
Active Iexplore.exe trojan?

Discussion in 'Malware and Virus Removal Archive' started by RunningRaptor, 2009/07/22.

  1. 2009/07/22
    RunningRaptor

    RunningRaptor Inactive Thread Starter

    Joined:
    2009/07/22
    Messages:
    2
    Likes Received:
    0
    [Active] Iexplore.exe trojan?

    I am not sure how long this problem has been going on, but I am noticing its effects more and more every day. Even when I am not running Internet Explorer (I use Firefox), there is a process in the Task Manager called iexplore.exe that always is using a substantial amount of memory and a large percentage of the CPU. Sometimes there is also another process called the same thing, that also uses lots of memory. Whenever I end the processes, they come right back after about 5-10 seconds. I suspect that this is some kind of virus. I have tried running a couple of virus-scans both in the regular mode and safe mode, but nothing has solved the problem. Here are the two DDS logs:

    DDS.txt-


    DDS (Ver_09-06-26.01) - NTFSx86
    Run by Owner at 18:26:40.56 on Wed 07/22/2009
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.68 [GMT -7:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Bar = hxxp://www.google.com/ie
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [EPSON Stylus CX7800 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiafa.exe /fu "c:\windows\temp\E_S16F.tmp" /EF "HKCU"
    uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
    uRun: [nah_Shell] c:\documents and settings\owner\nah_pqux.exe
    uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
    mRun: [<NO NAME>]
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\run_startmenu.cmd
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: {0AE56811-AD21-4499-AAA7-C3623E8877BE} = 68.238.128.12,68.238.0.12

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\84o3hoes.default\
    FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\84o3hoes.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071301000019.dll
    FF - plugin: c:\program files\download manager\npfpdlm.dll
    FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.1 beta 3\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    user_pref('capability.policy.policynames', 'localfilelinks');
    user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com http://www.google.com');
    user_pref('capability.policy.localfilelinks.checkloaduri.enabled', 'allAccess');
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

    ============= SERVICES / DRIVERS ===============

    R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-7-12 22024]
    R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-7-12 27656]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-29 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-29 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-29 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-29 55640]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-6-12 36368]
    R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-11-9 280392]
    S2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-7-12 4368952]

    =============== Created Last 30 ================

    2009-07-22 16:38 <DIR> --d----- c:\documents and settings\owner\DoctorWeb
    2009-07-20 22:13 <DIR> --d----- c:\documents and settings\owner\.thumbnails
    2009-07-18 20:52 <DIR> --d----- c:\documents and settings\all users\Application Databm
    2009-07-18 20:48 <DIR> --d----- c:\program files\bluemoon
    2009-07-17 13:21 <DIR> --d----- c:\windows\pss
    2009-07-13 23:26 <DIR> --d----- C:\dosgames
    2009-07-13 23:23 <DIR> --d----- c:\program files\DOSBox-0.73
    2009-07-12 22:06 27,656 a------- c:\windows\system32\drivers\pxsec.sys
    2009-07-12 22:06 22,024 a------- c:\windows\system32\drivers\pxscan.sys
    2009-07-12 22:06 <DIR> --d----- c:\program files\Prevx
    2009-07-12 22:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
    2009-07-12 22:06 63 a------- c:\windows\wininit.ini
    2009-07-11 20:20 <DIR> --d----- c:\program files\AaaaaAAaaaAAAaaAAAAaAAAAA!!! - A Reckless Disregard for Gravity - Beta-1
    2009-07-10 23:00 <DIR> --d----- c:\program files\Download Manager
    2009-07-10 17:06 <DIR> --d----- c:\docume~1\owner\applic~1\ScummVM
    2009-07-10 17:05 <DIR> --d----- c:\program files\ScummVM
    2009-06-25 23:17 0 a---h--- c:\windows\SwSys2.bmp
    2009-06-25 23:17 0 a---h--- c:\windows\SwSys1.bmp
    2009-06-25 23:17 <DIR> --d----- c:\program files\Game_Maker7

    ==================== Find3M ====================

    2009-06-18 15:01 38,952 a------- c:\documents and settings\owner\nah_log.dat
    2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
    2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
    2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
    2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
    2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
    2009-05-28 19:38 57,906 a------- c:\windows\Sysvxd.exe
    2009-05-24 18:26 56 a------- C:\xcrashdump.dat
    2009-05-24 18:01 182,656 a------- c:\windows\system32\drivers\ndis.sys
    2009-05-24 17:58 15,000 a------- c:\windows\system32\hjs398iddi.dll
    2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
    2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
    2009-04-28 21:55 78,336 a------- c:\windows\system32\ieencode.dll
    2009-01-30 23:40 60,928 a------- c:\documents and settings\owner\jbfmod.dll
    2009-01-30 23:40 161,280 a------- c:\documents and settings\owner\fmod.dll

    ============= FINISH: 18:28:18.59 ===============

    Attach.txt



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-06-26.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/27/2008 4:06:47 PM
    System Uptime: 7/22/2009 12:42:20 AM (18 hours ago)

    Motherboard: First International Computer, Inc. | | K7MNF-64
    Processor: AMD Sempron(tm) 3000+ | Socket A | 1991/166mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 150 GiB total, 6.255 GiB free.
    D: is FIXED (FAT32) - 4 GiB total, 1.677 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    K: is CDROM ()
    L: is CDROM ()
    N: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP211: 6/19/2009 12:05:08 PM - System Checkpoint
    RP212: 6/20/2009 2:14:57 PM - System Checkpoint
    RP213: 6/20/2009 9:59:11 PM - Installed Sid Meier's Civilization 4
    RP214: 6/21/2009 7:44:04 PM - Configured Sid Meier's Civilization 4
    RP215: 6/22/2009 11:10:58 PM - System Checkpoint
    RP216: 6/23/2009 7:32:33 PM - Software Distribution Service 3.0
    RP217: 6/23/2009 7:38:06 PM - Installed Java(TM) 6 Update 13
    RP218: 6/24/2009 8:09:28 PM - System Checkpoint
    RP219: 6/25/2009 9:09:29 PM - System Checkpoint
    RP220: 6/26/2009 9:28:31 PM - System Checkpoint
    RP221: 6/27/2009 10:02:16 PM - System Checkpoint
    RP222: 6/28/2009 10:37:56 PM - System Checkpoint
    RP223: 7/8/2009 8:23:45 PM - System Checkpoint
    RP224: 7/9/2009 8:32:20 PM - System Checkpoint
    RP225: 7/11/2009 1:54:32 PM - System Checkpoint
    RP226: 7/12/2009 4:43:27 PM - System Checkpoint
    RP227: 7/13/2009 6:33:13 PM - System Checkpoint
    RP228: 7/14/2009 7:00:54 PM - System Checkpoint
    RP229: 7/14/2009 8:54:04 PM - Software Distribution Service 3.0
    RP230: 7/16/2009 7:09:37 PM - System Checkpoint
    RP231: 7/17/2009 7:29:35 PM - System Checkpoint
    RP232: 7/18/2009 10:09:23 PM - System Checkpoint
    RP233: 7/20/2009 12:45:37 PM - System Checkpoint
    RP234: 7/21/2009 7:54:16 PM - System Checkpoint

    ==== Installed Programs ======================

    µTorrent
    AaaaaAAaaaAAAaaAAAAaAAAAA!!! - A Reckless Disregard for Gravity
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0
    Adobe Shockwave Player 11
    American McGee's Alice(tm)
    AOL Toolbar
    AOL You've Got Pictures Screensaver
    Apple Mobile Device Support
    Apple Software Update
    Audacity 1.2.6
    Avira AntiVir Personal - Free Antivirus
    AVS Video Converter 6
    AVS4YOU Software Navigator 1.3
    BigFix
    bluemoon v.0.5 beta
    Bonjour
    CDisplay 1.8
    Choice Guard
    ConvertHelper 2.2
    Crayon Physics Deluxe - release 51
    Dangerous High School Girls In Trouble 1.00
    Democracy 2
    Digital Media Reader
    Download Manager 2.3.9
    eBook to Images
    EPSON Printer Software
    EPSON Scan
    Football Manager 2008
    GIMP 2.6.6
    Google Toolbar for Internet Explorer
    Hotfix for Windows XP (KB952287)
    iDump (Build: 28)
    iTunes
    Java 2 Runtime Environment, SE v1.4.2
    Java(TM) 6 Update 13
    Junk Mail filter update
    Learn2 Player (Uninstall Only)
    Mafia
    Malwarebytes' Anti-Malware
    Max Payne
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0
    Microsoft Application Error Reporting
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money 2005
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 Disc 2
    Microsoft Office 2000 Professional
    Microsoft Office 2000 Small Business
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Works
    Mozilla Firefox (3.0.7)
    Mozilla Firefox (3.5.1)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    Nero BurnRights
    Nero OEM
    NVIDIA Drivers
    NvMixer
    OpenAL
    PowerDVD
    Prevx 3.0
    Puzzle Quest
    Python 2.6.1
    QuickTime
    RealPlayer Basic
    Rome - Total War(TM)
    ScummVM 0.12.0
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB973346)
    Segoe UI
    Sid Meier's Civilization 4
    SimCity 4 Deluxe
    SoftV92 Data Fax Modem with SmartCP
    System Requirements Lab
    The Sims 2
    Trend Micro PC-cillin Internet Security
    Unity Web Player
    Update for Windows XP (KB951978)
    Update for Windows XP (KB953356)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Viewpoint Media Player
    VobSub v2.23 (Remove Only)
    WebFldrs XP
    WinAVI MP4 Converter
    Windows Backup Utility
    Windows Internet Explorer 7
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player Firefox Plugin
    Windows XP Service Pack 3
    WinRAR archiver
    XP Codec Pack
    Xvid 1.2.1 final uninstall

    ==== Event Viewer Messages From Past Week ========

    7/22/2009 12:33:46 PM, error: Service Control Manager [7034] - The Trend Micro Proxy Service service terminated unexpectedly. It has done this 3 time(s).
    7/20/2009 4:48:05 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 ASPI32 avgio avipbb Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip tmtdi
    7/20/2009 4:48:05 PM, error: Service Control Manager [7001] - The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/20/2009 4:48:05 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    7/20/2009 4:48:05 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/20/2009 4:48:05 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/20/2009 4:48:05 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    7/20/2009 4:48:05 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/20/2009 4:48:05 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/20/2009 4:47:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    7/20/2009 4:47:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    7/20/2009 3:18:08 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AntiVirSchedulerService service.
    7/18/2009 1:35:56 PM, error: Service Control Manager [7034] - The Trend Micro Proxy Service service terminated unexpectedly. It has done this 2 time(s).
    7/17/2009 1:27:30 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    7/17/2009 1:27:30 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    7/16/2009 7:14:41 PM, error: Service Control Manager [7034] - The Trend Micro Central Control Component service terminated unexpectedly. It has done this 1 time(s).
    7/16/2009 6:44:26 PM, error: NetBT [4321] - The name "MSHOME :1d" could not be registered on the Interface with IP address 192.168.1.3. The machine with the IP address 192.168.1.137 did not allow the name to be claimed by this machine.
    7/15/2009 1:32:08 PM, error: Service Control Manager [7034] - The Trend Micro Proxy Service service terminated unexpectedly. It has done this 1 time(s).
    7/15/2009 1:24:02 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

    ==== End Of File ===========================
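The autostart entries in the DDS report above are the part an analyst reads first: `uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe` uses a Windows service-host name but runs from the drivers folder, and `uRun: [nah_Shell] c:\documents and settings\owner\nah_pqux.exe` starts an executable straight out of the user's profile root. As an added example that is not part of this thread and not part of the DDS tool, the Python script below parses a DDS-style report and flags autostart entries, and running processes, whose file name matches a well-known Windows binary (svchost.exe, iexplore.exe, explorer.exe and so on) but whose directory is not where that binary legitimately lives, plus executables autostarted from a profile root. The expected-directory table is an assumption for a 32-bit Windows XP layout; the section titles follow the DDS headers shown above; the sample report is a constructed excerpt made of lines copied from this post's log.

```python
import re
from pathlib import PureWindowsPath

# Assumed table for a 32-bit Windows XP install: the directory (lower-case) from
# which each commonly impersonated Windows binary is legitimately launched.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "iexplore.exe": {r"c:\program files\internet explorer"},
    "explorer.exe": {r"c:\windows"},
    "ctfmon.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
}

# DDS "Pseudo HJT Report" autostart lines: uRun (HKCU), mRun (HKLM), dRun (default user hive).
RUN_LINE = re.compile(r"^\s*(?P<hive>[umd]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
# A directory immediately below "Documents and Settings" is a user's profile root.
PROFILE_ROOT = re.compile(r"^c:\\documents and settings\\[^\\]+$", re.I)


def command_path(cmd):
    """Return the executable path of a Run value (None if empty). A quoted value ends
    at the closing quote; an unquoted one at the first '.exe' (or its first token)."""
    cmd = cmd.strip()
    if not cmd:
        return None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def classify(path):
    """Return a reason string if `path` looks like a system-binary impersonation or an
    executable in a profile root, else None. Bare names (resolved via PATH) are not judged."""
    p = PureWindowsPath(path)
    parent, base = str(p.parent).lower(), p.name.lower()
    if parent == ".":
        return None
    expected = EXPECTED_DIRS.get(base)
    if expected and parent not in expected:
        return f"{base} runs from {parent}, expected {sorted(expected)}"
    if PROFILE_ROOT.match(parent):
        return "executable started directly from a user profile root"
    return None


def section(report, title):
    """Return the non-empty lines of the DDS section whose '====' header contains `title`."""
    out, inside = [], False
    for line in report.splitlines():
        s = line.strip()
        if s.startswith("=") and title in s:
            inside = True
            continue
        if inside and s.startswith("="):
            break
        if inside and s:
            out.append(s)
    return out


def audit_run_entries(report):
    """(hive, entry name, path, reason) for every autostart entry classify() objects to."""
    findings = []
    for line in report.splitlines():
        m = RUN_LINE.match(line)
        path = command_path(m.group("cmd")) if m else None
        reason = classify(path) if path else None
        if reason:
            findings.append((m.group("hive"), m.group("name"), path, reason))
    return findings


def audit_running_processes(report):
    """(path, reason) for every 'Running Processes' entry classify() objects to."""
    findings = []
    for line in section(report, "Running Processes"):
        path = command_path(line)
        reason = classify(path) if path else None
        if reason:
            findings.append((path, reason))
    return findings


# Constructed excerpt: lines copied from the DDS report posted in this thread.
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe

============== Pseudo HJT Report ===============

uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
uRun: [nah_Shell] c:\documents and settings\owner\nah_pqux.exe
mRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
"""

if __name__ == "__main__":
    for hive, name, path, reason in audit_run_entries(SAMPLE_DDS):
        print(f"{hive} [{name}] {path}: {reason}")
    for path, reason in audit_running_processes(SAMPLE_DDS):
        print(f"process {path}: {reason}")
```

Run against the excerpt, the script reports exactly the two uRun entries named above and nothing from the process list, which matches the poster's observation that the iexplore.exe processes were not present when the log was taken; a name-only check in Task Manager cannot tell a copy of iexplore.exe in the wrong directory from the real one, which is why the path, not the name, is what gets compared here.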
     
  2. 2009/07/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     


  4. 2009/07/22
    RunningRaptor

    RunningRaptor Inactive Thread Starter

    Joined:
    2009/07/22
    Messages:
    2
    Likes Received:
    0
    The iexplore.exe processes seem to be gone right now. Anyways, here are the combofix and HJT logs:

    Combofix-

    ComboFix 09-07-22.01 - Owner 07/22/2009 20:46.1.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.111 [GMT -7:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\-1065637710
    c:\documents and settings\Owner\Application Data\wiaserva.log
    c:\documents and settings\Owner\nah_log.dat
    c:\recycler\S-1-5-21-1042304642-1844421974-437319698-6840
    c:\recycler\S-1-5-21-694890652-1861647634-2892160341-1003
    c:\windows\system32\hjs398iddi.dll
    c:\windows\system32\p2hhr.bat
    c:\windows\Sysvxd.exe
    C:\xcrashdump.dat
    D:\Autorun.inf

    c:\windows\system32\grpconv.exe . . . is missing!!

    Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
    Restored copy from - The cat ate it :)
    .
    ((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))
    .

    2009-07-22 23:38 . 2009-07-22 23:38 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
    2009-07-21 05:13 . 2009-07-22 02:15 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
    2009-07-21 05:13 . 2009-07-21 05:13 -------- d-----w- c:\documents and settings\Owner\.thumbnails
    2009-07-19 03:52 . 2009-07-19 03:52 -------- d-----w- c:\documents and settings\All Users\Application Databm
    2009-07-19 03:48 . 2009-07-22 22:00 -------- d-----w- c:\program files\bluemoon
    2009-07-14 06:26 . 2009-07-14 06:29 -------- d-----w- C:\dosgames
    2009-07-14 06:24 . 2009-07-14 06:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\DOSBox
    2009-07-14 06:23 . 2009-07-14 06:47 -------- d-----w- c:\program files\DOSBox-0.73
    2009-07-13 05:06 . 2009-07-13 05:06 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
    2009-07-13 05:06 . 2009-07-13 05:06 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
    2009-07-13 05:06 . 2009-07-13 05:06 -------- d-----w- c:\program files\Prevx
    2009-07-13 05:06 . 2009-07-21 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
    2009-07-12 03:25 . 2009-07-12 03:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AaaaaRecklessDisregard
    2009-07-12 03:20 . 2009-07-12 03:22 -------- d-----w- c:\program files\AaaaaAAaaaAAAaaAAAAaAAAAA!!! - A Reckless Disregard for Gravity - Beta-1
    2009-07-11 06:00 . 2009-07-11 06:00 -------- d-----w- c:\program files\Download Manager
    2009-07-11 06:00 . 2009-07-11 22:17 -------- d-----w- c:\documents and settings\Owner\Application Data\IGN_DLM
    2009-07-11 00:06 . 2009-07-11 00:06 -------- d-----w- c:\documents and settings\Owner\Application Data\ScummVM
    2009-07-11 00:05 . 2009-07-11 00:49 -------- d-----w- c:\program files\ScummVM
    2009-06-26 06:17 . 2009-07-13 21:47 -------- d-----w- c:\program files\Game_Maker7

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-23 03:56 . 2008-12-28 03:20 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
    2009-07-23 03:19 . 2004-08-26 16:12 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
    2009-07-23 03:16 . 2008-12-28 00:38 -------- d-----w- c:\program files\Trend Micro
    2009-07-23 03:12 . 2009-03-19 03:11 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 3
    2009-07-20 19:37 . 2009-06-01 00:41 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-06-24 02:38 . 2008-12-27 23:48 -------- d-----w- c:\program files\Java
    2009-06-24 02:36 . 2009-04-24 01:56 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-06-20 02:39 . 2009-06-20 02:38 -------- d-----w- c:\program files\Mafia
    2009-06-18 23:33 . 2009-06-18 22:22 -------- d-----w- c:\program files\Max Payne
    2009-06-18 22:22 . 2008-12-27 23:49 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-06-16 14:36 . 2004-08-26 16:12 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 14:36 . 2004-08-26 16:11 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-11 03:25 . 2009-06-11 01:54 -------- d-----w- c:\program files\commons
    2009-06-08 22:34 . 2009-06-08 22:34 -------- d-----w- c:\program files\ConvertHelper
    2009-06-07 05:38 . 2008-12-28 03:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
    2009-06-06 01:48 . 2009-06-06 01:48 528 ----a-w- c:\windows\eReg.dat
    2009-06-06 01:47 . 2009-06-06 01:47 -------- d-----w- c:\program files\Maxis
    2009-06-03 19:09 . 2004-08-26 16:12 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-06-03 01:43 . 2009-06-02 01:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
    2009-06-02 04:24 . 2009-06-02 04:23 -------- d-----w- c:\program files\iTunes
    2009-06-02 04:23 . 2009-06-02 04:23 -------- d-----w- c:\program files\iPod
    2009-06-02 04:23 . 2008-12-28 03:10 -------- d-----w- c:\program files\Common Files\Apple
    2009-06-02 04:19 . 2009-06-02 04:17 -------- d-----w- c:\program files\QuickTime
    2009-06-02 04:00 . 2009-06-02 04:00 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
    2009-05-29 23:26 . 2009-05-29 23:26 -------- d-----w- c:\program files\Avira
    2009-05-29 23:26 . 2009-05-29 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2009-05-29 20:36 . 2009-03-14 19:30 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
    2009-05-29 20:36 . 2008-12-28 03:11 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2009-05-28 19:15 . 2009-05-28 19:15 -------- d-----w- c:\program files\Alwil Software
    2009-05-28 04:39 . 2009-05-28 04:39 10121 ----a-w- c:\documents and settings\Owner\Application Data\DAEMON Tools Lite\kern.dll
    2009-05-28 04:39 . 2009-05-28 04:39 16141 ----a-w- c:\documents and settings\Owner\Application Data\Crayon Physics Deluxe\lego.exe
    2009-05-28 04:39 . 2009-05-28 04:39 145131 ----a-w- c:\documents and settings\Owner\Application Data\AVS4YOU\nomad.exe
    2009-05-28 04:39 . 2009-05-28 04:39 11410 ----a-w- c:\documents and settings\Owner\Application Data\DAEMON Tools\msgdi.dll
    2009-05-28 04:39 . 2009-05-28 04:39 422 ----a-w- c:\documents and settings\Owner\Application Data\Apple Computer\socks1.exe
    2009-05-28 04:39 . 2009-05-28 04:39 13221 ----a-w- c:\documents and settings\Owner\Application Data\AdobeUM\rengo.dll
    2009-05-28 04:39 . 2009-05-28 04:39 11232 ----a-w- c:\documents and settings\Owner\Application Data\Adobe\shalom.exe
    2009-05-26 21:54 . 2009-05-26 21:54 -------- d-----w- c:\program files\XP Codec Pack
    2009-05-26 21:52 . 2009-05-17 00:38 -------- d-----w- c:\program files\Xvid
    2009-05-25 01:55 . 2009-05-25 01:52 -------- d-----w- c:\program files\Crayon Physics Deluxe
    2009-05-25 01:55 . 2009-05-25 01:52 -------- d-----w- c:\program files\Democracy2
    2009-05-25 01:55 . 2009-05-25 01:55 -------- d-----w- c:\program files\Strategy First
    2009-05-25 01:54 . 2009-05-25 01:54 -------- d-----w- c:\program files\Sports Interactive
    2009-05-25 01:54 . 2009-03-01 03:25 -------- d-----w- c:\program files\Mafia
    2009-05-25 01:54 . 2009-05-25 01:53 -------- d-----w- c:\program files\Puzzle Quest
    2009-05-25 01:54 . 2008-12-28 03:56 -------- d-----w- c:\program files\EA GAMES
    2009-05-25 01:54 . 2009-05-25 01:54 -------- d-----w- c:\program files\PC TechZone
    2009-05-25 01:54 . 2009-05-25 01:54 -------- d-----w- c:\program files\Music Catch
    2009-05-25 01:54 . 2009-05-25 01:53 -------- d-----w- c:\program files\Mount&Blade
    2009-05-25 01:53 . 2009-05-25 01:53 -------- d-----w- c:\program files\MP3ToIpodAudioBookConverter
    2009-05-25 01:53 . 2009-05-25 01:53 -------- d-----w- c:\program files\ReflexiveArcade
    2009-05-25 01:53 . 2009-05-25 01:53 -------- d-----w- c:\program files\Nobilis
    2009-05-25 01:53 . 2009-05-25 01:53 -------- d-----w- c:\program files\ROM CHECK FAIL
    2009-05-25 01:53 . 2009-05-25 01:53 -------- d-----w- c:\program files\Steam
    2009-05-25 01:52 . 2009-05-25 01:52 -------- d-----w- c:\program files\Defense Grid - The Awakening
    2009-05-25 01:52 . 2009-05-25 01:52 -------- d-----w- c:\program files\BestGameEver
    2009-05-25 01:52 . 2009-05-25 01:52 -------- d-----w- c:\program files\Bethesda Softworks
    2009-05-25 01:52 . 2009-05-17 06:39 -------- d-----w- c:\program files\FlashDevelop
    2009-05-25 01:50 . 2009-05-25 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\19185464
    2009-05-14 00:45 . 2009-05-14 00:45 25 ----a-w- c:\windows\popcinfot.dat
    2009-05-07 15:32 . 2004-08-26 16:11 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-04-29 04:56 . 2004-08-26 16:12 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-04-29 04:55 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-03-06 22:10 . 2008-12-28 03:03 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-11-01 321040]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
    "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-12 81920]
    "NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
    "pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2007-08-16 1807696]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-07-12 843776]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    run_startmenu.cmd [2004-10-11 45]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=c:\windows\pss\BigFix.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

    R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [7/12/2009 10:06 PM 22024]
    R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [7/12/2009 10:06 PM 27656]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/29/2009 4:26 PM 108289]
    R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [7/12/2009 10:06 PM 4368952]
    R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/16/2007 4:28 AM 345432]
    R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/9/2006 1:03 AM 923216]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [6/12/2007 5:00 AM 36368]
    R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/9/2006 1:04 AM 566872]
    R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/9/2006 1:03 AM 280392]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    TCP: {0AE56811-AD21-4499-AAA7-C3623E8877BE} = 68.238.128.12,68.238.0.12
    DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\84o3hoes.default\
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\84o3hoes.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll
    FF - plugin: c:\program files\Download Manager\npfpdlm.dll
    FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    user_pref('capability.policy.policynames', 'localfilelinks');
    user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com http://www.google.com');
    user_pref('capability.policy.localfilelinks.checkloaduri.enabled', 'allAccess');
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox 3.1 Beta 3\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-22 21:00
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-07-23 21:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-07-23 04:12

    Pre-Run: 10,021,384,192 bytes free
    Post-Run: 11,599,454,208 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    271 --- E O F --- 2009-07-15 04:07

    HJT-

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:17:37 PM, on 7/22/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /FU "C:\WINDOWS\TEMP\E_S16F.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
    O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\Owner\nah_pqux.exe
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: run_startmenu.cmd
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AE56811-AD21-4499-AAA7-C3623E8877BE}: NameServer = 68.238.128.12,68.238.0.12
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0AE56811-AD21-4499-AAA7-C3623E8877BE}: NameServer = 68.238.128.12,68.238.0.12
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0AE56811-AD21-4499-AAA7-C3623E8877BE}: NameServer = 192.168.1.1,192.168.1.4
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0AE56811-AD21-4499-AAA7-C3623E8877BE}: NameServer = 68.238.128.12,68.238.0.12
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    --
    End of file - 9317 bytes
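The O17 and O23 lines above are the ones a malware analyst reads first: O17 shows the resolvers each control set hands to TCP/IP (a hijacked NameServer value silently reroutes every lookup the machine makes), and O23 lists service binaries with their paths. The script below is an added example, not part of this thread and not HijackThis code, that triages those two line types. Its input is a handful of lines copied from the log above; EXPECTED_DNS is an assumed allowlist standing in for the resolvers the ISP or router actually hands out, and NORMAL_ROOTS assumes the usual 8.3 alias PROGRA~1 for "Program Files". It makes no judgement about whether the 68.238.x.x pair is legitimate; it only reports resolvers that are neither on the allowlist nor private, control sets whose resolver list differs from CurrentControlSet, and service binaries that are not .exe files or sit outside the usual roots.

```python
"""Triage the O17 (NameServer) and O23 (service) lines of a HijackThis log.

Added example; not part of the forum thread and not HijackThis code.
SAMPLE_LOG is an excerpt copied from the log above.  EXPECTED_DNS is an
assumed allowlist (replace with the resolvers your ISP/router really hands
out); NORMAL_ROOTS assumes PROGRA~1 is the 8.3 alias of "Program Files".
"""
import ipaddress
import re

SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{0AE56811-AD21-4499-AAA7-C3623E8877BE}: NameServer = 68.238.128.12,68.238.0.12
O17 - HKLM\\System\\CS2\\Services\\Tcpip\\..\\{0AE56811-AD21-4499-AAA7-C3623E8877BE}: NameServer = 192.168.1.1,192.168.1.4
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\\Program Files\\Avira\\AntiVir Desktop\\avguard.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\\Program Files\\Common Files\\New Boundary\\PrismXL\\PRISMXL.SYS
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\\PROGRA~1\\TRENDM~1\\INTERN~1\\tmproxy.exe
"""

# Assumed allowlist: the resolvers the router/ISP is known to hand out.
EXPECTED_DNS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - HKLM\\System\\(?P<cs>[^\\]+)\\.*NameServer = (?P<servers>[\d.,]+)\s*$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.+?)\s*$")
NORMAL_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows")


def nameservers_by_control_set(log_text):
    """Map control set name (CCS, CS1, ...) to its ordered resolver list."""
    result = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            result[m.group("cs")] = m.group("servers").split(",")
    return result


def check_nameservers(log_text, expected=EXPECTED_DNS):
    """Return (control_set, server, reason) findings.

    A public resolver the user did not choose is the classic DNS-hijack
    indicator an O17 line can show; a control set whose list differs from
    CurrentControlSet tells you the setting changed between boots."""
    findings = []
    by_cs = nameservers_by_control_set(log_text)
    for cs, servers in by_cs.items():
        for server in servers:
            if server in expected:
                continue
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append((cs, server, "unparsable resolver address"))
                continue
            if not addr.is_private:
                findings.append((cs, server, "public resolver not in allowlist"))
    current = by_cs.get("CCS")
    for cs, servers in by_cs.items():
        if current is not None and cs != "CCS" and servers != current:
            findings.append((cs, ",".join(servers), "differs from CurrentControlSet"))
    return findings


def check_services(log_text):
    """Return (service_name, path, reason) for O23 entries worth a second look:
    a binary outside the usual roots, or a service binary that is not a .exe."""
    findings = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        low = path.lower()
        if not low.startswith(NORMAL_ROOTS):
            findings.append((m.group("name"), path, "binary outside Program Files / Windows"))
        elif not low.endswith(".exe"):
            findings.append((m.group("name"), path, "service binary is not a .exe; verify its hash"))
    return findings


if __name__ == "__main__":
    for finding in check_nameservers(SAMPLE_LOG) + check_services(SAMPLE_LOG):
        print(" | ".join(finding))
```

Feed it the whole log rather than the excerpt and tighten EXPECTED_DNS to what the router really advertises; anything it prints is a lead to verify (hash the binary, confirm the resolver with the ISP), not a verdict.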
     
  5. 2009/07/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Attached is zipped grpconv.exe file. Unzip it, and paste grpconv.exe file into c:\windows\system32 folder.

    Please, upload following files to http://www.virustotal.com/ for security check:
    - pxscan.sys, pxsec.sys located @ c:\windows\system32\drivers
    Post scan results.


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\tmpreflt.sys
    c:\windows\system32\drivers\TM_CFW.sys
    
    
    Folder::
    c:\progra~1\TRENDM~1\INTERN~1
    
    Driver::
    Tmntsrv
    TmPfw
    tmpreflt
    tmproxy
    tmcfw
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
     "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
     "DisableMonitoring"=-
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     

    Attached Files:
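The CFScript in the reply above deletes two driver files, a folder, five driver services and two registry values, so it is worth linting before it is dragged onto ComboFix. The script below is an added example, not ComboFix code and not from the reply. It assumes a CFScript is a series of `Name::` headers each followed by one entry per line, and that the Registry:: section follows .reg syntax, in which `"Value"=-` under a `[key]` line deletes that value. The constructed sample is the script from this reply with one deliberate slip: a trailing space inside the quoted value name, the kind of thing forum copy-paste produces, which under .reg syntax names a value that does not exist and would leave the real DisableMonitoring value in place.

```python
"""Lint a ComboFix CFScript before dragging it onto ComboFix.exe.

Added example; not ComboFix code and not from the forum reply.  Assumptions:
a CFScript consists of "Name::" section headers followed by one entry per
line, and the Registry:: section uses .reg syntax, where "Value"=- under a
[key] line deletes that value.  SAMPLE_SCRIPT is the reply's script with a
deliberate trailing space inside the quoted value names so the lint fires.
"""
import re

SAMPLE_SCRIPT = r'''File::
c:\windows\system32\drivers\tmpreflt.sys
c:\windows\system32\drivers\TM_CFW.sys

Folder::
c:\progra~1\TRENDM~1\INTERN~1

Driver::
Tmntsrv
TmPfw
tmpreflt
tmproxy
tmcfw

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
 "DisableMonitoring "=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
 "DisableMonitoring "=-

RegLockDel::
'''

HEADER_RE = re.compile(r"^(\w+)::$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\\S")
REG_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+|HK(?:LM|CU|CR|U|CC))\\.+\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def parse_cfscript(text):
    """Return {section: [(line_no, entry), ...]}.

    Raises ValueError for a non-blank line that precedes any section header,
    since ComboFix would have no section to attribute it to."""
    sections, current = {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("line %d is outside any section: %r" % (no, raw))
        sections[current].append((no, line))
    return sections


def lint_cfscript(text):
    """Return a list of (line_no, message); an empty list means the script passes."""
    warnings = []
    sections = parse_cfscript(text)
    for section in ("File", "Folder"):
        for no, entry in sections.get(section, []):
            if not WIN_PATH_RE.match(entry):
                warnings.append((no, "%s:: entry is not an absolute Windows path" % section))
    for no, entry in sections.get("Driver", []):
        if re.search(r"[\s\\/]", entry):
            warnings.append((no, "Driver:: entry should be a bare service name"))
    key = None
    for no, entry in sections.get("Registry", []):
        if entry.startswith("["):
            key = entry
            if not REG_KEY_RE.match(entry):
                warnings.append((no, "malformed registry key"))
            continue
        if key is None:
            warnings.append((no, "registry value appears before any [key] line"))
        m = REG_VALUE_RE.match(entry)
        if not m:
            warnings.append((no, 'registry value line is not in "name"=data form'))
            continue
        name = m.group("name")
        if name != name.strip():
            # Under .reg syntax the space is part of the name: this line would
            # target a value that does not exist instead of the intended one.
            warnings.append((no, "value name %r has whitespace inside the quotes" % name))
    return warnings


if __name__ == "__main__":
    for no, message in lint_cfscript(SAMPLE_SCRIPT):
        print("line %d: %s" % (no, message))
```

Run it against CFScript.txt after saving from Notepad; a clean result only says the script is well-formed, not that the listed files and drivers are the right ones to remove.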
