Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91803 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Internet slow, some webpages can't load


  • This topic is locked This topic is locked
8 replies to this topic

#1 phesters

phesters

    Authentic Member

  • Authentic Member
  • PipPip
  • 49 posts

Posted 11 October 2009 - 08:41 AM

Late last week, my internet slowed down and some pages (google, for instance) couldn't even load. I'm also getting a lot of "Error on page" remarks when visiting websites. I don't know if this virus related.

My antivirus/antispyware program (Trend Micro) couldn't come up with anything. I ran both an HJT log and a Malwarebytes log. They are listed below. I was going to run a Kaspersky scan, but the webiste said it was unavailable. What do you think?

Thanks.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:18 AM, on 10/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: MRI_DISABLED
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5685BC20-FBE6-11D2-885F-00A0243C2C64} (iVantage Remote Data Control) - https://ivantage.the...SpectrumRDC.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.k..._2/axofupld.cab
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - https://ivantage.the...mmon/iemenu.cab
O16 - DPF: {A7A61128-0EAA-11D1-B22F-0000C08C00C4} (SSDBCombo Control 3.1 - A) - https://ivantage.the...on/Ssdw3b32.cab
O16 - DPF: {BEB82CC6-09F3-43EA-BEB1-97188E21035D} (FootPedalCtl Class) - http://sten-tel1.mtt...d/footpedal.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://ivantage.the...veXViewer80.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.ado...obat/nos/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 8650 bytes

Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/9/2009 9:51:17 PM
mbam-log-2009-10-09 (21-51-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 182390
Time elapsed: 1 hour(s), 23 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ik679.ik679mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ik679.ik679mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rt586.rt586mgr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rt586.rt586mgr.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2267f93c-600c-420e-a229-3317aadd3951} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

    Advertisements

Register to Remove


#2 Raktor

Raktor

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,114 posts

Posted 12 October 2009 - 07:29 PM

Posted Image

Hi, welcome to the WTT Forums. My username is Raktor, and I would be glad to help you with your malware issues. I'd be grateful if you would note the following:

  • Absence of symptoms does not always mean the computer is clean
  • Please do not run any scans or fixes without my direction.
  • Finally, stay with this topic until I give you the final 'All clear' post.

1) DDS
Posted Image
Please download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

2) RR
Please download RootRepeal.zip.
Save it to your Desktop. Alternate download links here or here.
Please print these instructions, you will not have an Internet connection!
If you have a 3rd party "unzipping" program...use it to open the zipped file...then skip to Step 5. Otherwise...
  • Right click on RootRepeal.zip and select "Extract All"....
  • Click Next on the "Welcome to the Compressed (zipped) Folders Extraction Wizard."
  • Click on the Browse...button, then click on Desktop, then click OK.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Before running RootRepeal:
    • Disconnect from the Internet as your system will be unprotected while using this tool.
      Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it.
  • When the program opens, click the Report tab at the bottom, then click the Scan button.
  • In the Select Scan, dialog which asks What do you want to include in the scan?, check ALL the boxes.
    Posted Image
  • Click OK.
  • In the Select Drives, dialog Please select drives to scan: select all drives showing, then click OK.
    The scan can take some time to finish. Do not use the computer while the scan is running.
    When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as "rootrepeal.txt" to your desktop.
  • Close and exit RootRepeal
  • Double-click on the file rootrepeal.txt... Notepad will open... copy/paste the file contents in your next reply.

Make sure to enable your anti-virus, Firewall and any other security programs you disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".

3) What You Will Need To Post:
  • DDS logs
  • RR log

Posted Image
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation. Posted Image
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#3 phesters

phesters

    Authentic Member

  • Authentic Member
  • PipPip
  • 49 posts

Posted 13 October 2009 - 05:33 PM

Below are the two DDS logs.

As for the RootRepeal, I followed the instructions, launched the executable, and for one hour I got an "Initializing,please wait...." popup. So I rebooted.

Anything else you can recommend? Thanks.

