Solved

Take Over of Internet Browser

Posted on 2008-06-13
8
757 Views
Last Modified: 2013-12-08
In the last week, each time I access the Web, within 1 minute of being online, two new web pages will appear.  Neither page accesses any content.  The message I get from IE is "HTTP Error 404 - File or Directory not found."   I am not initiating this action. Also, I am getting "pop-up" web pages without clicking any links.

I reinstalled Windows Vista to stop the problem.  I also installed Trend Micro but it only blocks some pop-ups rather than all of them.   My IE Pop-Up Blocker is enabled; so is my IE Phishing monitor.

What is happening here? How do I fix it? Thanks.      
0
Question by:dtaylor42863
8 Comments
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21783745
Show us a Hijackthis log first so we can check what specific infection is present in the system and we can suggest the right tool to fix it.

Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.
Please attach the logfile as "Code Snippet".
0
 

Author Comment

by:dtaylor42863
ID: 21783977
Done.  
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:14 PM, on 6/13/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrPiGY.dll,#1
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\vtUkhGvW.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\qoMgfcax.dll,#1
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [BMdb67e695] Rundll32.exe "C:\Users\BOGEYD~1\AppData\Local\Temp\cuxqkjkb.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O13 - Gopher Prefix: 
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.7.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
 
--
End of file - 6679 bytes


0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 21784061
Thanks for the log.

O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrPiGY.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\vtUkhGvW.dll,c  
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\qoMgfcax.dll,#1
O4 - HKCU\..\Run: [BMdb67e695] Rundll32.exe "C:\Users\BOGEYD~1\AppData\Local\Temp\cuxqkjkb.dll",s


You have a vundo/conhook infection, you need to run Combofix.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log.
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


This link tells you How to use Combofix as well as installing RC if you haven't yet.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0

 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 500 total points
ID: 21784064
Run Combofix in Safe Mode, it will produce an error but it will continue, so let it continue.
0
 

Author Closing Comment

by:dtaylor42863
ID: 31467128
Great job again. Hats off to Experts Exchange.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21785428
Glad to know that the problem has been resolved.

Would you like to attach the CF log? Sometimes with vundo infection there will still be some leftovers that need to be removed using CFScript function.
If you like, we can take a look at the log to make sure it's clean.

But if you're happy with everything and don't want to show us the logfile, then please uninstall Combofix.
Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

The above command will uninstall combofix and its related files/folder.
Thanks!
0
 

Author Comment

by:dtaylor42863
ID: 21787023
It worked.  You truly are a Guru.  I have attached the CF and Hijack This Logs.  Thanks again for your help.

 
ComboFix 08-06-12.2 - Bogey Dead 6 2008-06-14 19:33:46.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic   6.0.6000.0.1252.1.1033.18.761 [GMT -4:00]
Running from: C:\Users\Bogey Dead 6\Desktop\ComboFix.exe
 * Created a new restore point
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\Windows\Fonts\CALIBRIB.TTF
C:\Windows\system32\awtrPiGY.dll
D:\Autorun.inf
 
.
(((((((((((((((((((((((((   Files Created from 2008-05-14 to 2008-06-14  )))))))))))))))))))))))))))))))
.
 
No new files created in this timespan
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 03:37	---------	d-----w	C:\Program Files\Trend Micro
2008-06-13 22:22	---------	d-----w	C:\ProgramData\Trend Micro
2008-06-13 18:13	---------	d-----w	C:\Program Files\Canon
2008-06-13 10:27	10,752	----a-w	C:\Windows\DCEBoot.exe
2008-06-12 11:06	174	--sha-w	C:\Program Files\desktop.ini
2008-06-12 11:00	---------	d-----w	C:\Program Files\Windows Mail
2008-06-12 11:00	---------	d-----w	C:\Program Files\Windows Calendar
2008-06-12 10:59	---------	d-----w	C:\Program Files\Windows Sidebar
2008-06-12 10:59	---------	d-----w	C:\Program Files\Windows Defender
2008-06-12 07:17	87,040	----a-w	C:\Windows\System32\msoert2.dll
2008-06-12 07:17	39,424	----a-w	C:\Windows\System32\ACCTRES.dll
2008-06-12 07:17	205,824	----a-w	C:\Windows\System32\msoeacct.dll
2008-06-12 07:16	704,000	----a-w	C:\Windows\System32\PhotoScreensaver.scr
2008-06-12 07:16	258,232	----a-w	C:\Windows\system32\drivers\acpi.sys
2008-06-12 07:16	24,064	----a-w	C:\Windows\System32\wtsapi32.dll
2008-06-12 07:15	67,584	----a-w	C:\Windows\System32\wlanhlp.dll
2008-06-12 07:15	542,720	----a-w	C:\Windows\System32\sysmain.dll
2008-06-12 07:15	502,784	----a-w	C:\Windows\System32\wlansvc.dll
2008-06-12 07:15	47,104	----a-w	C:\Windows\System32\wlanapi.dll
2008-06-12 07:15	297,984	----a-w	C:\Windows\System32\wlansec.dll
2008-06-12 07:15	290,816	----a-w	C:\Windows\System32\wlanmsm.dll
2008-06-12 07:15	2,923,520	----a-w	C:\Windows\explorer.exe
2008-06-12 07:14	194,560	----a-w	C:\Windows\System32\WebClnt.dll
2008-06-12 07:14	110,080	----a-w	C:\Windows\system32\drivers\mrxdav.sys
2008-06-12 07:12	49,664	----a-w	C:\Windows\System32\csrsrv.dll
2008-06-12 07:12	376,320	----a-w	C:\Windows\System32\winsrv.dll
2008-06-12 07:07	41,984	----a-w	C:\Windows\system32\drivers\monitor.sys
2008-06-12 07:07	1,060,920	----a-w	C:\Windows\system32\drivers\ntfs.sys
2008-06-12 07:05	374,456	----a-w	C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-06-12 07:03	414,208	----a-w	C:\Windows\System32\msscp.dll
2008-06-12 07:02	8,147,968	----a-w	C:\Windows\System32\wmploc.DLL
2008-06-12 07:02	7,680	----a-w	C:\Windows\System32\spwmp.dll
2008-06-12 07:01	4,096	----a-w	C:\Windows\System32\dxmasf.dll
2008-06-12 07:01	356,864	----a-w	C:\Windows\System32\MediaMetadataHandler.dll
2008-06-12 07:00	86,016	----a-w	C:\Windows\System32\icfupgd.dll
2008-06-12 07:00	63,488	----a-w	C:\Windows\system32\drivers\mpsdrv.sys
2008-06-12 07:00	61,952	----a-w	C:\Windows\System32\cmifw.dll
2008-06-12 07:00	396,800	----a-w	C:\Windows\System32\MPSSVC.dll
2008-06-12 07:00	392,192	----a-w	C:\Windows\System32\FirewallAPI.dll
2008-06-12 07:00	23,040	----a-w	C:\Windows\system32\drivers\tunnel.sys
2008-06-12 07:00	178,688	----a-w	C:\Windows\System32\iphlpsvc.dll
2008-06-12 07:00	16,896	----a-w	C:\Windows\System32\wfapigp.dll
2008-06-12 07:00	15,360	----a-w	C:\Windows\system32\drivers\TUNMP.SYS
2008-06-12 06:57	45,112	----a-w	C:\Windows\system32\drivers\pciidex.sys
2008-06-12 06:57	3,504,696	----a-w	C:\Windows\System32\ntkrnlpa.exe
2008-06-12 06:57	3,470,392	----a-w	C:\Windows\System32\ntoskrnl.exe
2008-06-12 06:57	211,000	----a-w	C:\Windows\system32\drivers\volsnap.sys
2008-06-12 06:57	21,560	----a-w	C:\Windows\system32\drivers\atapi.sys
2008-06-12 06:57	154,624	----a-w	C:\Windows\system32\drivers\nwifi.sys
2008-06-12 06:57	15,928	----a-w	C:\Windows\system32\drivers\pciide.sys
2008-06-12 06:57	109,624	----a-w	C:\Windows\system32\drivers\ataport.sys
2008-06-12 06:55	104,448	----a-w	C:\Windows\System32\DWWIN.EXE
2008-06-12 06:54	2,048	----a-w	C:\Windows\System32\msxml3r.dll
2008-06-12 06:54	1,191,936	----a-w	C:\Windows\System32\msxml3.dll
2008-06-12 06:53	8,704	----a-w	C:\Windows\System32\hcrstco.dll
2008-06-12 06:53	8,704	----a-w	C:\Windows\System32\hccoin.dll
2008-06-12 06:53	73,216	----a-w	C:\Windows\system32\drivers\usbccgp.sys
2008-06-12 06:53	5,888	----a-w	C:\Windows\system32\drivers\usbd.sys
2008-06-12 06:53	38,400	----a-w	C:\Windows\system32\drivers\usbehci.sys
2008-06-12 06:53	224,768	----a-w	C:\Windows\system32\drivers\usbport.sys
2008-06-12 06:53	192,000	----a-w	C:\Windows\system32\drivers\usbhub.sys
2008-06-12 06:53	19,456	----a-w	C:\Windows\system32\drivers\usbohci.sys
2008-06-12 06:50	806,400	----a-w	C:\Windows\system32\drivers\tcpip.sys
2008-06-12 06:50	24,064	----a-w	C:\Windows\System32\netcfg.exe
2008-06-12 06:50	22,016	----a-w	C:\Windows\System32\netiougc.exe
2008-06-12 06:50	217,144	----a-w	C:\Windows\system32\drivers\netio.sys
2008-06-12 06:50	167,424	----a-w	C:\Windows\System32\tcpipcfg.dll
2008-06-12 06:41	1,585,664	----a-w	C:\Windows\System32\setupapi.dll
2008-06-12 06:39	613,888	----a-w	C:\Windows\System32\wpd_ci.dll
2008-06-12 06:39	40,960	----a-w	C:\Windows\System32\srclient.dll
2008-06-12 06:39	371,712	----a-w	C:\Windows\System32\srcore.dll
2008-06-12 06:39	313,856	----a-w	C:\Windows\System32\rstrui.exe
2008-06-12 06:39	16,384	----a-w	C:\Windows\System32\srdelayed.exe
2008-06-12 06:33	2,027,008	----a-w	C:\Windows\System32\win32k.sys
2008-06-12 06:32	---------	d-----w	C:\Program Files\CONEXANT
2008-06-12 06:31	9,728	----a-w	C:\Windows\System32\LAPRXY.DLL
2008-06-12 06:31	296,448	----a-w	C:\Windows\System32\gdi32.dll
2008-06-12 06:31	223,232	----a-w	C:\Windows\System32\WMASF.DLL
2008-06-12 06:31	2,048	----a-w	C:\Windows\System32\asferror.dll
2008-06-12 06:29	57,856	----a-w	C:\Windows\System32\SLUINotify.dll
2008-06-12 06:29	566,784	----a-w	C:\Windows\System32\SLCommDlg.dll
2008-06-12 06:29	39,936	----a-w	C:\Windows\System32\slcinst.dll
2008-06-12 06:29	351,232	----a-w	C:\Windows\System32\SLUI.exe
2008-06-12 06:29	33,280	----a-w	C:\Windows\System32\slwmi.dll
2008-06-12 06:29	268,288	----a-w	C:\Windows\System32\mcbuilder.exe
2008-06-12 06:29	223,232	----a-w	C:\Windows\System32\SLC.dll
2008-06-12 06:29	2,605,568	----a-w	C:\Windows\System32\SLsvc.exe
2008-06-12 06:29	186,368	----a-w	C:\Windows\System32\SLLUA.exe
2008-06-12 06:28	2,048	----a-w	C:\Windows\System32\msxml6r.dll
2008-06-12 06:28	1,335,296	----a-w	C:\Windows\System32\msxml6.dll
2008-06-12 06:25	84,480	----a-w	C:\Windows\System32\INETRES.dll
2008-06-12 06:25	737,792	----a-w	C:\Windows\System32\inetcomm.dll
2008-06-12 06:24	14,848	----a-w	C:\Windows\System32\wshrm.dll
2008-06-12 06:24	113,664	----a-w	C:\Windows\system32\drivers\rmcast.sys
2008-06-12 06:24	11,776	----a-w	C:\Windows\System32\sbunattend.exe
2008-06-12 06:22	83,968	----a-w	C:\Windows\System32\dnsrslvr.dll
2008-06-12 06:22	24,576	----a-w	C:\Windows\System32\dnscacheugc.exe
2008-06-12 06:22	---------	d-----w	C:\Program Files\Common Files\Macromedia
2008-06-12 06:21	53,760	----a-w	C:\Windows\system32\drivers\hdaudbus.sys
2008-06-12 06:20	84,992	----a-w	C:\Windows\system32\drivers\srvnet.sys
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2008-02-15 07:38 103760]
 
