[Resolved] Internet Security 2010 - System Scan - Security Warning - W


This topic is locked
96 replies to this topic

#1 kapusta (Authentic Member, 125 posts)

Posted 12 December 2009 - 11:38 PM

Critical Warning! Critical System Warning! Your system is probably infected with a version of Trojan-Spy.HTML.Visafraud.a. This may result in website access passwords being stolen from Internet Explorer, Mozilla Firefox, Outlook etc. Click Yes to scan and remove threats (recommended) Internet Security 2010

Your computer is being attacked from a remote…. (I can’t read it. Overprinted) Block Internet access to your computer to prevent system infection. Attacker IP: (# may change each time) Attack type: (may change each time)

Windows Firewall has blocked this program from accepting ……(overwritten) …… the Internet or a network. If you recognize the program or trust the publisher, you can unblock it. When should i unblock a program. (author spelled “I” with a small I)

Fake Spyware Alert - remove worm - wallpaper

Internet 2010 Trial Version Internet 2010 Critical Vulnerables found! Spyware threat detected! Spyware may damage system files, monitor your Internet usage or intercept any data you send over Internet. It is strongly recommended that you remove detected threats and do not ignore this alert message Name SpyBot.Bank32.dll Trojan-Downloader.VBS.Agent.cd Trojan-Dropper:W32/Trojan-Dropper

New Update available Warning! New version of dabases is avaliable! Would you like to update them right now? (If this did not have 1 or 2 mistakes it might read: New version of databases is available! Would you like to update them right now? )

Unfortunately, I DID use any TOOLS such as HijackThis fix without supervision. This is because I started out reading the posting on this forum: "[Resolved] your system is infected wallpaper" between bluiis and Sweet Tech. The last post was by the victim on Dec 3, 2009. Then I read the posting by LPgirl435. My stumbling block was after I got to: "Double Click mbam-setup.exe to install...." "If an update is found, it will download and install the latest version" "Once the program has loaded you will see window similar to the one below."

I did not get the Malwarebytes window. I got: " unable to execute file: c:\ProgramFile\Malwarebytes' Anti-Malware\mbam.exe CreateProcess failed; code 2 the system cannot find the file specified. " How do I get rid of the trojan (?) ? (I downloaded ERUNT)

- - - -
DDS

DDS (Ver_09-06-26.01) - NTFSx86
Run by Myself at 22:55:12.21 on Sat 12/12/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1442 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\InternetSecurity2010\IS2010.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Myself\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============
uStart Page = hxxp://www.intergate.com/startpage/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.intergate.com/startpage/
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.intergate.com/startpage/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
mWinlogon: Shell=Explorer.exe logon.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - No File
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Internet Security 2010] c:\program files\internetsecurity2010\IS2010.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Zone Labs Client] c:\program files\zone labs\zonealarm\zlclient.exe
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [PCLEUSBTip] c:\program files\pinnacle\shared files\programs\usbtip\USBTip.exe
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [USBToolTip] "c:\program files\pinnacle\shared files\\programs\usbtip\USBTip.exe"
mRun: [kibimoboh] Rundll32.exe "c:\windows\system32\yivomadu.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll nujeruze.dll c:\windows\system32\yivomadu.dll
SSODL: SwUpdate - {009541A0-3B00-1F1C-00F3-040224001C01} - c:\documents and settings\all users\application data\macromedia\swupdate\swupdate.dll
SSODL: vubarugaf - {76b3c12e-2b52-4cb2-9813-0663079bfddb} - c:\windows\system32\yivomadu.dll
STS: kupuhivus: {76b3c12e-2b52-4cb2-9813-0663079bfddb} - c:\windows\system32\yivomadu.dll
LSA: Notification Packages = scecli setizafu.dll

================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\myself\applic~1\mozilla\firefox\profiles\sr4rv36a.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-12 207792]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-4-26 372824]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-12 112592]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 190480]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 31248]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
R3 AngelUsb;Angel USB MPEG Device;c:\windows\system32\drivers\AngelUsb.sys [2006-4-14 375424]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\bw2ndis5.sys --> c:\windows\system32\drivers\BW2NDIS5.sys [?]
S3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\system32\drivers\hcw72ADFilter.sys [2008-7-8 27904]
S3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [2008-7-8 1208448]
S3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\system32\drivers\hcw72DTV.sys [2008-7-8 1200768]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-12 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-12 1141712]

=============== Created Last 30 ================
2009-12-12 03:00 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-12 03:00 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-12-12 02:06 767,952 a------- c:\windows\BDTSupport.dll
2009-12-12 02:06 149,456 a------- c:\windows\SGDetectionTool.dll
2009-12-12 02:06 882 a------- c:\windows\RegSDImport.xml
2009-12-12 02:06 880 a------- c:\windows\RegISSImport.xml
2009-12-12 02:06 131 a------- c:\windows\IDB.zip
2009-12-12 02:06 1,640,400 a------- c:\windows\PCTBDCore.dll
2009-12-12 02:06 1,152,444 a------- c:\windows\UDB.zip
2009-12-12 02:06 165,840 a------- c:\windows\PCTBDRes.dll
2009-12-12 01:45 <DIR> --d----- c:\docume~1\myself\applic~1\Malwarebytes
2009-12-12 01:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 01:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-12 01:36 233,136 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-12-12 01:36 7,387 a------- c:\windows\system32\drivers\pctgntdi.cat
2009-12-12 01:36 207,792 a------- c:\windows\system32\drivers\PCTCore.sys
2009-12-12 01:36 87,784 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-12 01:36 7,412 a------- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-12 01:36 7,383 a------- c:\windows\system32\drivers\pctcore.cat
2009-12-12 01:36 70,408 a------- c:\windows\system32\drivers\pctplsg.sys
2009-12-12 01:36 7,383 a------- c:\windows\system32\drivers\pctplsg.cat
2009-12-12 01:35 <DIR> --d----- c:\program files\Spyware Doctor
2009-12-12 01:35 <DIR> --d----- c:\program files\common files\PC Tools
2009-12-12 01:35 <DIR> --d----- c:\docume~1\myself\applic~1\PC Tools
2009-12-12 01:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-12-12 00:37 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-12-12 00:35 0 a------- c:\windows\system32\31567.exe
2009-12-12 00:15 0 a------- c:\windows\system32\26220.exe
2009-12-11 23:55 0 a------- c:\windows\system32\5621.exe
2009-12-11 23:21 0 a------- c:\windows\system32\15730.exe
2009-12-11 23:01 0 a------- c:\windows\system32\25328.exe
2009-12-11 22:41 0 a------- c:\windows\system32\25190.exe
2009-12-11 22:21 0 a------- c:\windows\system32\31684.exe
2009-12-10 21:59 <DIR> --d----- c:\program files\InternetSecurity2010
2009-12-10 21:58 0 a------- c:\windows\system32\41.exe
2009-12-10 21:57 18,944 a------- c:\windows\system32\winhelper86.dll
2009-12-10 21:57 2,854 a------- c:\windows\system32\critical_warning.html
2009-12-10 21:57 39,424 a------- c:\windows\system32\winupdate86.exe
2009-12-10 21:57 39,424 a------- c:\windows\system32\winlogon86.exe
2009-12-10 21:57 34,308 a------- c:\windows\system32\logon.exe
2009-11-27 22:32 <DIR> --d----- c:\windows\system32\en
2009-11-27 22:32 <DIR> --d----- c:\windows\system32\bits
2009-11-27 22:19 0 a------t c:\windows\005797_.tmp

==================== Find3M ====================
2009-10-29 14:08 3,070,976 -------- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 00:38 667,136 a------- c:\windows\system32\wininet.dll
2009-10-29 00:38 667,136 -------- c:\windows\system32\dllcache\wininet.dll
2009-10-29 00:38 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-10-29 00:38 627,712 -------- c:\windows\system32\dllcache\urlmon.dll
2009-10-21 00:38 75,776 a------- c:\windows\system32\strmfilt.dll
2009-10-21 00:38 25,088 a------- c:\windows\system32\httpapi.dll
2009-10-21 00:38 75,776 -------- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 00:38 25,088 -------- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 11:20 265,728 a------- c:\windows\system32\drivers\http.sys
2009-10-20 11:20 265,728 -------- c:\windows\system32\dllcache\http.sys
2009-10-13 05:30 270,336 a------- c:\windows\system32\oakley.dll
2009-10-13 05:30 270,336 -------- c:\windows\system32\dllcache\oakley.dll
2009-10-12 08:38 149,504 a------- c:\windows\system32\rastls.dll
2009-10-12 08:38 149,504 -------- c:\windows\system32\dllcache\rastls.dll
2009-10-12 08:38 79,872 a------- c:\windows\system32\raschap.dll
2009-10-12 08:38 79,872 -------- c:\windows\system32\dllcache\raschap.dll
2009-09-25 00:37 81,920 a------- c:\windows\system32\ieencode.dll
2009-09-25 00:37 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2007-09-02 16:57 60,968 a------- c:\documents and settings\myself\GoToAssistDownloadHelper.exe
2002-07-26 16:02 153,088 a------- c:\program files\UNWISE.EXE
2006-05-06 09:01 88 -c-shr-- c:\windows\system32\CB6D8158AE.sys
2009-09-11 22:06 51,712 a--sh--- c:\windows\system32\dowikabu.dll
2009-09-10 22:02 39,424 a--sh--- c:\windows\system32\jiyayuda.dll
2009-09-11 22:06 39,424 a--sh--- c:\windows\system32\kipiheba.dll
2009-09-11 22:07 51,712 a--sh--- c:\windows\system32\nujeruze.dll
2009-09-11 22:07 51,712 a--sh--- c:\windows\system32\setizafu.dll
2009-09-12 13:36 38,400 a--sh--- c:\windows\system32\tesegigo.dll
2009-09-11 22:07 51,712 a--sh--- c:\windows\system32\wifukolu.dll
2009-09-12 13:36 61,440 a--sh--- c:\windows\system32\yegejoso.dll
2009-09-12 13:36 92,160 a--sh--- c:\windows\system32\yivomadu.dll

============= FINISH: 22:55:54.25 ===============

- - - - - - - - -
ROOTREPEAL report 12 12 09

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/12 23:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB0F11000 Size: 98304 File Visible: No Signed: - Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5F6000 Size: 8192 File Visible: No Signed: - Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAD80A000 Size: 49152 File Visible: No Signed: - Status: -

SSDT
-------------------
#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1273180

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecbd60

==EOF==

Also, I can put a DVD in and the movie will play and the function buttons will work, but there is NO SOUND. Windows XP Media Center.


#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 13 December 2009 - 08:46 AM

1. Launch Notepad (Start>All Programs>Accessories), and copy/paste all the quoted REGEDIT text below into it. Don't forget to include REGEDIT4.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

2. Save this text as fixme.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop. Include the word REGEDIT4.

3. Double-click on fixme.reg. When it asks you to merge the information to the registry click Yes.

Now see if MBAM will run, and copy/paste the scan results.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days
Proud graduate of TC/WTT Classroom
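The check the helper does by hand on the DDS log in post #1 (the AppInit_DLLs, Winlogon Shell, SSODL and LSA load points, cross-referenced against the hidden+system DLLs in Find3M), automated over a constructed excerpt of that log. This is an added example, not code from the thread or from DDS; the banner format, "key: value" entry style and attribute column are DDS's own, the rules and the `SAMPLE_LOG` excerpt are assumptions, and `appinit_fix()` returns the same REGEDIT4 text as the fixme.reg above.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the DDS log from post #1, in DDS's own layout
# (section banners, "key: value" entries, Find3M rows with an attribute column).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
mWinlogon: Shell=Explorer.exe logon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [kibimoboh] Rundll32.exe "c:\windows\system32\yivomadu.dll",a
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll nujeruze.dll c:\windows\system32\yivomadu.dll
SSODL: SwUpdate - {009541A0-3B00-1F1C-00F3-040224001C01} - c:\documents and settings\all users\application data\macromedia\swupdate\swupdate.dll
SSODL: vubarugaf - {76b3c12e-2b52-4cb2-9813-0663079bfddb} - c:\windows\system32\yivomadu.dll
LSA: Notification Packages = scecli setizafu.dll
==================== Find3M ====================
2009-10-29 00:38 667,136 a------- c:\windows\system32\wininet.dll
2009-09-11 22:07 51,712 a--sh--- c:\windows\system32\nujeruze.dll
2009-09-11 22:07 51,712 a--sh--- c:\windows\system32\setizafu.dll
2009-09-12 13:36 92,160 a--sh--- c:\windows\system32\yivomadu.dll
============= FINISH: 22:55:54.25 ===============
"""

BANNER = re.compile(r"^=+\s*(.+?)\s*=+$")
# date time size attributes path  (size may be a number or <DIR>)
FIND3M_ROW = re.compile(r"^\S+ \S+ \S+ (\S{8}) (.+)$")
# last path component of any .dll mentioned in an entry (no backslash, space or quote)
DLL_NAME = re.compile(r'([^\s\\"]+\.dll\b)', re.IGNORECASE)


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group non-blank lines under the '=== Name ===' banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "HEADER"
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def hidden_system_files(find3m_lines: List[str]) -> Set[str]:
    """Basenames of files DDS lists with both the hidden (h) and system (s) attribute."""
    names: Set[str] = set()
    for line in find3m_lines:
        m = FIND3M_ROW.match(line)
        if m and "s" in m.group(1) and "h" in m.group(1):
            names.add(m.group(2).rsplit("\\", 1)[-1].lower())
    return names


def suspicious_entries(hjt_lines: List[str], hidden: Set[str]) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for the load points a helper would single out."""
    findings: List[Tuple[str, str]] = []
    for line in hjt_lines:
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "mWinlogon" and value.lower().startswith("shell="):
            # Only Explorer.exe belongs in the Winlogon Shell value.
            for prog in value[len("Shell="):].split():
                if prog.lower() != "explorer.exe":
                    findings.append((line, f"Winlogon Shell starts {prog} alongside Explorer.exe"))
        elif key == "AppInit_DLLs":
            # Every DLL listed here is loaded into every process that links user32.dll.
            for dll in value.split():
                tag = " (hidden+system file)" if dll.rsplit("\\", 1)[-1].lower() in hidden else ""
                findings.append((line, f"{dll} is injected into every user-mode process{tag}"))
        elif key == "LSA":
            # scecli is the only notification package on a default XP install;
            # any other package is called with plaintext passwords on change.
            for pkg in value.partition("=")[2].split():
                if pkg.lower() != "scecli":
                    findings.append((line, f"LSA notification package {pkg} is not scecli"))
        else:
            # Run keys, SSODL, STS etc.: flag any DLL that Find3M showed as hidden+system.
            for dll in DLL_NAME.findall(value):
                if dll.lower() in hidden:
                    findings.append((line, f"{dll} is a hidden+system file from Find3M"))
    return findings


def appinit_fix() -> str:
    """Text of the .reg file that blanks AppInit_DLLs, as in the fixme.reg above."""
    return (
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n"
        '"AppInit_DLLs"=""\n'
    )


def analyze(log: str) -> List[Tuple[str, str]]:
    sections = split_sections(log)
    hidden = hidden_system_files(sections.get("Find3M", []))
    return suspicious_entries(sections.get("Pseudo HJT Report", []), hidden)


if __name__ == "__main__":
    for entry, reason in analyze(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```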

 


#3 kapusta (Authentic Member, 125 posts)

Posted 13 December 2009 - 10:16 AM

There are no results to paste. I went through your instructions and things progressed. "When it asks you to merge the information to the registry click Yes" I included REGEDIT4 in the paste. When I pulled up the Run window, I pulled up the recently "run": C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe and got nothing. Yesterday, I tried renaming a couple of things "expolore.exe". When I pulled up the Run window with the recently "run": "C:\Documents and Settings\Desktop\explorer.exe" the "Open File - Security Warning" window recognized the Publisher as Malwarebytes Corporation, so I must have the right one. Welcome to the Malwarebytes' Anti-Malware Setup Wizard. "Select destination location" "c:\Documents and Settings\desktop" "Select Start Menu folder" "Malwarebytes' Anti-Malware" "Select Additional tasks" this is currently set at Create a desktop icon (not selected) Create a Quick Launch icon (selected). I got the Installing toolbar to the end. I clicked finish on the wizard and nothing. So I went to Start, All Programs and selected Malwarebytes' Anti-Malware and got the "Missing Shortcut" window. "Windows is searching for mbam.exe. To locate the file yourself, click browse." It seems like an official (non-malware) message because it has a high-resolution red X icon on the window. Not like the fake malware red X that is low resolution/cut-and-paste "System warning!" "Continue working in unprotected mode is very dangerous...." (bad grammar) Also, I have gotten: " unable to execute file: c:\ProgramFile\Malwarebytes' Anti-Malware\mbam.exe CreateProcess failed; code 2 the system cannot find the file specified. "

#4 kapusta (Authentic Member, 125 posts)

Posted 13 December 2009 - 10:19 AM

- - - - - In short, after the installation wizard, I did not get the Malwarebytes' window. Sorry it took so long for me to reply. My "select" stopped working for cut and paste. And I had to reboot a bunch of times. - - - - -

#5 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 13 December 2009 - 10:22 AM

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Double-click on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


#6 kapusta (Authentic Member, 125 posts)

Posted 13 December 2009 - 10:23 AM

Also, in my original foray, I followed instructions in a thread (?) to run LSPFix. Place a tick in "I know what I'm doing" In the KEEP box select winhelper86.dll and press ">>" button. Press Finish>> button.... So, now winhelper86.dll is gone. (Last time I checked).

#7 kapusta (Authentic Member, 125 posts)

Posted 13 December 2009 - 10:24 AM

OK. Let me work on that.

#8 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 13 December 2009 - 10:28 AM

You need to stop running other fixes.
Do you know what LSPFIX is used for?
It's used if your internet connection isn't working. Using it wrong can kill your internet connection.


#9 kapusta (Authentic Member, 125 posts)

Posted 13 December 2009 - 10:58 AM

I was just telling you about old work I had done. In case you needed to know. Anyway, I think I got the scan from HijackThis and when I tried to reply it to you I got this: "You were redirected automatically here while trying to post your HijackThis log, it is most likely because you are using an outdated version of HijackThis! Please download HijackThis v2.0.2 from here. The latest version is required so that we may best help you. Sorry for the inconvenience, and thank you for your cooperation. " Is this valid?

#10 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 13 December 2009 - 11:00 AM

Yes. Go there and get the latest HijackThis :thumbup:


#11 kapusta (Authentic Member, 125 posts)

Posted 13 December 2009 - 11:41 AM

Sorry about the delay.
Lots of problems!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:29 PM, on 12/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\InternetSecurity2010\IS2010.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intergate.com/startpage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.intergate.com/startpage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intergate.com/startpage/
R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [kibimoboh] Rundll32.exe "c:\windows\system32\paviviwa.dll",a
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: nujeruze.dll c:\windows\system32\paviviwa.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: SwUpdate - {009541A0-3B00-1F1C-00F3-040224001C01} - C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\swupdate.dll
O21 - SSODL: tujedodip - {b687f362-4172-45d3-8ba9-1108bf9c77a3} - c:\windows\system32\paviviwa.dll
O22 - SharedTaskScheduler: kupuhivus - {b687f362-4172-45d3-8ba9-1108bf9c77a3} - c:\windows\system32\paviviwa.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9783 bytes

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 December 2009 - 11:55 AM

1. Launch Notepad (Start > All Programs > Accessories), and copy/paste all the quoted REGEDIT text below into it. Don't forget to include REGEDIT4.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""



2. Save this text as fixme.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop. Include the word REGEDIT4

3. Double-click on fixme.reg. When it asks you to merge the information to the registry click Yes.



1. Click Start > Settings > Control Panel.
2. Next, open Add/Remove Programs and remove if listed:
InternetSecurity2010


Run HijackThis. Hit None of the above, click Do a System Scan Only. Put a checkmark/tick in the box on the left side of these:

R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O4 - HKLM\..\Run: [kibimoboh] Rundll32.exe "c:\windows\system32\paviviwa.dll",a
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O21 - SSODL: tujedodip - {b687f362-4172-45d3-8ba9-1108bf9c77a3} - c:\windows\system32\paviviwa.dll
O22 - SharedTaskScheduler: kupuhivus - {b687f362-4172-45d3-8ba9-1108bf9c77a3} - c:\windows\system32\paviviwa.dll

Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete these Files if listed:
c:\windows\system32\paviviwa.dll
C:\Program Files\InternetSecurity2010\IS2010.exe

Delete these Folders if listed:
C:\Program Files\InternetSecurity2010


Empty Recycle Bin

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

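An added example, not part of this thread or of HijackThis itself: a small Python checker over the log sections the fix above targets (the F2 Shell entry, O20 AppInit_DLLs, the rundll32 O4 autorun and the O21/O22 entries), which also cross-references any DLL that turns up under more than one persistence mechanism. The sample lines are constructed from the log posted earlier in the thread; the section names and message texts are my own.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the HijackThis log above plus one benign O4 line.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [kibimoboh] Rundll32.exe "c:\windows\system32\paviviwa.dll",a
O20 - AppInit_DLLs: nujeruze.dll c:\windows\system32\paviviwa.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: tujedodip - {b687f362-4172-45d3-8ba9-1108bf9c77a3} - c:\windows\system32\paviviwa.dll
O22 - SharedTaskScheduler: kupuhivus - {b687f362-4172-45d3-8ba9-1108bf9c77a3} - c:\windows\system32\paviviwa.dll
"""

# rundll32 <dll>,<export> autoruns: capture the DLL path (quoted or bare).
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)
def analyse(log_text):
    """Return (findings, dll_refs); dll_refs maps a lower-cased DLL to the HJT sections loading it."""
    findings = []
    dll_refs = defaultdict(set)
    for line in map(str.strip, log_text.splitlines()):
        if not line:
            continue
        tag = line.split(" - ", 1)[0]            # "F2", "O4", "O20", ...
        if tag == "F2" and "Shell=" in line:
            # Winlogon Shell should be explorer.exe alone; any extra program runs at every logon.
            extra = [s for s in line.split("Shell=", 1)[1].split() if s.lower() != "explorer.exe"]
            if extra:
                findings.append(("F2", "extra shell executable(s): " + ", ".join(extra)))
        elif tag == "O20" and "AppInit_DLLs:" in line:
            # AppInit_DLLs are loaded into every process that links user32.dll.
            dlls = line.split("AppInit_DLLs:", 1)[1].split()
            for d in dlls:
                dll_refs[d.lower()].add("O20")
            if dlls:
                findings.append(("O20", "AppInit_DLLs injects: " + ", ".join(dlls)))
        elif tag == "O4":
            m = RUNDLL.search(line)
            if m:
                dll_refs[m.group(1).lower()].add("O4")
                findings.append(("O4", "rundll32 autorun of " + m.group(1)))
        elif tag in ("O21", "O22"):
            # SSODL / SharedTaskScheduler: the module path is the last " - " field.
            module = line.rsplit(" - ", 1)[-1]
            if module.lower().endswith(".dll"):
                dll_refs[module.lower()].add(tag)
    # One DLL registered under several persistence mechanisms is the strongest signal.
    for dll, tags in dll_refs.items():
        if len(tags) > 1:
            findings.append(("XREF", f"{dll} referenced by {', '.join(sorted(tags))}"))
    return findings, dict(dll_refs)
```

Running `analyse(SAMPLE_LOG)` reports the stray logon.exe shell, the three AppInit DLLs, the rundll32 autorun, and paviviwa.dll as the DLL shared by O4, O20, O21 and O22, which is exactly the set the helper's fix removes.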


#13 kapusta

kapusta

    Authentic Member

  • Authentic Member
  • PipPip
  • 125 posts

Posted 13 December 2009 - 12:22 PM

"2. Next, open Add/Remove Programs and remove if listed: InternetSecurity2010" Add/Remove populated alphabetically, and it is not in with the "i"s. Do I run HijackThis anyway?

#14 kapusta

kapusta

    Authentic Member

  • Authentic Member
  • PipPip
  • 125 posts

Posted 13 December 2009 - 12:26 PM

A while back the ZoneAlarm Security Alert popped up with: "Internet Explorer is trying to access the trusted zone." Sometimes during this ordeal I have "allowed", but I use Mozilla Firefox. So I have left it there for the last hour or two or three. Is this possibly something malware-related?

#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 December 2009 - 12:27 PM

Run the fix please :thumbup:

