Solved

Take Over of Internet Browser

Posted on 2008-06-13
8
766 Views
Last Modified: 2013-12-08
In the last week, each time I access the Web, within 1 minute of being online, two new web pages will appear.  Neither page accesses any content.  The message I get from IE is "HTTP Error 404 - File or Directory not found."   I am not initiating this action. Also, I am getting "pop-up" web pages without clicking any links.

I reinstalled Windows Vista to stop the problem.  I also installed Trend Micro but it only blocks some pop-ups rather than all of them.   My IE Pop-Up Blocker is enabled; so is my IE Phishing monitor.

What is happening here? How do I fix it? Thanks.      
0
Comment
Question by:dtaylor42863
8 Comments
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21783745
Show us a Hijackthis log first so we can check what specific infection is present in the system and we can suggest the right tool to fix it.

Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.
Please attach the logfile as "Code Snippet".
0
 

Author Comment

by:dtaylor42863
ID: 21783977
Done.  
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:14 PM, on 6/13/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrPiGY.dll,#1
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\vtUkhGvW.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\qoMgfcax.dll,#1
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [BMdb67e695] Rundll32.exe "C:\Users\BOGEYD~1\AppData\Local\Temp\cuxqkjkb.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O13 - Gopher Prefix: 
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.7.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
 
--
End of file - 6679 bytes


0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 21784061
Thanks for the log.

O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrPiGY.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\vtUkhGvW.dll,c  
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\qoMgfcax.dll,#1
O4 - HKCU\..\Run: [BMdb67e695] Rundll32.exe "C:\Users\BOGEYD~1\AppData\Local\Temp\cuxqkjkb.dll",s


You have a vundo/conhook infection, you need to run Combofix.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


This link tells you how to use Combofix as well as how to install RC if you haven't yet.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
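The O4 triage the expert did by eye, as an added example that is not code from the thread or from HijackThis: it parses O4 Run lines and scores the pattern the accepted answer picked out (rundll32.exe loading a random-looking DLL from a Temp folder or system32 through an ordinal or one-letter export). SAMPLE_LOG is a constructed excerpt of the posted log; the scoring weights are assumptions, not a HijackThis feature.

```python
"""Score HijackThis O4 (Run-key) lines for the rundll32-loaded-DLL pattern.

Added example, not code from the thread or from HijackThis. It encodes the cues the
accepted answer applied by eye: rundll32.exe loading a random-looking 8-letter DLL from
%Temp% or system32 through an ordinal (#1) or a one-letter export. SAMPLE_LOG is a
constructed excerpt of the O4 section posted above (one legitimate rundll32 line kept).
"""
import re
from dataclasses import dataclass, field

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")  # HKUS lines end with (User '...')
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^"]+?)"?\s*,\s*(?P<entry>\S+)?\s*$', re.I)
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
ORDINAL_RE = re.compile(r"^#\d+$")

@dataclass
class Finding:
    hive: str
    name: str
    dll: str
    score: int = 0
    reasons: list = field(default_factory=list)

def looks_random(basename):
    """8 letters with a capital after the first (awtrPiGY) or at most one vowel (cuxqkjkb)."""
    stem = basename.rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return any(c.isupper() for c in stem[1:]) or vowels <= 1

def score_entry(hive, name, cmd):
    """Score one O4 command line; returns None unless rundll32 is the launcher."""
    m = RUNDLL_RE.match(USER_SUFFIX_RE.sub("", cmd))
    if not m:
        return None
    dll, entry = m.group("dll"), m.group("entry") or ""
    f = Finding(hive, name, dll)
    if TEMP_RE.search(dll):  # user-writable drop location, no admin rights needed
        f.score += 2
        f.reasons.append("DLL lives in a Temp folder")
    if ORDINAL_RE.match(entry) or len(entry) == 1:  # legitimate entries use named exports
        f.score += 1
        f.reasons.append(f"entry point '{entry}' is an ordinal or single letter")
    if looks_random(dll.rsplit("\\", 1)[-1]):
        f.score += 1
        f.reasons.append("random-looking 8-letter DLL name")
    return f

def triage(log_text, threshold=2):
    """Return the O4 Run entries whose score reaches the threshold."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            f = score_entry(m.group("hive"), m.group("name"), m.group("cmd"))
            if f and f.score >= threshold:
                hits.append(f)
    return hits

SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrPiGY.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\vtUkhGvW.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\qoMgfcax.dll,#1
O4 - HKCU\..\Run: [BMdb67e695] Rundll32.exe "C:\Users\BOGEYD~1\AppData\Local\Temp\cuxqkjkb.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.hive} [{hit.name}] {hit.dll} score={hit.score}: {'; '.join(hit.reasons)}")
```

The legitimate Vista entry (oobefldr.dll with a named export, no Temp path) scores 0, while the four entries the expert quoted score 2 or more.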
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 500 total points
ID: 21784064
Run Combofix in Safe Mode, it will produce an error but it will continue, so let it continue.
0
 

Author Closing Comment

by:dtaylor42863
ID: 31467128
Great job again. Hats off to Experts Exchange.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21785428
Glad to know that the problem has been resolved.

Would you like to attach the CF log? Sometimes with vundo infection there will still be some leftovers that need to be removed using CFScript function.
If you like, we can take a look at the log to make sure it's clean.

But if you're happy with everything and don't want to show us the logfile, then please uninstall Combofix.
Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

The above command will uninstall combofix and its related files/folder.
Thanks!
0
 

Author Comment

by:dtaylor42863
ID: 21787023
It worked.  You truly are a Guru.  I have attached the CF and Hijack This Logs.  Thanks again for your help.

 
ComboFix 08-06-12.2 - Bogey Dead 6 2008-06-14 19:33:46.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic   6.0.6000.0.1252.1.1033.18.761 [GMT -4:00]
Running from: C:\Users\Bogey Dead 6\Desktop\ComboFix.exe
 * Created a new restore point
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\Windows\Fonts\CALIBRIB.TTF
C:\Windows\system32\awtrPiGY.dll
D:\Autorun.inf
 
.
(((((((((((((((((((((((((   Files Created from 2008-05-14 to 2008-06-14  )))))))))))))))))))))))))))))))
.
 
No new files created in this timespan
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 03:37	---------	d-----w	C:\Program Files\Trend Micro
2008-06-13 22:22	---------	d-----w	C:\ProgramData\Trend Micro
2008-06-13 18:13	---------	d-----w	C:\Program Files\Canon
2008-06-13 10:27	10,752	----a-w	C:\Windows\DCEBoot.exe
2008-06-12 11:06	174	--sha-w	C:\Program Files\desktop.ini
2008-06-12 11:00	---------	d-----w	C:\Program Files\Windows Mail
2008-06-12 11:00	---------	d-----w	C:\Program Files\Windows Calendar
2008-06-12 10:59	---------	d-----w	C:\Program Files\Windows Sidebar
2008-06-12 10:59	---------	d-----w	C:\Program Files\Windows Defender
2008-06-12 07:17	87,040	----a-w	C:\Windows\System32\msoert2.dll
2008-06-12 07:17	39,424	----a-w	C:\Windows\System32\ACCTRES.dll
2008-06-12 07:17	205,824	----a-w	C:\Windows\System32\msoeacct.dll
2008-06-12 07:16	704,000	----a-w	C:\Windows\System32\PhotoScreensaver.scr
2008-06-12 07:16	258,232	----a-w	C:\Windows\system32\drivers\acpi.sys
2008-06-12 07:16	24,064	----a-w	C:\Windows\System32\wtsapi32.dll
2008-06-12 07:15	67,584	----a-w	C:\Windows\System32\wlanhlp.dll
2008-06-12 07:15	542,720	----a-w	C:\Windows\System32\sysmain.dll
2008-06-12 07:15	502,784	----a-w	C:\Windows\System32\wlansvc.dll
2008-06-12 07:15	47,104	----a-w	C:\Windows\System32\wlanapi.dll
2008-06-12 07:15	297,984	----a-w	C:\Windows\System32\wlansec.dll
2008-06-12 07:15	290,816	----a-w	C:\Windows\System32\wlanmsm.dll
2008-06-12 07:15	2,923,520	----a-w	C:\Windows\explorer.exe
2008-06-12 07:14	194,560	----a-w	C:\Windows\System32\WebClnt.dll
2008-06-12 07:14	110,080	----a-w	C:\Windows\system32\drivers\mrxdav.sys
2008-06-12 07:12	49,664	----a-w	C:\Windows\System32\csrsrv.dll
2008-06-12 07:12	376,320	----a-w	C:\Windows\System32\winsrv.dll
2008-06-12 07:07	41,984	----a-w	C:\Windows\system32\drivers\monitor.sys
2008-06-12 07:07	1,060,920	----a-w	C:\Windows\system32\drivers\ntfs.sys
2008-06-12 07:05	374,456	----a-w	C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-06-12 07:03	414,208	----a-w	C:\Windows\System32\msscp.dll
2008-06-12 07:02	8,147,968	----a-w	C:\Windows\System32\wmploc.DLL
2008-06-12 07:02	7,680	----a-w	C:\Windows\System32\spwmp.dll
2008-06-12 07:01	4,096	----a-w	C:\Windows\System32\dxmasf.dll
2008-06-12 07:01	356,864	----a-w	C:\Windows\System32\MediaMetadataHandler.dll
2008-06-12 07:00	86,016	----a-w	C:\Windows\System32\icfupgd.dll
2008-06-12 07:00	63,488	----a-w	C:\Windows\system32\drivers\mpsdrv.sys
2008-06-12 07:00	61,952	----a-w	C:\Windows\System32\cmifw.dll
2008-06-12 07:00	396,800	----a-w	C:\Windows\System32\MPSSVC.dll
2008-06-12 07:00	392,192	----a-w	C:\Windows\System32\FirewallAPI.dll
2008-06-12 07:00	23,040	----a-w	C:\Windows\system32\drivers\tunnel.sys
2008-06-12 07:00	178,688	----a-w	C:\Windows\System32\iphlpsvc.dll
2008-06-12 07:00	16,896	----a-w	C:\Windows\System32\wfapigp.dll
2008-06-12 07:00	15,360	----a-w	C:\Windows\system32\drivers\TUNMP.SYS
2008-06-12 06:57	45,112	----a-w	C:\Windows\system32\drivers\pciidex.sys
2008-06-12 06:57	3,504,696	----a-w	C:\Windows\System32\ntkrnlpa.exe
2008-06-12 06:57	3,470,392	----a-w	C:\Windows\System32\ntoskrnl.exe
2008-06-12 06:57	211,000	----a-w	C:\Windows\system32\drivers\volsnap.sys
2008-06-12 06:57	21,560	----a-w	C:\Windows\system32\drivers\atapi.sys
2008-06-12 06:57	154,624	----a-w	C:\Windows\system32\drivers\nwifi.sys
2008-06-12 06:57	15,928	----a-w	C:\Windows\system32\drivers\pciide.sys
2008-06-12 06:57	109,624	----a-w	C:\Windows\system32\drivers\ataport.sys
2008-06-12 06:55	104,448	----a-w	C:\Windows\System32\DWWIN.EXE
2008-06-12 06:54	2,048	----a-w	C:\Windows\System32\msxml3r.dll
2008-06-12 06:54	1,191,936	----a-w	C:\Windows\System32\msxml3.dll
2008-06-12 06:53	8,704	----a-w	C:\Windows\System32\hcrstco.dll
2008-06-12 06:53	8,704	----a-w	C:\Windows\System32\hccoin.dll
2008-06-12 06:53	73,216	----a-w	C:\Windows\system32\drivers\usbccgp.sys
2008-06-12 06:53	5,888	----a-w	C:\Windows\system32\drivers\usbd.sys
2008-06-12 06:53	38,400	----a-w	C:\Windows\system32\drivers\usbehci.sys
2008-06-12 06:53	224,768	----a-w	C:\Windows\system32\drivers\usbport.sys
2008-06-12 06:53	192,000	----a-w	C:\Windows\system32\drivers\usbhub.sys
2008-06-12 06:53	19,456	----a-w	C:\Windows\system32\drivers\usbohci.sys
2008-06-12 06:50	806,400	----a-w	C:\Windows\system32\drivers\tcpip.sys
2008-06-12 06:50	24,064	----a-w	C:\Windows\System32\netcfg.exe
2008-06-12 06:50	22,016	----a-w	C:\Windows\System32\netiougc.exe
2008-06-12 06:50	217,144	----a-w	C:\Windows\system32\drivers\netio.sys
2008-06-12 06:50	167,424	----a-w	C:\Windows\System32\tcpipcfg.dll
2008-06-12 06:41	1,585,664	----a-w	C:\Windows\System32\setupapi.dll
2008-06-12 06:39	613,888	----a-w	C:\Windows\System32\wpd_ci.dll
2008-06-12 06:39	40,960	----a-w	C:\Windows\System32\srclient.dll
2008-06-12 06:39	371,712	----a-w	C:\Windows\System32\srcore.dll
2008-06-12 06:39	313,856	----a-w	C:\Windows\System32\rstrui.exe
2008-06-12 06:39	16,384	----a-w	C:\Windows\System32\srdelayed.exe
2008-06-12 06:33	2,027,008	----a-w	C:\Windows\System32\win32k.sys
2008-06-12 06:32	---------	d-----w	C:\Program Files\CONEXANT
2008-06-12 06:31	9,728	----a-w	C:\Windows\System32\LAPRXY.DLL
2008-06-12 06:31	296,448	----a-w	C:\Windows\System32\gdi32.dll
2008-06-12 06:31	223,232	----a-w	C:\Windows\System32\WMASF.DLL
2008-06-12 06:31	2,048	----a-w	C:\Windows\System32\asferror.dll
2008-06-12 06:29	57,856	----a-w	C:\Windows\System32\SLUINotify.dll
2008-06-12 06:29	566,784	----a-w	C:\Windows\System32\SLCommDlg.dll
2008-06-12 06:29	39,936	----a-w	C:\Windows\System32\slcinst.dll
2008-06-12 06:29	351,232	----a-w	C:\Windows\System32\SLUI.exe
2008-06-12 06:29	33,280	----a-w	C:\Windows\System32\slwmi.dll
2008-06-12 06:29	268,288	----a-w	C:\Windows\System32\mcbuilder.exe
2008-06-12 06:29	223,232	----a-w	C:\Windows\System32\SLC.dll
2008-06-12 06:29	2,605,568	----a-w	C:\Windows\System32\SLsvc.exe
2008-06-12 06:29	186,368	----a-w	C:\Windows\System32\SLLUA.exe
2008-06-12 06:28	2,048	----a-w	C:\Windows\System32\msxml6r.dll
2008-06-12 06:28	1,335,296	----a-w	C:\Windows\System32\msxml6.dll
2008-06-12 06:25	84,480	----a-w	C:\Windows\System32\INETRES.dll
2008-06-12 06:25	737,792	----a-w	C:\Windows\System32\inetcomm.dll
2008-06-12 06:24	14,848	----a-w	C:\Windows\System32\wshrm.dll
2008-06-12 06:24	113,664	----a-w	C:\Windows\system32\drivers\rmcast.sys
2008-06-12 06:24	11,776	----a-w	C:\Windows\System32\sbunattend.exe
2008-06-12 06:22	83,968	----a-w	C:\Windows\System32\dnsrslvr.dll
2008-06-12 06:22	24,576	----a-w	C:\Windows\System32\dnscacheugc.exe
2008-06-12 06:22	---------	d-----w	C:\Program Files\Common Files\Macromedia
2008-06-12 06:21	53,760	----a-w	C:\Windows\system32\drivers\hdaudbus.sys
2008-06-12 06:20	84,992	----a-w	C:\Windows\system32\drivers\srvnet.sys
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2008-02-15 07:38 103760]
 
[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-06-12 02:24 1232896]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-16 01:02 492808]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
 
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;C:\Windows\system32\DRIVERS\tmlwf.sys [2008-02-16 01:01]
R2 tmwfp;Trend Micro WFP Callout Driver;C:\Windows\system32\DRIVERS\tmwfp.sys [2008-02-16 01:01]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 03:36]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork	REG_MULTI_SZ   	PLA DPS BFE mpssvc
 
*Newly Created Service* - CATCHME
.
**************************************************************************
 
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 19:39:14
Windows 6.0.6000  NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
Completion time: 2008-06-14 19:43:33
ComboFix-quarantined-files.txt  2008-06-14 23:43:29
 
      The system cannot find message text for message number 0x2379 in the message file for Application.
      The system cannot find message text for message number 0x2379 in the message file for Application.
 
172	--- E O F ---	2008-06-14 05:31:50


Hijack-This-Log-after-CF-Run.txt
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21892538
I'm terribly sorry, please forgive my late reply. I've lost the alert of this somehow.

Hijackthis log is clean.
C:\Windows\DCEBoot.exe <-- this file can be deleted.


If you'd like, check out TonyKlein's article, "How Did I Get Infected in the First Place?":
http://www.castlecops.com/postlite7736-.html

Also a couple of temp folder cleaners you can use if you haven't yet:
Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

OR:
CCleaner:
http://www.ccleaner.com/download/

Again, I'm sorry for my late reply.

Thanks.
Happy and safe computing!

0