[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-06-12 02:24 1232896]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-16 01:02 492808]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
 
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;C:\Windows\system32\DRIVERS\tmlwf.sys [2008-02-16 01:01]
R2 tmwfp;Trend Micro WFP Callout Driver;C:\Windows\system32\DRIVERS\tmwfp.sys [2008-02-16 01:01]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 03:36]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork	REG_MULTI_SZ   	PLA DPS BFE mpssvc
 
*Newly Created Service* - CATCHME
.
**************************************************************************
 
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 19:39:14
Windows 6.0.6000  NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
Completion time: 2008-06-14 19:43:33
ComboFix-quarantined-files.txt  2008-06-14 23:43:29
 
      The system cannot find message text for message number 0x2379 in the message file for Application.
      The system cannot find message text for message number 0x2379 in the message file for Application.
 
172	--- E O F ---	2008-06-14 05:31:50


Hijack-This-Log-after-CF-Run.txt
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21892538
I'm terribly sorry, please forgive my late reply. I lost the alert for this somehow.

Hijackthis log is clean.
C:\Windows\DCEBoot.exe <-- this file can be deleted.


If you'd like to check out TonyKlein's article, "How Did I Get Infected in the First Place?":
http://www.castlecops.com/postlite7736-.html

Also a couple of temp folder cleaners you can use if you haven't yet:
Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

OR:
CCleaner:
http://www.ccleaner.com/download/

Again, I'm sorry for my late reply.

Thanks.
Happy and safe computing!

0
