose my internet connectivity. but my computer is still connected to the network. adn other computers on the network retain connectivity. my computer is hard wired to the router (not wireless). i have also a few times lost the ability to use the keyboard, don't now if this is related. i have also removed anti-virus agent pro from my computer, which i know is a virus/trojan

please help, rob

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:26 PM, on 7/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=6080205
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://newyork.yankees.mlb.com/index.jsp?c_id=nyy
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=6080205
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)" -"http://www.nabiscoworld.com/Games/game_large.aspx?gameid=10098"
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2750017656
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - http://radaol-prod-web-rr.streamops.aol ... 0.84.2.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/Game ... meHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: C-DillaSrv (uuyju4i27tvuecaq) - Unknown owner - C:\WINDOWS\system32\winy.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14001 bytes
robo122
Regular Member
 
Posts: 21
Joined: July 21st, 2009, 12:31 pm
Advertisement
Register to Remove

Re: HELP..i think my computer is infected

Unread postby Bio-Hazard » July 24th, 2009, 9:00 am

Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  • I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • I f you don't know or understand something please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

No Reply Within 3 Days Will Result In Your Topic Being Closed!!





STEP 1

Download DDS

Please download DDS by sUBs from one of the links below and save it to your desktop:

Image
Download DDS and save it to your desktop from:

Link 1
Link 2

Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply


STEP 2


RootRepeal - Rootkit Detector

Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Clickthe Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program


Next Reply

Please reply with:
  • DDS.txt
  • Attach.txt
  • RootRepeal.txt
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: HELP..i think my computer is infected

Unread postby robo122 » July 25th, 2009, 6:42 am

please don't close my thread, i am going to be away, untils wednesday (more than 72 hours) i will post the information as soon as i can on wednesday.

thank you
robo122
Regular Member
 
Posts: 21
Joined: July 21st, 2009, 12:31 pm

Re: HELP..i think my computer is infected

Unread postby Bio-Hazard » July 25th, 2009, 7:57 am

Thank you for letting me know.
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: HELP..i think my computer is infected

Unread postby robo122 » July 29th, 2009, 12:31 pm

dds.txt


DDS (Ver_09-06-26.01) - NTFSx86
Run by COMPUTER E at 12:15:20.12 on Wed 07/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2450 [GMT -4:00]

AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\COMPUTER E\Desktop\Rob's Stuff\rob\fix it\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://newyork.yankees.mlb.com/index.jsp?c_id=nyy
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/ ... channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=6080205
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/ ... channel=us
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/ ... channel=us
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)" -"http://www.nabiscoworld.com/Games/game_large.aspx?gameid=10098"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\comput~1\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/Fac ... oader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resour ... se5483.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microso ... 2750017656
DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol ... 0.84.2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/A ... tPkMSN.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/Me ... b56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/Game ... meHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [2009-7-16 181584]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-7-16 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-7-16 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-7-16 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-7-16 677128]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-13 24652]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-2-4 84992]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-7-16 335376]
S2 uuyju4i27tvuecaq;C-DillaSrv;c:\windows\system32\winy.exe --> c:\windows\system32\winy.exe [?]

=============== Created Last 30 ================

2009-07-20 08:12 <DIR> --d----- c:\windows\system32\Service
2009-07-16 10:56 192,512 a------- c:\windows\system32\kdfvmgr.exe
2009-07-16 10:56 77,824 a------- c:\windows\system32\kdfapi.dll
2009-07-16 10:56 53,248 a------- c:\windows\system32\Kdfhok.dll
2009-07-16 10:56 475,872 a------- c:\windows\system32\kdfinj.dll
2009-07-16 10:56 387,288 a------- c:\windows\system32\kdfmgr.exe
2009-07-16 10:56 <DIR> --d----- c:\windows\kdefense
2009-07-16 10:37 <DIR> --d----- c:\windows\LocalSSL
2009-07-16 08:46 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-07-16 08:46 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-07-16 08:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2009-07-16 08:45 <DIR> --d----- c:\program files\Trend Micro
2009-07-16 08:41 661,808 a------- c:\windows\system32\UfWSC.cpl
2009-07-16 08:41 1,220,120 a------- c:\windows\system32\drivers\vsapint.sys
2009-07-16 08:41 335,376 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-07-16 08:41 225,296 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-07-16 08:41 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-07-16 08:41 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-07-15 16:01 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-07-15 14:08 28,672 a------- c:\windows\system32\winarps32.exe
2009-07-15 14:06 4,224 a------- c:\windows\system32\dllcache\beep.sys