DDS:
DDS (Ver_09-10-13.01) - NTFSx86
Run by Owner at 18:01:41.78 on Tue 10/13/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.94 [GMT -4:00]

AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
BHO: MRI_DISABLED - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\mri_di~1\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: microsoft.com\*.update
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {5685BC20-FBE6-11D2-885F-00A0243C2C64} - hxxps://ivantage.thermo.com/ivantagetec/Common/SpectrumRDC.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://targetphoto.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxps://ivantage.thermo.com/ivantagetec/Common/iemenu.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38044.7709143519
DPF: {A7A61128-0EAA-11D1-B22F-0000C08C00C4} - hxxps://ivantage.thermo.com/ivantagetec/Common/Ssdw3b32.cab
DPF: {BEB82CC6-09F3-43EA-BEB1-97188E21035D} - hxxp://sten-tel1.mttest.com/Shared/footpedal.cab
DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxps://ivantage.thermo.com/ivantagetec/Reports/ActiveXViewer80.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8w316dsj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-1-5 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-9-17 36368]
R3 DLKRTS;D-Link DFE-530TX+ PCI Adapter;c:\windows\system32\drivers\DLKRTS.SYS [2004-6-12 45568]
R3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2005-6-12 91797]

=============== Created Last 30 ================

2009-09-19 10:28 <DIR> --d----- c:\program files\iPod
2009-09-19 10:28 <DIR> --d----- c:\program files\iTunes
2009-09-19 10:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}

==================== Find3M ====================

2009-10-05 19:59 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-10 11:42 1,632 a------- c:\windows\system32\d3d8caps.dat
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2001-07-21 22:45 94,784 -c-sh--- c:\windows\twain.dll
2008-04-13 20:12 50,688 -c-sh--- c:\windows\twain_32.dll
2008-04-13 20:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-13 20:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe
2009-06-04 12:03 16,384 ac-sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-06-04 12:03 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-08-02 08:15 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080220080803\index.dat
2009-06-04 12:03 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 18:05:25.81 ===============

Attach:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-13.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 12/4/2001 3:54:48 PM
System Uptime: 10/13/2009 5:53:25 PM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P4B-LA
Processor: Intel® Pentium® 4 CPU 1.50GHz | PGA 478 | 1494/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 33 GiB total, 3.681 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_2449&SUBSYS_30138086&REV_03\4&122329E2&0&40F0
Manufacturer: Intel
Name: Intel® PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_2449&SUBSYS_30138086&REV_03\4&122329E2&0&40F0
Service: E100B

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMSAMSUNG_DVD-ROM_SD-616F_________________F100____\5&84A87B8&0&0.1.0
Manufacturer: (Standard CD-ROM drives)
Name: SAMSUNG DVD-ROM SD-616F
PNP Device ID: IDE\CDROMSAMSUNG_DVD-ROM_SD-616F_________________F100____\5&84A87B8&0&0.1.0
Service: cdrom

