Solved

Take Over of Internet Browser

Posted on 2008-06-13
755 Views
Last Modified: 2013-12-08
In the last week, each time I access the Web, within 1 minute of being online, two new web pages will appear. Neither page accesses any content. The message I get from IE is "HTTP Error 404 - File or Directory not found." I am not initiating this action. Also, I am getting "pop-up" web pages without clicking any links.

I reinstalled Windows Vista to stop the problem. I also installed Trend Micro but it only blocks some pop-ups rather than all of them. My IE Pop-Up Blocker is enabled; so is my IE Phishing monitor.

What is happening here? How do I fix it? Thanks.
Question by:dtaylor42863
8 Comments
LVL 47

Expert Comment

by:rpggamergirl
ID: 21783745
Show us a HijackThis log first so we can check what specific infection is present in the system and we can suggest the right tool to fix it.

HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open HijackThis and click "Do a system scan and save a logfile"; please don't fix anything yet.
Please attach the logfile as a "Code Snippet".

Author Comment

by:dtaylor42863
ID: 21783977
Done.  
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:14 PM, on 6/13/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrPiGY.dll,#1
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\vtUkhGvW.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\qoMgfcax.dll,#1
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [BMdb67e695] Rundll32.exe "C:\Users\BOGEYD~1\AppData\Local\Temp\cuxqkjkb.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O13 - Gopher Prefix: 
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.7.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6679 bytes

 
LVL 47

Accepted Solution

by:rpggamergirl (earned 500 total points)
ID: 21784061
Thanks for the log.

O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrPiGY.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\vtUkhGvW.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\qoMgfcax.dll,#1
O4 - HKCU\..\Run: [BMdb67e695] Rundll32.exe "C:\Users\BOGEYD~1\AppData\Local\Temp\cuxqkjkb.dll",s

You have a Vundo/Conhook infection; you need to run ComboFix.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

This link tells you how to use ComboFix as well as installing RC if you haven't yet:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
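
The four O4 entries singled out in the answer above share the traits the expert keyed on: rundll32.exe loading a DLL with a random-looking eight-letter name, either from the user's Temp folder or from system32, through an ordinal (#1) or single-letter export. As an added example (not from this thread, and not part of HijackThis, ComboFix or any Trend Micro tool), the Python below parses the O4 lines from the posted log and flags the ones that match those traits. The sample input is copied from the log in this thread; the parsing regexes and the looks_random heuristic are assumptions chosen for this example, and a hit means "look closer", not a verdict. The same checks apply to the Run-key listing in the ComboFix "Reg Loading Points" section.

```python
import re

# Constructed sample input: the O4 (Run-key) lines from the HijackThis log
# posted in this thread, including the benign entries so the filter has
# something to leave alone.
SAMPLE_HJT_O4 = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrPiGY.dll,#1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\vtUkhGvW.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\qoMgfcax.dll,#1
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [BMdb67e695] Rundll32.exe "C:\Users\BOGEYD~1\AppData\Local\Temp\cuxqkjkb.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# HijackThis O4 Run-key line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 command: optional quotes around the DLL path, then ",<export>"
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
                       re.IGNORECASE)
VOWELS = set("aeiouAEIOU")


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption of this example) for the gibberish eight-letter
    names seen in the log (awtrPiGY, cuxqkjkb): exactly eight letters and
    either mixed case or almost no vowels. Real names like oobefldr pass."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    mixed_case = stem != stem.lower() and stem != stem.upper()
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    return mixed_case or vowel_ratio <= 0.25


def assess_rundll32(cmd: str) -> list:
    """Return the reasons a rundll32 Run entry deserves a closer look.
    An empty list means none of the heuristics fired (or it is not rundll32)."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return []
    dll, export = m.group("dll"), m.group("export")
    parts = dll.replace("/", "\\").split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    reasons = []
    if any(p.lower() == "temp" for p in parts[:-1]):
        reasons.append("DLL loaded from a Temp folder")
    if re.fullmatch(r"#\d+", export) or len(export) == 1:
        reasons.append(f"ordinal or one-letter export '{export}'")
    if looks_random(stem):
        reasons.append(f"random-looking DLL name '{stem}'")
    return reasons


def triage(hjt_text: str) -> list:
    """Parse every O4 Run-key line and return those that trip a heuristic,
    in log order, as dicts with hive, value name, command and reasons."""
    findings = []
    for line in hjt_text.strip().splitlines():
        m = O4_RE.match(line.strip())
        if not m:  # "Global Startup" and non-O4 lines are not Run keys
            continue
        reasons = assess_rundll32(m.group("cmd"))
        if reasons:
            findings.append({"hive": m.group("hive"), "name": m.group("name"),
                             "cmd": m.group("cmd"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_O4):
        print(f"[{f['hive']}] {f['name']}: {'; '.join(f['reasons'])}")
```

Run against the sample, it reports exactly the four entries the expert told the asker to remove and stays quiet on Windows Defender, Sidebar, the Trend Micro monitor and the LOCAL SERVICE welcome-center entry; the system32 copy (awtrPiGY.dll) is caught by the ordinal export and the name alone, which is why the location check is not the only signal worth keeping.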
LVL 47

Assisted Solution

by:rpggamergirl (earned 500 total points)
ID: 21784064
Run Combofix in Safe Mode, it will produce an error but it will continue, so let it continue.

Author Closing Comment

by:dtaylor42863
ID: 31467128
Great job again. Hats off to Experts Exchange.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21785428
Glad to know that the problem has been resolved.

Would you like to attach the CF log? Sometimes with a Vundo infection there will still be some leftovers that need to be removed using the CFScript function.
If you like, we can take a look at the log to make sure it's clean.

But if you're happy with everything and don't want to show us the logfile, then please uninstall ComboFix.
Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

The above command will uninstall ComboFix and its related files/folders.
Thanks!
 

Author Comment

by:dtaylor42863
ID: 21787023
It worked. You truly are a Guru. I have attached the CF and HijackThis logs. Thanks again for your help.

 
ComboFix 08-06-12.2 - Bogey Dead 6 2008-06-14 19:33:46.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic   6.0.6000.0.1252.1.1033.18.761 [GMT -4:00]
Running from: C:\Users\Bogey Dead 6\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\Fonts\CALIBRIB.TTF
C:\Windows\system32\awtrPiGY.dll
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2008-05-14 to 2008-06-14  )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 03:37	---------	d-----w	C:\Program Files\Trend Micro
2008-06-13 22:22	---------	d-----w	C:\ProgramData\Trend Micro
2008-06-13 18:13	---------	d-----w	C:\Program Files\Canon
2008-06-13 10:27	10,752	----a-w	C:\Windows\DCEBoot.exe
2008-06-12 11:06	174	--sha-w	C:\Program Files\desktop.ini
2008-06-12 11:00	---------	d-----w	C:\Program Files\Windows Mail
2008-06-12 11:00	---------	d-----w	C:\Program Files\Windows Calendar
2008-06-12 10:59	---------	d-----w	C:\Program Files\Windows Sidebar
2008-06-12 10:59	---------	d-----w	C:\Program Files\Windows Defender
2008-06-12 07:17	87,040	----a-w	C:\Windows\System32\msoert2.dll
2008-06-12 07:17	39,424	----a-w	C:\Windows\System32\ACCTRES.dll
2008-06-12 07:17	205,824	----a-w	C:\Windows\System32\msoeacct.dll
2008-06-12 07:16	704,000	----a-w	C:\Windows\System32\PhotoScreensaver.scr
2008-06-12 07:16	258,232	----a-w	C:\Windows\system32\drivers\acpi.sys
2008-06-12 07:16	24,064	----a-w	C:\Windows\System32\wtsapi32.dll
2008-06-12 07:15	67,584	----a-w	C:\Windows\System32\wlanhlp.dll
2008-06-12 07:15	542,720	----a-w	C:\Windows\System32\sysmain.dll
2008-06-12 07:15	502,784	----a-w	C:\Windows\System32\wlansvc.dll
2008-06-12 07:15	47,104	----a-w	C:\Windows\System32\wlanapi.dll
2008-06-12 07:15	297,984	----a-w	C:\Windows\System32\wlansec.dll
2008-06-12 07:15	290,816	----a-w	C:\Windows\System32\wlanmsm.dll
2008-06-12 07:15	2,923,520	----a-w	C:\Windows\explorer.exe
2008-06-12 07:14	194,560	----a-w	C:\Windows\System32\WebClnt.dll
2008-06-12 07:14	110,080	----a-w	C:\Windows\system32\drivers\mrxdav.sys
2008-06-12 07:12	49,664	----a-w	C:\Windows\System32\csrsrv.dll
2008-06-12 07:12	376,320	----a-w	C:\Windows\System32\winsrv.dll
2008-06-12 07:07	41,984	----a-w	C:\Windows\system32\drivers\monitor.sys
2008-06-12 07:07	1,060,920	----a-w	C:\Windows\system32\drivers\ntfs.sys
2008-06-12 07:05	374,456	----a-w	C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-06-12 07:03	414,208	----a-w	C:\Windows\System32\msscp.dll
2008-06-12 07:02	8,147,968	----a-w	C:\Windows\System32\wmploc.DLL
2008-06-12 07:02	7,680	----a-w	C:\Windows\System32\spwmp.dll
2008-06-12 07:01	4,096	----a-w	C:\Windows\System32\dxmasf.dll
2008-06-12 07:01	356,864	----a-w	C:\Windows\System32\MediaMetadataHandler.dll
2008-06-12 07:00	86,016	----a-w	C:\Windows\System32\icfupgd.dll
2008-06-12 07:00	63,488	----a-w	C:\Windows\system32\drivers\mpsdrv.sys
2008-06-12 07:00	61,952	----a-w	C:\Windows\System32\cmifw.dll
2008-06-12 07:00	396,800	----a-w	C:\Windows\System32\MPSSVC.dll
2008-06-12 07:00	392,192	----a-w	C:\Windows\System32\FirewallAPI.dll
2008-06-12 07:00	23,040	----a-w	C:\Windows\system32\drivers\tunnel.sys
2008-06-12 07:00	178,688	----a-w	C:\Windows\System32\iphlpsvc.dll
2008-06-12 07:00	16,896	----a-w	C:\Windows\System32\wfapigp.dll
2008-06-12 07:00	15,360	----a-w	C:\Windows\system32\drivers\TUNMP.SYS
2008-06-12 06:57	45,112	----a-w	C:\Windows\system32\drivers\pciidex.sys
2008-06-12 06:57	3,504,696	----a-w	C:\Windows\System32\ntkrnlpa.exe
2008-06-12 06:57	3,470,392	----a-w	C:\Windows\System32\ntoskrnl.exe
2008-06-12 06:57	211,000	----a-w	C:\Windows\system32\drivers\volsnap.sys
2008-06-12 06:57	21,560	----a-w	C:\Windows\system32\drivers\atapi.sys
2008-06-12 06:57	154,624	----a-w	C:\Windows\system32\drivers\nwifi.sys
2008-06-12 06:57	15,928	----a-w	C:\Windows\system32\drivers\pciide.sys
2008-06-12 06:57	109,624	----a-w	C:\Windows\system32\drivers\ataport.sys
2008-06-12 06:55	104,448	----a-w	C:\Windows\System32\DWWIN.EXE
2008-06-12 06:54	2,048	----a-w	C:\Windows\System32\msxml3r.dll
2008-06-12 06:54	1,191,936	----a-w	C:\Windows\System32\msxml3.dll
2008-06-12 06:53	8,704	----a-w	C:\Windows\System32\hcrstco.dll
2008-06-12 06:53	8,704	----a-w	C:\Windows\System32\hccoin.dll
2008-06-12 06:53	73,216	----a-w	C:\Windows\system32\drivers\usbccgp.sys
2008-06-12 06:53	5,888	----a-w	C:\Windows\system32\drivers\usbd.sys
2008-06-12 06:53	38,400	----a-w	C:\Windows\system32\drivers\usbehci.sys
2008-06-12 06:53	224,768	----a-w	C:\Windows\system32\drivers\usbport.sys
2008-06-12 06:53	192,000	----a-w	C:\Windows\system32\drivers\usbhub.sys
2008-06-12 06:53	19,456	----a-w	C:\Windows\system32\drivers\usbohci.sys
2008-06-12 06:50	806,400	----a-w	C:\Windows\system32\drivers\tcpip.sys
2008-06-12 06:50	24,064	----a-w	C:\Windows\System32\netcfg.exe
2008-06-12 06:50	22,016	----a-w	C:\Windows\System32\netiougc.exe
2008-06-12 06:50	217,144	----a-w	C:\Windows\system32\drivers\netio.sys
2008-06-12 06:50	167,424	----a-w	C:\Windows\System32\tcpipcfg.dll
2008-06-12 06:41	1,585,664	----a-w	C:\Windows\System32\setupapi.dll
2008-06-12 06:39	613,888	----a-w	C:\Windows\System32\wpd_ci.dll
2008-06-12 06:39	40,960	----a-w	C:\Windows\System32\srclient.dll
2008-06-12 06:39	371,712	----a-w	C:\Windows\System32\srcore.dll
2008-06-12 06:39	313,856	----a-w	C:\Windows\System32\rstrui.exe
2008-06-12 06:39	16,384	----a-w	C:\Windows\System32\srdelayed.exe
2008-06-12 06:33	2,027,008	----a-w	C:\Windows\System32\win32k.sys
2008-06-12 06:32	---------	d-----w	C:\Program Files\CONEXANT
2008-06-12 06:31	9,728	----a-w	C:\Windows\System32\LAPRXY.DLL
2008-06-12 06:31	296,448	----a-w	C:\Windows\System32\gdi32.dll
2008-06-12 06:31	223,232	----a-w	C:\Windows\System32\WMASF.DLL
2008-06-12 06:31	2,048	----a-w	C:\Windows\System32\asferror.dll
2008-06-12 06:29	57,856	----a-w	C:\Windows\System32\SLUINotify.dll
2008-06-12 06:29	566,784	----a-w	C:\Windows\System32\SLCommDlg.dll
2008-06-12 06:29	39,936	----a-w	C:\Windows\System32\slcinst.dll
2008-06-12 06:29	351,232	----a-w	C:\Windows\System32\SLUI.exe
2008-06-12 06:29	33,280	----a-w	C:\Windows\System32\slwmi.dll
2008-06-12 06:29	268,288	----a-w	C:\Windows\System32\mcbuilder.exe
2008-06-12 06:29	223,232	----a-w	C:\Windows\System32\SLC.dll
2008-06-12 06:29	2,605,568	----a-w	C:\Windows\System32\SLsvc.exe
2008-06-12 06:29	186,368	----a-w	C:\Windows\System32\SLLUA.exe
2008-06-12 06:28	2,048	----a-w	C:\Windows\System32\msxml6r.dll
2008-06-12 06:28	1,335,296	----a-w	C:\Windows\System32\msxml6.dll
2008-06-12 06:25	84,480	----a-w	C:\Windows\System32\INETRES.dll
2008-06-12 06:25	737,792	----a-w	C:\Windows\System32\inetcomm.dll
2008-06-12 06:24	14,848	----a-w	C:\Windows\System32\wshrm.dll
2008-06-12 06:24	113,664	----a-w	C:\Windows\system32\drivers\rmcast.sys
2008-06-12 06:24	11,776	----a-w	C:\Windows\System32\sbunattend.exe
2008-06-12 06:22	83,968	----a-w	C:\Windows\System32\dnsrslvr.dll
2008-06-12 06:22	24,576	----a-w	C:\Windows\System32\dnscacheugc.exe
2008-06-12 06:22	---------	d-----w	C:\Program Files\Common Files\Macromedia
2008-06-12 06:21	53,760	----a-w	C:\Windows\system32\drivers\hdaudbus.sys
2008-06-12 06:20	84,992	----a-w	C:\Windows\system32\drivers\srvnet.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2008-02-15 07:38 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-06-12 02:24 1232896]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-16 01:02 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;C:\Windows\system32\DRIVERS\tmlwf.sys [2008-02-16 01:01]
R2 tmwfp;Trend Micro WFP Callout Driver;C:\Windows\system32\DRIVERS\tmwfp.sys [2008-02-16 01:01]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 03:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork	REG_MULTI_SZ   	PLA DPS BFE mpssvc

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 19:39:14
Windows 6.0.6000  NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-14 19:43:33
ComboFix-quarantined-files.txt  2008-06-14 23:43:29

      The system cannot find message text for message number 0x2379 in the message file for Application.
      The system cannot find message text for message number 0x2379 in the message file for Application.

172	--- E O F ---	2008-06-14 05:31:50


Hijack-This-Log-after-CF-Run.txt
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21892538
I'm terribly sorry, please forgive my late reply. I've lost the alert of this somehow.

HijackThis log is clean.
C:\Windows\DCEBoot.exe <-- this file can be deleted.

If you'd like to check out TonyKlein's article, "How Did I Get Infected in the First Place?":
http://www.castlecops.com/postlite7736-.html

Also a couple of temp folder cleaners you can use if you haven't yet:
Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, to keep saved passwords, click No at the prompt.)

It's normal after running ATF Cleaner that the PC will be slower to boot the first time.

OR:
CCleaner:
http://www.ccleaner.com/download/

Again, I'm sorry for my late reply.

Thanks.
Happy and safe computing!