==================== Find3M ====================

2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2008-10-28 08:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102820081029\index.dat

============= FINISH: 12:15:55.48 ===============


attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/11/2008 8:45:50 AM
System Uptime: 7/29/2009 12:11:34 PM (0 hours ago)

Motherboard: Dell Inc. | | 0FM586
Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2394/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 295 GiB total, 272.558 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP184: 4/8/2009 3:30:59 PM - System Checkpoint
RP185: 4/9/2009 11:12:13 AM - Installed Windows Internet Explorer 8.
RP186: 4/9/2009 11:12:46 AM - Software Distribution Service 3.0
RP187: 4/13/2009 10:48:06 AM - System Checkpoint
RP188: 4/13/2009 2:23:20 PM - Installed Windows XP KB942288-v3.
RP189: 4/13/2009 2:25:49 PM - Installed DirectX
RP190: 4/15/2009 9:41:31 AM - System Checkpoint
RP191: 4/15/2009 9:42:31 AM - Software Distribution Service 3.0
RP192: 4/16/2009 2:41:18 PM - System Checkpoint
RP193: 4/21/2009 2:27:58 PM - System Checkpoint
RP194: 4/23/2009 9:52:56 AM - System Checkpoint
RP195: 4/24/2009 12:45:43 PM - System Checkpoint
RP196: 4/29/2009 10:00:15 AM - Software Distribution Service 3.0
RP197: 4/30/2009 1:32:04 PM - System Checkpoint
RP198: 5/5/2009 4:08:53 PM - System Checkpoint
RP199: 5/7/2009 2:37:42 PM - System Checkpoint
RP200: 5/11/2009 10:39:27 AM - System Checkpoint
RP201: 5/13/2009 10:00:15 AM - Software Distribution Service 3.0
RP202: 5/18/2009 11:38:00 AM - System Checkpoint
RP203: 5/21/2009 8:31:48 AM - System Checkpoint
RP204: 5/28/2009 2:54:39 PM - System Checkpoint
RP205: 6/4/2009 7:55:53 AM - System Checkpoint
RP206: 6/8/2009 10:52:12 AM - System Checkpoint
RP207: 6/10/2009 10:46:52 AM - System Checkpoint
RP208: 6/11/2009 10:00:17 AM - Software Distribution Service 3.0
RP209: 6/15/2009 1:52:27 PM - System Checkpoint
RP210: 6/22/2009 10:46:52 AM - System Checkpoint
RP211: 6/29/2009 9:23:17 AM - System Checkpoint
RP212: 7/6/2009 10:29:24 AM - System Checkpoint
RP213: 7/9/2009 12:51:01 PM - System Checkpoint
RP214: 7/13/2009 9:05:43 AM - System Checkpoint
RP215: 7/14/2009 12:09:47 PM - System Checkpoint
RP216: 7/15/2009 10:00:15 AM - Software Distribution Service 3.0
RP217: 7/16/2009 8:45:20 AM - Installed Trend Micro Internet Security
RP218: 7/20/2009 1:10:44 PM - System Checkpoint
RP219: 7/23/2009 1:28:11 PM - System Checkpoint
RP220: 7/29/2009 10:00:16 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Ad-Aware
Address Book 5.0 for Windows
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.1.0 Professional
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.0
Adobe Shockwave Player 11
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
AutoCAD 2008 - English
AutoCAD 2010 - English
AutoCAD 2010 Language Pack - English
Autodesk DWF Viewer 7
Browser Address Error Redirector
BT-PlotAssistant
Camfrog Video Chat 5.1 (remove only)
Choice Guard
COMcheck 3.5.2
Conexant D850 56K V.9x DFVc Modem
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Dell DataSafe Online
Dell Driver Reset Tool
Dell Support Center (Support Software)
Dell System Restore
Digital Line Detect
DING!
DivX Web Player
Documentation & Support Launcher
ffdshow [rev 1900] [2008-03-15]
FLV Player 2.0, build 24
Games, Music, & Photos Launcher
Google Earth
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Intel(R) PRO Network Connections Drivers
Internet Service Offers Launcher
J2SE Runtime Environment 5.0 Update 6
Labels Express 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Modem Diagnostic Tool
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Netflix Movie Viewer
NetWaiting
PowerDVD
QualxServ Service Agreement
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Registry Mechanic 7.0
REScheck 4.2.2
Rhapsody Player Engine
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
SearchAssist
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Segoe UI
Snood for Windows version 3.52-W
Sonic Activation Module
StoneCAD 5
Trend Micro Internet Security Pro
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
VBA (2627.01)
Viewpoint Media Player
WebFldrs XP
Wide Format Network TWAIN Source
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
Xerox Corporation Wide Format Scan Service
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

