Possible Trojan symptoms..yet trojan has been removed.

Jmars25 (Thread Starter) | Joined Dec 3, 2011 | Messages 26
Hello. Whenever I try to reinstall new software on my computer, it gives me the message "Windows cannot access specified file path" and the error's title is "cannot find file rundll32.exe". I've been having this problem since I got rid of the trojan virus I had. I used combofix and trend micro IS to remove it and try to repair, but that didn't help. My brother suggested trying "sfc /scannow" on command prompt but that didn't seem to do anything either. Here are the logs you requested and THANKS in advance for taking the time to help me :):

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:58:01 PM, on 12/3/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IELowutil.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2009.4.9.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 4624 bytes

Jmars25 (Thread Starter) | Joined Dec 3, 2011 | Messages 26
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Owner at 12:58:50 on 2011-12-03
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3006.1795 [GMT -5:00]
.
AV: Trend Micro Internet Security *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Internet Security *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall *Enabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\msiexec.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Internet Explorer\IELowutil.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: H - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [PlayNC Launcher]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.com:88/renderer/mabiweb.2009.4.9.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.10.24.1
TCP: Interfaces\{9F4BE488-68EB-4E56-A134-EF468755A4D2} : DhcpNameServer = 10.10.24.1
.
============= SERVICES / DRIVERS ===============
.
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2009-7-29 146448]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-6-5 21504]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2011-9-6 36624]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2009-7-29 283152]
R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2008-2-12 207360]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-7-29 51792]
R3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2011-3-28 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2011-3-28 689416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-03 17:55:27 388096 ----a-r- c:\users\owner\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-03 17:46:22 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{61678a0c-d106-45ed-b80a-afddafee3ef4}\offreg.dll
2011-12-02 16:01:11 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{61678a0c-d106-45ed-b80a-afddafee3ef4}\mpengine.dll
2011-12-01 04:04:37 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-12-01 04:04:37 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-12-01 04:04:36 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-12-01 04:04:36 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-12-01 04:04:35 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-12-01 04:04:35 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-12-01 04:04:34 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-12-01 04:04:34 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2011-11-23 14:45:36 -------- d-----w- C:\download
2011-11-23 14:04:47 -------- d-----w- c:\users\owner\appdata\roaming\GetRightToGo
2011-11-20 08:14:36 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2011-11-20 08:14:08 768544 ----a-w- c:\windows\system32\nvcplui.exe
2011-11-20 08:14:08 446464 ----a-w- c:\windows\system32\nvuninst.exe
2011-11-20 08:14:08 420384 ----a-w- c:\windows\system32\nvcpl.cpl
2011-11-20 08:14:08 313888 ----a-w- c:\windows\system32\nvexpbar.dll
2011-11-20 08:14:08 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
2011-11-09 08:46:54 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-11-09 08:46:53 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 08:46:49 707584 ----a-w- c:\program files\common files\system\wab32.dll
.
==================== Find3M ====================
.
2011-10-08 03:40:41 94208 ----a-w- c:\windows\DIIUnin.exe
2011-10-08 03:40:41 2829 ----a-w- c:\windows\DIIUnin.pif
2011-09-28 15:39:00 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-09-28 15:39:00 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-09-28 15:39:00 12067 ----atw- c:\windows\system32\SIntf16.dll
2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 12:59:19.60 ===============

Jmars25 (Thread Starter) | Joined Dec 3, 2011 | Messages 26
I tried to post this file log as I did the other ones...but for some reason it refuses to get posted....
I hope putting it as an attachment is ok >_<

Joined Aug 9, 2011 | Messages 808
Hi,
my name is Daniel and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.
  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, I will have to unsubscribe from this thread and move on to assist someone else.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.



"I used combofix and"
I see you ran ComboFix without being instructed to. I would like to quote a section of the ComboFix tutorial located here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.
Please look for a C:\Combofix.txt and post this in your next reply



Please press the Windows key + R, copy/paste the following single-line command into the Run box and click OK

notepad


Click on the Format Tab and make sure Wordwrap is unchecked.

Please launch DDS
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop and post both in your next reply



Please delete the current version of Gmer.



Please download Gmer from here and save it to your Desktop.
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries



Please post in your next reply
Combofix.txt
dds.txt
attach.txt
ark.txt

Jmars25 (Thread Starter) | Joined Dec 3, 2011 | Messages 26
Hi Daniel, how are you? Thank you for taking the time to help me out, I really appreciate it! :)

As far as Combofix goes, I ran that like 5 months ago to remove the trojan. A PC Repair business told me about Combofix and to run it to remove certain things that my antivirus may not have removed. They told me it was powerful and would check in hidden files and everything. After using it for a while (I used it as a second opinion to my antivirus), I no longer trusted the software and removed it. All logs that were made by the software were removed in the uninstallation. This was about 4 months ago, long before I started this post or even knew this forum existed. Did you want me to run combofix again and post the log from it or...?

Here are the other logs you requested:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Owner at 15:23:29 on 2011-12-13
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3006.1616 [GMT -5:00]
.
AV: Trend Micro Internet Security *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Internet Security *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall *Enabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: H - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [PlayNC Launcher]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.com:88/renderer/mabiweb.2009.4.9.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.10.24.1
TCP: Interfaces\{9F4BE488-68EB-4E56-A134-EF468755A4D2} : DhcpNameServer = 10.10.24.1
.
============= SERVICES / DRIVERS ===============
.
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2009-7-29 146448]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-6-5 21504]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2011-9-6 36624]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2009-7-29 283152]
R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2008-2-12 207360]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-7-29 51792]
R3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2011-3-28 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2011-3-28 689416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-13 12:07:36 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ca991bce-9231-4bdb-96a8-28d97fcba7cb}\offreg.dll
2011-12-13 06:35:56 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ca991bce-9231-4bdb-96a8-28d97fcba7cb}\mpengine.dll
2011-12-07 22:19:19 325632 ----a-w- c:\users\owner\appdata\local\ucm.exe
2011-12-03 17:55:27 388096 ----a-r- c:\users\owner\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-01 04:04:37 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-12-01 04:04:37 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-12-01 04:04:36 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-12-01 04:04:36 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-12-01 04:04:35 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-12-01 04:04:35 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-12-01 04:04:34 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-12-01 04:04:34 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2011-11-23 14:45:36 -------- d-----w- C:\download
2011-11-23 14:04:47 -------- d-----w- c:\users\owner\appdata\roaming\GetRightToGo
2011-11-20 08:14:36 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2011-11-20 08:14:08 768544 ----a-w- c:\windows\system32\nvcplui.exe
2011-11-20 08:14:08 446464 ----a-w- c:\windows\system32\nvuninst.exe
2011-11-20 08:14:08 420384 ----a-w- c:\windows\system32\nvcpl.cpl
2011-11-20 08:14:08 313888 ----a-w- c:\windows\system32\nvexpbar.dll
2011-11-20 08:14:08 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
.
==================== Find3M ====================
.
2011-10-08 03:40:41 94208 ----a-w- c:\windows\DIIUnin.exe
2011-10-08 03:40:41 2829 ----a-w- c:\windows\DIIUnin.pif
2011-09-28 15:39:00 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-09-28 15:39:00 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-09-28 15:39:00 12067 ----atw- c:\windows\system32\SIntf16.dll
2011-09-20 21:02:55 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
============= FINISH: 15:23:54.97 ===============




.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume1
Install Date: 4/27/2010 4:59:01 PM
System Uptime: 12/13/2011 7:07:14 AM (8 hours ago)
.
Motherboard: ECS | | Iris8
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+ | Socket AM2 | 2500/201mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 285.205 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP601: 12/1/2011 7:23:55 PM - Installed NCsoft Launcher
RP602: 12/2/2011 11:00:37 AM - Windows Update
RP604: 12/2/2011 11:07:27 AM - Installed NCsoft Launcher
RP605: 12/3/2011 3:14:33 AM - Scheduled Checkpoint
RP606: 12/3/2011 12:55:02 PM - Installed HiJackThis
RP607: 12/4/2011 11:59:14 PM - Scheduled Checkpoint
RP608: 12/5/2011 6:38:23 PM - Scheduled Checkpoint
RP609: 12/6/2011 3:57:43 PM - Windows Update
RP610: 12/8/2011 2:11:34 AM - Windows Update
RP611: 12/9/2011 1:50:53 AM - Scheduled Checkpoint
RP612: 12/9/2011 2:11:34 AM - Windows Update
RP613: 12/10/2011 12:00:01 AM - Scheduled Checkpoint
RP614: 12/11/2011 12:00:01 AM - Scheduled Checkpoint
RP615: 12/12/2011 3:35:25 AM - Scheduled Checkpoint
RP616: 12/13/2011 1:35:31 AM - Windows Update
.
==== Installed Programs ======================
.
µTorrent
Adobe Flash Player 10 ActiveX
AVG PC Tuneup 2011
Bandisoft MPEG-1 Decoder
D3DX10
DFOLauncher
Diablo
Diablo II
Divinity II - Ego Draconis
Download Manager 2.3.10
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java Auto Updater
Java(TM) 6 Update 20
Lineage®: Season 3: Episode 1.2: Crack of Time, Tikal+Antharas Update
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSVCRT
NCsoft Launcher
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA PhysX
OEM Logo and Information
Pando Media Booster
PCIe Soft Data Fax Modem with SmartCP
PopTag!
Realtek High Definition Audio Driver
RuneScape Launcher 1.1
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Segoe UI
System Requirements Lab
TeamSpeak 3 Client
Trend Micro Internet Security
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Ventrilo Client
Vindictus
VLC media player 1.0.1
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
.
==== Event Viewer Messages From Past Week ========
.
12/12/2011 8:04:10 PM, Error: Microsoft-Windows-ResourcePublication [1002] - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish. Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.
.
==== End Of File ===========================



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-13 16:26:24
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000056 ST350041 rev.CC38
Running: ipo9m6ox.exe; Driver: C:\Users\Owner\AppData\Local\Temp\uwldapow.sys

---- System - GMER 1.0.15 ----
SSDT 884950A0 ZwCreateKey
SSDT 884963E0 ZwCreateMutant
SSDT 884942E0 ZwCreateProcess
SSDT 884945A0 ZwCreateProcessEx
SSDT 88495F00 ZwCreateThread
SSDT 88495620 ZwDeleteKey
SSDT 884958E0 ZwDeleteValueKey
SSDT 88496240 ZwLoadDriver
SSDT 88494B20 ZwOpenProcess
SSDT 88496580 ZwSetSystemInformation
SSDT 88495360 ZwSetValueKey
SSDT 88494DE0 ZwTerminateProcess
SSDT 88495D60 ZwWriteVirtualMemory
SSDT 884960A0 ZwCreateThreadEx
SSDT 88494860 ZwCreateUserProcess
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
---- EOF - GMER 1.0.15 ----
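A small triage script, added here as an example and not part of this thread or of any of the tools named in it. It automates the first pass a helper makes over logs like the ones above: HijackThis entries whose registered file is gone (the R3/O3/O23 "(no file)" and "(file missing)" lines) and DDS "Created Last 30" entries for executables under a user profile directory (the ucm.exe line under AppData\Local). The sample lines are copied from the logs posted above; a hit means "verify this entry", not "this is malware".

```python
"""Triage helper for HijackThis and DDS log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# HijackThis entry, e.g. "O23 - Service: ... (file missing)"
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
# DDS "Created Last 30" / "Find3M" entry: date time size attrs path
DDS_ENTRY = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
MISSING_MARKERS = ("(no file)", "(file missing)")
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".pif", ".sys")
# Writable per-user locations where dropped executables commonly land
USER_PROFILE_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")


@dataclass
class Finding:
    source: str  # "hjt" or "dds"
    reason: str
    line: str


def triage_hjt(lines):
    """Flag HijackThis entries that register a component whose file is gone
    (orphaned hooks, toolbars, services) or that autostart something from a
    user profile directory."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        lower = m.group("body").lower()
        if any(marker in lower for marker in MISSING_MARKERS):
            findings.append(Finding("hjt", "registered component whose file is missing", line))
        elif m.group("section") == "O4" and any(d in lower for d in USER_PROFILE_DIRS):
            findings.append(Finding("hjt", "autostart entry inside a user profile directory", line))
    return findings


def triage_dds_created(lines):
    """Flag recently created executables under a user profile directory.
    Legitimate installers land there too (HiJackThis.exe in the sample), so a
    hit means 'verify', not 'malware'."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = DDS_ENTRY.match(line)
        if not m:
            continue
        path = m.group("path").lower()
        if path.endswith(EXEC_SUFFIXES) and any(d in path for d in USER_PROFILE_DIRS):
            findings.append(Finding("dds", "recently created executable in a user profile directory", line))
    return findings


def run_triage(hjt_text, dds_text):
    """Run both passes and return the combined list of findings."""
    return triage_hjt(hjt_text.splitlines()) + triage_dds_created(dds_text.splitlines())


# Sample input: lines copied from the HijackThis and DDS logs posted in this thread.
HJT_SAMPLE = r"""
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
"""

DDS_SAMPLE = r"""
2011-12-07 22:19:19 325632 ----a-w- c:\users\owner\appdata\local\ucm.exe
2011-12-03 17:55:27 388096 ----a-r- c:\users\owner\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-01 04:04:37 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-11-23 14:45:36 -------- d-----w- C:\download
"""

if __name__ == "__main__":
    for f in run_triage(HJT_SAMPLE, DDS_SAMPLE):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

On the sample it flags the two orphaned (no file) entries, the GameGuard service with its missing file, and the two user-profile executables; the ComboFix log later in the thread shows ucm.exe among the deletions, while HiJackThis.exe is the installer cache of a tool the poster installed.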

Joined Aug 9, 2011 | Messages 808
"A PC Repair business told me about Combofix and to run it to remove certain things"
:eek:

"i used it as a second opinion to my antivirus"
Now you've learned you shouldn't do this, and maybe tell this to the people from this PC Repair business :D


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to this topic How to disable your security applications


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

*Note - if after running ComboFix you see a message similar to 'registry key marked for deletion..' rebooting the machine will resolve that.



Please post in your next reply
Combofix.txt
 

Jmars25

Thread Starter
Joined
Dec 3, 2011
Messages
26
ComboFix 11-12-13.03 - Owner 12/14/2011 10:48:49.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3006.1886 [GMT -5:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
FW: Trend Micro Personal Firewall *Enabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
SP: Trend Micro Internet Security *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Owner\AppData\Local\ucm.exe
c:\users\Owner\AppData\Roaming\Adobe\plugs
c:\users\Owner\AppData\Roaming\Adobe\shed
c:\windows\system32\service
c:\windows\system32\service\01052011_TIS17_SfFniAU.log
c:\windows\system32\service\01102011_TIS17_SfFniAU.log
c:\windows\system32\service\02092011_TIS17_SfFniAU.log
c:\windows\system32\service\04122011_TIS17_SfFniAU.log
c:\windows\system32\service\06072011_TIS17_SfFniAU.log
c:\windows\system32\service\07082011_TIS17_SfFniAU.log
c:\windows\system32\service\07102011_TIS17_SfFniAU.log
c:\windows\system32\service\09052011_TIS17_SfFniAU.log
c:\windows\system32\service\09082011_TIS17_SfFniAU.log
c:\windows\system32\service\11062011_TIS17_SfFniAU.log
c:\windows\system32\service\11072011_TIS17_SfFniAU.log
c:\windows\system32\service\13042011_TIS17_SfFniAU.log
c:\windows\system32\service\16082011_TIS17_SfFniAU.log
c:\windows\system32\service\17042011_TIS17_SfFniAU.log
c:\windows\system32\service\17092011_TIS17_SfFniAU.log
c:\windows\system32\service\19042011_TIS17_SfFniAU.log
c:\windows\system32\service\20082011_TIS17_SfFniAU.log
c:\windows\system32\service\24062011_TIS17_SfFniAU.log
c:\windows\system32\service\26112011_TIS17_SfFniAU.log
c:\windows\system32\service\27052011_TIS17_SfFniAU.log
c:\windows\system32\service\27092011_TIS17_SfFniAU.log
c:\windows\system32\service\29042011_TIS17_SfFniAU.log
c:\windows\system32\service\29052011_TIS17_SfFniAU.log
.
.
((((((((((((((((((((((((( Files Created from 2011-11-14 to 2011-12-14 )))))))))))))))))))))))))))))))
.
.
2011-12-14 15:53 . 2011-12-14 15:53 -------- d-----w- c:\users\Owner\AppData\Local\temp
2011-12-14 15:53 . 2011-12-14 15:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-12-14 15:53 . 2011-12-14 15:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-14 02:04 . 2011-12-14 02:04 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CA991BCE-9231-4BDB-96A8-28D97FCBA7CB}\offreg.dll
2011-12-13 06:35 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CA991BCE-9231-4BDB-96A8-28D97FCBA7CB}\mpengine.dll
2011-12-03 17:55 . 2011-12-03 17:55 388096 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-01 04:15 . 2011-12-01 04:15 -------- d-----w- c:\users\Owner\AppData\Roaming\InstallShield
2011-12-01 04:04 . 2010-06-02 09:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-12-01 04:04 . 2010-06-02 09:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-12-01 04:04 . 2010-06-02 09:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-12-01 04:04 . 2010-05-26 16:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-12-01 04:04 . 2010-05-26 16:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-12-01 04:04 . 2010-05-26 16:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-12-01 04:04 . 2010-05-26 16:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-12-01 04:04 . 2010-05-26 16:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2011-11-23 14:45 . 2011-11-23 14:45 -------- d-----w- C:\download
2011-11-23 14:04 . 2011-11-23 14:43 -------- d-----w- c:\users\Owner\AppData\Roaming\GetRightToGo
2011-11-20 08:14 . 2008-07-08 13:45 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2011-11-20 08:14 . 2008-07-30 01:33 446464 ----a-w- c:\windows\system32\nvuninst.exe
2011-11-20 08:14 . 2008-05-23 02:49 768544 ----a-w- c:\windows\system32\nvcplui.exe
2011-11-20 08:14 . 2008-05-23 02:49 420384 ----a-w- c:\windows\system32\nvcpl.cpl
2011-11-20 08:14 . 2008-05-23 02:49 313888 ----a-w- c:\windows\system32\nvexpbar.dll
2011-11-20 08:14 . 2008-05-23 02:49 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-08 03:40 . 2011-10-08 03:40 94208 ----a-w- c:\windows\DIIUnin.exe
2011-10-08 03:40 . 2011-10-08 03:40 2829 ----a-w- c:\windows\DIIUnin.pif
2011-09-30 03:49 . 2011-03-28 22:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-09-28 15:39 . 2010-07-21 22:43 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-09-28 15:39 . 2010-07-21 22:43 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-09-28 15:39 . 2010-07-21 22:43 12067 ----atw- c:\windows\system32\SIntf16.dll
2011-09-20 21:02 . 2011-11-09 08:46 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-07-08 3077528]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2011-07-08 14:12 3077528 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-08-02 3732680]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2010-07-19 51792]
R3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-07-29 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-07-29 689416]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2009-07-29 146448]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2011-07-12 36624]
S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2009-07-29 283152]
S3 HSXHWBS3;HSXHWBS3;c:\windows\system32\DRIVERS\HSXHWBS3.sys [2008-02-12 207360]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 10.10.24.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-PlayNC Launcher - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-14 10:53
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-12-14 10:55:21
ComboFix-quarantined-files.txt 2011-12-14 15:55
ComboFix2.txt 2010-12-29 04:40
.
Pre-Run: 320,345,874,432 bytes free
Post-Run: 325,446,529,024 bytes free
.
- - End Of File - - B8948336F5484423A197A3C9FD207742
 
Joined
Aug 9, 2011
Messages
808
How is your system behaving now ?



Download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop.
Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.



Please post in your next reply
MBAM Log
 

Jmars25

Thread Starter
Joined
Dec 3, 2011
Messages
26
Baaahh... sneaky trojans! Trend Micro IS didn't pick them up, apparently :/. What do you mean by "how is my system behaving?" Are you asking about after ComboFix or after Malwarebytes?

After running Malwarebytes, I was finally able to access my Windows Firewall settings. I kept getting some run32dll error message every time I tried to access the firewall settings. The Internet seems to be running a little faster too, I think; this page loaded pretty fast, unlike what it was doing when I started the post.


here's the log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8377
Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421
12/15/2011 2:28:21 PM
mbam-log-2011-12-15 (14-28-21).txt
Scan type: Quick scan
Objects scanned: 154903
Time elapsed: 2 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\B60JHDGR6V (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\JP595IR86O (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
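The two logs above are read by eye in the thread; the script below is an added example, written for this page and not part of ComboFix, GMER, Malwarebytes or the helper's instructions. It does the two checks a responder performs on such logs: it parses the ComboFix "Reg Loading Points" and "ORPHANS REMOVED" sections and flags autostart entries that run from user-writable directories, and it flags registry key names that look machine-generated, like the two Trojan.FakeAlert keys MBAM quarantined (B60JHDGR6V, JP595IR86O). Sample lines are copied from the posted logs; the "ucm" Run value is constructed for illustration (ComboFix deleted c:\users\Owner\AppData\Local\ucm.exe, but no Run value for it appears in the log), and the trusted-directory list and the random-name heuristic are assumptions, not vendor signatures.

```python
r"""Triage helpers for ComboFix and MBAM style logs (added example, not
code from the thread or from any of the tools named in it).

The trusted-directory list and the random-name heuristic are assumptions;
tune them before relying on the output."""
import re

# Constructed sample in ComboFix's format: lines copied from the posted log,
# plus one made-up "ucm" Run value pointing at the AppData file ComboFix removed.
SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-07-08 3077528]
"ucm"="c:\users\Owner\AppData\Local\ucm.exe" [2011-12-01 45056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
HKCU-Run-PlayNC Launcher - (no file)
"""

# Key names: the two from the posted MBAM log plus ordinary ones for contrast (constructed).
SAMPLE_KEYS = ["B60JHDGR6V", "JP595IR86O", "Microsoft", "Trend Micro",
               "Pando Networks", "7-Zip", "Classes"]

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[(\d{4}-\d{2}-\d{2}) (\d+)\]')
ORPHAN_RE = re.compile(r"^(.+?) - \(no file\)$")

# Assumption: autostarts outside these trees (AppData, Temp, ProgramData...)
# deserve a second look; malware droppers rarely get to write into Program Files.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Assumption: an all-uppercase alphanumeric name of 8-16 characters mixing
# letters and digits is almost never a vendor key under HKCU/Software.
RANDOM_NAME_RE = re.compile(r"^[A-Z0-9]{8,16}$")


def parse_loading_points(log):
    """Return autostart entries as dicts (key, name, path, date, size)."""
    entries, key = [], None
    for line in log.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # remember which hive/key the values belong to
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            name, path, date, size = m.groups()
            entries.append({"key": key, "name": name, "path": path,
                            "date": date, "size": int(size)})
    return entries


def parse_orphans(log):
    """Return the entries ComboFix listed under 'ORPHANS REMOVED' (targets gone, value left)."""
    found, in_section = [], False
    for line in log.splitlines():
        if "ORPHANS REMOVED" in line:
            in_section = True
            continue
        if in_section:
            m = ORPHAN_RE.match(line)
            if m:
                found.append(m.group(1))
    return found


def untrusted_autostarts(entries):
    """Entries whose target lives outside the OS / Program Files trees."""
    return [e for e in entries if not e["path"].lower().startswith(TRUSTED_DIRS)]


def looks_generated(key_name):
    """Heuristic for FakeAlert-style random key names (see RANDOM_NAME_RE)."""
    if not RANDOM_NAME_RE.match(key_name):
        return False
    return any(c.isdigit() for c in key_name) and any(c.isalpha() for c in key_name)


def suspicious_keys(names):
    return [n for n in names if looks_generated(n)]


if __name__ == "__main__":
    for e in untrusted_autostarts(parse_loading_points(SAMPLE_COMBOFIX)):
        print(f"REVIEW  {e['key']}\\{e['name']} -> {e['path']} ({e['date']}, {e['size']} bytes)")
    for o in parse_orphans(SAMPLE_COMBOFIX):
        print(f"ORPHAN  {o}")
    for k in suspicious_keys(SAMPLE_KEYS):
        print(f"RANDOM  HKCU\\SOFTWARE\\{k}")
```

On the posted log this reports only the constructed "ucm" entry and the two orphans; the real Run values all resolve into Program Files or System32, which is consistent with the helper moving on to a Malwarebytes scan rather than more ComboFix work. Orphans are worth keeping in the notes: a "(no file)" value means something was removed but its autostart hook stayed behind, which is exactly the kind of leftover that produces "cannot find file" errors like the rundll32.exe one the thread opened with.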
 