
Possible Trojan symptoms... yet trojan has been removed.

Discussion in 'Virus & Other Malware Removal' started by Jmars25, Dec 3, 2011.

Thread Status:
Not open for further replies.
  1. Jmars25

    Jmars25 Thread Starter

    Joined:
    Dec 3, 2011
    Messages:
    26
    Hello. Whenever I try to reinstall new software on my computer, it gives me the message "Windows cannot access specified file path" and the error's title is "cannot find file rundll32.exe". I've been having this problem since I got rid of the trojan virus I had. I used ComboFix and Trend Micro IS to remove it and try to repair, but that didn't help. My brother suggested trying "sfc /scannow" on command prompt but that didn't seem to do anything either. Here are the logs you requested and THANKS in advance for taking the time to help me :):

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:58:01 PM, on 12/3/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v9.00 (9.00.8112.16421)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Pando Networks\Media Booster\PMB.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IELowutil.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
    O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2009.4.9.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
    --
    End of file - 4624 bytes
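    A small triage parser for the HijackThis log format posted above, added here as an example (it is not code from the thread, from Trend Micro, or from the forum's helpers). It flags autoruns hosted by rundll32.exe, which is where a missing rundll32.exe bites, and entries whose backing file is absent; the sample lines are a constructed subset copied from the log above.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not part of the thread or of any Trend Micro tool. It parses the
R/O-section lines (R0..R3, O2..O23) and flags what a malware helper reads first:
autoruns hosted by rundll32.exe and entries whose backing file is absent.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a subset of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
End of file - 4624 bytes
"""

# "O4 - HKLM\..\Run: [Name] command" -> section code and the rest of the line
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# body of an O4 line: hive, value name, command line
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return one Entry per R/O line; other lines (processes, headers) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        e = Entry(m.group("section"), m.group("body"))
        low = e.body.lower()
        # HJT prints these markers when the registry still points at a file that
        # is gone: a leftover of a removed component or of a sloppy uninstall.
        if "(no file)" in low or "(file missing)" in low:
            e.flags.append("missing-file")
        if e.section == "O23" and "- unknown owner -" in low:
            e.flags.append("unknown-owner")
        if e.section == "O4":
            rm = RUN_RE.match(e.body)
            # A rundll32-hosted autorun only works while rundll32.exe itself is
            # present, which is exactly what the OP's error message says it is not.
            if rm and rm.group("cmd").lower().lstrip('"').startswith("rundll32"):
                e.flags.append("rundll32-hosted")
        entries.append(e)
    return entries


def triage(text):
    """Group the bodies of flagged entries by flag name."""
    report = defaultdict(list)
    for e in parse_hjt(text):
        for flag in e.flags:
            report[flag].append(e.body)
    return dict(report)


if __name__ == "__main__":
    for flag, bodies in sorted(triage(SAMPLE_LOG).items()):
        print(f"[{flag}]")
        for body in bodies:
            print("   ", body)
```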
     
  2. Jmars25

    Jmars25 Thread Starter

    Joined:
    Dec 3, 2011
    Messages:
    26
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421
    Run by Owner at 12:58:50 on 2011-12-03
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3006.1795 [GMT -5:00]
    .
    AV: Trend Micro Internet Security *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
    SP: Trend Micro Internet Security *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: Trend Micro Personal Firewall *Enabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Pando Networks\Media Booster\PMB.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\msiexec.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Program Files\Internet Explorer\IELowutil.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uURLSearchHooks: H - No File
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
    uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [PlayNC Launcher]
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
    DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.com:88/renderer/mabiweb.2009.4.9.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 10.10.24.1
    TCP: Interfaces\{9F4BE488-68EB-4E56-A134-EF468755A4D2} : DhcpNameServer = 10.10.24.1
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2009-7-29 146448]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-6-5 21504]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2011-9-6 36624]
    R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2009-7-29 283152]
    R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2008-2-12 207360]
    R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-7-29 51792]
    R3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2011-3-28 497008]
    R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2011-3-28 689416]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-12-03 17:55:27 388096 ----a-r- c:\users\owner\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-12-03 17:46:22 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{61678a0c-d106-45ed-b80a-afddafee3ef4}\offreg.dll
    2011-12-02 16:01:11 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{61678a0c-d106-45ed-b80a-afddafee3ef4}\mpengine.dll
    2011-12-01 04:04:37 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
    2011-12-01 04:04:37 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
    2011-12-01 04:04:36 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
    2011-12-01 04:04:36 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
    2011-12-01 04:04:35 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
    2011-12-01 04:04:35 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
    2011-12-01 04:04:34 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
    2011-12-01 04:04:34 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
    2011-11-23 14:45:36 -------- d-----w- C:\download
    2011-11-23 14:04:47 -------- d-----w- c:\users\owner\appdata\roaming\GetRightToGo
    2011-11-20 08:14:36 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
    2011-11-20 08:14:08 768544 ----a-w- c:\windows\system32\nvcplui.exe
    2011-11-20 08:14:08 446464 ----a-w- c:\windows\system32\nvuninst.exe
    2011-11-20 08:14:08 420384 ----a-w- c:\windows\system32\nvcpl.cpl
    2011-11-20 08:14:08 313888 ----a-w- c:\windows\system32\nvexpbar.dll
    2011-11-20 08:14:08 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
    2011-11-09 08:46:54 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-11-09 08:46:53 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-09 08:46:49 707584 ----a-w- c:\program files\common files\system\wab32.dll
    .
    ==================== Find3M ====================
    .
    2011-10-08 03:40:41 94208 ----a-w- c:\windows\DIIUnin.exe
    2011-10-08 03:40:41 2829 ----a-w- c:\windows\DIIUnin.pif
    2011-09-28 15:39:00 21840 ----atw- c:\windows\system32\SIntfNT.dll
    2011-09-28 15:39:00 17212 ----atw- c:\windows\system32\SIntf32.dll
    2011-09-28 15:39:00 12067 ----atw- c:\windows\system32\SIntf16.dll
    2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 12:59:19.60 ===============
     
  3. Jmars25

    Jmars25 Thread Starter

    Joined:
    Dec 3, 2011
    Messages:
    26
    Forgot to add this attachment... oops.
     

    Attached Files:

  4. Jmars25

    Jmars25 Thread Starter

    Joined:
    Dec 3, 2011
    Messages:
    26
    I tried to post this file log as I did the other ones... but for some reason it refuses to get posted....
    I hope putting it as an attachment is ok >_<
     

    Attached Files:

    • ark.txt (135.7 KB)
  10. Larusso

    Larusso

    Joined:
    Aug 9, 2011
    Messages:
    808
    Hi,
    my name is Daniel and I will be assisting you with your malware-related problems.

    Before we move on, please read the following points carefully.
    • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
    • Perform everything in the correct order. Sometimes one step requires the previous one.
    • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
    • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
    • Post all logfiles as a reply rather than as an attachment unless I specifically ask you to. If you cannot post all logfiles in one reply, feel free to use more posts.
    • If I don't hear from you within 3 days from this initial or any subsequent post, I will have to unsubscribe from this thread and move on to assist someone else.
    • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
    • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.



    I see you ran ComboFix without being instructed to. I would like to quote a section of the ComboFix tutorial located here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please look for a C:\Combofix.txt and post this in your next reply



    Please press the Windows key + R, copy/paste the following single-line command into the Run box and click OK:

    notepad

    Click on the Format tab and make sure Word Wrap is unchecked.

    Please launch DDS
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop and post both in your next reply



    Please delete the current version of Gmer.



    Please download Gmer from here and save it to your Desktop.
    • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



    Please post in your next reply
    Combofix.txt
    dds.txt
    attach.txt
    ark.txt
     
  11. Jmars25

    Jmars25 Thread Starter

    Joined:
    Dec 3, 2011
    Messages:
    26
    Hi Daniel, how are you? Thank you for taking the time to help me out, I really appreciate it! :)

    As far as ComboFix goes, I ran that like 5 months ago to remove the trojan. A PC repair business told me about ComboFix and to run it to remove certain things that my antivirus may not have removed. They told me it was powerful and would check in hidden files and everything. After using it for a while (I used it as a second opinion to my antivirus), I no longer trusted the software and removed it. All logs that were made by the software were removed in the uninstallation. This was about 4 months ago, long before I started this post or even knew this forum existed. Did you want me to run ComboFix again and post the log from it or...?

    Here are the other logs you requested:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421
    Run by Owner at 15:23:29 on 2011-12-13
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3006.1616 [GMT -5:00]
    .
    AV: Trend Micro Internet Security *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
    SP: Trend Micro Internet Security *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: Trend Micro Personal Firewall *Enabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uURLSearchHooks: H - No File
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
    uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [PlayNC Launcher]
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
    DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.com:88/renderer/mabiweb.2009.4.9.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 10.10.24.1
    TCP: Interfaces\{9F4BE488-68EB-4E56-A134-EF468755A4D2} : DhcpNameServer = 10.10.24.1
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2009-7-29 146448]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-6-5 21504]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2011-9-6 36624]
    R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2009-7-29 283152]
    R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2008-2-12 207360]
    R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-7-29 51792]
    R3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2011-3-28 497008]
    R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2011-3-28 689416]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-12-13 12:07:36 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ca991bce-9231-4bdb-96a8-28d97fcba7cb}\offreg.dll
    2011-12-13 06:35:56 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ca991bce-9231-4bdb-96a8-28d97fcba7cb}\mpengine.dll
    2011-12-07 22:19:19 325632 ----a-w- c:\users\owner\appdata\local\ucm.exe
    2011-12-03 17:55:27 388096 ----a-r- c:\users\owner\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-12-01 04:04:37 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
    2011-12-01 04:04:37 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
    2011-12-01 04:04:36 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
    2011-12-01 04:04:36 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
    2011-12-01 04:04:35 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
    2011-12-01 04:04:35 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
    2011-12-01 04:04:34 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
    2011-12-01 04:04:34 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
    2011-11-23 14:45:36 -------- d-----w- C:\download
    2011-11-23 14:04:47 -------- d-----w- c:\users\owner\appdata\roaming\GetRightToGo
    2011-11-20 08:14:36 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
    2011-11-20 08:14:08 768544 ----a-w- c:\windows\system32\nvcplui.exe
    2011-11-20 08:14:08 446464 ----a-w- c:\windows\system32\nvuninst.exe
    2011-11-20 08:14:08 420384 ----a-w- c:\windows\system32\nvcpl.cpl
    2011-11-20 08:14:08 313888 ----a-w- c:\windows\system32\nvexpbar.dll
    2011-11-20 08:14:08 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
    .
    ==================== Find3M ====================
    .
    2011-10-08 03:40:41 94208 ----a-w- c:\windows\DIIUnin.exe
    2011-10-08 03:40:41 2829 ----a-w- c:\windows\DIIUnin.pif
    2011-09-28 15:39:00 21840 ----atw- c:\windows\system32\SIntfNT.dll
    2011-09-28 15:39:00 17212 ----atw- c:\windows\system32\SIntf32.dll
    2011-09-28 15:39:00 12067 ----atw- c:\windows\system32\SIntf16.dll
    2011-09-20 21:02:55 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
    .
    ============= FINISH: 15:23:54.97 ===============




    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/27/2010 4:59:01 PM
    System Uptime: 12/13/2011 7:07:14 AM (8 hours ago)
    .
    Motherboard: ECS | | Iris8
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+ | Socket AM2 | 2500/201mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 466 GiB total, 285.205 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP601: 12/1/2011 7:23:55 PM - Installed NCsoft Launcher
    RP602: 12/2/2011 11:00:37 AM - Windows Update
    RP604: 12/2/2011 11:07:27 AM - Installed NCsoft Launcher
    RP605: 12/3/2011 3:14:33 AM - Scheduled Checkpoint
    RP606: 12/3/2011 12:55:02 PM - Installed HiJackThis
    RP607: 12/4/2011 11:59:14 PM - Scheduled Checkpoint
    RP608: 12/5/2011 6:38:23 PM - Scheduled Checkpoint
    RP609: 12/6/2011 3:57:43 PM - Windows Update
    RP610: 12/8/2011 2:11:34 AM - Windows Update
    RP611: 12/9/2011 1:50:53 AM - Scheduled Checkpoint
    RP612: 12/9/2011 2:11:34 AM - Windows Update
    RP613: 12/10/2011 12:00:01 AM - Scheduled Checkpoint
    RP614: 12/11/2011 12:00:01 AM - Scheduled Checkpoint
    RP615: 12/12/2011 3:35:25 AM - Scheduled Checkpoint
    RP616: 12/13/2011 1:35:31 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Adobe Flash Player 10 ActiveX
    AVG PC Tuneup 2011
    Bandisoft MPEG-1 Decoder
    D3DX10
    DFOLauncher
    Diablo
    Diablo II
    Divinity II - Ego Draconis
    Download Manager 2.3.10
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Java Auto Updater
    Java(TM) 6 Update 20
    Lineage®: Season 3: Episode 1.2: Crack of Time, Tikal+Antharas Update
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MSVCRT
    NCsoft Launcher
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA PhysX
    OEM Logo and Information
    Pando Media Booster
    PCIe Soft Data Fax Modem with SmartCP
    PopTag!
    Realtek High Definition Audio Driver
    RuneScape Launcher 1.1
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Segoe UI
    System Requirements Lab
    TeamSpeak 3 Client
    Trend Micro Internet Security
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Ventrilo Client
    Vindictus
    VLC media player 1.0.1
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/12/2011 8:04:10 PM, Error: Microsoft-Windows-ResourcePublication [1002] - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish. Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.
    .
    ==== End Of File ===========================



    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-13 16:26:24
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000056 ST350041 rev.CC38
    Running: ipo9m6ox.exe; Driver: C:\Users\Owner\AppData\Local\Temp\uwldapow.sys

    ---- System - GMER 1.0.15 ----
    SSDT 884950A0 ZwCreateKey
    SSDT 884963E0 ZwCreateMutant
    SSDT 884942E0 ZwCreateProcess
    SSDT 884945A0 ZwCreateProcessEx
    SSDT 88495F00 ZwCreateThread
    SSDT 88495620 ZwDeleteKey
    SSDT 884958E0 ZwDeleteValueKey
    SSDT 88496240 ZwLoadDriver
    SSDT 88494B20 ZwOpenProcess
    SSDT 88496580 ZwSetSystemInformation
    SSDT 88495360 ZwSetValueKey
    SSDT 88494DE0 ZwTerminateProcess
    SSDT 88495D60 ZwWriteVirtualMemory
    SSDT 884960A0 ZwCreateThreadEx
    SSDT 88494860 ZwCreateUserProcess
    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    ---- EOF - GMER 1.0.15 ----
     
  12. Larusso

    Larusso

    Joined:
    Aug 9, 2011
    Messages:
    808
    :eek:

    Now you've learned you shouldn't do this, and maybe tell this to the people from this PC Repair Business :D


    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT- Save ComboFix.exe to your Desktop

    ====================================================


    Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to this topic How to disable your security applications


    ====================================================


    Double click on combofix.exe & follow the prompts.


    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

    *Note - if after running ComboFix you see a message similar to 'registry key marked for deletion..', rebooting the machine will resolve that.



    Please post in your next reply
    Combofix.txt
     
  13. Jmars25

    Jmars25 Thread Starter

    Joined:
    Dec 3, 2011
    Messages:
    26
    ComboFix 11-12-13.03 - Owner 12/14/2011 10:48:49.2.2 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3006.1886 [GMT -5:00]
    Running from: c:\users\Owner\Desktop\ComboFix.exe
    AV: Trend Micro Internet Security *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
    FW: Trend Micro Personal Firewall *Enabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
    SP: Trend Micro Internet Security *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Owner\AppData\Local\ucm.exe
    c:\users\Owner\AppData\Roaming\Adobe\plugs
    c:\users\Owner\AppData\Roaming\Adobe\shed
    c:\windows\system32\service
    c:\windows\system32\service\01052011_TIS17_SfFniAU.log
    c:\windows\system32\service\01102011_TIS17_SfFniAU.log
    c:\windows\system32\service\02092011_TIS17_SfFniAU.log
    c:\windows\system32\service\04122011_TIS17_SfFniAU.log
    c:\windows\system32\service\06072011_TIS17_SfFniAU.log
    c:\windows\system32\service\07082011_TIS17_SfFniAU.log
    c:\windows\system32\service\07102011_TIS17_SfFniAU.log
    c:\windows\system32\service\09052011_TIS17_SfFniAU.log
    c:\windows\system32\service\09082011_TIS17_SfFniAU.log
    c:\windows\system32\service\11062011_TIS17_SfFniAU.log
    c:\windows\system32\service\11072011_TIS17_SfFniAU.log
    c:\windows\system32\service\13042011_TIS17_SfFniAU.log
    c:\windows\system32\service\16082011_TIS17_SfFniAU.log
    c:\windows\system32\service\17042011_TIS17_SfFniAU.log
    c:\windows\system32\service\17092011_TIS17_SfFniAU.log
    c:\windows\system32\service\19042011_TIS17_SfFniAU.log
    c:\windows\system32\service\20082011_TIS17_SfFniAU.log
    c:\windows\system32\service\24062011_TIS17_SfFniAU.log
    c:\windows\system32\service\26112011_TIS17_SfFniAU.log
    c:\windows\system32\service\27052011_TIS17_SfFniAU.log
    c:\windows\system32\service\27092011_TIS17_SfFniAU.log
    c:\windows\system32\service\29042011_TIS17_SfFniAU.log
    c:\windows\system32\service\29052011_TIS17_SfFniAU.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-14 to 2011-12-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-14 15:53 . 2011-12-14 15:53 -------- d-----w- c:\users\Owner\AppData\Local\temp
    2011-12-14 15:53 . 2011-12-14 15:53 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-12-14 15:53 . 2011-12-14 15:53 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-14 02:04 . 2011-12-14 02:04 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CA991BCE-9231-4BDB-96A8-28D97FCBA7CB}\offreg.dll
    2011-12-13 06:35 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CA991BCE-9231-4BDB-96A8-28D97FCBA7CB}\mpengine.dll
    2011-12-03 17:55 . 2011-12-03 17:55 388096 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-12-01 04:15 . 2011-12-01 04:15 -------- d-----w- c:\users\Owner\AppData\Roaming\InstallShield
    2011-12-01 04:04 . 2010-06-02 09:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
    2011-12-01 04:04 . 2010-06-02 09:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
    2011-12-01 04:04 . 2010-06-02 09:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
    2011-12-01 04:04 . 2010-05-26 16:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
    2011-12-01 04:04 . 2010-05-26 16:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
    2011-12-01 04:04 . 2010-05-26 16:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
    2011-12-01 04:04 . 2010-05-26 16:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
    2011-12-01 04:04 . 2010-05-26 16:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
    2011-11-23 14:45 . 2011-11-23 14:45 -------- d-----w- C:\download
    2011-11-23 14:04 . 2011-11-23 14:43 -------- d-----w- c:\users\Owner\AppData\Roaming\GetRightToGo
    2011-11-20 08:14 . 2008-07-08 13:45 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
    2011-11-20 08:14 . 2008-07-30 01:33 446464 ----a-w- c:\windows\system32\nvuninst.exe
    2011-11-20 08:14 . 2008-05-23 02:49 768544 ----a-w- c:\windows\system32\nvcplui.exe
    2011-11-20 08:14 . 2008-05-23 02:49 420384 ----a-w- c:\windows\system32\nvcpl.cpl
    2011-11-20 08:14 . 2008-05-23 02:49 313888 ----a-w- c:\windows\system32\nvexpbar.dll
    2011-11-20 08:14 . 2008-05-23 02:49 1079840 ----a-w- c:\windows\system32\nvcpluir.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-08 03:40 . 2011-10-08 03:40 94208 ----a-w- c:\windows\DIIUnin.exe
    2011-10-08 03:40 . 2011-10-08 03:40 2829 ----a-w- c:\windows\DIIUnin.pif
    2011-09-30 03:49 . 2011-03-28 22:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-09-28 15:39 . 2010-07-21 22:43 21840 ----atw- c:\windows\system32\SIntfNT.dll
    2011-09-28 15:39 . 2010-07-21 22:43 17212 ----atw- c:\windows\system32\SIntf32.dll
    2011-09-28 15:39 . 2010-07-21 22:43 12067 ----atw- c:\windows\system32\SIntf16.dll
    2011-09-20 21:02 . 2011-11-09 08:46 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
    "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-07-08 3077528]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
    2011-07-08 14:12 3077528 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-08-02 3732680]
    R3 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2010-07-19 51792]
    R3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-07-29 497008]
    R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-07-29 689416]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2009-07-29 146448]
    S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2011-07-12 36624]
    S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2009-07-29 283152]
    S3 HSXHWBS3;HSXHWBS3;c:\windows\system32\DRIVERS\HSXHWBS3.sys [2008-02-12 207360]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: DhcpNameServer = 10.10.24.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKCU-Run-PlayNC Launcher - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-14 10:53
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-12-14 10:55:21
    ComboFix-quarantined-files.txt 2011-12-14 15:55
    ComboFix2.txt 2010-12-29 04:40
    .
    Pre-Run: 320,345,874,432 bytes free
    Post-Run: 325,446,529,024 bytes free
    .
    - - End Of File - - B8948336F5484423A197A3C9FD207742
     
  14. Larusso

    Larusso

    Joined:
    Aug 9, 2011
    Messages:
    808
    How is your system behaving now?



    Download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Save it to your desktop.
    Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.



    Please post in your next reply
    MBAM Log
     
  15. Jmars25

    Jmars25 Thread Starter

    Joined:
    Dec 3, 2011
    Messages:
    26
    baaahh....sneaky trojans! Trend Micro IS didn't pick them up apparently :/. What do you mean by "how is my system behaving?"? Are you asking about after ComboFix or after Malwarebytes?

    After running Malwarebytes, I was finally able to access my Windows Firewall settings. I kept getting some run32dll error message every time I tried to access the firewall settings. The internet seems to be running a little faster too, I think; this page loaded pretty fast, unlike what it was doing when I started the post.


    Here's the log:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org
    Database version: 8377
    Windows 6.0.6002 Service Pack 2
    Internet Explorer 9.0.8112.16421
    12/15/2011 2:28:21 PM
    mbam-log-2011-12-15 (14-28-21).txt
    Scan type: Quick scan
    Objects scanned: 154903
    Time elapsed: 2 minute(s), 27 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\B60JHDGR6V (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\JP595IR86O (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)
     
Short URL to this thread: https://techguy.org/1029521