7/23/2009 12:41:24 PM, error: Service Control Manager [7034] - The Trend Micro Proxy Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================


rootrepeal.txt


ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/07/29 12:19
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xACC9B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5F2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: neokdss.sys
Image Path: C:\WINDOWS\system32\Drivers\neokdss.sys
Address: 0xA922C000 Size: 57344 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA92DC000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\computer e\local settings\temp\~df6f7d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\computer e\local settings\temp\~dfe2b4.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x89e26dc0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x89e262c0

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x89e26580

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89e27c20

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x89e27340

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x89e27600

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x89e27dc0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89e26840

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x89e27080

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x89e26b00

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89e27a80

Stealth Objects
-------------------
Object: Hidden Module [Name: shell32.dll]
Process: Explorer.EXE (PID: 400) Address: 0x024a0000 Size: 16384

Object: Hidden Module [Name: shell32.dll]
Process: IEXPLORE.EXE (PID: 1004) Address: 0x02980000 Size: 16384

Object: Hidden Code [ETHREAD: 0x89eed3b0]
Process: System Address: 0x8a5de1a0 Size: 2246

Object: Hidden Code [ETHREAD: 0x8a6f4990]
Process: System Address: 0x8a5c8f9f Size: 100

Object: Hidden Code [ETHREAD: 0x8a6f4718]
Process: System Address: 0x8a5fc517 Size: 2795

Object: Hidden Code [ETHREAD: 0x8a6c9b30]
Process: System Address: 0x8a5cbc11 Size: 1009

Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5a81c0 Size: 3652

==EOF==
robo122
Regular Member
 
Posts: 21
Joined: July 21st, 2009, 12:31 pm

Re: HELP..i think my computer is infected

Unread postby Bio-Hazard » July 29th, 2009, 8:02 pm

ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.


Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the Perform Full Scan option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Kaspersky Online Scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.




Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Malwarebytes Antimalware log
  • Kaspersky Log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: HELP..i think my computer is infected

Unread postby robo122 » July 31st, 2009, 9:23 am

ran atf cleaner

mbam-log

Malwarebytes' Anti-Malware 1.39
Database version: 2529
Windows 5.1.2600 Service Pack 3

7/30/2009 8:56:59 AM
mbam-log-2009-07-30 (08-56-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 178845
Time elapsed: 20 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\(default) (Hijack.Tray) -> Bad: (C:\DOCUME~1\COMPUT~1\LOCALS~1\Temp\\shell32.dll) Good: (stobject.dll) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP216\A0037889.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\winarps32.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\COMPUTER E\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.



i ran the online virus scan, and after a few minutes my comp goes crazy, the window takes over the whole screen, and it goes all white. i can wipe the screen with another window and see it is still running, after it finishes, i can see it found 5 items. but when i click "save report as" the screen turns white and nothing happens, and then the "save report as" box becomes opaque, and i can't click on it.

but i did run a new hijack this


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:51 PM, on 7/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\AutoCAD 2010\acad.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\kdfmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=6080205
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://newyork.yankees.mlb.com/index.jsp?c_id=nyy
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=6080205
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)" -"http://www.nabiscoworld.com/Games/game_large.aspx?gameid=10098"
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2750017656
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - http://radaol-prod-web-rr.streamops.aol ... 0.84.2.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/Game ... meHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: C-DillaSrv (uuyju4i27tvuecaq) - Unknown owner - C:\WINDOWS\system32\winy.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14081 bytes



i am still having the same problem that the internet connection keeps dropping, but i am still connected to my office network.
robo122
Regular Member
 
