System tool spyware.


  • This topic is locked
15 replies to this topic

#1 83valentine

  • Authentic Member
  • 105 posts

Posted 15 March 2011 - 04:59 PM

Dell OptiPlex SX280 running XP Pro SP3, with multiple users.

When running under one user, I will get a System Tool spyware alert; the whole screen is covered and it overrides anything I am doing.

DS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 17:34:00.00 on Tue 03/15/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.580 [GMT -5:00]

AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning enabled* (Updated) {12916D5B-EF29-4AD0-AB12-C7D3F61D4683}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\administrator.GONPH\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [OE] "c:\program files\trend micro\client server security agent\tmas_oe\TMAS_OEMon.exe"
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\viaimp~1.lnk - c:\program files\elinc\via\system\VIA Import Manager.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1281534011664
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
TCP: {22E23B4F-4043-42CC-B3D6-F6A356E968DC} = 192.168.113.2
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\tmxpflt.sys [2009-12-4 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2009-12-4 36368]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-8-11 57424]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\trend micro\client server security agent\TmProxy.exe [2010-7-20 689416]
S4 NewServiceInstall1;VIA Service;c:\program files\elinc\via\via service\Eklin.Via.Service.exe [2010-5-20 11776]

=============== Created Last 30 ================

2011-03-15 16:14 <DIR> --d----- c:\docume~1\admini~1.gon\applic~1\Malwarebytes
2011-03-15 16:14 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-15 16:14 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2011-03-15 16:14 20,952 a------- c:\windows\system32\drivers\mbam.sys
2011-03-15 16:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2011-03-14 17:04 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\fNnJkKg06300

==================== Find3M ====================

2010-08-11 11:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010081120100812\index.dat

============= FINISH: 17:35:08.02 ===============


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:36:31 PM, on 3/15/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\administrator.GONPH\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [OE] "C:\Program Files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VIA Import Manager.lnk = C:\Program Files\Elinc\Via\System\VIA Import Manager.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} (Device Detection) - http://www.logitech....Detection32.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1281534011664
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GONPH.local
O17 - HKLM\Software\..\Telephony: DomainName = GONPH.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{22E23B4F-4043-42CC-B3D6-F6A356E968DC}: NameServer = 192.168.113.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GONPH.local
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Trend Micro Client/Server Security Agent Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe

--
End of file - 5098 bytes

OTL logfile created on: 3/15/2011 5:39:17 PM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\administrator.GONPH\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 578.00 Mb Available Physical Memory | 57.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1140 2280 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 23.92 Gb Free Space | 64.28% Space Free | Partition Type: NTFS

Computer Name: LAB | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\administrator.GONPH\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Client Server Security Agent\PccNTMon.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\BM\TMBMSRV.exe ()
PRC - C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\BAsfIpM.exe (Broadcom Corp.)
PRC - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe ()


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\administrator.GONPH\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (tmlisten) -- C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe (Trend Micro Inc.)
SRV - (ntrtscan) -- C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe (Trend Micro Inc.)
SRV - (TMBMServer) -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe ()
SRV - (NewServiceInstall1) -- C:\Program Files\Elinc\Via\Via Service\Eklin.Via.Service.exe (Microsoft)
SRV - (TmProxy) -- C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe (Trend Micro Inc.)
SRV - (BAsfIpM) -- C:\WINDOWS\system32\BAsfIpM.exe (Broadcom Corp.)
SRV - (spkrmon) -- C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe ()


========== Driver Services (SafeList) ==========

DRV - (tmcomm) -- C:\WINDOWS\system32\drivers\tmcomm.sys ()
DRV - (tmactmon) -- C:\WINDOWS\system32\drivers\tmactmon.sys ()
DRV - (tmevtmgr) -- C:\WINDOWS\system32\drivers\tmevtmgr.sys ()
DRV - (VSApiNt) -- C:\Program Files\Trend Micro\Client Server Security Agent\vsapint.sys (Trend Micro Inc.)
DRV - (TmFilter) -- C:\Program Files\Trend Micro\Client Server Security Agent\tmxpflt.sys (Trend Micro Inc.)
DRV - (TmPreFilter) -- C:\Program Files\Trend Micro\Client Server Security Agent\tmpreflt.sys (Trend Micro Inc.)
DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (BASFND) -- C:\WINDOWS\system32\drivers\BASFND.sys (Broadcom Corporation)
DRV - (USA49W) -- C:\WINDOWS\system32\drivers\usa49w2k.sys (Keyspan)
DRV - (USA49W2KP) -- C:\WINDOWS\system32\drivers\usa49w2kp.sys (Keyspan)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension [2010/10/25 01:29:11 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006/02/28 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll (Trend Micro Inc.)
O4 - HKLM..\Run: [OE] C:\Program Files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\VIA Import Manager.lnk = C:\Program Files\Elinc\Via\System\VIA Import Manager.exe (Elinc Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} http://www.logitech....Detection32.cab (Device Detection)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1281534011664 (WUWebControl Class)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.c.../cpcScanner.cab (Crucial cpcScan)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GONPH.local
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll (Trend Micro Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/09/23 16:50:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2011/03/15 17:31:13 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\administrator.GONPH\Desktop\HiJackThis.exe
[2011/03/15 16:36:35 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\administrator.GONPH\Desktop\ATF_Cleaner.exe
[2011/03/15 16:14:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator.GONPH\Application Data\Malwarebytes
[2011/03/15 16:14:14 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/03/15 16:14:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/15 16:14:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2011/03/15 16:14:09 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/03/15 16:14:09 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/03/15 16:13:24 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\administrator.GONPH\Desktop\OTL.exe
[2011/03/15 16:12:36 | 007,734,216 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\administrator.GONPH\Desktop\mbam-setup.exe
[2011/03/14 17:04:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\fNnJkKg06300
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/15 17:31:14 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\administrator.GONPH\Desktop\HiJackThis.exe
[2011/03/15 17:31:03 | 000,359,929 | ---- | M] () -- C:\Documents and Settings\administrator.GONPH\Desktop\dds.scr
[2011/03/15 16:46:35 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/15 16:36:36 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\administrator.GONPH\Desktop\ATF_Cleaner.exe
[2011/03/15 16:14:31 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{3E8E658E-685C-4E81-9166-7292136CC348}.job
[2011/03/15 16:14:14 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/15 16:13:30 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.GONPH\Desktop\OTL.exe
[2011/03/15 16:12:48 | 007,734,216 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\administrator.GONPH\Desktop\mbam-setup.exe
[2011/03/15 16:07:58 | 000,014,674 | ---- | M] () -- C:\WINDOWS\cfgall.ini
[2011/03/15 16:07:05 | 000,443,350 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/15 16:07:05 | 000,070,794 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/15 16:05:35 | 000,000,031 | ---- | M] () -- C:\tmuninst.ini
[2011/03/15 16:04:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/15 17:31:02 | 000,359,929 | ---- | C] () -- C:\Documents and Settings\administrator.GONPH\Desktop\dds.scr
[2011/03/15 16:14:14 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/11 11:24:31 | 000,014,674 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2010/08/11 11:23:19 | 000,177,232 | ---- | C] () -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/08/11 11:23:19 | 000,067,664 | ---- | C] () -- C:\WINDOWS\System32\drivers\tmactmon.sys
[2010/08/11 11:23:19 | 000,057,424 | ---- | C] () -- C:\WINDOWS\System32\drivers\tmevtmgr.sys
[2010/08/11 11:14:22 | 000,000,035 | ---- | C] () -- C:\WINDOWS\System32\drivers\lw.ini
[2010/08/11 10:13:23 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\Usa49wPropPage.dll
[2010/08/11 10:13:23 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\k49winst.dll
[2010/08/09 15:02:12 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/08/09 14:54:38 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/08/09 09:44:50 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/08/09 09:43:24 | 000,103,032 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/07/10 16:03:30 | 000,462,488 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2007/08/16 16:17:50 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll
[2006/02/28 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 07:00:00 | 000,443,350 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 07:00:00 | 000,070,794 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/12/21 17:57:04 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\nsldappr32v50.dll
[2005/12/21 17:54:34 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\nsldapssl32v50.dll
[2004/06/23 12:20:22 | 000,068,608 | ---- | C] () -- C:\WINDOWS\AutoItX3.dll
[2002/06/28 15:20:54 | 000,005,025 | ---- | C] () -- C:\WINDOWS\System32\patterns.dat
[2002/03/26 06:59:40 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\drivers\DymoCfg.dll
[1997/08/04 16:37:30 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\RMTSHARE.EXE

========== LOP Check ==========

[2010/08/11 17:15:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.GONPH\Application Data\Xerox
[2010/08/11 09:58:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Eklin
[2011/03/14 17:04:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\fNnJkKg06300
[2011/03/15 16:14:31 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{3E8E658E-685C-4E81-9166-7292136CC348}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2005/09/23 16:50:42 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/08/09 14:52:13 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2005/09/23 16:50:42 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2005/09/23 16:50:42 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2005/09/23 16:50:42 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2006/02/28 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/08/11 10:57:18 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/03/15 16:04:24 | 1195,376,640 | -HS- | M] () -- C:\pagefile.sys
[2011/03/15 16:05:35 | 000,000,031 | ---- | M] () -- C:\tmuninst.ini

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2010/08/09 14:57:54 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2010/08/09 09:42:42 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/08/09 09:42:42 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/08/09 09:42:42 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2010/08/11 11:02:54 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/08/11 08:39:44 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\administrator.GONPH\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2010/08/11 08:39:43 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\administrator.GONPH\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2011/03/15 16:36:36 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\administrator.GONPH\Desktop\ATF_Cleaner.exe
[2011/03/15 17:31:14 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\administrator.GONPH\Desktop\HiJackThis.exe
[2011/03/15 16:12:48 | 007,734,216 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\administrator.GONPH\Desktop\mbam-setup.exe
[2011/03/15 16:13:30 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.GONPH\Desktop\OTL.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
"NoAutoUpdate" = 0
"AUOptions" = 4
"ScheduledInstallDay" = 0
"ScheduledInstallTime" = 4
"UseWUServer" = 1

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< >

< End of report >

OTL Extras logfile created on: 3/15/2011 4:50:48 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\administrator.GONPH\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 653.00 Mb Available Physical Memory | 64.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 1140 2280 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 23.92 Gb Free Space | 64.29% Space Free | Partition Type: NTFS
Drive E: | 1.86 Gb Total Space | 0.07 Gb Free Space | 3.98% Space Free | Partition Type: FAT

Computer Name: LAB | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"Enabled" = 1
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]
"%ProgramFiles%\Microsoft ActiveSync\CeAppMgr.exe:LocalSubnet:Enabled:ActiveSync Application Manager" = %ProgramFiles%\Microsoft ActiveSync\CeAppMgr.exe:LocalSubnet:Enabled:ActiveSync Application Manager
"%ProgramFiles%\Microsoft ActiveSync\WCESMgr.exe:LocalSubnet:Enabled:ActiveSync Application" = %ProgramFiles%\Microsoft ActiveSync\WCESMgr.exe:LocalSubnet:Enabled:ActiveSync Application
"%ProgramFiles%\Microsoft ActiveSync\WCESComm.exe:LocalSubnet:Enabled:ActiveSync Connection Manager" = %ProgramFiles%\Microsoft ActiveSync\WCESComm.exe:LocalSubnet:Enabled:ActiveSync Connection Manager

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"Enabled" = 1
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"135:TCP:*:Enabled:Offer Remote Assistance - Port" = 135:TCP:*:Enabled:Offer Remote Assistance - Port

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = LocalSubnet

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = *

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"35186:TCP" = 35186:TCP:*:Enabled:Trend Micro Client/Server Security Agent Listener

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{25D24E84-64A9-40D2-85CF-540B1C4A6D52}" = Broadcom ASF Management Applications
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4F84DFF6-EB5B-4B5B-926D-C4A768CBADBC}" = Keyspan USB 4-Port Serial Adapter
"{5F48C5E7-142E-4E0B-9BB2-DD815ABCEAF8}" = Dymo Drivers and Settings
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8C20144B-0CD3-4EBD-A566-D31926AAC005}" = VIA
"{90BA5FE3-B858-4939-B9AF-3CCC33CF6112}" = MultiRes 1.46
"{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}" = Broadcom 440x 10/100 Integrated Controller
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7646-A00000000001}" = Adobe Reader 6.0.1
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{EB33A035-9C61-449D-982A-A2BC706BA2D2}" = Deploy.ScriptTools
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}" = Dell Resource CD
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"ie8" = Windows Internet Explorer 8
"InstallShield_{25D24E84-64A9-40D2-85CF-540B1C4A6D52}" = Broadcom ASF Management Applications
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"OfficeScanNT" = Trend Micro Client/Server Security Agent
"WIC" = Windows Imaging Component
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/26/2011 9:50:08 AM | Computer Name = LAB | Source = UserInit | ID = 1000
Description = Could not execute the following script \\hdc\netlogon\Proc.Printers.vbs.
The network location cannot be reached. For information about network troubleshooting,
see Windows Help. .

Error - 2/26/2011 9:50:08 AM | Computer Name = LAB | Source = UserInit | ID = 1000
Description = Could not execute the following script \\hdc\NETLOGON\Proc.Wallpaper.VBS.
The network location cannot be reached. For information about network troubleshooting,
see Windows Help. .

Error - 2/26/2011 9:51:50 AM | Computer Name = LAB | Source = Application Hang | ID = 1002
Description = Hanging application VIA Import Manager.exe, version 6.0.0.78, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/26/2011 9:54:48 AM | Computer Name = LAB | Source = Application Management | ID = 102
Description = The install of application Via Managed 3.8.6 from policy Deploy.VIA3.8.6
failed. The error was : %1612

Error - 2/26/2011 9:54:49 AM | Computer Name = LAB | Source = Application Management | ID = 108
Description = Failed to apply changes to software installation settings. Software
changes could not be applied. A previous log entry with details should exist.
The error was : %1612

Error - 2/26/2011 9:54:49 AM | Computer Name = LAB | Source = Userenv | ID = 1085
Description = The Group Policy client-side extension Software Installation failed
to execute. Please look for any errors reported earlier by that extension.

Error - 3/9/2011 6:00:05 PM | Computer Name = LAB | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/15/2011 5:04:49 PM | Computer Name = LAB | Source = Application Management | ID = 102
Description = The install of application Via Managed 3.8.6 from policy Deploy.VIA3.8.6
failed. The error was : %1612

Error - 3/15/2011 5:04:49 PM | Computer Name = LAB | Source = Application Management | ID = 108
Description = Failed to apply changes to software installation settings. Software
changes could not be applied. A previous log entry with details should exist.
The error was : %1612

Error - 3/15/2011 5:04:49 PM | Computer Name = LAB | Source = Userenv | ID = 1085
Description = The Group Policy client-side extension Software Installation failed
to execute. Please look for any errors reported earlier by that extension.

[ System Events ]
Error - 11/9/2010 1:46:06 PM | Computer Name = LAB | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 11/11/2010 1:46:07 PM | Computer Name = LAB | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >


Thanks for your help.

Brad

#2 NoodleTech

NoodleTech

    Malware Eradicator

  • Malware Team
  • 2,380 posts

Posted 15 March 2011 - 07:32 PM

Hi Brad,

:welcome:

My name is NoodleTech. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clean.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


#3 NoodleTech

NoodleTech

    Malware Eradicator

  • Malware Team
  • 2,380 posts

Posted 15 March 2011 - 07:45 PM

Hi Brad,

Please run Malwarebytes' Anti-Malware.

  • Click the Update tab, then click Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Next, click Scanner, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
===================================================

NEXT:

I need you to run the following scan: Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start.  The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button.  The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\Program Files\ESET\log.txt into your next reply.
Also describe how your computer is running at the moment.

#4 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • PipPip
  • 105 posts

Posted 15 March 2011 - 08:35 PM

I ran Malwarebytes initially; it did not find anything initially. I have had this problem before, where it needs to be run under the user in order to find the spyware. Unfortunately this spyware will load and knock me out of Malwarebytes if trying to run under the user that has the problem. I will try the other program in the a.m. and will post the log as well. All of these scans were run under Administrator. Thanks, Brad

#5 NoodleTech

NoodleTech

    Malware Eradicator

  • Malware Team
  • 2,380 posts

Posted 15 March 2011 - 09:00 PM

Brad, What do you mean by knock you out of malwarebytes? Does malwarebytes just close? Does a message pop up? Post the results of the ESET scan and we'll go from there.

#6 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • PipPip
  • 105 posts

Posted 15 March 2011 - 09:24 PM

When the spyware screen came up, it had a popup window that shows a scan running, but the background of the desktop has a transparent graphic over it saying "System Alert" or something similar; my desktop icons are still visible. Malwarebytes was not showing in the task bar, so I assumed it was closed by the spyware. It may have still been running behind the spyware, but the popup window was smaller than the Malwarebytes window.

#7 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • PipPip
  • 105 posts

Posted 15 March 2011 - 09:26 PM

Would it be worth running a restore from admin, then running Malwarebytes from that user if it will let me?

#8 NoodleTech

NoodleTech

    Malware Eradicator

  • Malware Team
  • 2,380 posts

Posted 15 March 2011 - 09:34 PM

Would it be worth running a restore from admin, then running Malwarebytes from that user if it will let me?

Hi Brad,

No. Run ESET first. I'll have you run some tools afterwards that should allow you to run Malwarebytes with no problems.

#9 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • PipPip
  • 105 posts

Posted 16 March 2011 - 08:10 AM

Here is the ESET results. C:\Documents and Settings\All Users.WINDOWS\Application Data\fNnJkKg06300\fNnJkKg06300.exe

#10 NoodleTech

NoodleTech

    Malware Eradicator

  • Malware Team
  • 2,380 posts

Posted 16 March 2011 - 08:28 AM

Hi Brad,

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


#11 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • PipPip
  • 105 posts

Posted 16 March 2011 - 09:02 AM

ComboFix 11-03-15.03 - Administrator 03/16/2011 9:52.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.685 [GMT -5:00]
Running from: c:\documents and settings\administrator.GONPH\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users.WINDOWS\Application Data\fNnJkKg06300
c:\documents and settings\All Users.WINDOWS\Application Data\fNnJkKg06300\fNnJkKg06300
c:\documents and settings\All Users.WINDOWS\Application Data\fNnJkKg06300\fNnJkKg06300.exe
c:\documents and settings\tech\Application Data\alot
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\drivers\fad.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-02-16 to 2011-03-16 )))))))))))))))))))))))))))))))
.
.
2011-03-16 14:39 . 2011-03-16 14:39 -------- d-----w- c:\windows\LastGood
2011-03-16 13:27 . 2011-03-16 13:27 -------- d-----w- c:\program files\ESET
2011-03-15 22:59 . 2011-03-15 22:59 -------- d-----w- c:\documents and settings\doctor.GONPH
2011-03-15 21:45 . 2011-03-15 21:45 -------- d-----w- c:\documents and settings\tech.GONPH\Application Data\Malwarebytes
2011-03-15 21:14 . 2011-03-15 21:14 -------- d-----w- c:\documents and settings\administrator.GONPH\Application Data\Malwarebytes
2011-03-15 21:14 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-15 21:14 . 2011-03-15 21:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-03-15 21:14 . 2011-03-15 21:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-15 21:14 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
.
c:\documents and settings\tech\Start Menu\Programs\Startup\
VIA Import Manager.lnk - c:\program files\Elinc\Via\System\VIA Import Manager.exe [2010-5-20 86016]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
VIA Import Manager.lnk - c:\program files\Elinc\Via\System\VIA Import Manager.exe [2010-5-20 86016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\0\0]
"Script"=\\hdc\NETLOGON\Proc.Power.VBS
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\1\0]
"Script"=\\hdc\NETLOGON\ElincDash\ElincWKSDash.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\2\0]
"Script"=\\hdc\netlogon\Proc.Display.VBS
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\3\0]
"Script"=\\hdc\netlogon\Proc.Printers.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\4\0]
"Script"=\\hdc\NETLOGON\Proc.Wallpaper.VBS
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\0\0]
"Script"=\\hdc\NETLOGON\Proc.Power.VBS
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\1\0]
"Script"=\\hdc\NETLOGON\ElincDash\ElincWKSDash.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\2\0]
"Script"=\\hdc\netlogon\Proc.Display.VBS
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\3\0]
"Script"=\\hdc\netlogon\Proc.Printers.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\4\0]
"Script"=\\hdc\NETLOGON\Proc.Wallpaper.VBS
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
S4 NewServiceInstall1;VIA Service;c:\program files\Elinc\Via\Via Service\Eklin.Via.Service.exe [5/20/2010 10:43 AM 11776]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - tmactmon
*Deregistered* - tmcomm
*Deregistered* - tmevtmgr
*Deregistered* - TmFilter
*Deregistered* - VSApiNt
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-16 c:\windows\Tasks\User_Feed_Synchronization-{3E8E658E-685C-4E81-9166-7292136CC348}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
TCP: {22E23B4F-4043-42CC-B3D6-F6A356E968DC} = 192.168.113.2
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-16 09:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1478119072-2579398175-4031385270-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,b9,0e,9b,c3,fe,ae,4c,9c,3e,94,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,b9,0e,9b,c3,fe,ae,4c,9c,3e,94,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-16 09:57:55
ComboFix-quarantined-files.txt 2011-03-16 14:57
.
Pre-Run: 25,791,533,056 bytes free
Post-Run: 25,813,094,400 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
.
- - End Of File - - 01CF5C9E2B3254CC0EEA7BAF7CCDADCF

#12 NoodleTech

NoodleTech

    Malware Eradicator

  • Malware Team
  • 2,380 posts

Posted 16 March 2011 - 02:12 PM

Hi Brad,

Log into the account that is giving you issues, then follow these steps:

Print out these instructions as we may need to close every window that is open later in the fix.

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Do not reboot your computer after running rkill as the malware programs will start again.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run then download and try to run another one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

===================================================

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

===================================================

Please run Malwarebytes' Anti-Malware.
  • Click the Update tab, then click Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Next, click Scanner, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

How is the computer running now?

#13 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • PipPip
  • 105 posts

Posted 16 March 2011 - 03:01 PM

exeHelper by Raktor
Build 20100414
Run at 15:52:23 on 03/16/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6069

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/16/2011 3:56:04 PM
mbam-log-2011-03-16 (15-56-04).txt

Scan type: Quick scan
Objects scanned: 157994
Time elapsed: 2 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Seems to be working better; I have not seen the spyware rearing its ugly head.
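
The exeHelper log above reports resetting the .exe and .com file associations and the userinit/shell values, and the OTL report in the first post lists those same associations under "Shell Spawning". As an added example (not part of this thread or of any tool named in it), here is a Python checker that parses an OTL Shell Spawning section and reports which core executable types still carry the stock Windows XP command, which keys are absent, and which have been changed; the first sample section is copied from the report in post #1, the second is a constructed alteration of it.

```python
"""Audit the "Shell Spawning" section of an OTL log for altered executable
file associations. Added example for this thread; not part of OTL, exeHelper
or any other tool mentioned here."""
import re
from typing import Dict, List, Tuple

# Stock Windows XP shell commands for the executable-type classes OTL lists.
# They match the values shown in the OTL report in the first post.
EXPECTED_COMMANDS: Dict[Tuple[str, str], str] = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
    ("scrfile", "config"): '"%1"',
    ("cplfile", "cplopen"): 'rundll32.exe shell32.dll,Control_RunDLL "%1",%*',
}

# One OTL entry per line:  <class> [<verb>] -- <command>
LINE_RE = re.compile(r"^(?P<cls>\S+) \[(?P<verb>[^\]]+)\] -- (?P<cmd>.*)$")
REG_ERROR = "Reg Error: Key error."  # OTL's marker for a key that does not exist


def parse_shell_spawning(text: str) -> List[Tuple[str, str, str]]:
    """Return (class, verb, command) triples, skipping headers and key paths."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "[=":
            continue  # section banner, registry path, or blank line
        m = LINE_RE.match(line)
        if m:
            entries.append((m["cls"], m["verb"], m["cmd"].strip()))
    return entries


def audit_shell_spawning(text: str) -> Dict[str, List[str]]:
    """Sort the baseline entries into ok / missing / changed."""
    findings: Dict[str, List[str]] = {"ok": [], "missing": [], "changed": []}
    seen = set()
    for cls, verb, cmd in parse_shell_spawning(text):
        key = (cls, verb)
        if key not in EXPECTED_COMMANDS:
            continue  # Directory, Folder, htmlfile etc. have no fixed baseline here
        seen.add(key)
        if cmd == REG_ERROR:
            findings["missing"].append(f"{cls} [{verb}]")
        elif cmd.lower() == EXPECTED_COMMANDS[key].lower():
            findings["ok"].append(f"{cls} [{verb}]")
        else:
            findings["changed"].append(f"{cls} [{verb}] -> {cmd}")
    for cls, verb in EXPECTED_COMMANDS:
        if (cls, verb) not in seen:
            findings["missing"].append(f"{cls} [{verb}] (not listed)")
    return findings


# Sample 1: the Shell Spawning section copied from the OTL report in this thread.
SAMPLE_CLEAN = """========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\<key>\\shell\\[command]\\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
"""

# Sample 2: constructed, not from the thread. The exefile command now routes
# every .exe launch through a placeholder program first; this is the kind of
# change that exeHelper's "Resetting filetype association for .exe" step resets.
SAMPLE_CHANGED = SAMPLE_CLEAN.replace(
    'exefile [open] -- "%1" %*',
    'exefile [open] -- "C:\\example\\placeholder.exe" "%1" %*',
)

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("changed", SAMPLE_CHANGED)):
        result = audit_shell_spawning(sample)
        print(f"{name}: ok={len(result['ok'])} missing={result['missing']} "
              f"changed={result['changed']}")
```

Entries reported as "Reg Error: Key error." are listed as missing rather than changed, since OTL prints that when the key is absent, as it does for htmlfile, regfile and txtfile in the report above.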

#14 NoodleTech

NoodleTech

    Malware Eradicator

  • Malware Team
  • 2,380 posts

Posted 16 March 2011 - 06:04 PM

Hi Brad,

Good to hear. Looks to me like the system is clean!

Please do the following:

Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

===================================================

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer More Secure
  • Click Start > Run
  • Type Inetcpl.cpl and click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected and Click Custom level
  • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to Prompt, and "Initialize and script ActiveX controls not marked as safe" to Disable.
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
2. Update your Anti-Virus Software - I cannot overemphasize the need for you to update your anti-virus application on a regular basis. With the ever-increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

4. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

5. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?

Do you have any further questions?

#15 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • PipPip
  • 105 posts

Posted 17 March 2011 - 06:39 AM

No further questions. Thanks for your help.


