
[Resolved] browsers continues locking up


  • This topic is locked
10 replies to this topic

#1 whitebobcat

whitebobcat

    New Member

  • Authentic Member
  • 12 posts

Posted 15 October 2009 - 01:43 PM

My browsers will act slow and then simply lock up. I mostly use Firefox and IE.
Some pop-ups appear at times, but not too much.
This only started 2 days ago.
Here is my HijackThis file below.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:34 PM, on 10/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\xchat\xchat.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\sl\My Documents\Downloads\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\sl\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [wefi] C:\Program Files\WeFi\WeFi.exe
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US /HIDEBL
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8698 bytes
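The log above is the kind of thing a helper reads line by line: which section each entry belongs to (O2 browser helper objects, O4 Run keys, O23 services, the running-process list) and whether the file it points to exists and lives somewhere a standard user could not have dropped it. The following Python script is an added example, not code from the thread or from HijackThis itself. It parses a small constructed excerpt of the log in the format HijackThis 2.x writes and flags entries whose binary is missing, is named without a full path, or loads from a user-writable location. The O3 "(no file)" toolbar and the O4 entry under RECYCLER are constructed for the example and are not from the real machine; everything else is copied from the log above. The flags are heuristics for where to look first, not verdicts: the HijackThis tool itself trips the user-profile check because it was run from Downloads.

```python
"""Triage a HijackThis 2.x log.

Parses the 'Running processes' block and the O2 (BHO), O3 (toolbar),
O4 (Run key) and O23 (service) entries, then flags anything whose binary is
missing, is named without a full path, or lives in a user-writable location.
Heuristics only: legitimate software (Google Update, the HijackThis tool
itself) also runs from the user profile, and an item that passes can still
be malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample. The process lines, the O2 line, the RTHDCPL/AVG/WeFi O4
# lines and the O23 line are copied from the log posted in this thread; the
# O3 '(no file)' toolbar and the O4 entry under RECYCLER are constructed to
# exercise the checks and are not from the real machine.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\sl\My Documents\Downloads\HiJackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [wefi] C:\Program Files\WeFi\WeFi.exe
O4 - HKCU\..\Run: [Dc2] C:\RECYCLER\S-1-5-21-1473991072-3829973469-1075336041-1005\Dc2.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass
class Entry:
    section: str          # 'PROC', 'O2', 'O3', 'O4', 'O23'
    name: str
    path: Optional[str]   # None when the log shows no file or only a bare file name


HJT_LINE = re.compile(r"^(O\d+|R[013]) - (.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com|sys)', re.IGNORECASE)

# Directory markers a standard user can write to; anything that auto-starts
# from here deserves a second look.
USER_WRITABLE = {
    "\\recycler\\": "recycle bin",
    "\\temp\\": "temp directory",
    "\\documents and settings\\": "user profile",
    "\\users\\": "user profile",
}


def first_path(fragment: str) -> Optional[str]:
    """Extract the first drive-qualified binary path from a command string."""
    m = PATH_RE.search(fragment)
    return m.group(0) if m else None


def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line terminates the process block
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            entries.append(Entry("PROC", line.rsplit("\\", 1)[-1], line))
            continue
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section == "O4":
            m4 = O4_RE.match(body)
            if m4:
                entries.append(Entry(section, m4.group("name"), first_path(m4.group("cmd"))))
        elif section in ("O2", "O3", "O23"):
            # 'BHO: Name - {CLSID} - path' / 'Service: Name - Vendor - path'
            parts = [p.strip() for p in body.split(" - ")]
            name = parts[0].split(": ", 1)[-1]
            entries.append(Entry(section, name, first_path(parts[-1])))
    return entries


def reason(entry: Entry) -> Optional[str]:
    """Why an entry deserves attention, or None if nothing stands out."""
    if entry.path is None:
        return "file missing or given without a full path"
    low = entry.path.lower()
    for marker, label in USER_WRITABLE.items():
        if marker in low:
            return f"runs from {label}"
    return None


def triage(text: str) -> List[Tuple[str, str, str]]:
    """(section, name, reason) for every entry the heuristics flag."""
    flagged = []
    for e in parse_log(text):
        why = reason(e)
        if why:
            flagged.append((e.section, e.name, why))
    return flagged


if __name__ == "__main__":
    for section, name, why in triage(SAMPLE_LOG):
        print(f"{section:<4} {name:<20} {why}")
```

Run against the constructed sample it flags four entries: the HijackThis process itself (user profile), the nameless toolbar with no file, the bare RTHDCPL.EXE (resolved through the search path rather than a fixed location) and the constructed Run entry under RECYCLER. Firefox, AVG and Bonjour pass. Fixing the path, as the real log does for most entries, is what lets a helper compare each item against known-good vendor locations.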



#2 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 19 October 2009 - 06:59 PM

Hi whitebobcat,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

  • Download DDS and save it to your desktop from one of the linked locations.
    • Disable any script blocking protection (How to Disable your Security Programs)
    • Double click DDS icon to run the tool (may take up to 3 minutes to run)
    • When done, DDS.txt will open.
    • After a few moments, attach.txt will open in a second window.
    • Save both reports to your desktop.
  • We Need to check for Rootkits with RootRepeal
    • Download RootRepeal from one of the linked locations and save it to your desktop.
    • Open RootRepeal on your desktop.
    • Click the Report tab.
    • Click the Scan button.
    • In the Select Scan dialog, tick the scan types shown in the screenshot (image not preserved here).
    • Push Ok
    • Check the box for your main system drive (Usually C:), and press Ok.
    • Allow RootRepeal to run a scan of your system. This may take some time.
    • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
  • Copy/paste the log (that you've previously saved to your desktop) from RootRepeal onto your post.

  • Copy/paste the DDS.txt log (that you've previously saved to your desktop) onto your post.

  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#3 whitebobcat

whitebobcat

    New Member

  • Authentic Member
  • 12 posts

Posted 19 October 2009 - 10:38 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 23:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA87F1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA634000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7487000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_2a0.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\sl\local settings\temp\etilqs_6vqkyu8ecj7bc6n5c0kd
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\all users\application data\microsoft\search\data\applications\windows\gatherlogs\systemindex\systemindex.33.crwl
Status: Allocation size mismatch (API: 280, Raw: 144)

==EOF==

and

DDS (Ver_09-06-26.01) - NTFSx86
Run by sl at 23:16:19.56 on Mon 10/19/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2361 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\sl\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\sl\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\sl\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\sl\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://search.live.com
uSearch Bar = hxxp://search.live.com/sphome.aspx
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://search.live.com/sphome.aspx
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\sl\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [wefi] c:\program files\wefi\WeFi.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US /HIDEBL
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sl\applic~1\mozilla\firefox\profiles\uga0dgm1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\sl\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\sl\application data\mozilla\firefox\profiles\uga0dgm1.default\extensions\justintvpublisher@justin.tv\platform\winnt_x86-msvc\plugins\npjustintvpublish.dll
FF - plugin: c:\documents and settings\sl\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.homepage.dontask, true
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-15 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-15 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-15 108552]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2006-4-9 2234320]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-9-15 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-15 297752]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2006-4-9 36400]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-4-27 93960]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2006-4-9 109072]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2006-4-9 671472]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]

=============== Created Last 30 ================

2009-10-17 20:31 <DIR> --d----- c:\program files\X-Chat 2
2009-10-15 14:39 <DIR> --d----- c:\program files\Trend Micro
2009-10-15 12:49 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-10-15 12:49 <DIR> --d----- c:\documents and settings\sl\.housecall6.6
2009-10-14 16:59 <DIR> --d----- c:\program files\Yahoo!
2009-10-14 12:49 <DIR> --d----- c:\docume~1\sl\applic~1\com.seesmic.desktop.client.D89F32799270693BEF34AAA36E9B2632B59240FA.1
2009-10-06 16:29 <DIR> --d----- c:\program files\Veoh Networks
2009-10-01 09:15 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-10-01 09:15 26,600 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-01 09:15 <DIR> --d----- c:\program files\iPod
2009-10-01 09:15 <DIR> --d----- c:\program files\iTunes
2009-10-01 09:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-01 09:14 <DIR> --d----- c:\program files\Bonjour
2009-10-01 02:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AIM
2009-10-01 01:59 <DIR> --d----- c:\program files\AIM
2009-10-01 01:59 <DIR> --d----- c:\program files\common files\Software Update Utility
2009-10-01 01:59 <DIR> --d----- c:\program files\common files\AOL
2009-10-01 01:58 462 a---h--- C:\IPH.PH

==================== Find3M ====================

2009-09-25 00:37 667,136 a------- c:\windows\system32\wininet.dll
2009-09-25 00:37 81,920 a------- c:\windows\system32\ieencode.dll
2009-09-18 21:08 203,776 a------- c:\windows\system32\clrviddc.dll
2009-09-18 20:24 499,712 a------- c:\windows\system32\msvcp71.dll
2009-09-18 20:24 348,160 a------- c:\windows\system32\msvcr71.dll
2009-09-15 11:47 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-15 11:47 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-15 11:47 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 05:47 5,655 a------- c:\windows\system32\drivers\1028_Dell_INS_537S.mrk
2009-09-11 01:59 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-16 10:08 178,176 a------- c:\windows\system32\unrar.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 10:13 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 09:20 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-07-31 15:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-28 23:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 23:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll

============= FINISH: 23:16:31.00 ===============


#4 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 19 October 2009 - 11:44 PM

whitebobcat,


Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#5 whitebobcat

whitebobcat

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 20 October 2009 - 07:36 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, October 20, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, October 20, 2009 13:34:37
Records in database: 3038089
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 45987
Threats found: 2
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 00:39:21

File name / Threat / Threats count
C:\Documents and Settings\sl\.housecall6.6\Quarantine\DNTU.v6.8.0.0.111.rar.bac_a03168 Infected: Backdoor.Win32.SdBot.iwv 1
C:\Documents and Settings\sl\.housecall6.6\Quarantine\DNTU.v6.8.0.0.111.rar.bac_a03632 Infected: Backdoor.Win32.SdBot.iwv 1
C:\Documents and Settings\sl\Local Settings\Temp\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\RECYCLER\S-1-5-21-1473991072-3829973469-1075336041-1005\Dc2.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\RECYCLER\S-1-5-21-1473991072-3829973469-1075336041-1005\Dc3.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

Selected area has been scanned.
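A way to read a Kaspersky Online Scanner report like the one above without eyeballing it, as an added example (Python, not Kaspersky's or the poster's code). It parses the statistics block and the "File name / Threat / Threats count" lines, checks that the report's own "Infected objects found" counter matches what was parsed, and separates real malware from "not-a-virus" riskware and from copies that are already sitting in another scanner's quarantine or the Recycle Bin. The sample report is constructed from the lines posted above, and the location rules (Quarantine, RECYCLER, Temp) are this example's own heuristics.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the report lines posted in the thread, trimmed to the parts this parser uses.
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 45987
Threats found: 2
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 00:39:21

File name / Threat / Threats count
C:\Documents and Settings\sl\.housecall6.6\Quarantine\DNTU.v6.8.0.0.111.rar.bac_a03168 Infected: Backdoor.Win32.SdBot.iwv 1
C:\Documents and Settings\sl\.housecall6.6\Quarantine\DNTU.v6.8.0.0.111.rar.bac_a03632 Infected: Backdoor.Win32.SdBot.iwv 1
C:\Documents and Settings\sl\Local Settings\Temp\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\RECYCLER\S-1-5-21-1473991072-3829973469-1075336041-1005\Dc2.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\RECYCLER\S-1-5-21-1473991072-3829973469-1075336041-1005\Dc3.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

Selected area has been scanned.
"""

# One detection line: <drive path with spaces> Infected|Suspicious: <threat name> <count>
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)
# One statistics line: "<Key words>: <value>"
STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s+(?P<value>.+)$")


@dataclass
class Detection:
    path: str
    verdict: str
    threat: str
    count: int

    @property
    def is_riskware(self) -> bool:
        # Kaspersky labels tools that are not malware by themselves with a "not-a-virus:" prefix.
        return self.threat.startswith("not-a-virus:")

    @property
    def location(self) -> str:
        # Where the file sits; these categories are this example's own heuristics.
        low = self.path.lower()
        if "\\quarantine\\" in low:
            return "quarantine"    # a copy another scanner already isolated
        if "\\recycler\\" in low or "\\$recycle.bin\\" in low:
            return "recycle_bin"   # deleted by the user, not yet purged
        if "\\temp\\" in low:
            return "temp"
        return "live"


def parse_report(text: str) -> tuple[dict, list[Detection]]:
    """Return (statistics, detections) parsed from a scan report."""
    stats: dict = {}
    detections: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["verdict"], m["threat"], int(m["count"])))
            continue
        s = STAT_RE.match(line)
        if s:
            value = s["value"]
            stats[s["key"]] = int(value) if value.isdigit() else value
    return stats, detections


def consistency_ok(stats: dict, detections: list[Detection]) -> bool:
    """The report's own counter should equal the detections actually listed; a mismatch means truncation."""
    listed = sum(d.count for d in detections if d.verdict == "Infected")
    return stats.get("Infected objects found") == listed


def triage(detections: list[Detection]) -> dict[str, list[Detection]]:
    """Split detections into what still needs action, what is already contained, and riskware."""
    return {
        "needs_action": [d for d in detections if not d.is_riskware and d.location == "live"],
        "contained": [d for d in detections if not d.is_riskware and d.location != "live"],
        "riskware": [d for d in detections if d.is_riskware],
    }


if __name__ == "__main__":
    stats, dets = parse_report(SAMPLE_REPORT)
    print("counter matches listing:", consistency_ok(stats, dets))
    for bucket, items in triage(dets).items():
        print(bucket, [(d.threat, d.location) for d in items])
```

On the sample this yields an empty "needs_action" bucket: the two SdBot hits are quarantined copies and the three mIRC hits are riskware in Temp and the Recycle Bin, which is the same conclusion the helper reaches in the next post. The consistency check matters on long reports, where a pasted log is easy to truncate.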

#6 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 20 October 2009 - 09:32 AM

whitebobcat,

Everything there has already been dealt with. However, your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response.

If you want to continue, let's do this to make sure there aren't remnants lurking.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#7 whitebobcat

whitebobcat

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 20 October 2009 - 09:53 AM

ComboFix 09-10-19.02 - sl 10/20/2009 10:48.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2085 [GMT -5:00]
Running from: c:\documents and settings\sl\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\sl\Local Settings\Temporary Internet Files\TestBrowser.html
c:\windows\system32\clrviddc.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-20 to 2009-10-20 )))))))))))))))))))))))))))))))
.

2009-10-20 02:53 . 2009-10-20 04:13 -------- d-----w- c:\documents and settings\sl\Application Data\FileZilla
2009-10-20 02:52 . 2009-10-20 02:52 -------- d-----w- c:\program files\FileZilla FTP Client
2009-10-18 01:31 . 2009-10-18 01:31 -------- d-----w- c:\program files\X-Chat 2
2009-10-17 04:10 . 2009-10-17 04:10 -------- d-----w- c:\documents and settings\sl\Application Data\CyberLink
2009-10-17 04:10 . 2009-10-17 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-10-15 20:38 . 2009-10-15 21:28 -------- d-----w- c:\windows\BDOSCAN8
2009-10-15 19:39 . 2009-10-15 19:39 -------- d-----w- c:\program files\Trend Micro
2009-10-15 17:49 . 2009-10-15 17:49 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-15 17:49 . 2009-10-15 17:50 -------- d-----w- c:\documents and settings\sl\.housecall6.6
2009-10-14 22:02 . 2009-10-14 22:02 -------- d-----w- c:\documents and settings\sl\Local Settings\Application Data\Yahoo
2009-10-14 22:00 . 2009-10-14 22:00 -------- d-----w- c:\documents and settings\sl\Application Data\Yahoo!
2009-10-14 21:59 . 2009-10-14 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-14 21:59 . 2009-10-15 17:07 -------- d-----w- c:\program files\Yahoo!
2009-10-14 17:49 . 2009-10-14 17:49 -------- d-----w- c:\documents and settings\sl\Application Data\com.seesmic.desktop.client.D89F32799270693BEF34AAA36E9B2632B59240FA.1
2009-10-13 15:44 . 2009-10-13 15:51 -------- d-----w- c:\documents and settings\sl\Application Data\Move Networks
2009-10-06 21:29 . 2009-10-06 21:29 -------- d-----w- c:\program files\Veoh Networks
2009-10-02 02:21 . 2009-10-02 02:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-01 14:15 . 2009-10-01 14:17 -------- d-----w- c:\documents and settings\sl\Application Data\Apple Computer
2009-10-01 14:15 . 2009-05-18 19:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-01 14:15 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-01 14:15 . 2009-10-01 14:15 -------- d-----w- c:\program files\iPod
2009-10-01 14:15 . 2009-10-01 14:15 -------- d-----w- c:\program files\iTunes
2009-10-01 14:15 . 2009-10-01 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-01 14:14 . 2009-10-01 14:14 -------- d-----w- c:\program files\Bonjour
2009-10-01 14:14 . 2009-10-01 14:14 -------- d-----w- c:\program files\QuickTime
2009-10-01 14:14 . 2009-10-01 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-01 14:14 . 2009-10-01 14:14 -------- d-----w- c:\documents and settings\sl\Local Settings\Application Data\Apple
2009-10-01 14:14 . 2009-10-01 14:14 -------- d-----w- c:\program files\Apple Software Update
2009-10-01 14:13 . 2009-10-01 14:15 -------- d-----w- c:\program files\Common Files\Apple
2009-10-01 14:13 . 2009-10-01 14:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-01 14:13 . 2009-10-01 14:18 -------- d-----w- c:\documents and settings\sl\Local Settings\Application Data\Apple Computer
2009-10-01 07:00 . 2009-10-01 07:00 -------- d-----w- c:\documents and settings\sl\Application Data\acccore
2009-10-01 07:00 . 2009-10-01 07:00 -------- d-----w- c:\documents and settings\sl\Local Settings\Application Data\AOL
2009-10-01 07:00 . 2009-10-01 07:00 -------- d-----w- c:\documents and settings\sl\Local Settings\Application Data\AIM
2009-10-01 07:00 . 2009-10-01 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-10-01 06:59 . 2009-10-01 06:59 -------- d-----w- c:\program files\AIM
2009-10-01 06:59 . 2009-10-01 06:59 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-10-01 06:59 . 2009-10-01 06:59 -------- d-----w- c:\program files\Common Files\AOL
2009-09-21 13:22 . 2009-09-21 13:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 03:49 . 2009-09-18 04:08 -------- d-----w- c:\program files\WeFi
2009-10-20 01:50 . 2009-09-16 22:04 -------- d-----w- c:\documents and settings\sl\Application Data\X-Chat 2
2009-10-19 18:24 . 2009-09-15 16:24 -------- d-----w- c:\program files\Trillian
2009-10-19 16:34 . 2009-09-11 07:06 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-18 01:51 . 2009-09-11 07:11 39176 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-18 01:27 . 2009-09-16 22:03 -------- d-----w- c:\program files\xchat
2009-10-17 04:07 . 2009-09-15 20:44 -------- d-----w- c:\program files\WMCap
2009-10-14 23:07 . 2009-09-11 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-13 15:54 . 2009-09-15 20:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-10 01:08 . 2009-09-18 04:07 -------- d-----w- c:\documents and settings\sl\Application Data\Azureus
2009-10-07 23:12 . 2009-09-18 22:36 -------- d-----w- c:\documents and settings\sl\Application Data\mIRC
2009-09-25 14:36 . 2009-09-18 04:33 -------- d-----w- c:\documents and settings\sl\Application Data\Winamp
2009-09-25 05:37 . 2008-04-25 16:16 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-19 01:24 . 2009-09-15 16:30 -------- d-----w- c:\program files\Common Files\Real
2009-09-19 01:24 . 2009-09-19 01:24 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-19 01:24 . 2009-09-16 14:52 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-19 01:24 . 2009-09-16 14:52 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-19 01:24 . 2009-09-19 01:24 -------- d-----w- c:\program files\real
2009-09-18 15:00 . 2009-09-15 16:24 -------- d-----w- c:\documents and settings\sl\Application Data\Trillian
2009-09-18 14:51 . 2009-09-16 15:25 -------- d-----w- c:\documents and settings\sl\Application Data\DivX
2009-09-18 04:33 . 2009-09-18 04:33 -------- d-----w- c:\program files\Winamp
2009-09-18 04:07 . 2009-09-18 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-09-18 04:07 . 2009-09-18 04:07 -------- d-----w- c:\program files\Vuze
2009-09-17 08:21 . 2009-09-11 07:14 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-17 08:21 . 2009-09-11 07:03 -------- d-----w- c:\program files\Windows Desktop Search
2009-09-17 08:15 . 2009-09-11 07:10 -------- d-----w- c:\program files\Microsoft Works
2009-09-16 17:07 . 2009-09-11 07:12 -------- d-----w- c:\program files\Windows Live
2009-09-16 15:48 . 2009-09-16 15:48 -------- d-----w- c:\documents and settings\sl\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-09-16 15:25 . 2009-09-16 15:25 -------- d-----w- c:\program files\DivX
2009-09-16 15:25 . 2009-09-16 15:25 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-16 14:42 . 2009-09-16 14:42 -------- d-----w- c:\program files\Windows Media Connect 2
2009-09-16 12:26 . 2009-09-11 07:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-16 12:26 . 2009-09-16 12:26 -------- d-----w- c:\program files\Sling Media
2009-09-16 12:26 . 2009-09-16 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Sling Media
2009-09-15 18:19 . 2009-09-15 17:02 -------- d-----w- c:\program files\TechSmith
2009-09-15 17:54 . 2009-09-15 17:54 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-09-15 17:48 . 2009-09-15 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2009-09-15 17:05 . 2009-09-15 17:05 -------- d-----w- c:\program files\Xvid
2009-09-15 17:02 . 2009-09-15 17:02 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-09-15 16:47 . 2009-09-15 16:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-15 16:47 . 2009-09-15 16:47 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-15 16:47 . 2009-09-15 16:47 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-15 16:47 . 2009-09-15 16:47 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-15 16:47 . 2009-09-15 16:47 -------- d-----w- c:\program files\AVG
2009-09-15 16:47 . 2009-09-15 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-15 16:44 . 2009-09-15 16:44 -------- d-----w- c:\documents and settings\sl\Application Data\AVG8
2009-09-15 16:42 . 2009-09-15 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-15 16:27 . 2009-09-11 07:05 -------- d-----w- c:\program files\Java
2009-09-15 16:20 . 2009-09-11 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-15 16:03 . 2009-09-15 16:03 -------- d-----w- c:\program files\CheckPoint
2009-09-15 15:59 . 2009-09-15 15:59 0 ----a-w- c:\windows\nsreg.dat
2009-09-15 15:41 . 2009-09-15 15:41 -------- d-----w- c:\documents and settings\sl\Application Data\Windows Search
2009-09-15 15:33 . 2009-09-15 15:33 -------- d-----w- c:\documents and settings\sl\Application Data\Dell
2009-09-11 14:18 . 2008-04-25 16:16 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 10:47 . 2009-09-11 10:47 5655 ----a-w- c:\windows\system32\drivers\1028_Dell_INS_537S.mrk
2009-09-11 07:20 . 2009-09-15 15:32 38768 ----a-w- c:\documents and settings\sl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 07:17 . 2009-09-11 07:17 -------- d-----w- c:\program files\Dell
2009-09-11 07:17 . 2009-09-11 07:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2009-09-11 07:17 . 2009-09-11 07:17 -------- d-----w- c:\program files\CyberLink
2009-09-11 07:17 . 2009-09-11 07:11 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-11 07:17 . 2009-09-11 07:17 -------- d-----w- c:\program files\Microsoft Office Suite Activation Assistant
2009-09-11 07:16 . 2009-09-11 07:16 -------- d-----w- c:\program files\Microsoft.NET
2009-09-11 07:14 . 2009-09-11 07:14 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-09-11 07:14 . 2009-09-11 07:14 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-09-11 07:13 . 2009-09-11 07:13 -------- d-----w- c:\program files\Microsoft
2009-09-11 07:13 . 2009-09-11 07:13 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-11 07:11 . 2009-09-11 07:11 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-11 07:11 . 2009-09-11 07:11 -------- d-----w- c:\program files\Dell DataSafe Online
2009-09-11 07:11 . 2009-09-11 07:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Uninstall
2009-09-11 07:11 . 2009-09-11 07:11 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-09-11 07:11 . 2009-09-11 07:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-09-11 07:11 . 2009-09-11 07:11 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-09-11 07:11 . 2009-09-11 07:11 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-09-11 07:11 . 2009-09-11 07:11 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-09-11 07:11 . 2009-09-11 07:11 -------- d-----w- c:\program files\Roxio
2009-09-11 07:04 . 2009-09-15 15:32 -------- d-----w- c:\documents and settings\sl\Application Data\Windows Desktop Search
2009-09-11 07:04 . 2009-09-15 15:32 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Windows Desktop Search
2009-09-11 07:04 . 2009-09-11 07:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-09-04 21:03 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2008-04-25 16:16 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-16 15:08 . 2009-09-15 17:54 178176 ----a-w- c:\windows\system32\unrar.dll
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2008-04-25 16:16 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2008-04-14 00:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 20:23 . 2009-09-11 07:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-29 04:37 . 2008-04-25 16:16 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-26 21:44 . 2009-07-26 21:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\sl\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-16 133104]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"wefi"="c:\program files\WeFi\WeFi.exe" [2009-08-23 509440]
"Aim"="c:\program files\AIM\aim.exe" [2009-09-16 3634024]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-10-06 2075384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-04 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-04 150040]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-19 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-03-04 18084864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-15 16:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2006-04-10 02:24 24674 ----a-w- c:\windows\system32\ckpNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^sl^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\documents and settings\sl\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\X-Chat 2\\xchat.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/15/2009 11:47 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/15/2009 11:47 AM 108552]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [4/9/2006 9:24 PM 2234320]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/15/2009 11:47 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/15/2009 11:47 AM 297752]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [4/9/2006 9:24 PM 36400]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 1:05 PM 155648]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [4/27/2009 6:09 PM 93960]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [4/9/2006 9:24 PM 109072]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [4/9/2006 9:24 PM 671472]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ROOTREPEAL2
*Deregistered* - rootrepeal2
.
Contents of the 'Scheduled Tasks' folder

2009-10-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1473991072-3829973469-1075336041-1005Core.job
- c:\documents and settings\sl\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-16 13:50]

2009-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1473991072-3829973469-1075336041-1005UA.job
- c:\documents and settings\sl\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-16 13:50]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\sl\Application Data\Mozilla\Firefox\Profiles\uga0dgm1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\sl\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\sl\Application Data\Mozilla\Firefox\Profiles\uga0dgm1.default\extensions\justintvpublisher@justin.tv\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll
FF - plugin: c:\documents and settings\sl\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.homepage.dontask, true.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-20 10:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-10-20 15:50

Pre-Run: 467,511,885,824 bytes free
Post-Run: 467,758,256,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F37C70D26B0B72960E923E3634584C33

#8 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 20 October 2009 - 10:31 AM

whitebobcat, I'm not seeing anything else. How are things running now? Any difference?

#9 whitebobcat

whitebobcat

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 20 October 2009 - 11:14 AM

Seems to be doing better. I haven't been locking up like I was. I got those deleted DNTU files off my PC. Thanks so much for your time and all your help.

Edited by whitebobcat, 20 October 2009 - 11:14 AM.


#10 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 20 October 2009 - 11:19 AM

whitebobcat,

Then... Log looks good :D


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Note the space between the X and the U; it needs to be there.
The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.

Please re-enable any security that was disabled.


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved. :thumbup:

#11 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 26 October 2009 - 11:11 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.