dtaylor42863 (United States) asked:
Take Over of Internet Browser

In the last week, each time I access the Web, within 1 minute of being online, two new web pages will appear.  Neither page accesses any content.  The message I get from IE is "HTTP Error 404 - File or Directory not found."   I am not initiating this action. Also, I am getting "pop-up" web pages without clicking any links.

I reinstalled Windows Vista to stop the problem.  I also installed Trend Micro but it only blocks some pop-ups rather than all of them.   My IE Pop-Up Blocker is enabled; so is my IE Phishing monitor.

What is happening here? How do I fix it? Thanks.      
rpggamergirl (Australia) replied:

Show us a Hijackthis log first so we can check what specific infection is present in the system and we can suggest the right tool to fix it.

Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.
Please attach the logfile as "Code Snippet".
dtaylor42863 (asker) replied:

Done.  
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:14 PM, on 6/13/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrPiGY.dll,#1
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\vtUkhGvW.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\qoMgfcax.dll,#1
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [BMdb67e695] Rundll32.exe "C:\Users\BOGEYD~1\AppData\Local\Temp\cuxqkjkb.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O13 - Gopher Prefix: 
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.7.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
 
--
End of file - 6679 bytes
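The expert's request above turns on reading the O4 autostart lines of that HijackThis log. What follows is an added example, not code from the thread and not part of HijackThis: a small Python triage script that parses O4 Run entries (the sample input is the O4 lines copied from the log posted above) and flags DLLs launched through rundll32.exe using the signals a responder looks for in a Vundo-style log: a DLL path under a user-writable Temp directory, an entry point given as an ordinal (`#1`) or a one-letter export (`,c`, `,s`), and, as a weaker signal, a random-looking mixed-case file name. The strong/weak split, the case-transition threshold and the function names are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample input: O4 lines copied verbatim from the HijackThis log
# posted in this thread. Raw string, because the paths contain "\U" and
# other sequences a normal string literal would mangle.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtrPiGY.dll,#1
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\vtUkhGvW.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BOGEYD~1\AppData\Local\Temp\qoMgfcax.dll,#1
O4 - HKCU\..\Run: [BMdb67e695] Rundll32.exe "C:\Users\BOGEYD~1\AppData\Local\Temp\cuxqkjkb.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# "O4 - <hive>\..\Run: [<name>] <command>" with an optional "(User '...')" suffix.
RUN_ENTRY = re.compile(
    r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# rundll32 invoked bare or with a full path, optionally quoted.
RUNDLL = re.compile(r'^"?(?:[A-Za-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<args>.+)$', re.I)
TEMP_DIR = re.compile(r"\\Temp\\", re.I)            # any ...\Temp\ component
OPAQUE_EXPORT = re.compile(r"^(?:#\d+|[A-Za-z])$")   # ordinal or single letter


@dataclass
class Finding:
    hive: str
    name: str
    dll: str
    export: str
    reasons: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Assumption: any strong reason is enough; a weak reason alone means "review".
        if any(not r.startswith("weak:") for r in self.reasons):
            return "suspicious"
        return "review" if self.reasons else "ok"


def split_rundll_args(args: str) -> Tuple[str, str]:
    """Split 'path\\x.dll,Export' (path optionally quoted) into (dll, export)."""
    args = args.strip()
    if args.startswith('"'):
        close = args.find('"', 1)
        close = len(args) if close < 0 else close
        dll, rest = args[1:close], args[close + 1:]
    else:
        dll, comma, tail = args.partition(",")
        rest = comma + tail
    export = rest[1:].strip() if rest.startswith(",") else ""
    return dll, export


def looks_random(dll: str) -> bool:
    """Weak signal: 6-10 letters with several upper/lower case flips (awtrPiGY)."""
    stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not re.fullmatch(r"[A-Za-z]{6,10}", stem):
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return flips >= 2


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per rundll32-loaded O4 Run entry, with its reasons."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_ENTRY.match(line.strip())
        if not m:
            continue  # Global Startup shortcuts and non-O4 lines are out of scope here
        r = RUNDLL.match(m["cmd"].strip())
        if not r:
            continue  # only rundll32-hosted DLLs are scored by this script
        dll, export = split_rundll_args(r["args"])
        f = Finding(m["hive"], m["name"], dll, export)
        if TEMP_DIR.search(dll):
            f.reasons.append("DLL lives in a user-writable Temp directory")
        if OPAQUE_EXPORT.match(export):
            f.reasons.append(f"entry point {export!r} is an ordinal or one-letter export")
        if looks_random(dll):
            f.reasons.append("weak: random-looking mixed-case file name")
        findings.append(f)
    return findings


def suspicious_dlls(log_text: str) -> List[str]:
    """Sorted base names of DLLs whose verdict is 'suspicious'."""
    return sorted(f.dll.rsplit("\\", 1)[-1] for f in triage(log_text) if f.verdict == "suspicious")


if __name__ == "__main__":
    for f in triage(SAMPLE_O4):
        print(f"{f.verdict:10} {f.hive:14} [{f.name}] {f.dll},{f.export}")
        for reason in f.reasons:
            print(f"           - {reason}")
```

Run against the posted log this marks the four rundll32 loads (awtrPiGY.dll in system32, and vtUkhGvW.dll, qoMgfcax.dll, cuxqkjkb.dll in the user's Temp folder) and leaves the Welcome Center entry alone; note that ComboFix's "Other Deletions" list further down confirms awtrPiGY.dll was what it removed from system32. The script is a first-pass filter for a human reading the log, not a cleaner: it only scores O4 Run entries hosted by rundll32, so BHOs (O2), services (O23) and plain .exe autostarts still need eyes on them.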


ASKER CERTIFIED SOLUTION by rpggamergirl (Australia)

SOLUTION
Great job again. Hats off to Experts Exchange.
Glad to know that the problem has been resolved.

Would you like to attach the CF log? Sometimes with vundo infection there will still be some leftovers that need to be removed using CFScript function.
If you like, we can take a look at the log to make sure it's clean.

But if you're happy with everything and don't want to show us the logfile, then please uninstall Combofix.
Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

The above command will uninstall combofix and its related files/folder.
Thanks!
It worked.  You truly are a Guru.  I have attached the CF and Hijack This Logs.  Thanks again for your help.

 
ComboFix 08-06-12.2 - Bogey Dead 6 2008-06-14 19:33:46.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic   6.0.6000.0.1252.1.1033.18.761 [GMT -4:00]
Running from: C:\Users\Bogey Dead 6\Desktop\ComboFix.exe
 * Created a new restore point
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\Windows\Fonts\CALIBRIB.TTF
C:\Windows\system32\awtrPiGY.dll
D:\Autorun.inf
 
.
(((((((((((((((((((((((((   Files Created from 2008-05-14 to 2008-06-14  )))))))))))))))))))))))))))))))
.
 
No new files created in this timespan
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 03:37	---------	d-----w	C:\Program Files\Trend Micro
2008-06-13 22:22	---------	d-----w	C:\ProgramData\Trend Micro
2008-06-13 18:13	---------	d-----w	C:\Program Files\Canon
2008-06-13 10:27	10,752	----a-w	C:\Windows\DCEBoot.exe
2008-06-12 11:06	174	--sha-w	C:\Program Files\desktop.ini
2008-06-12 11:00	---------	d-----w	C:\Program Files\Windows Mail
2008-06-12 11:00	---------	d-----w	C:\Program Files\Windows Calendar
2008-06-12 10:59	---------	d-----w	C:\Program Files\Windows Sidebar
2008-06-12 10:59	---------	d-----w	C:\Program Files\Windows Defender
2008-06-12 07:17	87,040	----a-w	C:\Windows\System32\msoert2.dll
2008-06-12 07:17	39,424	----a-w	C:\Windows\System32\ACCTRES.dll
2008-06-12 07:17	205,824	----a-w	C:\Windows\System32\msoeacct.dll
2008-06-12 07:16	704,000	----a-w	C:\Windows\System32\PhotoScreensaver.scr
2008-06-12 07:16	258,232	----a-w	C:\Windows\system32\drivers\acpi.sys
2008-06-12 07:16	24,064	----a-w	C:\Windows\System32\wtsapi32.dll
2008-06-12 07:15	67,584	----a-w	C:\Windows\System32\wlanhlp.dll
2008-06-12 07:15	542,720	----a-w	C:\Windows\System32\sysmain.dll
2008-06-12 07:15	502,784	----a-w	C:\Windows\System32\wlansvc.dll
2008-06-12 07:15	47,104	----a-w	C:\Windows\System32\wlanapi.dll
2008-06-12 07:15	297,984	----a-w	C:\Windows\System32\wlansec.dll
2008-06-12 07:15	290,816	----a-w	C:\Windows\System32\wlanmsm.dll
2008-06-12 07:15	2,923,520	----a-w	C:\Windows\explorer.exe
2008-06-12 07:14	194,560	----a-w	C:\Windows\System32\WebClnt.dll
2008-06-12 07:14	110,080	----a-w	C:\Windows\system32\drivers\mrxdav.sys
2008-06-12 07:12	49,664	----a-w	C:\Windows\System32\csrsrv.dll
2008-06-12 07:12	376,320	----a-w	C:\Windows\System32\winsrv.dll
2008-06-12 07:07	41,984	----a-w	C:\Windows\system32\drivers\monitor.sys
2008-06-12 07:07	1,060,920	----a-w	C:\Windows\system32\drivers\ntfs.sys
2008-06-12 07:05	374,456	----a-w	C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-06-12 07:03	414,208	----a-w	C:\Windows\System32\msscp.dll
2008-06-12 07:02	8,147,968	----a-w	C:\Windows\System32\wmploc.DLL
2008-06-12 07:02	7,680	----a-w	C:\Windows\System32\spwmp.dll
2008-06-12 07:01	4,096	----a-w	C:\Windows\System32\dxmasf.dll
2008-06-12 07:01	356,864	----a-w	C:\Windows\System32\MediaMetadataHandler.dll
2008-06-12 07:00	86,016	----a-w	C:\Windows\System32\icfupgd.dll
2008-06-12 07:00	63,488	----a-w	C:\Windows\system32\drivers\mpsdrv.sys
2008-06-12 07:00	61,952	----a-w	C:\Windows\System32\cmifw.dll
2008-06-12 07:00	396,800	----a-w	C:\Windows\System32\MPSSVC.dll
2008-06-12 07:00	392,192	----a-w	C:\Windows\System32\FirewallAPI.dll
2008-06-12 07:00	23,040	----a-w	C:\Windows\system32\drivers\tunnel.sys
2008-06-12 07:00	178,688	----a-w	C:\Windows\System32\iphlpsvc.dll
2008-06-12 07:00	16,896	----a-w	C:\Windows\System32\wfapigp.dll
2008-06-12 07:00	15,360	----a-w	C:\Windows\system32\drivers\TUNMP.SYS
2008-06-12 06:57	45,112	----a-w	C:\Windows\system32\drivers\pciidex.sys
2008-06-12 06:57	3,504,696	----a-w	C:\Windows\System32\ntkrnlpa.exe
2008-06-12 06:57	3,470,392	----a-w	C:\Windows\System32\ntoskrnl.exe
2008-06-12 06:57	211,000	----a-w	C:\Windows\system32\drivers\volsnap.sys
2008-06-12 06:57	21,560	----a-w	C:\Windows\system32\drivers\atapi.sys
2008-06-12 06:57	154,624	----a-w	C:\Windows\system32\drivers\nwifi.sys
2008-06-12 06:57	15,928	----a-w	C:\Windows\system32\drivers\pciide.sys
2008-06-12 06:57	109,624	----a-w	C:\Windows\system32\drivers\ataport.sys
2008-06-12 06:55	104,448	----a-w	C:\Windows\System32\DWWIN.EXE
2008-06-12 06:54	2,048	----a-w	C:\Windows\System32\msxml3r.dll
2008-06-12 06:54	1,191,936	----a-w	C:\Windows\System32\msxml3.dll
2008-06-12 06:53	8,704	----a-w	C:\Windows\System32\hcrstco.dll
2008-06-12 06:53	8,704	----a-w	C:\Windows\System32\hccoin.dll
2008-06-12 06:53	73,216	----a-w	C:\Windows\system32\drivers\usbccgp.sys
2008-06-12 06:53	5,888	----a-w	C:\Windows\system32\drivers\usbd.sys
2008-06-12 06:53	38,400	----a-w	C:\Windows\system32\drivers\usbehci.sys
2008-06-12 06:53	224,768	----a-w	C:\Windows\system32\drivers\usbport.sys
2008-06-12 06:53	192,000	----a-w	C:\Windows\system32\drivers\usbhub.sys
2008-06-12 06:53	19,456	----a-w	C:\Windows\system32\drivers\usbohci.sys
2008-06-12 06:50	806,400	----a-w	C:\Windows\system32\drivers\tcpip.sys
2008-06-12 06:50	24,064	----a-w	C:\Windows\System32\netcfg.exe
2008-06-12 06:50	22,016	----a-w	C:\Windows\System32\netiougc.exe
2008-06-12 06:50	217,144	----a-w	C:\Windows\system32\drivers\netio.sys
2008-06-12 06:50	167,424	----a-w	C:\Windows\System32\tcpipcfg.dll
2008-06-12 06:41	1,585,664	----a-w	C:\Windows\System32\setupapi.dll
2008-06-12 06:39	613,888	----a-w	C:\Windows\System32\wpd_ci.dll
2008-06-12 06:39	40,960	----a-w	C:\Windows\System32\srclient.dll
2008-06-12 06:39	371,712	----a-w	C:\Windows\System32\srcore.dll
2008-06-12 06:39	313,856	----a-w	C:\Windows\System32\rstrui.exe
2008-06-12 06:39	16,384	----a-w	C:\Windows\System32\srdelayed.exe
2008-06-12 06:33	2,027,008	----a-w	C:\Windows\System32\win32k.sys
2008-06-12 06:32	---------	d-----w	C:\Program Files\CONEXANT
2008-06-12 06:31	9,728	----a-w	C:\Windows\System32\LAPRXY.DLL
2008-06-12 06:31	296,448	----a-w	C:\Windows\System32\gdi32.dll
2008-06-12 06:31	223,232	----a-w	C:\Windows\System32\WMASF.DLL
2008-06-12 06:31	2,048	----a-w	C:\Windows\System32\asferror.dll
2008-06-12 06:29	57,856	----a-w	C:\Windows\System32\SLUINotify.dll
2008-06-12 06:29	566,784	----a-w	C:\Windows\System32\SLCommDlg.dll
2008-06-12 06:29	39,936	----a-w	C:\Windows\System32\slcinst.dll
2008-06-12 06:29	351,232	----a-w	C:\Windows\System32\SLUI.exe
2008-06-12 06:29	33,280	----a-w	C:\Windows\System32\slwmi.dll
2008-06-12 06:29	268,288	----a-w	C:\Windows\System32\mcbuilder.exe
2008-06-12 06:29	223,232	----a-w	C:\Windows\System32\SLC.dll
2008-06-12 06:29	2,605,568	----a-w	C:\Windows\System32\SLsvc.exe
2008-06-12 06:29	186,368	----a-w	C:\Windows\System32\SLLUA.exe
2008-06-12 06:28	2,048	----a-w	C:\Windows\System32\msxml6r.dll
2008-06-12 06:28	1,335,296	----a-w	C:\Windows\System32\msxml6.dll
2008-06-12 06:25	84,480	----a-w	C:\Windows\System32\INETRES.dll
2008-06-12 06:25	737,792	----a-w	C:\Windows\System32\inetcomm.dll
2008-06-12 06:24	14,848	----a-w	C:\Windows\System32\wshrm.dll
2008-06-12 06:24	113,664	----a-w	C:\Windows\system32\drivers\rmcast.sys
2008-06-12 06:24	11,776	----a-w	C:\Windows\System32\sbunattend.exe
2008-06-12 06:22	83,968	----a-w	C:\Windows\System32\dnsrslvr.dll
2008-06-12 06:22	24,576	----a-w	C:\Windows\System32\dnscacheugc.exe
2008-06-12 06:22	---------	d-----w	C:\Program Files\Common Files\Macromedia
2008-06-12 06:21	53,760	----a-w	C:\Windows\system32\drivers\hdaudbus.sys
2008-06-12 06:20	84,992	----a-w	C:\Windows\system32\drivers\srvnet.sys
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2008-02-15 07:38 103760]
 
[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-06-12 02:24 1232896]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-16 01:02 492808]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
 
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;C:\Windows\system32\DRIVERS\tmlwf.sys [2008-02-16 01:01]
R2 tmwfp;Trend Micro WFP Callout Driver;C:\Windows\system32\DRIVERS\tmwfp.sys [2008-02-16 01:01]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 03:36]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork	REG_MULTI_SZ   	PLA DPS BFE mpssvc
 
*Newly Created Service* - CATCHME
.
**************************************************************************
 
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 19:39:14
Windows 6.0.6000  NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
Completion time: 2008-06-14 19:43:33
ComboFix-quarantined-files.txt  2008-06-14 23:43:29
 
      The system cannot find message text for message number 0x2379 in the message file for Application.
      The system cannot find message text for message number 0x2379 in the message file for Application.
 
172	--- E O F ---	2008-06-14 05:31:50


Hijack-This-Log-after-CF-Run.txt
I'm terribly sorry, please forgive my late reply. I've lost the alert of this somehow.

Hijackthis log is clean.
C:\Windows\DCEBoot.exe <-- this file can be deleted.


If you'd like to check out TonyKlein's article, "How Did I Get Infected in the First Place?":
http://www.castlecops.com/postlite7736-.html

Also a couple of temp folder cleaners you can use if you haven't yet:
Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, click No at the prompt to keep saved passwords.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

OR:
CCleaner:
http://www.ccleaner.com/download/

Again, I'm sorry for my late reply.

Thanks.
Happy and safe computing!