
Inactive Vista Defender Attack

Discussion in 'Malware and Virus Removal Archive' started by pegmorell, 2010/04/04.

  1. 2010/04/04
    pegmorell (Thread Starter)

    [Inactive] Vista Defender Attack

    Popups from Vista Defender repeat constantly with warnings about horrible threats. My PC is protected by TrendMicro Internet Pro 2008, which says all is okay. When I try to run a fresh Trend Micro scan, the scan button grays out and nothing happens.

    DDS (Ver_10-03-17.01) - NTFSX64
    Run by Margaret at 21:58:02.64 on Sat 04/03/2010
    Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_15
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.6132.3810 [GMT -7:00]

    AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\RAVCpl64.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Windows\WindowsMobile\wmdSync.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\System32\spool\drivers\x64\3\E_IATICLA.EXE
    C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files (x86)\Copernic Desktop Search 2\DesktopSearchService.exe
    C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files (x86)\Registry Mechanic\RMTray.exe
    C:\Program Files (x86)\WinTV\Ir.exe
    C:\Program Files (x86)\Digital Line Detect\DLG.exe
    C:\Program Files (x86)\Stardock\Impulse\Now\ImpulseNow.exe
    C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
    C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files (x86)\Java\jre6\bin\jusched.exe
    C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
    C:\Windows\Samsung\PanelMgr\SSMMgr.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Windows\SysWOW64\UTSCSI.EXE
    C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\Samsung\PanelMgr\caller64.exe
    C:\Windows\system32\DRIVERS\xaudio64.exe
    C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Windows\ehome\ehsched.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\ehome\ehRecvr.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\Users\Margaret\AppData\Roaming\mjusbsp\magicJack.exe
    C:\Program Files (x86)\Internet Explorer\IELowutil.exe
    C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\splwow64.exe
    C:\Users\Margaret\AppData\Local\ave.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Margaret\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    mDefault_Page_URL = hxxp://www.dell.com
    mLocal Page = c:\windows\syswow64\blank.htm
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files (x86)\yahoo!\companion\installs\cpn2\yt.dll
    mWinlogon: Userinit=userinit.exe
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files (x86)\yahoo!\companion\installs\cpn2\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files (x86)\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files (x86)\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    TB: Transaction Protector: {e7620c98-fccc-40e5-92ec-c7685d2e1e40} - c:\program files\trend micro\trendsecure\transactionprotector\TSToolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files (x86)\yahoo!\companion\installs\cpn2\yt.dll
    TB: Copernic Desktop Search - Home: {968631b6-4729-440d-9bf4-251f5593ec9a} - c:\program files (x86)\copernic desktop search 2\DesktopSearchBand300000081.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
    EB: Copernic Desktop Search - Home: {968631b6-4729-440d-9bf4-251f5593ec9a} - c:\program files (x86)\copernic desktop search 2\DesktopSearchBand300000081.dll
    EB: Copernic Desktop Search - Home: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files (x86)\copernic desktop search 2\DesktopSearchBand300000081.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [swg] "c:\program files (x86)\google\googletoolbarnotifier\GoogleToolbarNotifier.exe "
    uRun: [EPSON Stylus Photo RX595 Series] c:\windows\system32\spool\drivers\x64\3\e_iaticla.exe /fu "c:\windows\temp\E_SE178.tmp" /EF "HKCU "
    uRun: [Aim6]
    uRun: [MsnMsgr] "c:\program files (x86)\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [WMPNSCFG] c:\program files (x86)\windows media player\WMPNSCFG.exe
    uRun: [Copernic Desktop Search - Home] "c:\program files (x86)\copernic desktop search 2\DesktopSearchService.exe" /tray
    uRun: [TrendSecure Remote File Lock] c:\program files\trend micro\trendsecure\remotefilelock\FLMain.exe
    uRun: [cdloader] "c:\users\margaret\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
    uRun: [RegistryMechanic] c:\program files (x86)\registry mechanic\RMTray.exe /H
    mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe "
    mRun: [TkBellExe] "c:\program files (x86)\common files\real\update_ob\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
    mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\ssmmgr.exe /autorun
    mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe "
    StartupFolder: c:\users\margaret\appdata\roaming\micros~1\windows\startm~1\programs\startup\impuls~1.lnk - c:\program files (x86)\stardock\impulse\now\ImpulseNow.exe
    StartupFolder: c:\users\margaret\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files (x86)\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\users\margaret\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
    StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\autost~1.lnk - c:\program files (x86)\wintv\Ir.exe
    StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files (x86)\digital line detect\DLG.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~2\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: nexon.net\card
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
    BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
    BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg64.dll
    TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
    TB-X64: Copernic Desktop Search - Home: {968631B6-4729-440D-9BF4-251F5593EC9A} -
    mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun-x64: [RtHDVCpl] RAVCpl64.exe
    mRun-x64: [Skytel] Skytel.exe
    mRun-x64: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun-x64: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun-x64: [Persistence] c:\windows\system32\igfxpers.exe
    mRun-x64: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe "
    mRun-x64: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
    STS-X64: FencesShlExt Class: {1984DD45-52CF-49cd-AB77-18F378FEA264} - c:\program files (x86)\stardock\fences\FencesMenu64.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\margaret\appdata\roaming\mozilla\firefox\profiles\6ylrgk08.default\
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\program files (x86)\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files (x86)\mozilla firefox\plugins\NPCIG.dll
    FF - plugin: c:\program files (x86)\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
    FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
    FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
    FF - plugin: c:\users\margaret\appdata\roaming\move networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\users\margaret\appdata\roaming\move networks\plugins\npqmp071505000011.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\PxHlpa64.sys [2008-6-17 53488]
    R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2008-2-16 192528]
    R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2010-1-29 11576]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-7-15 42000]
    R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2008-2-16 275984]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files (x86)\viewpoint\common\ViewpointService.exe [2008-8-5 24652]
    R3 CAXHWBS2;CAXHWBS2;c:\windows\system32\drivers\CAXHWBS2.sys [2008-6-18 403456]
    R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2008-9-21 587696]
    R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-9-21 854280]
    S2 gupdate1ca711b95076331;Google Update Service (gupdate1ca711b95076331);c:\program files (x86)\google\update\GoogleUpdate.exe [2009-11-29 133104]
    S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-8-22 93184]
    S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]

    ============== File Associations ===============

    JSEFile=c:\windows\syswow64\WScript.exe "%1" %*
    .exe=secfile

    =============== Created Last 30 ================

    2010-03-11 17:43:59 32768 ----a-w- c:\windows\system32\nshhttp.dll
    2010-03-11 17:43:59 24064 ----a-w- c:\windows\syswow64\nshhttp.dll
    2010-03-11 17:43:57 610304 ----a-w- c:\windows\system32\drivers\http.sys
    2010-03-11 17:43:57 33792 ----a-w- c:\windows\system32\httpapi.dll
    2010-03-11 17:43:57 31232 ----a-w- c:\windows\syswow64\httpapi.dll

    ==================== Find3M ====================

    2010-02-24 17:16:06 212864 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-23 07:03:02 1147904 ----a-w- c:\windows\system32\wininet.dll
    2010-02-23 06:57:40 132096 ----a-w- c:\windows\system32\iesysprep.dll
    2010-02-23 06:57:39 77312 ----a-w- c:\windows\system32\iesetup.dll
    2010-02-23 06:39:13 916480 ----a-w- c:\windows\syswow64\wininet.dll
    2010-02-23 06:39:00 1209344 ----a-w- c:\windows\syswow64\urlmon.dll
    2010-02-23 06:37:26 206848 ----a-w- c:\windows\syswow64\occache.dll
    2010-02-23 06:35:21 611840 ----a-w- c:\windows\syswow64\mstime.dll
    2010-02-23 06:34:51 5944832 ----a-w- c:\windows\syswow64\mshtml.dll
    2010-02-23 06:34:49 594432 ----a-w- c:\windows\syswow64\msfeeds.dll
    2010-02-23 06:34:49 55296 ----a-w- c:\windows\syswow64\msfeedsbs.dll
    2010-02-23 06:34:06 25600 ----a-w- c:\windows\syswow64\jsproxy.dll
    2010-02-23 06:33:45 71680 ----a-w- c:\windows\syswow64\iesetup.dll
    2010-02-23 06:33:45 1985536 ----a-w- c:\windows\syswow64\iertutil.dll
    2010-02-23 06:33:45 164352 ----a-w- c:\windows\syswow64\ieui.dll
    2010-02-23 06:33:45 109056 ----a-w- c:\windows\syswow64\iesysprep.dll
    2010-02-23 06:33:44 55808 ----a-w- c:\windows\syswow64\iernonce.dll
    2010-02-23 06:33:44 184320 ----a-w- c:\windows\syswow64\iepeers.dll
    2010-02-23 06:33:44 11070976 ----a-w- c:\windows\syswow64\ieframe.dll
    2010-02-23 06:33:38 387584 ----a-w- c:\windows\syswow64\iedkcs32.dll
    2010-02-23 05:19:22 162816 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-02-23 04:55:36 133632 ----a-w- c:\windows\syswow64\ieUnatt.exe
    2010-02-23 04:55:24 173056 ----a-w- c:\windows\syswow64\ie4uinit.exe
    2010-02-23 04:54:43 13312 ----a-w- c:\windows\syswow64\msfeedssync.exe
    2010-01-30 00:58:59 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-01-30 00:58:58 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-01-30 00:58:55 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-01-25 13:03:03 534016 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 13:03:03 159232 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 13:03:03 158720 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 13:02:33 535040 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 13:00:33 457216 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 12:48:34 472576 ----a-w- c:\windows\syswow64\secproc_isv.dll
    2010-01-25 12:48:34 151040 ----a-w- c:\windows\syswow64\secproc_ssp_isv.dll
    2010-01-25 12:48:34 151040 ----a-w- c:\windows\syswow64\secproc_ssp.dll
    2010-01-25 12:48:06 472064 ----a-w- c:\windows\syswow64\secproc.dll
    2010-01-25 12:45:56 329216 ----a-w- c:\windows\syswow64\msdrm.dll
    2010-01-25 08:37:36 413696 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:37:32 594944 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:37:32 409600 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-25 08:37:29 594432 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:35:01 346624 ----a-w- c:\windows\syswow64\RMActivate_ssp_isv.exe
    2010-01-25 08:35:00 523776 ----a-w- c:\windows\syswow64\RMActivate_isv.exe
    2010-01-25 08:34:56 511488 ----a-w- c:\windows\syswow64\RMActivate.exe
    2010-01-25 08:34:56 347136 ----a-w- c:\windows\syswow64\RMActivate_ssp.exe
    2010-01-23 10:00:20 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-01-23 09:44:02 2048 ----a-w- c:\windows\syswow64\tzres.dll
    2008-07-22 21:11:34 353640 ----a-w- c:\program files\oldbookmarks.html
    2008-07-20 01:35:30 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
    2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
    2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-10-16 15:41:32 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
    2009-10-16 15:41:32 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
    2009-10-16 15:41:32 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
    2009-10-16 15:41:32 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-11-09 20:43:28 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

    ============= FINISH: 21:58:16.38 ===============

    DDS (Ver_10-03-17.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 6/17/2008 6:10:31 PM
    System Uptime: 4/3/2010 2:25:08 PM (7 hours ago)

    Motherboard: Dell Inc. | | 0FM586
    Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2400/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 594 GiB total, 308.488 GiB free.
    D: is FIXED (NTFS) - 2 GiB total, 1.003 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    K: is Removable
    L: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP699: 3/7/2010 3:08:07 PM - Windows Update
    RP700: 3/8/2010 12:18:58 PM - Windows Update
    RP701: 3/8/2010 12:23:24 PM - Windows Update
    RP702: 3/9/2010 8:53:39 AM - Windows Update
    RP703: 3/10/2010 8:26:26 AM - Windows Update
    RP704: 3/11/2010 9:39:30 AM - Windows Update
    RP705: 3/11/2010 9:49:05 AM - Windows Update
    RP706: 3/12/2010 4:25:30 AM - Windows Update
    RP707: 3/13/2010 10:47:08 AM - Windows Update
    RP708: 3/13/2010 10:19:38 PM - Windows Update
    RP709: 3/14/2010 1:36:11 PM - Scheduled Checkpoint
    RP710: 3/15/2010 8:16:19 AM - Windows Update
    RP711: 3/15/2010 8:20:27 AM - Windows Update
    RP712: 3/16/2010 11:14:47 AM - Windows Update
    RP713: 3/17/2010 12:53:07 PM - Windows Update
    RP714: 3/18/2010 10:29:35 AM - Windows Update
    RP715: 3/18/2010 10:35:24 AM - Windows Update
    RP716: 3/19/2010 10:01:06 AM - Windows Update
    RP717: 3/20/2010 11:10:58 AM - Windows Update
    RP718: 3/21/2010 11:11:50 AM - Windows Update
    RP719: 3/22/2010 10:59:00 AM - Windows Update
    RP720: 3/22/2010 11:03:27 AM - Windows Update
    RP721: 3/23/2010 9:07:00 AM - Windows Update
    RP722: 3/24/2010 11:23:22 AM - Windows Update
    RP723: 3/25/2010 10:00:44 AM - Windows Update
    RP724: 3/25/2010 10:09:06 AM - Windows Update
    RP725: 3/26/2010 8:59:34 AM - Windows Update
    RP726: 3/27/2010 12:16:37 PM - Windows Update
    RP727: 3/28/2010 1:05:39 PM - Windows Update
    RP728: 3/29/2010 9:55:41 AM - Windows Update
    RP729: 3/29/2010 9:59:57 AM - Windows Update
    RP730: 3/30/2010 11:01:38 AM - Windows Update
    RP731: 3/31/2010 11:34:15 AM - Windows Update
    RP732: 4/1/2010 10:33:44 AM - Windows Update
    RP733: 4/1/2010 10:37:46 AM - Windows Update
    RP734: 4/2/2010 11:08:30 AM - Windows Update
    RP735: 4/3/2010 2:30:22 PM - Windows Update

    ==== Installed Programs ======================

    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 9.3
    Adobe Shockwave Player 11.5
    AIM 6
    ALOT Toolbar
    AnswerWorks 5.0 English Runtime
    Apple Application Support
    Apple Software Update
    ArcSoft PhotoImpression 6
    ArcSoft Print Creations
    CANON iMAGE GATEWAY Task for ZoomBrowser EX
    Canon Internet Library for ZoomBrowser EX
    Canon MOV Decoder
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities Digital Photo Professional 3.5
    Canon Utilities MyCamera
    Canon Utilities MyCamera DC
    Canon Utilities PhotoStitch
    Canon Utilities RemoteCapture DC
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    Compatibility Pack for the 2007 Office system
    Cooking Dash (remove only)
    Copernic Desktop Search - Home
    Dell Getting Started Guide
    Digital Line Detect
    Disney Toontown Online
    EDocs
    EPSON Print CD
    EPSON RX595 User's Guide
    EPSON Scan
    EPSON Stylus Photo RX595 Series Scanner Driver Update
    Fences
    Fences (Free)
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hauppauge English Help Files and Resources
    Hauppauge MCE XP/Vista Software Encoder (2.0.26057)
    Hauppauge WinTV
    Hauppauge WinTV Infrared Remote
    Hauppauge WinTV Scheduler
    Hauppauge WinTV Soft PVR
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    InterVideo FilterSDK for Hauppauge
    iPhone Configuration Utility
    Java(TM) 6 Update 15
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    LiveUpdate (Symantec Corporation)
    magicJack Recovery Tool 1.0
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Move Media Player
    Mozilla Firefox (3.6.3)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NetWaiting
    OpenOffice.org Installer 1.0
    Quicken 2008
    QuickTime
    RealPlayer
    Realtek High Definition Audio Driver
    Registry Mechanic 8.0
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Samsung CLP-310 Series
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB969679)
    Security Update for Microsoft Office Excel 2007 (KB969682)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Spelling Dictionaries Support For Adobe Reader 8
    Stardock Impulse
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Viewpoint Media Player
    Windows Live installer
    Windows Live Messenger
    Windows Media Player Firefox Plugin
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    4/3/2010 8:16:53 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user Margaret-PC\Margaret SID (S-1-5-21-3512747794-2064448692-4110259937-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    4/2/2010 11:05:09 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom
    4/1/2010 10:29:21 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Automatic LiveUpdate Scheduler service to connect.
    3/30/2010 10:57:15 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    3/27/2010 12:22:18 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft Office Word 2007 (KB974561).
    3/27/2010 12:21:49 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office Excel 2007 (KB978382).
    3/27/2010 12:21:42 PM, Error: Service Control Manager [7034] - The Trend Micro Central Control Component service terminated unexpectedly. It has done this 1 time(s).
    3/27/2010 12:21:23 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft Office InfoPath 2007 (KB976416).
    3/27/2010 12:20:57 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for the 2007 Microsoft Office System (KB978380).
    3/27/2010 12:16:42 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Trend Micro Proxy Service service to connect.
    3/27/2010 12:16:42 PM, Error: Service Control Manager [7000] - The Trend Micro Proxy Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    3/27/2010 12:16:11 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Modules Installer service to connect.
    3/27/2010 12:16:11 PM, Error: Service Control Manager [7000] - The Windows Modules Installer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    3/27/2010 12:16:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service TrustedInstaller with arguments " " in order to run the server: {752073A1-23F2-4396-85F0-8FDB879ED0ED}
    3/27/2010 12:13:38 PM, Error: Service Control Manager [7000] - The DgiVecp service failed to start due to the following error: The system cannot find the file specified.

    ==== End Of File ===========================
     
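As an added example (not from the post or from any tool named in this thread), here is a small Python triage of DDS-style "Event Viewer Messages" lines like those above: it parses each entry and flags the service failures a responder would want to look at first on a machine showing rogue-antivirus symptoms, namely the real security product's services crashing or failing to start, Windows Update and TrustedInstaller failing, and security-update installs failing. The sample lines are constructed from the log above; the category names and keyword list are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the DDS "Event Viewer Messages" lines in the post above
SAMPLE_DDS_EVENTS = """\
4/3/2010 8:16:53 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application.
3/30/2010 10:57:15 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
3/27/2010 12:21:49 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office Excel 2007 (KB978382).
3/27/2010 12:21:42 PM, Error: Service Control Manager [7034] - The Trend Micro Central Control Component service terminated unexpectedly. It has done this 1 time(s).
3/27/2010 12:16:42 PM, Error: Service Control Manager [7000] - The Trend Micro Proxy Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/27/2010 12:16:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service TrustedInstaller with arguments " " in order to run the server: {752073A1-23F2-4396-85F0-8FDB879ED0ED}
3/27/2010 12:13:38 PM, Error: Service Control Manager [7000] - The DgiVecp service failed to start due to the following error: The system cannot find the file specified.
"""

# One DDS event line: "<date time>, <Level>: <Source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Assumed keyword list: names of security products whose service failures deserve a second look
SECURITY_PRODUCT_HINTS = ("trend micro", "windows defender", "malwarebytes", "symantec", "liveupdate")
# Service Control Manager event IDs that indicate a service failed, hung, timed out or crashed
SCM_FAILURE_IDS = {"7000", "7009", "7022", "7034"}

def parse_events(text):
    """Parse DDS event lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in (EVENT_RE.match(l.strip()) for l in text.splitlines()) if m]

def classify(event):
    """Assign one assumed triage category to a parsed event."""
    msg, src, eid = event["message"].lower(), event["source"], event["event_id"]
    scm_failure = src == "Service Control Manager" and eid in SCM_FAILURE_IDS
    if scm_failure and any(hint in msg for hint in SECURITY_PRODUCT_HINTS):
        return "security-product-service-failure"   # the real AV being stopped is the key symptom
    if scm_failure and "windows update" in msg:
        return "windows-update-failure"
    if "windowsupdateclient" in src.lower() and "installation failure" in msg:
        return "update-install-failure"
    if "trustedinstaller" in msg:
        return "trusted-installer-failure"
    return "other"

def triage(text):
    """Return {category: count} for the event lines in text."""
    return dict(Counter(classify(e) for e in parse_events(text)))

if __name__ == "__main__":
    for category, count in sorted(triage(SAMPLE_DDS_EVENTS).items()):
        print(f"{count:2d}  {category}")
```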
  2. 2010/04/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.

    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file ", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    ===============================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2010/04/04
    pegmorell

    pegmorell Inactive Thread Starter

    Joined:
    2005/04/09
    Messages:
    75
    Likes Received:
    0
    Vista Defender attack solved?

    Sorry. Did not find your answer until 4-4. In the meantime I ran a reg.fix from Yahoo that I found by searching for Vista Defender.

    It appears to have worked.

    Do you recommend anything else?
     
  5. 2010/04/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yes. I recommend running the above scans.
     