Posts: 21
Joined: July 21st, 2009, 12:31 pm

Re: HELP..i think my computer is infected

Unread postby robo122 » July 31st, 2009, 9:24 am

ran atf cleaner

mbam-log

Malwarebytes' Anti-Malware 1.39
Database version: 2529
Windows 5.1.2600 Service Pack 3

7/30/2009 8:56:59 AM
mbam-log-2009-07-30 (08-56-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 178845
Time elapsed: 20 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\(default) (Hijack.Tray) -> Bad: (C:\DOCUME~1\COMPUT~1\LOCALS~1\Temp\\shell32.dll) Good: (stobject.dll) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP216\A0037889.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\winarps32.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\COMPUTER E\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.



i ran the online virus scan, and after a few minutes my comp goes crazy, the window takes over the whole screen, and it goes all white. i can wipe the screen with another window and see it is still running, after it finishes, i can see it found 5 items. but when i click "save report as" the screen turns white and nothing happens, and then the "save report as" box becomes opaque, and i can't click on it.

but i did run a new hijack this


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:51 PM, on 7/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\AutoCAD 2010\acad.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\kdfmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=6080205
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://newyork.yankees.mlb.com/index.jsp?c_id=nyy
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=6080205
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)" -"http://www.nabiscoworld.com/Games/game_large.aspx?gameid=10098"
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2750017656
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - http://radaol-prod-web-rr.streamops.aol ... 0.84.2.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/Game ... meHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: C-DillaSrv (uuyju4i27tvuecaq) - Unknown owner - C:\WINDOWS\system32\winy.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14081 bytes



i am still having the same problem that the internet connection keeps dropping, but i am still connected to my office network.
robo122
Regular Member
 
Posts: 21
Joined: July 21st, 2009, 12:31 pm

Re: HELP..i think my computer is infected

Unread postby Bio-Hazard » July 31st, 2009, 5:40 pm

Hello!

Is this a business computer?
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: HELP..i think my computer is infected

Unread postby robo122 » July 31st, 2009, 8:10 pm

it is my computer at work....not a business
robo122
Regular Member
 
Posts: 21
Joined: July 21st, 2009, 12:31 pm

Re: HELP..i think my computer is infected

Unread postby Bio-Hazard » August 1st, 2009, 5:19 am

robo122 wrote:it is my computer at work....not a business


So if i understand correctly this is a personal computer which you use at your work place. Why i am asking is because we can not help to clean business computers as we dont know what restrictions might be in place and also we dont want to compromise any business data.

Malware Removal Forum Guidelines and Rules

We do not help in cleaning business or corporate computers. There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware. There may also be legal issues regarding any loss of business data that we do not wish to deal with.
If you ask for help and, unknown to us, it involves a business computer, you need to understand that any damages resulting from our advice are YOUR RESPONSIBILITY.
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: HELP..i think my computer is infected

Unread postby robo122 » August 1st, 2009, 9:18 am

you are correct
robo122
Regular Member
 
Posts: 21
Joined: July 21st, 2009, 12:31 pm

Re: HELP..i think my computer is infected

Unread postby Bio-Hazard » August 1st, 2009, 1:34 pm

Hello!

Ok lets continue.

Gmer

Please download Gmer by Gmer and save it to your desktop.

  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on gmer.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the Gmer scan log and post it in your next reply.
  • Close Gmer.

Note: Do not run any programs while Gmer is running.
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: HELP..i think my computer is infected

