Solved

Take Over of Internet Browser

Posted on 2008-06-13
Last Modified: 2013-12-08
In the last week, each time I access the Web, within 1 minute of being online, two new web pages will appear.  Neither page accesses any content.  The message I get from IE is "HTTP Error 404 - File or Directory not found."   I am not initiating this action. Also, I am getting "pop-up" web pages without clicking any links.

I reinstalled Windows Vista to stop the problem.  I also installed Trend Micro but it only blocks some pop-ups rather than all of them.   My IE Pop-Up Blocker is enabled; so is my IE Phishing monitor.

What is happening here? How do I fix it? Thanks.      
Question by:dtaylor42863
8 Comments
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21783745
Show us a Hijackthis log first so we can check what specific infection is present in the system and we can suggest the right tool to fix it.

Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open Hijackthis and click "Do a system scan and save a logfile"; please don't fix anything yet.
Please attach the logfile as a "Code Snippet".
 

Author Comment

by:dtaylor42863
ID: 21783977
Done.  
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:14 PM, on 6/13/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrPiGY.dll,#1
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\vtUkhGvW.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\qoMgfcax.dll,#1
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [BMdb67e695] Rundll32.exe "C:\Users\BOGEYD~1\AppData\Local\Temp\cuxqkjkb.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O13 - Gopher Prefix: 
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.7.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6679 bytes

 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 21784061
Thanks for the log.

O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrPiGY.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\vtUkhGvW.dll,c  
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\qoMgfcax.dll,#1
O4 - HKCU\..\Run: [BMdb67e695] Rundll32.exe "C:\Users\BOGEYD~1\AppData\Local\Temp\cuxqkjkb.dll",s


You have a vundo/conhook infection; you need to run Combofix.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log.
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


This link tells you how to use Combofix, as well as how to install RC if you haven't yet.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
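The expert spotted the infection from the O4 lines alone: rundll32 loading DLLs out of a user's Temp folder, or an eight-letter random-looking DLL name in system32, with an ordinal or single-letter export. The script below is an added example (not from the thread or from HijackThis) that applies those same heuristics to the O4 section of a HijackThis v2 log; the sample log is constructed from the entries quoted in this thread, and the scoring rules are my own reading aids for a reviewer, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines in the shape HijackThis v2.0.2 emits, taken from
# the log posted in this thread (both malicious and benign entries).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrPiGY.dll,#1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\vtUkhGvW.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\qoMgfcax.dll,#1
O4 - HKCU\..\Run: [BMdb67e695] Rundll32.exe "C:\Users\BOGEYD~1\AppData\Local\Temp\cuxqkjkb.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

# "O4 - <hive>\..\Run: [<name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32[.exe] <dll path, optionally quoted>,<export name or #ordinal>
RUNDLL = re.compile(r'(?i)^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)')
TEMP_DIR = re.compile(r"(?i)\\(?:AppData\\Local\\)?Temp\\")


@dataclass
class Finding:
    name: str                 # the [name] HijackThis shows in brackets
    hive: str                 # HKLM, HKCU or HKUS\<SID>
    dll: str                  # path handed to rundll32
    reasons: list = field(default_factory=list)


def random_looking(stem: str) -> bool:
    """Eight letters with capitals scattered past the first character, e.g. awtrPiGY."""
    return (len(stem) == 8 and stem.isalpha()
            and any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem))


def triage_o4(log_text: str) -> list:
    """Return a Finding for every rundll32-style O4 entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        r = RUNDLL.match(m["cmd"])
        if not r:
            continue                      # plain executables are not scored here
        dll, export = r["dll"], r["export"]
        stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if TEMP_DIR.search(dll):
            reasons.append("DLL loaded from a Temp folder")
        if random_looking(stem):
            reasons.append("random-looking eight-letter DLL name")
        # An ordinal (#1) or one-letter export only corroborates an existing hit;
        # legitimate Windows entries such as oobefldr.dll use a real export name.
        if reasons and (export.startswith("#") or len(export) == 1):
            reasons.append("ordinal or single-letter export (%s)" % export)
        if reasons:
            findings.append(Finding(m["name"], m["hive"], dll, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print("%-14s [%s] %s: %s" % (f.hive, f.name, f.dll, "; ".join(f.reasons)))
```

Running it on the sample flags the four entries the expert listed and leaves the Sidebar, Windows Defender and WindowsWelcomeCenter lines alone.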
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 500 total points
ID: 21784064
Run Combofix in Safe Mode; it will produce an error but it will continue, so let it continue.
 

Author Closing Comment

by:dtaylor42863
ID: 31467128
Great job again. Hats off to Experts Exchange.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21785428
Glad to know that the problem has been resolved.

Would you like to attach the CF log? Sometimes with vundo infection there will still be some leftovers that need to be removed using CFScript function.
If you like, we can take a look at the log to make sure it's clean.

But if you're happy with everything and don't want to show us the logfile, then please uninstall Combofix.
Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

The above command will uninstall combofix and its related files/folder.
Thanks!
 

Author Comment

by:dtaylor42863
ID: 21787023
It worked.  You truly are a Guru.  I have attached the CF and Hijack This Logs.  Thanks again for your help.

 
ComboFix 08-06-12.2 - Bogey Dead 6 2008-06-14 19:33:46.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic   6.0.6000.0.1252.1.1033.18.761 [GMT -4:00]
Running from: C:\Users\Bogey Dead 6\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\Fonts\CALIBRIB.TTF
C:\Windows\system32\awtrPiGY.dll
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2008-05-14 to 2008-06-14  )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 03:37	---------	d-----w	C:\Program Files\Trend Micro
2008-06-13 22:22	---------	d-----w	C:\ProgramData\Trend Micro
2008-06-13 18:13	---------	d-----w	C:\Program Files\Canon
2008-06-13 10:27	10,752	----a-w	C:\Windows\DCEBoot.exe
2008-06-12 11:06	174	--sha-w	C:\Program Files\desktop.ini
2008-06-12 11:00	---------	d-----w	C:\Program Files\Windows Mail
2008-06-12 11:00	---------	d-----w	C:\Program Files\Windows Calendar
2008-06-12 10:59	---------	d-----w	C:\Program Files\Windows Sidebar
2008-06-12 10:59	---------	d-----w	C:\Program Files\Windows Defender
2008-06-12 07:17	87,040	----a-w	C:\Windows\System32\msoert2.dll
2008-06-12 07:17	39,424	----a-w	C:\Windows\System32\ACCTRES.dll
2008-06-12 07:17	205,824	----a-w	C:\Windows\System32\msoeacct.dll
2008-06-12 07:16	704,000	----a-w	C:\Windows\System32\PhotoScreensaver.scr
2008-06-12 07:16	258,232	----a-w	C:\Windows\system32\drivers\acpi.sys
2008-06-12 07:16	24,064	----a-w	C:\Windows\System32\wtsapi32.dll
2008-06-12 07:15	67,584	----a-w	C:\Windows\System32\wlanhlp.dll
2008-06-12 07:15	542,720	----a-w	C:\Windows\System32\sysmain.dll
2008-06-12 07:15	502,784	----a-w	C:\Windows\System32\wlansvc.dll
2008-06-12 07:15	47,104	----a-w	C:\Windows\System32\wlanapi.dll
2008-06-12 07:15	297,984	----a-w	C:\Windows\System32\wlansec.dll
2008-06-12 07:15	290,816	----a-w	C:\Windows\System32\wlanmsm.dll
2008-06-12 07:15	2,923,520	----a-w	C:\Windows\explorer.exe
2008-06-12 07:14	194,560	----a-w	C:\Windows\System32\WebClnt.dll
2008-06-12 07:14	110,080	----a-w	C:\Windows\system32\drivers\mrxdav.sys
2008-06-12 07:12	49,664	----a-w	C:\Windows\System32\csrsrv.dll
2008-06-12 07:12	376,320	----a-w	C:\Windows\System32\winsrv.dll
2008-06-12 07:07	41,984	----a-w	C:\Windows\system32\drivers\monitor.sys
2008-06-12 07:07	1,060,920	----a-w	C:\Windows\system32\drivers\ntfs.sys
2008-06-12 07:05	374,456	----a-w	C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-06-12 07:03	414,208	----a-w	C:\Windows\System32\msscp.dll
2008-06-12 07:02	8,147,968	----a-w	C:\Windows\System32\wmploc.DLL
2008-06-12 07:02	7,680	----a-w	C:\Windows\System32\spwmp.dll
2008-06-12 07:01	4,096	----a-w	C:\Windows\System32\dxmasf.dll
2008-06-12 07:01	356,864	----a-w	C:\Windows\System32\MediaMetadataHandler.dll
2008-06-12 07:00	86,016	----a-w	C:\Windows\System32\icfupgd.dll
2008-06-12 07:00	63,488	----a-w	C:\Windows\system32\drivers\mpsdrv.sys
2008-06-12 07:00	61,952	----a-w	C:\Windows\System32\cmifw.dll
2008-06-12 07:00	396,800	----a-w	C:\Windows\System32\MPSSVC.dll
2008-06-12 07:00	392,192	----a-w	C:\Windows\System32\FirewallAPI.dll
2008-06-12 07:00	23,040	----a-w	C:\Windows\system32\drivers\tunnel.sys
2008-06-12 07:00	178,688	----a-w	C:\Windows\System32\iphlpsvc.dll
2008-06-12 07:00	16,896	----a-w	C:\Windows\System32\wfapigp.dll
2008-06-12 07:00	15,360	----a-w	C:\Windows\system32\drivers\TUNMP.SYS
2008-06-12 06:57	45,112	----a-w	C:\Windows\system32\drivers\pciidex.sys
2008-06-12 06:57	3,504,696	----a-w	C:\Windows\System32\ntkrnlpa.exe
2008-06-12 06:57	3,470,392	----a-w	C:\Windows\System32\ntoskrnl.exe
2008-06-12 06:57	211,000	----a-w	C:\Windows\system32\drivers\volsnap.sys
2008-06-12 06:57	21,560	----a-w	C:\Windows\system32\drivers\atapi.sys
2008-06-12 06:57	154,624	----a-w	C:\Windows\system32\drivers\nwifi.sys
2008-06-12 06:57	15,928	----a-w	C:\Windows\system32\drivers\pciide.sys
2008-06-12 06:57	109,624	----a-w	C:\Windows\system32\drivers\ataport.sys
2008-06-12 06:55	104,448	----a-w	C:\Windows\System32\DWWIN.EXE
2008-06-12 06:54	2,048	----a-w	C:\Windows\System32\msxml3r.dll
2008-06-12 06:54	1,191,936	----a-w	C:\Windows\System32\msxml3.dll
2008-06-12 06:53	8,704	----a-w	C:\Windows\System32\hcrstco.dll
2008-06-12 06:53	8,704	----a-w	C:\Windows\System32\hccoin.dll
2008-06-12 06:53	73,216	----a-w	C:\Windows\system32\drivers\usbccgp.sys
2008-06-12 06:53	5,888	----a-w	C:\Windows\system32\drivers\usbd.sys
2008-06-12 06:53	38,400	----a-w	C:\Windows\system32\drivers\usbehci.sys
2008-06-12 06:53	224,768	----a-w	C:\Windows\system32\drivers\usbport.sys
2008-06-12 06:53	192,000	----a-w	C:\Windows\system32\drivers\usbhub.sys
2008-06-12 06:53	19,456	----a-w	C:\Windows\system32\drivers\usbohci.sys
2008-06-12 06:50	806,400	----a-w	C:\Windows\system32\drivers\tcpip.sys
2008-06-12 06:50	24,064	----a-w	C:\Windows\System32\netcfg.exe
2008-06-12 06:50	22,016	----a-w	C:\Windows\System32\netiougc.exe
2008-06-12 06:50	217,144	----a-w	C:\Windows\system32\drivers\netio.sys
2008-06-12 06:50	167,424	----a-w	C:\Windows\System32\tcpipcfg.dll
2008-06-12 06:41	1,585,664	----a-w	C:\Windows\System32\setupapi.dll
2008-06-12 06:39	613,888	----a-w	C:\Windows\System32\wpd_ci.dll
2008-06-12 06:39	40,960	----a-w	C:\Windows\System32\srclient.dll
2008-06-12 06:39	371,712	----a-w	C:\Windows\System32\srcore.dll
2008-06-12 06:39	313,856	----a-w	C:\Windows\System32\rstrui.exe
2008-06-12 06:39	16,384	----a-w	C:\Windows\System32\srdelayed.exe
2008-06-12 06:33	2,027,008	----a-w	C:\Windows\System32\win32k.sys
2008-06-12 06:32	---------	d-----w	C:\Program Files\CONEXANT
2008-06-12 06:31	9,728	----a-w	C:\Windows\System32\LAPRXY.DLL
2008-06-12 06:31	296,448	----a-w	C:\Windows\System32\gdi32.dll
2008-06-12 06:31	223,232	----a-w	C:\Windows\System32\WMASF.DLL
2008-06-12 06:31	2,048	----a-w	C:\Windows\System32\asferror.dll
2008-06-12 06:29	57,856	----a-w	C:\Windows\System32\SLUINotify.dll
2008-06-12 06:29	566,784	----a-w	C:\Windows\System32\SLCommDlg.dll
2008-06-12 06:29	39,936	----a-w	C:\Windows\System32\slcinst.dll
2008-06-12 06:29	351,232	----a-w	C:\Windows\System32\SLUI.exe
2008-06-12 06:29	33,280	----a-w	C:\Windows\System32\slwmi.dll
2008-06-12 06:29	268,288	----a-w	C:\Windows\System32\mcbuilder.exe
2008-06-12 06:29	223,232	----a-w	C:\Windows\System32\SLC.dll
2008-06-12 06:29	2,605,568	----a-w	C:\Windows\System32\SLsvc.exe
2008-06-12 06:29	186,368	----a-w	C:\Windows\System32\SLLUA.exe
2008-06-12 06:28	2,048	----a-w	C:\Windows\System32\msxml6r.dll
2008-06-12 06:28	1,335,296	----a-w	C:\Windows\System32\msxml6.dll
2008-06-12 06:25	84,480	----a-w	C:\Windows\System32\INETRES.dll
2008-06-12 06:25	737,792	----a-w	C:\Windows\System32\inetcomm.dll
2008-06-12 06:24	14,848	----a-w	C:\Windows\System32\wshrm.dll
2008-06-12 06:24	113,664	----a-w	C:\Windows\system32\drivers\rmcast.sys
2008-06-12 06:24	11,776	----a-w	C:\Windows\System32\sbunattend.exe
2008-06-12 06:22	83,968	----a-w	C:\Windows\System32\dnsrslvr.dll
2008-06-12 06:22	24,576	----a-w	C:\Windows\System32\dnscacheugc.exe
2008-06-12 06:22	---------	d-----w	C:\Program Files\Common Files\Macromedia
2008-06-12 06:21	53,760	----a-w	C:\Windows\system32\drivers\hdaudbus.sys
2008-06-12 06:20	84,992	----a-w	C:\Windows\system32\drivers\srvnet.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2008-02-15 07:38 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-06-12 02:24 1232896]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-16 01:02 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;C:\Windows\system32\DRIVERS\tmlwf.sys [2008-02-16 01:01]
R2 tmwfp;Trend Micro WFP Callout Driver;C:\Windows\system32\DRIVERS\tmwfp.sys [2008-02-16 01:01]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 03:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork	REG_MULTI_SZ   	PLA DPS BFE mpssvc

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 19:39:14
Windows 6.0.6000  NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-14 19:43:33
ComboFix-quarantined-files.txt  2008-06-14 23:43:29

      The system cannot find message text for message number 0x2379 in the message file for Application.
      The system cannot find message text for message number 0x2379 in the message file for Application.

172	--- E O F ---	2008-06-14 05:31:50


Hijack-This-Log-after-CF-Run.txt
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21892538
I'm terribly sorry, please forgive my late reply. I've lost the alert of this somehow.

Hijackthis log is clean.
C:\Windows\DCEBoot.exe <-- this file can be deleted.


If you'd like to, check out TonyKlein's article, "How Did I Get Infected in the First Place?":
http://www.castlecops.com/postlite7736-.html

Also a couple of temp folder cleaners you can use if you haven't yet:
Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, click No at the prompt to keep saved passwords.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

OR:
CCleaner:
http://www.ccleaner.com/download/

Again, I'm sorry for my late reply.

Thanks.
Happy and safe computing!