==== System Restore Points ===================

RP1355: 7/17/2009 7:48:23 PM - System Checkpoint
RP1356: 7/19/2009 8:13:24 AM - System Checkpoint
RP1357: 7/19/2009 7:37:52 PM - Removed Dorland's Electronic Medical Speller
RP1358: 7/20/2009 8:00:46 PM - System Checkpoint
RP1359: 7/21/2009 8:16:47 PM - System Checkpoint
RP1360: 7/23/2009 7:14:49 AM - System Checkpoint
RP1361: 7/24/2009 11:01:01 AM - System Checkpoint
RP1362: 7/25/2009 8:44:55 PM - System Checkpoint
RP1363: 7/27/2009 7:02:54 AM - System Checkpoint
RP1364: 7/28/2009 7:14:29 AM - System Checkpoint
RP1365: 7/29/2009 9:03:24 AM - Software Distribution Service 3.0
RP1366: 7/30/2009 12:52:12 PM - System Checkpoint
RP1367: 7/31/2009 8:24:13 PM - System Checkpoint
RP1368: 8/2/2009 6:34:33 PM - System Checkpoint
RP1369: 8/3/2009 6:50:33 PM - System Checkpoint
RP1370: 8/4/2009 9:12:58 PM - Installed Java™ 6 Update 15
RP1371: 8/6/2009 5:46:49 PM - System Checkpoint
RP1372: 8/9/2009 8:56:54 PM - System Checkpoint
RP1373: 8/11/2009 8:45:23 AM - System Checkpoint
RP1374: 8/12/2009 8:53:46 AM - System Checkpoint
RP1375: 8/13/2009 10:00:49 AM - Software Distribution Service 3.0
RP1376: 8/14/2009 10:32:35 AM - System Checkpoint
RP1377: 8/16/2009 7:09:34 AM - System Checkpoint
RP1378: 8/17/2009 6:29:30 PM - System Checkpoint
RP1379: 8/21/2009 3:41:38 PM - System Checkpoint
RP1380: 8/22/2009 8:16:42 PM - System Checkpoint
RP1381: 8/24/2009 6:37:59 AM - System Checkpoint
RP1382: 8/25/2009 4:49:09 PM - System Checkpoint
RP1383: 8/25/2009 8:41:02 PM - Software Distribution Service 3.0
RP1384: 8/28/2009 8:55:43 AM - System Checkpoint
RP1385: 8/29/2009 10:20:11 AM - System Checkpoint
RP1386: 8/30/2009 10:41:43 AM - System Checkpoint
RP1387: 9/1/2009 7:00:25 PM - System Checkpoint
RP1388: 9/3/2009 4:57:36 PM - System Checkpoint
RP1389: 9/4/2009 7:50:13 PM - System Checkpoint
RP1390: 9/6/2009 10:27:02 AM - System Checkpoint
RP1391: 9/7/2009 10:45:31 AM - System Checkpoint
RP1392: 9/9/2009 7:51:49 PM - System Checkpoint
RP1393: 9/10/2009 1:36:36 PM - Software Distribution Service 3.0
RP1394: 9/12/2009 7:48:10 AM - System Checkpoint
RP1395: 9/13/2009 3:30:54 PM - System Checkpoint
RP1396: 9/16/2009 7:11:11 PM - System Checkpoint
RP1397: 9/17/2009 7:21:26 PM - System Checkpoint
RP1398: 9/19/2009 12:28:04 PM - System Checkpoint
RP1399: 9/20/2009 12:28:37 PM - System Checkpoint
RP1400: 9/21/2009 12:36:32 PM - System Checkpoint
RP1401: 9/22/2009 7:09:48 PM - System Checkpoint
RP1402: 9/24/2009 4:48:22 PM - System Checkpoint
RP1403: 9/26/2009 9:36:34 AM - System Checkpoint
RP1404: 9/27/2009 6:00:43 PM - System Checkpoint
RP1405: 9/28/2009 6:49:32 PM - System Checkpoint
RP1406: 10/2/2009 12:08:43 PM - System Checkpoint
RP1407: 10/4/2009 8:32:33 AM - System Checkpoint
RP1408: 10/6/2009 7:54:45 PM - System Checkpoint
RP1409: 10/8/2009 7:00:41 PM - System Checkpoint
RP1410: 10/11/2009 8:36:10 AM - System Checkpoint

==== Installed Programs ======================


Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.2
AOL Instant Messenger
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Multimedia Email
ArcSoft PhotoImpression 5
Bonjour
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Coupon Printer for Windows
Creative WebCam Center
Creative WebCam Live! Driver (1.00.06.0414)
Creative WebCam Live! User's Guide (English)
Critical Update for Windows Media Player 11 (KB959772)
Detto Migration Kit
Get Yahoo! Messenger
getPlus® for Adobe
Google Toolbar for Internet Explorer
Highlight Viewer (Windows Live Toolbar)
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
hp center
HP Instant Support
HP Photo Printing Software
HP RecordNow
Inactive HP Printer Drivers (Remove only)
Inactive HP ScanJet Drivers (Remove only)
Intel® PRO Network Adapters and Drivers
InterVideo WinDVD
iTunes
Java™ 6 Update 15
Java™ 6 Update 3
Kaspersky Online Scanner
KBD
KODAK EASYSHARE Gallery Upload ActiveX Control
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Small Business
Microsoft Office 97, Professional Edition
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
MicroStaff WINASPI
Mozilla Firefox (2.0.0.12)
My Photo Center
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
Pinball Ten
PS2
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
QuickTime
Reader Drivers and Utilities
RealPlayer
Rhapsody Player Engine
S3 Gamma
S3 Savage4 Family Display Switch2 Utility
Scrabble v2.0
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Shockwave
Smart Menus (Windows Live Toolbar)
Studio
Supportsoft Web Controls
Symantec Network Drivers Update
Tcl 8.0.5 for Windows
The Game Of Life
Trend Micro AntiVirus
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VanDyke Software SecureCRT 4.0
Viewpoint Media Player
WebFldrs XP
Williams Pinball Classics
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Works Suite OS Pack

==== Event Viewer Messages From Past Week ========

10/8/2009 7:43:26 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 000D88261503 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

#4 Raktor

Raktor

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,114 posts

Posted 14 October 2009 - 06:02 AM

Don't worry about RootRepeal, we'll try something else.