Unread postby robo122 » August 3rd, 2009, 12:04 pm

GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-03 11:31:03
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 89E06DC0 ZwCreateKey
SSDT 89E062C0 ZwCreateProcess
SSDT 89E06580 ZwCreateProcessEx
SSDT 89E07C20 ZwCreateThread
SSDT 89E07340 ZwDeleteKey
SSDT 89E07600 ZwDeleteValueKey
SSDT 89E07DC0 ZwLoadDriver
SSDT 89E06840 ZwOpenProcess
SSDT 89E07080 ZwSetValueKey
SSDT 89E06B00 ZwTerminateProcess
SSDT 89E07A80 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? system32\Drivers\neokdss.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\alg.exe[456] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00B52B80
.text C:\WINDOWS\System32\alg.exe[456] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00B52B3D
.text C:\WINDOWS\System32\alg.exe[456] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00B52B01
.text C:\WINDOWS\System32\alg.exe[456] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B52AE6
.text C:\WINDOWS\System32\alg.exe[456] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B52972
.text C:\WINDOWS\System32\alg.exe[456] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B52A64
.text C:\WINDOWS\System32\alg.exe[456] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B529AA
.text C:\WINDOWS\System32\alg.exe[456] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B529E2
.text C:\WINDOWS\Explorer.EXE[748] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01B02B80
.text C:\WINDOWS\Explorer.EXE[748] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01B02B3D
.text C:\WINDOWS\Explorer.EXE[748] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01B02B01
.text C:\WINDOWS\Explorer.EXE[748] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01B02AE6
.text C:\WINDOWS\Explorer.EXE[748] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01B02972
.text C:\WINDOWS\Explorer.EXE[748] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01B02A64
.text C:\WINDOWS\Explorer.EXE[748] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01B029AA
.text C:\WINDOWS\Explorer.EXE[748] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01B029E2
.text C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE[1184] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 03A92B80
.text C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE[1184] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 03A92B3D
.text C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE[1184] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 03A92B01
.text C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE[1184] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03A92AE6
.text C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE[1184] ws2_32.dll!send 71AB4C27 5 Bytes JMP 03A92972
.text C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE[1184] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03A92A64
.text C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE[1184] ws2_32.dll!recv 71AB676F 5 Bytes JMP 03A929AA
.text C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE[1184] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 03A929E2
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[1260] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01352B80
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[1260] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01352B3D
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[1260] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01352B01
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[1260] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01352AE6
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[1260] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01352972
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[1260] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01352A64
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[1260] WS2_32.dll!recv 71AB676F 5 Bytes JMP 013529AA
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe[1260] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 013529E2
.text C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe[1388] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 010F2B80
.text C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe[1388] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 010F2B3D
.text C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe[1388] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 010F2B01
.text C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe[1388] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010F2AE6
.text C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe[1388] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010F2972
.text C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe[1388] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010F2A64
.text C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe[1388] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010F29AA
.text C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe[1388] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010F29E2
.text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[1516] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00DF2B80
.text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[1516] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00DF2B3D
.text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[1516] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00DF2B01
.text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[1516] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DF2AE6
.text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[1516] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DF2972
.text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[1516] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DF2A64
.text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[1516] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DF29AA
.text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[1516] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DF29E2
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1648] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01222B80
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1648] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01222B3D
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1648] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01222B01
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1648] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01222AE6
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1648] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01222972
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1648] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01222A64
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1648] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012229AA
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1648] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 012229E2
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1740] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 03462B80
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1740] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 03462B3D
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1740] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 03462B01
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1740] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03462AE6
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1740] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03462972
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1740] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03462A64
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1740] WS2_32.dll!recv 71AB676F 5 Bytes JMP 034629AA
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1740] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 034629E2
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1776] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 012C2B80
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1776] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 012C2B3D
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1776] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 012C2B01
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1776] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 012C2AE6
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1776] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012C2972
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1776] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012C2A64
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1776] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012C29AA
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1776] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 012C29E2
.text C:\WINDOWS\system32\ctfmon.exe[1824] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 010A2B80
.text C:\WINDOWS\system32\ctfmon.exe[1824] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 010A2B3D
.text C:\WINDOWS\system32\ctfmon.exe[1824] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 010A2B01
.text C:\WINDOWS\system32\ctfmon.exe[1824] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010A2AE6
.text C:\WINDOWS\system32\ctfmon.exe[1824] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010A2972
.text C:\WINDOWS\system32\ctfmon.exe[1824] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010A2A64
.text C:\WINDOWS\system32\ctfmon.exe[1824] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010A29AA
.text C:\WINDOWS\system32\ctfmon.exe[1824] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010A29E2
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1924] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 02BA2B80
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1924] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02BA2B3D
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1924] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02BA2B01
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1924] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02BA2AE6
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1924] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02BA2972
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1924] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02BA2A64
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1924] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02BA29AA
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1924] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02BA29E2
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1952] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00E62B80
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1952] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00E62B3D
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1952] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00E62B01
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1952] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E62AE6
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1952] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E62972
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1952] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E62A64
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1952] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E629AA
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1952] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E629E2
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[2092] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00B32B80
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[2092] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00B32B3D
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[2092] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00B32B01
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[2092] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B32AE6
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[2092] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B32972
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[2092] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B32A64
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[2092] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B329AA
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[2092] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B329E2
.text C:\Program Files\Southwest Airlines\Ding\Ding.exe[2512] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01082AE6
.text C:\Program Files\Southwest Airlines\Ding\Ding.exe[2512] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01082972
