
I have been reading some of the other posts because about a month ago I had the "free spyware" program that popped up on my computer and took over. I remember reading that it was some type of rootkit. I used several of the suggestions that were listed in other logs. I have Windows XP SP3 and I run Trend Micro. I have added Spybot and Windows Defender, and I have not been able to download HijackThis until today. I previously ran ComboFix once on 3/19 and I posted the log here a few days ago, but I got no response. Please help me figure out if there are still any remnants of any virus/malware on my system. Here is the HijackThis log I just ran:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:03 PM, on 4/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
C:\Documents and Settings\Jill\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MMklkl - {1428A472-5260-404E-9977-7ECDF1DAF936} - C:\WINDOWS\system32\mukmil.dll
O2 - BHO: (no name) - {2502BBD0-D73B-11DD-B4EC-CEBF56D89593} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: Free WebSite Tools.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk.disabled
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183932664531
O20 - Winlogon Notify: bbfedbbfedfccdbee - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe

--
End of file - 8322 bytes


Also, please let me know if there is anything else I need to run or do to give you more information. Thanks!

3 contributors, 28 replies, 29 views, 8 years discussion span, last post by jholland1964

First of all, a big word... CAUTION... you should never run ComboFix unless first directed to do so by a helper. It can do severe damage to the computer if run at the wrong time.
First thing to do now is:
Disable Spybot's TeaTimer, as it will interfere with fixes done.

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

Next do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* Double-click mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer.
Run a new HJT scan and save the log. Post back here with the MBA-M log and the HJT log.
Judy


Here is the Malwarebytes log. I'm going to restart and then run hijack this and then post that log. Thanks! Jill

Malwarebytes' Anti-Malware 1.36
Database version: 1970
Windows 5.1.2600 Service Pack 3

4/12/2009 9:38:30 PM
mbam-log-2009-04-12 (21-38-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 146195
Time elapsed: 1 hour(s), 44 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 29
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ddsme.kl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ddsme.kl.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mmkl.kl (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8f054dfd-c8b5-450b-99c9-f2c5d7e33ac3} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a88271fd-3162-4789-b742-ccc7f78abcd3} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1428a472-5260-404e-9977-7ecdf1daf936} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1428a472-5260-404e-9977-7ecdf1daf936} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1428a472-5260-404e-9977-7ecdf1daf936} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mmkl.kl.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{624f9012-d73b-11dd-95af-61c156d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{52cde0e4-d73b-11dd-9b90-fcc056d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2502bbd0-d73b-11dd-b4ec-cebf56d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\mukmil.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\fdcebceaaf.dll (Trojan.Agent) -> Quarantined and deleted successfully.


Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:09 PM, on 4/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
C:\Documents and Settings\Jill\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183932664531
O20 - Winlogon Notify: bbfedbbfedfccdbee - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe

--
End of file - 6662 bytes


Looks much better. One of the items found was MyWebSearch. You need to do the following just to be certain there are no remainders:
Go to Start, Control Panel, Add/Remove and look for any of the following:

My Web Search (Smiley Central or FWP product as applicable)
My Way Speedbar (Smiley Central or other FWP as applicable)
My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
Search Assistant - My Way
FunWebProducts.
Uninstall any of the above items you may find there. If you DON'T find any, that is fine. We just want to be certain.

Once you have done the uninstalls then run HJT again and place a check mark next to the following entries if they remain:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

O20 - Winlogon Notify: bbfedbbfedfccdbee - C:\WINDOWS\

Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot the computer and run a new HJT scan and post that log back here.
Judy
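As an added example (not part of the thread, and not HijackThis' own code), the following Python script does by hand what Judy did by eye above: it pulls the R/O scan entries out of a HijackThis log, flags the kinds of entries she called out (a BHO whose DLL is gone or whose name looks machine-generated, a Winlogon Notify hook that points at a bare directory instead of a DLL, a start/search page that is not the stock Microsoft default), and diffs two logs to show what a cleanup removed. The two log excerpts are constructed from the first two logs posted in this thread, the vowel-ratio and hex-alphabet thresholds in `looks_random` are my own heuristics, and the output is a review list, not a delete list.

```python
import re

# A HijackThis log has a header, a "Running processes" list, then one scan entry per line
# whose prefix (R0, R1, O2, O4, O20, O23, ...) names the kind of hook it describes.
HJT_ENTRY = re.compile(r"^(?P<kind>[RFO]\d+) - ")

# Stock IE defaults that HijackThis lists but that need no action.
KNOWN_DEFAULT_URLS = ("http://go.microsoft.com/fwlink/",)

VOWELS = set("aeiouAEIOU")

# Constructed excerpts modelled on the first two logs posted in this thread (not the full logs).
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MMklkl - {1428A472-5260-404E-9977-7ECDF1DAF936} - C:\WINDOWS\system32\mukmil.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O20 - Winlogon Notify: bbfedbbfedfccdbee - C:\WINDOWS\
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O20 - Winlogon Notify: bbfedbbfedfccdbee - C:\WINDOWS\
"""


def parse_hjt(text):
    """Return the scan entries of a log, skipping the header and the process list."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if HJT_ENTRY.match(ln)]


def looks_random(name):
    """Crude check for machine-generated names: almost no vowels, or long and drawn only from a-f."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    hex_only = all(c.lower() in "abcdef" for c in letters)
    return vowel_ratio < 0.2 or (hex_only and len(letters) >= 8)


def flag_entry(entry):
    """Return a reason to review this entry, or None if nothing stands out."""
    kind, body = entry.split(" - ", 1)
    if kind == "O2":
        # O2 - BHO: <name> - {CLSID} - <dll path | "(no file)">
        parts = body[len("BHO: "):].split(" - ")
        name, target = parts[0], parts[-1]
        if target == "(no file)":
            return "orphaned BHO registration: the DLL is gone but the CLSID is still registered"
        dll_base = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(name) or looks_random(dll_base):
            return "BHO with a machine-generated-looking name"
    elif kind == "O20":
        # O20 - Winlogon Notify: <name> - <dll path>
        name, _, target = body[len("Winlogon Notify: "):].partition(" - ")
        if target.endswith("\\") or looks_random(name):
            return "Winlogon Notify hook with no DLL behind it, or with a random name"
    elif kind in ("R0", "R1"):
        # R0/R1 - <registry key>,<value name> = <url>
        _, _, value = body.partition(" = ")
        value = value.strip()
        if value and not value.startswith(KNOWN_DEFAULT_URLS):
            return "browser start/search setting is not a stock default; confirm it is yours"
    return None


def triage(text):
    """Run the heuristics over a whole log; returns [(entry, reason), ...] for entries worth a look."""
    findings = []
    for entry in parse_hjt(text):
        reason = flag_entry(entry)
        if reason:
            findings.append((entry, reason))
    return findings


def diff_logs(before, after):
    """Entries that disappeared between two logs, and entries that are new in the second."""
    old, new = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for entry, reason in triage(LOG_BEFORE):
        print(f"[review] {entry}\n         {reason}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nGone after cleanup:", *removed, sep="\n  ")
    print("New since cleanup:", *added, sep="\n  ")
```

To use it on real logs, read the two saved HJT text files into `LOG_BEFORE` and `LOG_AFTER`. Two design points: the `(no file)` and bare-directory checks are reliable, because HijackThis has already verified the path; the random-name check is deliberately loose and will miss names that happen to contain vowels (the `mukmil.dll` above is caught only through its BHO name), so treat a quiet result as "nothing obvious", not "clean".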


Your HijackThis log looks clean, there's just one thing I found..

O20 - Winlogon Notify: bbfedbbfedfccdbee - C:\WINDOWS\

Fix it by checking the box next to the entry and clicking 'fix checked'... search for a file named bbfedbbfedfccdbee.dll inside C:/Windows/system32; if it exists, delete it, restart and run HijackThis... If you still see that the file exists, then download the application below and delete the file using it..

UltraShredder


> Your HijackThis log looks clean, there's just one thing I found..
>
> O20 - Winlogon Notify: bbfedbbfedfccdbee - C:\WINDOWS\
>
> Fix it by checking the box next to the entry and clicking 'fix checked'... search for a file named bbfedbbfedfccdbee.dll inside C:/Windows/system32; if it exists, delete it, restart and run HijackThis... If you still see that the file exists, then download the application below and delete the file using it..
>
> UltraShredder

The HJT log is NOT completely clean. There are three items noted by me in the previous instructions which should be fixed using HJT.

The file you noted was removed earlier when the poster ran ComboFix, listed in a previous thread. There is NO NEED to download another program for removal. Removal of the HJT entry with HJT will be sufficient.


> The HJT log is NOT completely clean. There are three items noted by me in the previous instructions which should be fixed using HJT.
>
> The file you noted was removed earlier when the poster ran ComboFix, listed in a previous thread. There is NO NEED to download another program for removal. Removal of the HJT entry with HJT will be sufficient.

Yeah, sure, I agree. I saw your post and the other two entries and realised I unknowingly overlooked them, my bad :)


> Godsp3ed, you really need to do some better research before posting information.

Yeah, I surely do my research before posting. I respect the fact that you are more senior than me here, but that doesn't provide you priority to judge at what level I am. I have provided what I feel and you have done what you feel; no one is perfect. Thank you, and yeah, seriously no offence or hard feelings :)


Here is the new log. I did not find any of the MyWay programs in my add/remove programs menu. Thanks so much for your help Judy! - Jill

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:33 PM, on 4/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jill\Desktop\HiJackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\tsc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183932664531
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe

--
End of file - 6444 bytes


Hi Jill, looks good. A couple of recommendations and I think you are good to go.
First of all, keep the MBA-M program and update and run a Quick Scan with it at least weekly. Be sure to Remove items found.
If anything IS found during the Quick scan then immediately run a Full Scan with it and Remove all found.
Also a MUST-have program, also FREE, is SpywareBlaster. I wouldn't run a computer without it. It blocks malicious ActiveX installs by implementing a "kill bit" to prevent those ActiveX programs with known CLSIDs from being executed.
And unlike many other anti-spy apps, SpywareBlaster does not have to remain running in the background. Very highly recommended! From Javacool Software. Download, install, update and then Enable All protection, including the Restricted Sites portion. Works with both IE and Firefox. Then close the program. Just check weekly for updates and enable any new updates.
Now you should also set a new, clean Restore Point on the computer. To do this Right Click My Computer. Choose Properties. When System Properties opens click the System Restore Tab. Put a check mark in Turn Off system restore. Windows will warn you that you are turning it off. Click ok. It will then turn off. Wait a moment and then turn it back on.
Judy


Hey there Judy. Thank you so much for all your help. I do have a few questions still...I have a backups folder that appeared on my desktop and appears to be a backup of the files that I deleted/fixed from the HijackThis log. Can I delete that? Also, I noticed that there are several programs running on my log that I tried to remove through the Windows Add/Remove Programs. If I do not want them to automatically start up, can I also remove them from the HijackThis log screen? Also, can or should I turn TeaTimer back on? One more...I am now running Spybot, Trend Micro, Windows Defender, and I have the Malwarebytes Anti-Malware and the SpywareBlaster...is this too much? Is there anything else I should add? I use the Windows XP firewall, but should I add another firewall, and will any of these programs interfere with each other?

Thanks again for your help! I really appreciate all your time.

Jill


Yes Jill, you can get rid of that backup folder. As far as the security programs, the one I would actually Uninstall would be Windows Defender. It is just not as powerful or as reliable as MBA-M or Spybot and once in a while it interferes. As far as the TeaTimer, leave it disabled. It truly doesn't do much, as you have seen. Spybot itself is an EXCELLENT program and definitely keep that one and scan with it weekly. Same goes for MBA-M, but be sure you update both programs before doing scans. MBA-M especially actually has updates daily, sometimes more than once a day, so always be sure to update before running.

Also, I noticed that there are several programs running on my log that I tried to remove through the windows add/remove programs.

Which programs are those? Rather than stop programs using HiJackThis I would recommend using this Free program Codestuff Starter. You can stop auto starting programs and also unnecessary auto starting Services using it. It also has a Processes Tab which works much like Task Manager to show you running processes on the computer but it shows much more than Task Manager shows you.
Looking at your HJT log I see the following which can easily be run manually when needed and are not required by the computer or operating system.
BCMSMMSG - this is a voice modem driver. Only required if you are on dial-up.
UserFaultCheck - used in connection with memory dumps.
NvCplDaemon - System Tray icon used to change display settings, change the clock rate and memory speed for nVidia based graphics cards.
Adobe Photo Downloader - from Adobe Photoshop Album.
Those are really the only ones I see that are auto starting that are not required. All of those showing in auto starting Services ARE required to run.
You asked about a Firewall; you already have a Firewall with your Trend Micro Internet Security. You don't need another. If you have the Windows Firewall turned on then it should be turned off. The rule is only ONE anti-virus program and ONE firewall on a system.


Hello Judy. Thanks so much for all your help. I did download Codestuff Starter and disabled only the 3 programs you recommended. I uninstalled Windows Defender and turned off the Windows Firewall (making sure that my Trend Firewall was on first). However, I think there is still something going on with my computer.

Today I got a pop-up from Trend telling me that more than 8,000 changes were made to my computer. I tried to disallow, but I got something from Trend that said that it could not make the changes (back to the original). I have run HJT, but I can't find any of the programs I took off earlier. Also, I went back and deleted the logs (I had remembered that logs could cause problems). I have run Malwarebytes quick and full scan and I ran SpywareBlaster, but nothing showed up on either of those. I just went back to Trend and looked in my changes folder and tried to undo the changes that were made earlier today, and when I closed I got another pop-up that said that it could not make the changes and then Trend closed. Here is my latest HJT log (before I added Codestuff Starter and made changes):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:34 PM, on 4/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\PCCMAIN.EXE
C:\PROGRA~1\TRENDM~1\INTERN~4\PccHCMS.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\PccLog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jill\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183932664531
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe

--
End of file - 7100 bytes


One thing that keeps popping out to me is this DSBroker Service. It's listed under Dell Support, but it has an unknown owner...is that strange? Also, I was trying to go to trend and get a screen shot of the changes that were made, but it hung up again, so I closed it. I'm getting ready to restart and see if I can get trend working normally. Do you have any suggestions as to what is going on? What have I missed? Is there anything I should look for?

Thanks!
Jill


What changes did Trend Micro say had been made? Is there a log available, if so post it. Was this the anti-virus program? Are you sure it said 8000? Don't forget there were a lot of infected files on there. Plus you turned off auto starts and also removed Defender, plus turned off Windows Firewall.

DSBroker Service. It's listed under Dell Support, but it has an unknown owner...is that strange?

No, you see that often.
You DON'T run a scan with SpywareBlaster, it is not a scanner program. Are you certain you downloaded the correct program? It is a protection program ONLY. Don't forget it also has 12,299 items it BLOCKS. Maybe Trend noticed some of those. Did you actually run a scan with Trend Micro...do so please.


Yes, SpywareBlaster is set to protect all; I didn't run a scan. The Trend Micro changes were all in Internet Explorer (5684 changes made to IE) and they were all icky website places. So, I checked them to undo the changes in Trend. My system is running VERY slow. I have been trying to run a scan with Trend, but it locks up...well, let me clarify...it appears to be scanning, but after over an hour, zero targets were scanned. Also, I had this trojan_NOTTY that appeared, and one of the things that has happened is that there appears to be a virus on my F: drive - that's the USB port that my printer, camera card reader and iPod go into on the front of my computer. I am going to see what I can find in my Trend after I post this.


Yes, SpywareBlaster is set to protect all; I didn't run a scan. The Trend Micro changes were all in Internet Explorer (5684 changes made to IE) and they were all icky website places. So, I checked them to undo the changes in Trend. My system is running VERY slow. I have been trying to run a scan with Trend, but it locks up...well, let me clarify...it appears to be scanning, but after over an hour, zero targets were scanned. Also, I had this trojan_NOTTY that appeared, and one of the things that has happened is that there appears to be a virus on my F: drive - that's the USB port that my printer, camera card reader and iPod go into on the front of my computer. I am going to see what I can find in my Trend after I post this.

Tell you what...I am somewhat confused here, because SpywareBlaster BLOCKS all nasty websites and you have a firewall, so why would all these sites suddenly appear in IE? Are you absolutely CERTAIN that these sites had not been ADDED as blocked web sites in IE? OR are you certain these were not removed cookies in IE? I really would like to see the actual wording of these warnings, and maybe I will better understand.
The other thing...a trojan on your F drive...it doesn't mean the USB port, it means whatever is plugged into it at the moment. What was plugged in there when this trojan was found? It would not be the printer; it would have to be either the iPod or the camera card.
Whatever it is, leave it in there. Stop the Trend Micro scan, then update and run a full system scan with MBA-M, INCLUDING whatever is plugged into that F drive, because with your last Full Scan with MBA-M there was no scanning done on this F drive.


5684 changes made to IE) and they were all icky website places.

SpywareBlaster secures your browser against potentially unwanted software and sites; this is why I am wondering if these were the changes that Trend Micro saw, which would actually have been GOOD changes. If so, by undoing them SpywareBlaster has been disabled.
There shouldn't be websites LISTED in IE unless they were either listed as GOOD or BLOCKED; otherwise there aren't sites listed in IE.
With the latest updates SpywareBlaster has 4826 Restricted sites. Meaning if enabled this many sites are BLOCKED in IE.
It also has a total of 7243 ActiveX and Cookies BLOCKED in IE.
I really do think that it is very possible that this is what Trend Micro saw. Can you check SpywareBlaster again and be certain that it is 100% enabled and shows NO protection disabled?


I checked SpywareBlaster again and everything is protected. I have seen these changes before with the same site listed (just before I realized I had a virus...I thought then that the firewall was blocking these sites). I allowed the changes (the Trend firewall thing popped up with suspicious changes to IE), and then I started having the "free spyware scan" thing on my Internet Explorer pages. I have tried to do an attachment because I took a screen shot of my running processes, but I can't seem to get the attachment to work (the button does not want to give me options...again things are running slow, so that could be part of the problem). I am running an MBA-M full scan right now with the iPod plugged in to make sure there is nothing there. The computer is running VERY slow, so I am going to let it run and call it a night. I was able to get the logs from Trend from my firewall and virus or spyware scan, but again, I couldn't get the attachment to work. I looked in my regedit files and even though I have denied the changes the sites are listed under My Computer\HKEY_Local_Machine\Software\Microsoft\windows\currentversion\internet settings\zonemap\domains\007guard.com


Don't attach the logs, we prefer to have them copy/pasted. Prevents possible infection of our computer by having to download and open files from possibly infected computers.
Paste the MBA-M log here when complete. Then do a new HJT scan and post the log here also.
Judy


The MBA-M log was clean. Here is a copy:
Malwarebytes' Anti-Malware 1.36
Database version: 1992
Windows 5.1.2600 Service Pack 3

4/17/2009 5:02:09 AM
mbam-log-2009-04-17 (05-02-09).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 145065
Time elapsed: 3 hour(s), 20 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here is the HJT I just ran:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:23 AM, on 4/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Jill\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183932664531
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~4\tmproxy.exe

--
End of file - 6794 bytes

It looks clean to me...The first two items on the Trend IE changes are the following (I am unable to cut and paste, so I am just retyping what it says):

We have detected the following suspicious changes in your system. Mark the checkboxes beside items you want cleaned or added to your blocked or safe list, then click the appropriate button.

Internet Explorer settings (6056 changes detected)
(Arrow down)http://red.clientapps.yahoo.com/customize/ie/defaults/sbcydsl/*http://www/yahoo.... (I can't see the rest, the window won't let me make it into a full screen and I can't drag the window open any more)

When I highlight the item, the screen below says:
System Change, Risk Level: Low
Description: The search feature in Internet Explorer has changed. The correct page may no longer open when you click the search button or type the address of a web site in the address bar.
Details: Value: (Lists the web address above with .com after yahoo.)

Since my logs appear to be coming up clean is it possible that Trend is picking this up from one of the old log files? Do I need to delete everything from all my log files (virus logs, etc) and quarantined files and restart?


Since my logs appear to be coming up clean is it possible that Trend is picking this up from one of the old log files? Do I need to delete everything from all my log files (virus logs, etc) and quarantined files and restart?

What Trend Micro is telling you is there have been changes made to default settings on Internet Explorer, and there have been. We have removed those bad settings which appeared in your logs...this one that you noted:

Internet Explorer settings (6056 changes detected)
(Arrow down)http://red.clientapps.yahoo.com/cust...tp://www/yahoo....

was one that we removed. This was actually NOT Yahoo but a "click through" search engine, I guess you would call it. What it did was begin to take you to Yahoo search but instead directed you someplace else. It was listed in your 2nd log as this:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

The R1 in front of it indicates this is the default search for your Internet Explorer and the red.clientapps listed before the yahoo indicates it really wasn't yahoo. So this was a BAD one.
I really believe that there is NOTHING on the computer, at least these latest logs are clean. I believe that Trend Micro was notifying you of changes made...it will do this whether the changes are good or bad, it really doesn't know if they are good or bad, just that changes were made.
Now I was concerned because you said this earlier:

I tried to dis-allow, but I got something from Trend that said that it could not make the changes (back to the original).

Now, re-reading what you said, I see that Trend Micro would not let you revert back. That is GOOD. The changes made were the removals of all the infections and Trend Micro would not allow you to go back to the bad settings, so it did its job.
I firmly believe that your system is clean, especially with the scan results. You were very wise to heed these warnings but I want to caution you, when you DO receive these warnings, investigate them thoroughly BEFORE reverting back. But don't ignore them either. If you can and if it would be easier, print them out. Do a google search for items noted to investigate whether the changes should be allowed. But I do believe now these changes noted were the removals we did here.
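
The two reads Judy does by hand in this thread (the non-essential O4 autostarts she picked out of the 4/16 log, and the R1 SearchURL entry above whose host is red.clientapps rather than Yahoo) can be done mechanically. This is an added Python example written for this thread; it is not HijackThis code and not anything Judy or Jill ran. The sample logs are excerpts of the 4/16 and 4/17 logs posted above, except the SearchURL line, which is constructed with a placeholder path because the original was truncated in the post; the severity heuristics are this example's own and only point a human at entries to check.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# One "R1 - ..." or "O4 - ..." entry; the header and running-process list are skipped.
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Hosts IE 7 on XP points at out of the box (these appear in the thread's clean logs).
EXPECTED_BROWSER_HOSTS = {"go.microsoft.com"}


@dataclass(frozen=True)
class Entry:
    section: str  # "R1", "O4", "O23", ...
    body: str     # everything after the "Oxx - " prefix


def parse_hjt(text):
    """Extract the R/O entries from a HijackThis v2 log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def diff_logs(old_text, new_text):
    """Entries that vanished from, and entries that appeared in, a later scan."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))
    key = lambda e: (e.section, e.body)
    return sorted(old - new, key=key), sorted(new - old, key=key)


def triage(entries):
    """Heuristic flags for a human to check: (severity, reason, entry) tuples."""
    findings = []
    for e in entries:
        if e.section in ("R0", "R1"):
            # Body is "HIVE\Key,ValueName = data"; only URL-valued settings are examined.
            _, _, data = e.body.partition(" = ")
            data = data.strip()
            if data.startswith("http"):
                host = urlparse(data).hostname or ""
                if host not in EXPECTED_BROWSER_HOSTS:
                    findings.append(("high", f"IE start/search setting points at {host}", e))
        elif e.section == "O9" and "(file missing)" in e.body:
            findings.append(("low", "toolbar entry whose target no longer exists", e))
        elif e.section in ("O2", "O9") and "(no name)" in e.body:
            findings.append(("info", "unnamed browser add-on; identify the CLSID and DLL", e))
        elif e.section == "O16":
            # Downloaded ActiveX controls: the CLSIDs SpywareBlaster's kill bits apply to.
            m = re.search(r" - (https?://\S+)$", e.body)
            host = urlparse(m.group(1)).hostname if m else "?"
            findings.append(("info", f"ActiveX control fetched from {host}; kill-bit candidate", e))
        elif e.section == "O23" and "Unknown owner" in e.body:
            findings.append(("info", "service without publisher info; verify its path", e))
    return findings


# Excerpt of the 4/16 log posted in this thread.
LOG_APR16 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""
# The 4/17 excerpt: the three autostarts disabled with Codestuff Starter are gone.
LOG_APR17 = "\n".join(
    l for l in LOG_APR16.splitlines()
    if not any(n in l for n in ("[BCMSMMSG]", "[NvCplDaemon]", "[Adobe Photo Downloader]"))
)

# Constructed stand-in for the earlier infected log: the SearchURL line was truncated
# in the post, so the path is a placeholder; only the host matters to the heuristic.
LOG_INFECTED = LOG_APR16 + (
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = "
    "http://red.clientapps.yahoo.com/CONSTRUCTED-PATH/www.yahoo.com"
)

if __name__ == "__main__":
    removed, added = diff_logs(LOG_APR16, LOG_APR17)
    print("gone since previous scan:", *[e.body for e in removed], sep="\n  ")
    print("new since previous scan:", *[e.body for e in added], sep="\n  ")
    for sev, why, e in triage(parse_hjt(LOG_INFECTED)):
        print(f"[{sev}] {why}: {e.section} - {e.body[:70]}")
```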


I'm glad I was just being paranoid. Thank you so much for all your help Judy!


One more thing...would it still be a good idea to delete all my trend quarantine/scan logs?


One last question Judy. I have shut down and restarted at least once and the 6K+ changes are still in Trend, and I think it's Trend that is causing my system to be so slow. My Trend firewall is showing 3 unknown computers connecting to my network plus one offline (I think that's the router...we switched from DSL to FIOS yesterday, so now we have wireless internet access, but even before we made the switch, I was getting these firewall pop-ups). Here are the logs from today and yesterday; can you tell me if there is anything suspicious, if I should block anything, or if I am once again just being paranoid? Thanks!

"Personal Firewall Logs","2009/04/18","BOTTOFFICE"
"Type","Time","Protocol","Source IP Address","Source Port","Destination IP Address","Destination Port","Application Path","Application Description","Description"
"Firewall","07:53:48","ICMP","192.168.1.3","n/a","192.168.1.1","n/a","---","---","Destination Unreachable"
"Firewall","08:16:16","ICMP","192.168.1.3","n/a","192.168.1.1","n/a","---","---","Destination Unreachable"
"Exception List Rule","08:38:45","TCP","---","n/a","192.168.1.3","139","SYSTEM","---","NetBIOS (Incoming, Fixed)"
"Firewall","08:38:45","IGMP","192.168.1.3","n/a","224.0.0.22","n/a","---","---","Security Rule Matched"
"Firewall","08:38:45","IGMP","192.168.1.3","n/a","224.0.0.22","n/a","---","---","Security Rule Matched"
"Firewall","08:38:46","IGMP","192.168.1.3","n/a","224.0.0.22","n/a","---","---","Security Rule Matched"
"Firewall","08:48:22","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","08:48:23","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","08:48:25","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","08:48:26","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","08:48:28","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","08:48:29","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","08:48:31","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","08:48:32","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","08:48:34","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","09:19:11","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","09:19:12","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","09:19:14","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","09:19:17","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","09:19:17","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","09:19:19","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","09:19:20","ICMP","192.168.1.101","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","09:19:22","ICMP","192.168.1.101","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","09:19:23","ICMP","192.168.1.101","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:24:15","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:24:16","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:24:18","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:24:19","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:24:21","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:24:22","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:24:24","ICMP","192.168.1.101","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:24:25","ICMP","192.168.1.101","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:24:27","ICMP","192.168.1.101","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:55:12","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:55:13","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:55:15","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:55:16","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:55:18","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","12:55:19","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","13:25:51","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","13:25:52","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","13:25:54","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","13:25:55","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","13:25:57","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","13:25:58","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","13:26:00","ICMP","192.168.1.101","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","13:26:01","ICMP","192.168.1.101","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","13:26:03","ICMP","192.168.1.101","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","16:30:55","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","16:30:56","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","16:30:57","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","16:30:59","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","16:31:01","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","16:31:02","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","17:01:41","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","17:01:42","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","17:01:44","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","17:01:46","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","17:01:47","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","17:01:49","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","17:01:50","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","17:01:52","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","17:01:53","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"

"Personal Firewall Logs","2009/04/17","BOTTOFFICE"
"Type","Time","Protocol","Source IP Address","Source Port","Destination IP Address","Destination Port","Application Path","Application Description","Description"
"Exception List Rule","00:20:13","TCP","BOTTOFFICE","1037","17.149.160.45","80","C:\PROGRAM FILES\ITUNES\ITUNES.EXE","iTunes","iTunes"
"Exception List Rule","00:20:13","TCP","BOTTOFFICE","1038","17.251.200.74","80","C:\PROGRAM FILES\ITUNES\ITUNES.EXE","iTunes","iTunes"
"Exception List Rule","12:50:31","TCP","BOTTOFFICE","1037","17.149.160.45","80","C:\PROGRAM FILES\ITUNES\ITUNES.EXE","iTunes","iTunes"
"Exception List Rule","12:50:31","TCP","BOTTOFFICE","1038","17.251.200.74","80","C:\PROGRAM FILES\ITUNES\ITUNES.EXE","iTunes","iTunes"
"Firewall","19:27:37","ICMP","192.168.1.3","n/a","192.168.1.1","n/a","---","---","Destination Unreachable"
"Firewall","19:27:37","ICMP","192.168.1.3","n/a","192.168.1.1","n/a","---","---","Destination Unreachable"
"Exception List Rule","19:27:39","TCP","---","n/a","192.168.1.3","139","SYSTEM","---","NetBIOS (Incoming, Fixed)"
"Firewall","19:27:39","IGMP","192.168.1.3","n/a","224.0.0.22","n/a","---","---","Security Rule Matched"
"Firewall","19:27:40","IGMP","192.168.1.3","n/a","224.0.0.22","n/a","---","---","Security Rule Matched"
"Firewall","19:27:41","IGMP","192.168.1.3","n/a","224.0.0.22","n/a","---","---","Security Rule Matched"
"Firewall","19:28:21","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","19:28:23","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","19:28:24","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","19:59:11","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","19:59:12","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","19:59:14","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","19:59:15","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","19:59:17","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","19:59:18","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","19:59:20","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","19:59:21","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","19:59:23","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","20:22:08","IGMP","192.168.1.3","n/a","224.0.0.22","n/a","---","---","Security Rule Matched"
"Firewall","20:22:08","IGMP","192.168.1.3","n/a","224.0.0.22","n/a","---","---","Security Rule Matched"
"Firewall","20:22:09","IGMP","192.168.1.3","n/a","224.0.0.22","n/a","---","---","Security Rule Matched"
"Firewall","20:30:01","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","20:30:02","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","20:30:04","ICMP","192.168.1.1","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","20:30:05","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","20:30:07","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","20:30:08","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","20:30:10","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","20:30:11","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","20:30:13","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","20:30:14","ICMP","192.168.1.101","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","20:30:16","ICMP","192.168.1.101","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","20:30:17","ICMP","192.168.1.101","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","21:00:01","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","21:00:02","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","21:00:04","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","21:00:05","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","21:00:07","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","21:00:08","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","21:00:10","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","21:00:11","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","21:00:13","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","22:31:41","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","22:31:42","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","22:31:44","ICMP","192.168.1.102","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","22:31:45","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","22:31:47","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","22:31:48","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"

Trend is showing that the 192..1 is trusted (but no computer name shows up) and that unknown computer .1.130 and unknown computer .1.212 are both connected to my network. If these are indeed my components, is there any way that I can name them, so I know that they are mine or is there anything I should block access to? Thanks!


It appears to me the firewall is doing its job. Those ISP numbers are unknown. Can you connect to the internet without difficulty?
Frankly if you feel Trend Micro is slowing the system you might try another set of security programs, both FREE.
Online Armor Firewall is Excellent. Avira Free antivirus is also excellent. Neither one is overwhelming with excessive activity or usage amounts either. I use both, or have used both (right now I am using the Windows Firewall and am also very pleased with it) and have been quite pleased with the results.
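As an added example (not code from this thread or from Trend Micro), here is a small Python triage script for the Personal Firewall CSV export pasted above: it parses the records and sorts them into the few categories these logs actually contain, so the repeated benign entries (IGMP membership reports, ICMP unreachables from LAN peers) can be counted rather than read one by one, while the inbound NetBIOS exception and anything unclassified are left standing out for review. The subnet 192.168.1.0/24 and the host address 192.168.1.3 are assumptions taken from the posted log.

```python
import csv
import io
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: one record of each kind copied from the export posted above.
SAMPLE_LOG = r'''
"Personal Firewall Logs","2009/04/18","BOTTOFFICE"
"Type","Time","Protocol","Source IP Address","Source Port","Destination IP Address","Destination Port","Application Path","Application Description","Description"
"Firewall","08:38:45","IGMP","192.168.1.3","n/a","224.0.0.22","n/a","---","---","Security Rule Matched"
"Exception List Rule","08:38:45","TCP","---","n/a","192.168.1.3","139","SYSTEM","---","NetBIOS (Incoming, Fixed)"
"Firewall","08:48:26","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Firewall","08:48:28","ICMP","192.168.1.100","n/a","192.168.1.3","n/a","---","---","Destination Unreachable"
"Exception List Rule","00:20:13","TCP","BOTTOFFICE","1037","17.149.160.45","80","C:\PROGRAM FILES\ITUNES\ITUNES.EXE","iTunes","iTunes"
'''
LAN, HOST = ip_network("192.168.1.0/24"), "192.168.1.3"  # assumed: home subnet and this PC

def is_lan(addr):
    try:
        return ip_address(addr) in LAN
    except ValueError:  # "---" or a hostname such as BOTTOFFICE
        return False

def parse_log(text):
    """Return the records as dicts, dropping the title row that starts every export."""
    rows = [ln for ln in text.strip().splitlines() if not ln.startswith('"Personal Firewall Logs"')]
    return [r for r in csv.DictReader(io.StringIO("\n".join(rows))) if r["Type"] != "Type"]

def classify(rec):
    proto, src, dst = rec["Protocol"], rec["Source IP Address"], rec["Destination IP Address"]
    if proto == "IGMP" and dst == "224.0.0.22":
        return "igmp-membership-report"  # IGMPv3 report to 224.0.0.22: normal multicast housekeeping
    if proto == "ICMP" and rec["Description"] == "Destination Unreachable" and is_lan(src) and is_lan(dst):
        return "icmp-unreachable-from-lan"  # a LAN peer reporting that something this PC sent was undeliverable
    if rec["Type"] == "Exception List Rule" and rec["Destination Port"] == "139":
        return "netbios-inbound-allowed"  # file-sharing port open to the LAN: worth reviewing
    if rec["Type"] == "Exception List Rule" and rec["Application Path"] != "---":
        return "app-outbound-allowed"  # a program on the allow list talking out
    return "unclassified"  # anything else deserves a manual look

def triage(text):
    """Count records per category and collect the peer address behind each category."""
    counts, peers = Counter(), defaultdict(set)
    for rec in parse_log(text):
        cat = classify(rec)
        counts[cat] += 1
        src = rec["Source IP Address"]
        peers[cat].add(rec["Destination IP Address"] if src in (HOST, "BOTTOFFICE") else src)
    return counts, {cat: sorted(addrs) for cat, addrs in peers.items()}
```

Pasting several days of exports into one string works too, since the repeated column header rows are filtered out; `triage(SAMPLE_LOG)` returns the per-category counts and the peer addresses seen in each.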