1) GMER
Please download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and put it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


2) ESET
You can use either Internet Explorer or Mozilla FireFox for this scan.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

3) What You Will Need To Post:
  • GMER log
  • ESET log

Posted Image
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation. Posted Image
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#5 phesters

phesters

    Authentic Member

  • Authentic Member
  • PipPip
  • 49 posts

Posted 14 October 2009 - 06:44 PM

Below is the GMER log. I didn't have time to run the ESET scan yet.

Something that may be related --- I cycled my router and modem, and the problem seemed to go away. However, I have had to do this twice in the last five days.

GMER log:
GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-14 20:41:53
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uxldypob.sys


---- System - GMER 1.0.15 ----

SSDT 82A9FC00 ZwCreateKey
SSDT 82A9F100 ZwCreateProcess
SSDT 82A9F3C0 ZwCreateProcessEx
SSDT 82AA0A60 ZwCreateThread
SSDT 82AA0180 ZwDeleteKey
SSDT 82AA0440 ZwDeleteValueKey
SSDT 82AA0C00 ZwLoadDriver
SSDT 82A9F680 ZwOpenProcess
SSDT 82A9FEC0 ZwSetValueKey
SSDT 82A9F940 ZwTerminateProcess
SSDT 82AA08C0 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \FileSystem\Fastfat \Fat F28ADD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#6 Raktor

Raktor

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,114 posts

Posted 15 October 2009 - 06:09 PM

Just waiting for the ESET scan. :)
Posted Image
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation. Posted Image
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#7 phesters

phesters

    Authentic Member

  • Authentic Member
  • PipPip
  • 49 posts

Posted 16 October 2009 - 08:05 AM

And so you shall have it! :P C:\_OTM\MovedFiles\06032009_141110\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe probably a variant of Win32/Agent trojan C:\_OTM\MovedFiles\06032009_141110\hp\bin\AUTOPLAY.EXE probably a variant of Win32/Agent trojan

#8 Raktor

Raktor

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,114 posts

Posted 16 October 2009 - 04:25 PM

Not seeing any signs of infections there, phesters.

If cycling the router & modem fix the problem, it is most likely either a problem with them, or a problem with your ISP. Either way, give them a call and explain the problem, telling them that you're sure you're not infected, and they'll point you in the right direction. :thumbsup:

You may remove the programs and associated logs generated from this fix.

Here's my usual all clean post, just to give you some tips!

How to reduce your chances of infection in the future

Web Browsers
Internet Explorer does come pre-installed with all Windows machines - but this doesn't necessarily mean you have to use it! Because it is the most widely used browser, it is targeted by more malware writers, making you more susceptible to infection. There are many other free alternatives out there that offer better security, take one of these for a spin and see if it takes your fancy.
Mozilla Firefox
Google Chrome
Opera

WOT - Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go
Yellow for caution
Red to stop
WOT has an addon available for both Firefox and Internet Explorer.

If you are too attached to leave Internet Explorer, follow these additional steps to make the browser more secure.
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Additional Security Measures
Keep your software up-to-date - You should be manually performing updates of your software once a week to ensure that you are current with anti-virus definitions and patched for any security vulnerabilities. This does not just apply to your anti-virus/anti-malware software; malware authors rely on exploiting commonly used software such as Java and Adobe Reader, which need to be kept up to date as well.

Keep Windows up-to-date - Use Windows Update regularly to stay current with security patches and service packs.

MVPS Hosts File - This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.

Firewalls - Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient - but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly.

What Not To Do
The Perils of P2P File Sharing - Even if a P2P application is on the 'safe' list, malware can still be downloaded through infected files - executables, zip files and even MP3s. It is just not worth the risk.

Fake Security/Optimization Software - Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Additional Reading
How to prevent Malware - I strongly recommend that you read Miekiemoses' good advice

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
Posted Image
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation. Posted Image
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#9 Raktor

Raktor

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,114 posts

Posted 20 October 2009 - 07:05 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
Posted Image
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation. Posted Image
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users