
Help!



#1
blueraider

blueraider

    Member

  • Member
  • PipPip
  • 31 posts
I have been having a problem the past couple of days with my computer running slow. While browsing on Firefox I get a message from TrendMicro telling me drwtsn32.exe was trying to change my settings. After that my internet connection will not work. I scanned my computer with HijackThis and this is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:10 AM, on 4/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellso...aller_4-2-1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1200322707218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160678548546
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.co...ic/SimCityX.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Unknown owner - C:\Program Files\Norton Ghost\Agent\VProSvc.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 8050 bytes

I would greatly appreciate any help. Thanks.
  • 0



#2
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hello and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your question, and we will go through it again.

There is nothing really showing in your log, but let's see what we come up with. Please do the following...

ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================================

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

===============================================

Needed in your next reply:

Malwarebytes log
Fresh HijackThis log

And let me know how things are running now :)
  • 0

#3
blueraider

blueraider

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Thanks for the help. I ran Malwarebytes and it detected one infection. Here's my Malwarebytes log and HijackThis log:

Malwarebytes' Anti-Malware 1.35
Database version: 1945
Windows 5.1.2600 Service Pack 2

4/6/2009 12:03:29 PM
mbam-log-2009-04-06 (12-03-29).txt

Scan type: Quick Scan
Objects scanned: 79753
Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Hijack this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:57 PM, on 4/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellso...aller_4-2-1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1200322707218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160678548546
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.co...ic/SimCityX.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Unknown owner - C:\Program Files\Norton Ghost\Agent\VProSvc.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 8083 bytes
  • 0

#4
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi blueraider,

drwtsn32.exe is a process belonging to Microsoft's Dr Watson program error debug utility. This utility can be important for technical support purposes and should be left alone unless suspected of causing problems. Did Trend Micro give you a file path for it, and were there any other error messages?

You are running two antivirus programs at the same time (Trend Micro Internet Security & Norton). It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory can cause system crashes, high system usage and/or conflicts with each other. So please decide which one you want to keep, then simply uninstall the other one.


Fix with HijackThis

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s



Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

===============================================

Kaspersky WebScanner
Please go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

  • 0
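As an added illustration of the kind of triage a helper does by eye on the HijackThis logs in this thread, here is a small Python script that parses HijackThis-style entry lines and flags the patterns discussed above: a replaced default search URL, a proxy server actually configured, an autorun that launches from a temp folder, and a service whose file is missing. This is example code added here; it is not part of the thread and not HijackThis's own code. The sample log is constructed in the same format as the logs posted above, with placeholder GUIDs, hosts and paths rather than values from a real machine.

```python
import re

# Constructed sample in HijackThis log format (placeholder values, not a real machine).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.example.invalid/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.example.invalid/?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\USER~1\LOCALS~1\Temp\updater.exe
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example Control) - http://download.example.invalid/control.cab
O23 - Service: Example Agent - Unknown owner - C:\Program Files\Example\agent.exe (file missing)
"""

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# Autoruns living in a temp folder or the browser cache deserve a second look.
TEMP_PATH_RE = re.compile(r"\\temp\\|\\temporary internet files\\", re.I)


def parse_hjt(text):
    """Return (section, body) tuples for each entry line; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Flag entries matching the patterns a helper looks for in this thread."""
    findings = []
    for section, body in entries:
        if section == "R1" and "Internet Settings,ProxyServer" in body:
            value = body.split("=", 1)[1].strip()
            # An empty value or ":0" means no proxy is actually configured.
            if value and value != ":0":
                findings.append((section, "proxy server configured", body))
        elif section == "R1" and "SearchURL,(Default)" in body:
            findings.append((section, "default search URL overridden", body))
        elif section == "O4" and TEMP_PATH_RE.search(body):
            findings.append((section, "autorun launched from a temp folder", body))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append((section, "service points at a missing file", body))
    return findings


def section_counts(entries):
    """How many entries each section has; a quick sanity check that the log parsed fully."""
    counts = {}
    for section, _ in entries:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", section_counts(parsed))
    for sec, reason, body in triage(parsed):
        print(f"[{sec}] {reason}: {body}")
```

The rules are deliberately narrow: they only surface entries for a human to look at, in the same way the helper asked for a fresh log before deciding what to fix, and a match is a prompt to investigate, not proof of infection.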

#5
blueraider

blueraider

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Here is the Kaspersky scan log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, April 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, April 06, 2009 18:44:06
Records in database: 2018604
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 88163
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:52:16


File name / Threat name / Threats count
C:\Program Files\Trend Micro\Internet Security\Quarantine\8AB.tmp Infected: Trojan-Downloader.WMA.GetCodec.i 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\FCB.tmp Infected: not-a-virus:AdWare.Win32.Agent.hzg 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\urqNDTNh.dll Infected: Trojan.Win32.Pakes.mmg 1

The selected area was scanned.
  • 0

#6
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi blueraider,

Your logs look good; the only things found are in your Trend Micro Internet Security Quarantine, so you can just empty that out. Are you having any problems? How are things running?
  • 0

#7
blueraider

blueraider

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Do I just delete all the quarantine stuff?
  • 0

#8
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi

If you're unsure we can just do it this way...

OTMoveIt3 by OldTimer

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy everything inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    C:\Program Files\Trend Micro\Internet Security\Quarantine\8AB.tmp 
    C:\Program Files\Trend Micro\Internet Security\Quarantine\FCB.tmp 
    C:\Program Files\Trend Micro\Internet Security\Quarantine\urqNDTNh.dll
    :Reg
    :Commands
    [purity]
    [emptytemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Also let me know if you're having any other problems :)
  • 0

#9
blueraider

blueraider

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Well, I ran it and it said: otmoveit3.exe - bad image. The application or DLL C:/Programfiles/TrendMicro/InternetSecurity/QuaratineurqNDTNh.dll is not a valid windows image. Please check this against your installation diskette. When I rebooted it sat on the Windows screen for a minute or two and when it loaded I got a prompt that said: Windows cannot find C:/docume~1/DerekM~1/locals~1/temp/VcVhUp0.exe. Now my Firefox will not open and it says the software update failed.
Here's the OT log:
========== FILES ==========
C:\Program Files\Trend Micro\Internet Security\Quarantine\8AB.tmp moved successfully.
C:\Program Files\Trend Micro\Internet Security\Quarantine\FCB.tmp moved successfully.
LoadLibrary failed for C:\Program Files\Trend Micro\Internet Security\Quarantine\urqNDTNh.dll
C:\Program Files\Trend Micro\Internet Security\Quarantine\urqNDTNh.dll NOT unregistered.
File move failed. C:\Program Files\Trend Micro\Internet Security\Quarantine\urqNDTNh.dll scheduled to be moved on reboot.
========== REGISTRY ==========
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\DEREKM~1\LOCALS~1\Temp\etilqs_oqO8JocInlrJCbFFAgpR scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\H2KQK6HB\quarantine[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\H2KQK6HB\qua_virus[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\H2KQK6HB\sub_banner[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\H2KQK6HB\trans_pixel[1].gif scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\7113UNJA\banner[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\7113UNJA\contents[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\7113UNJA\footer[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\7113UNJA\frame[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\7113UNJA\navi[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\7113UNJA\view[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\0F69EG42\mstoolbar[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\0F69EG42\muoptdefault[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\0F69EG42\muopt[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\rg4sfay scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ydf8dk scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ugcfwwso.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ugcfwwso.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ugcfwwso.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ugcfwwso.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Derek Milner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ugcfwwso.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04072009_112300

Files moved on Reboot...
LoadLibrary failed for C:\Program Files\Trend Micro\Internet Security\Quarantine\urqNDTNh.dll
C:\Program Files\Trend Micro\Internet Security\Quarantine\urqNDTNh.dll NOT unregistered.
File move failed. C:\Program Files\Trend Micro\Internet Security\Quarantine\urqNDTNh.dll scheduled to be moved on reboot.
File C:\DOCUME~1\DEREKM~1\LOCALS~1\Temp\etilqs_oqO8JocInlrJCbFFAgpR not found!
C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\H2KQK6HB\quarantine[1].htm moved successfully.
C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\H2KQK6HB\qua_virus[1].htm moved successfully.
C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\H2KQK6HB\sub_banner[1].htm moved successfully.
File C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\H2KQK6HB\trans_pixel[1].gif not found!
File C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\7113UNJA\banner[1].htm not found!
File C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\7113UNJA\contents[1].htm not found!
File C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\7113UNJA\footer[1].htm not found!
File C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\7113UNJA\frame[1].htm not found!
File C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\7113UNJA\navi[1].htm not found!
File C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\7113UNJA\view[1].htm not found!
File C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\0F69EG42\mstoolbar[1].htm not found!
File C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\0F69EG42\muoptdefault[1].htm not found!
File C:\Documents and Settings\Derek Milner\Local Settings\Temporary Internet Files\Content.IE5\0F69EG42\muopt[1].htm not found!
File move failed. C:\WINDOWS\temp\rg4sfay scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ydf8dk scheduled to be moved on reboot.
C:\Documents and Settings\Derek Milner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ugcfwwso.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Derek Milner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ugcfwwso.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Derek Milner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ugcfwwso.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Derek Milner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ugcfwwso.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Derek Milner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ugcfwwso.default\urlclassifier3.sqlite moved successfully.
  • 0

#10
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
All that did for Firefox was clean out the cache, which should have no impact on it starting up. It's possible FF was open when you ran it, which sometimes causes problems, so close everything and restart your system.

Let me know how it's running.
  • 0

#11
blueraider

blueraider

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Tried that and Firefox still won't open. It says it needs to install the updates and gets about a quarter of the way through, then says something about it being open somewhere else. It continues the cycle until I end the process for Firefox. My start up still seems to be slow, where it will sit on the welcome screen for about a minute. When I first start the computer, a black screen flashes with a blue bar running across the top. It has some text, but it flashes too fast for me to read it.
  • 0

#12
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hello again,

I can't see why anything we did would have caused this problem, but let's do this....

With OTMoveIt, files don't get deleted, just moved, so it is possible to restore them. Clicking the Restore button in OTM3 will open a standard Open File dialog box; navigate to the c:\_OTMoveIt\MovedFiles folder and restore the files you want. Select the box beside anything that has to do with Firefox and then click the RestoreIt! button. This will copy (not move) the selected files back to their original locations, recreating the folder structures as it goes.

So if we did cause it, this should fix it. If not, it's just a different problem, so we might look at uninstalling FF and then reinstalling it.

Let me know how it works out.
  • 0

#13
blueraider

blueraider

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
I tried to restore it but there was nothing in there to restore. When I go to Start and Programs and highlight Firefox, it says in parentheses Firefox (safe mode). Also, I don't know if this has anything to do with my problems, but every time I try to go to Windows Update, IE encounters a problem and shuts off. When I did download SP3, it wouldn't completely install on my computer, and Windows would tell me it might not work properly. That's when I did a system restore to an earlier date.

Edited by blueraider, 07 April 2009 - 07:51 PM.

  • 0

#14
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
If you did a system restore, chances are you reinfected your system. Let's take a look...

ComboFix

Please download ComboFix from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • 0

#15
blueraider

blueraider

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Here's the log:
ComboFix 09-04-04.01 - Derek Milner 2009-04-07 21:34:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.518 [GMT -5:00]
Running from: c:\documents and settings\Derek Milner\Desktop\ComboFix.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Derek Milner\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\INSTALL.LOG
c:\windows\system32\sysmwwod.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))
.

2009-04-07 11:23 . 2009-04-07 11:23 <DIR> d-------- C:\_OTMoveIt
2009-04-06 09:59 . 2009-04-06 09:59 <DIR> d-------- c:\windows\ServicePackFiles
2009-04-06 09:12 . 2009-04-06 09:12 <DIR> d-------- c:\program files\MSXML 6.0
2009-04-06 08:13 . 2004-08-10 06:00 79,996 --a------ c:\windows\system32\dllcache\apps.chm
2009-04-03 13:31 . 2004-08-10 06:00 274,304 --a------ c:\windows\system32\drivers\bthport.sys
2009-04-03 13:17 . 2008-04-13 19:12 8,461,312 --a------ c:\windows\system32\SET320.tmp
2009-04-03 13:16 . 2008-04-13 19:11 1,082,368 --a------ c:\windows\system32\SET52D.tmp
2009-04-03 13:15 . 2008-04-13 19:11 1,267,200 --a------ c:\windows\system32\SET59D.tmp
2009-03-19 12:15 . 2009-03-19 12:15 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-03-17 08:33 . 2009-03-17 08:33 <DIR> d-------- c:\program files\iTunes
2009-03-17 08:33 . 2009-03-17 08:33 <DIR> d-------- c:\program files\iPod
2009-03-17 08:33 . 2009-03-17 08:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 08:30 . 2009-03-17 08:30 <DIR> d-------- c:\program files\QuickTime
2009-03-17 08:23 . 2009-03-17 08:23 <DIR> d-------- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 19:01 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-06 19:01 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-06 16:33 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-26 21:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 21:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-17 13:33 --------- d-----w c:\program files\Common Files\Apple
2009-03-03 15:23 --------- d-----w c:\program files\Common Files\Corel
2009-03-03 13:29 --------- d-----w c:\documents and settings\Derek Milner\Application Data\Azureus
2009-02-27 04:58 --------- d-----w c:\program files\Azureus
2009-02-21 19:45 --------- d-----w c:\program files\FrostWire
2009-02-16 16:50 --------- d-----w c:\program files\Free Mp3WmaOgg Converter
2006-08-29 19:35 56 --sha-r c:\windows\system32\49A2039B48.sys
2006-11-12 19:08 88 --sha-r c:\windows\system32\AD88DAF5C1.sys
2008-03-19 21:30 4,496 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-05-22 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-07-21 52240]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-02-15 36368]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [2006-06-21 53307]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-07-21 648456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hometab.bellsouth.net/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Derek Milner\Application Data\Mozilla\Firefox\Profiles\ugcfwwso.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 21:38:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-04-07 21:42:42
ComboFix-quarantined-files.txt 2009-04-08 02:41:20

Pre-Run: 6,633,979,904 bytes free
Post-Run: 6,631,157,760 bytes free

120 --- E O F --- 2008-12-18 09:01:17
  • 0
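As an added defender-side example (not part of this thread and not ComboFix's own code), the script below triages a ComboFix report in the format shown above. It flags the three things a helper reads this log for first: hidden+system files with opaque names under system32 in the Find3M report, a Security Center entry that disables antivirus monitoring, and a MountPoints2 AutoRun command. The sample input is a constructed excerpt modelled on the log lines above; every flag is "review this", not proof of infection, because legitimate licensing software also drops hidden system files with opaque names.

```python
import re
from typing import List, Tuple

# Constructed excerpt in ComboFix's report format (lines modelled on the
# Find3M Report and Reg Loading Points sections of the log above).
SAMPLE_LOG = r"""
2009-03-26 21:49 38,496 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 19:01 --------- d-----w c:\program files\Common Files\Symantec Shared
2006-08-29 19:35 56 --sha-r c:\windows\system32\49A2039B48.sys
2008-03-19 21:30 4,496 --sha-w c:\windows\system32\KGyGaAvL.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

# Find3M line: date time, size (or nine dashes for a directory),
# seven-character attribute field (d/a/s/h/r/w or '-'), then the path.
FIND3M_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-{9})\s+"
    r"(?P<attrs>[dashrw-]{7})\s+"
    r"(?P<path>.+)$"
)
# Registry key header line in the Reg Loading Points section: [HKEY_...]
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")

Finding = Tuple[str, str]  # (category, detail)


def triage_combofix(text: str) -> List[Finding]:
    """Return a list of (category, detail) findings worth a second look."""
    findings: List[Finding] = []
    current_key = ""  # registry key the following value lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        key_match = REG_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key").lower()
            continue

        file_match = FIND3M_RE.match(line)
        if file_match:
            attrs = file_match.group("attrs")
            path = file_match.group("path")
            # 's' and 'h' together mean system+hidden; skip directories ('d').
            hidden_system = "s" in attrs and "h" in attrs and not attrs.startswith("d")
            if hidden_system and "\\system32\\" in path.lower():
                findings.append(("hidden_system_file", path))
            continue

        # Value lines are interpreted relative to the most recent key header.
        if ("security center\\monitoring" in current_key
                and line.lower() == '"disablemonitoring"=dword:00000001'):
            findings.append(("security_center_monitoring_disabled", current_key))
        elif ("mountpoints2" in current_key
                and "\\shell\\autorun\\command" in line.lower()):
            findings.append(("autorun_mountpoint", line))
    return findings


if __name__ == "__main__":
    for category, detail in triage_combofix(SAMPLE_LOG):
        print(f"{category}: {detail}")
```

Run it against a saved C:\ComboFix.txt by reading the file into `triage_combofix`; the Find3M regex deliberately does not match the "Files Created" section, whose lines carry a second timestamp and `<DIR>` marker, so only the Find3M and registry sections produce findings.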