.text C:\Program Files\Southwest Airlines\Ding\Ding.exe[2512] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01082A64
.text C:\Program Files\Southwest Airlines\Ding\Ding.exe[2512] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010829AA
.text C:\Program Files\Southwest Airlines\Ding\Ding.exe[2512] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010829E2
.text C:\Program Files\Southwest Airlines\Ding\Ding.exe[2512] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01082B80
.text C:\Program Files\Southwest Airlines\Ding\Ding.exe[2512] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01082B3D
.text C:\Program Files\Southwest Airlines\Ding\Ding.exe[2512] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01082B01
.text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[2772] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00CA2B80
.text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[2772] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00CA2B3D
.text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[2772] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00CA2B01
.text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[2772] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CA2AE6
.text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[2772] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CA2972
.text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[2772] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00CA2A64
.text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[2772] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CA29AA
.text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[2772] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00CA29E2
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[3076] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 03802B80
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[3076] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 03802B3D
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[3076] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 03802B01
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[3076] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03802AE6
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[3076] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03802972
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[3076] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03802A64
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[3076] WS2_32.dll!recv 71AB676F 5 Bytes JMP 038029AA
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[3076] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 038029E2
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3116] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00932B80
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3116] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00932B3D
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3116] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00932B01
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3116] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00932AE6
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3116] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00932972
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3116] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00932A64
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3116] WS2_32.dll!recv 71AB676F 5 Bytes JMP 009329AA
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3116] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 009329E2
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[3228] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 02762B80
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[3228] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02762B3D
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[3228] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02762B01
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[3228] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02762AE6
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[3228] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02762972
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[3228] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02762A64
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[3228] WS2_32.dll!recv 71AB676F 5 Bytes JMP 027629AA
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[3228] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 027629E2
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[3544] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01372B80
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[3544] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01372B3D
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[3544] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01372B01
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[3544] WS2_32.dll!closesocket 71AB3E2B 3 Bytes JMP 01372AE6
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[3544] WS2_32.dll!closesocket + 4 71AB3E2F 1 Byte [8F]
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[3544] WS2_32.dll!send 71AB4C27 3 Bytes JMP 01372972
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[3544] WS2_32.dll!send + 4 71AB4C2B 1 Byte [8F]
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[3544] WS2_32.dll!WSARecv 71AB4CB5 3 Bytes JMP 01372A64
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[3544] WS2_32.dll!WSARecv + 4 71AB4CB9 1 Byte [8F]
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[3544] WS2_32.dll!recv 71AB676F 3 Bytes JMP 013729AA
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[3544] WS2_32.dll!recv + 4 71AB6773 1 Byte [8F]
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[3544] WS2_32.dll!WSASend 71AB68FA 3 Bytes JMP 013729E2
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[3544] WS2_32.dll!WSASend + 4 71AB68FE 1 Byte [8F]
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3608] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01C12B80
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3608] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01C12B3D
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3608] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01C12B01
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3608] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01C12AE6
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3608] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01C12972
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3608] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01C12A64
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3608] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01C129AA
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3608] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01C129E2
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[3676] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D92AE6
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[3676] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D92972
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[3676] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D92A64
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[3676] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D929AA
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[3676] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D929E2
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[3676] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00D92B80
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[3676] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00D92B3D
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[3676] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00D92B01
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[3864] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01FD2AE6
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[3864] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01FD2972
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[3864] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01FD2A64
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[3864] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01FD29AA
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[3864] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01FD29E2
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[3864] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01FD2B80
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[3864] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01FD2B3D
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[3864] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01FD2B01
.text C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe[4292] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01C62B80
.text C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe[4292] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01C62B3D
.text C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe[4292] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01C62B01
.text C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe[4292] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01C62AE6
.text C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe[4292] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01C62972
.text C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe[4292] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01C62A64
.text C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe[4292] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01C629AA
.text C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe[4292] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01C629E2
.text C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe[4660] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01A72B80
.text C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe[4660] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01A72B3D
.text C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe[4660] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01A72B01
.text C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe[4660] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01A72AE6
.text C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe[4660] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01A72972
.text C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe[4660] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01A72A64
.text C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe[4660] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01A729AA
.text C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe[4660] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01A729E2
.text C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[5020] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 02292B80
.text C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[5020] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02292B3D
.text C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[5020] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02292B01
.text C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[5020] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02292AE6
.text C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[5020] ws2_32.dll!send 71AB4C27 5 Bytes JMP 02292972
.text C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[5020] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02292A64
.text C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[5020] ws2_32.dll!recv 71AB676F 5 Bytes JMP 022929AA
.text C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[5020] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 022929E2
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[5552] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 03FE2B80
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[5552] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 03FE2B3D
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[5552] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 03FE2B01
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[5552] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03FE2AE6
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[5552] ws2_32.dll!send 71AB4C27 5 Bytes JMP 03FE2972
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[5552] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03FE2A64
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[5552] ws2_32.dll!recv 71AB676F 5 Bytes JMP 03FE29AA
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[5552] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 03FE29E2

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\ACPI \Device\00000050 8A5C31C0
Device \Driver\ACPI \Device\00000051 8A5C31C0
Device \Driver\ACPI \Device\00000044 8A5C31C0
Device \Driver\ACPI \Device\00000052 8A5C31C0
Device \Driver\ACPI \Device\00000053 8A5C31C0
Device \Driver\ACPI \Device\00000060 8A5C31C0
Device \Driver\ACPI \Device\00000054 8A5C31C0
Device \Driver\ACPI \Device\00000047 8A5C31C0
Device \Driver\ACPI \Device\00000055 8A5C31C0
Device \Driver\ACPI \Device\00000048 8A5C31C0

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\ACPI \Device\00000049 8A5C31C0
Device \Driver\ACPI \Device\00000063 8A5C31C0
Device \Driver\usbhub \Device\00000071 neokdss.sys
Device \Driver\usbhub \Device\00000072 neokdss.sys
Device \Driver\ACPI \Device\00000059 8A5C31C0
Device \Driver\usbhub \Device\00000073 neokdss.sys
Device \Driver\ACPI \Device\00000066 8A5C31C0
Device \Driver\usbhub \Device\00000074 neokdss.sys
Device \Driver\ACPI \Device\00000067 8A5C31C0
Device \Driver\usbhub \Device\00000075 neokdss.sys
Device \Driver\ACPI \Device\00000068 8A5C31C0
Device \Driver\usbhub \Device\00000076 neokdss.sys
Device \Driver\usbhub \Device\00000077 neokdss.sys
Device \Driver\usbhub \Device\00000078 neokdss.sys
Device \Driver\ACPI \Device\0000004c 8A5C31C0
Device \Driver\ACPI \Device\0000004d 8A5C31C0
Device \Driver\ACPI \Device\0000004e 8A5C31C0
Device \Driver\ACPI \Device\0000004f 8A5C31C0

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\ACPI \Device\0000006b 8A5C31C0
Device \Driver\ACPI \Device\0000006c 8A5C31C0
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A81BDD20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Threads - GMER 1.0.15 ----

Thread System [4:492] 8A5F91A0
Thread System [4:496] 8A5E3F9F
Thread System [4:500] 8A617517
Thread System [4:504] 8A5E6C11

---- EOF - GMER 1.0.15 ----
robo122
Regular Member
 
Posts: 21
Joined: July 21st, 2009, 12:31 pm

Re: HELP..i think my computer is infected

Unread postby Bio-Hazard » August 3rd, 2009, 6:03 pm

Gmer's mbr.exe

Please download mbr.exe from HERE and save it to your desktop.


  • Click the downloaded file to run the scan (a window will open briefly,then close).
  • The scan will create a mbr.log on your desktop
  • Please copy/paste those contents in your next reply.



Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX

  • You must download it to and run it from your Desktop
  • ComboFix SHOULD NOT be used unless requested by a forum helper.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE
  • Double click on ComboFix.exe and follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • Combofix should never take more that 20 minutes including the reboot if malware is detected.

IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.This tool is not a toy and not for everyday use.


Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • mbr log
  • New HijackThis log
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 466 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware