
Computer infected but not sure what with !


  • This topic is locked
2 replies to this topic

#1 brin57

  • Members
  • 1 posts

Posted 01 January 2009 - 05:45 PM

Hi, New here.

I've recently downloaded a program which has infected my computer. A few of the symptoms:

1 When I tried to run the program it crashed the computer and I had to restart.
2 On restarting a new comment was included at bootup "K8 NPT Data Change .. Installing new DMI!"
3 My AVG virus checker will not update - it seems as though it's being blocked
4 On googling, it seems to go via a site ecata.info before sometimes giving me the right google result, sometimes other websites
5 I'm getting some pop ups even though IE is set not to allow them

Hope that's enough for someone to recognise what I've got.

I've read the "how to use combofix.exe" forum and the "How to install the Windows Recovery Console" and "preparation Guide" forum.

I can't load the Recovery Console. I am running XP Pro Service Pack 3 and every time I try to load the console from my CD it states it's too old a version and I can't seem to find anything on Microsoft to see how to download a Service Pack 3 version. So I need help with this please.

I have run dds.scr and set out below its report and have attached the attach.txt as a zip file.

I think that's about as much as I can do for now. I would be very grateful for any assistance you can give on how I should proceed from here.

Thanks

Brin57.


DDS (Version 1.1.0) - NTFSx86
Run by Brian at 22:31:20.35 on 01/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1403 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
FW: ZoneAlarm Pro Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Labtec Laser Mouse Software\MulMouse.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Brian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Second Copy] "c:\program files\seccopy\SecCopy.exe" /InitialWait=5
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [<NO NAME>]
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\labtec~1.lnk - c:\program files\labtec laser mouse software\MulMouse.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with Scansoft PDF Converter 3.0 - c:\program files\scansoft\omnipage15.0\pdfconverter3\IEShellExt.dll /100
IE: Send by Bluetooth - c:\program files\ivt corporation\bluesoleil\transsend\ie\tsinfo.htm
IE: Send via &Message... - c:\program files\ivt corporation\bluesoleil\transsend\ie\tssms.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: cottagesdirect.co.uk\www
Trusted Zone: cottagesdirect.com\www
Trusted Zone: nationet.com\olb2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\windows\system32\skype4com.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brian\applic~1\mozilla\firefox\profiles\7uhiw597.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\{231d7d17-4f1b-4933-ab61-e502db82fd11}\components\FFTransSend.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

============= SERVICES / DRIVERS ===============

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-7-31 20616]
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2006-10-8 16640]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-17 96520]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-17 26824]
R1 MUsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\MUsbFltr.sys [2007-5-9 9088]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-10-9 394952]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-17 873752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-17 231192]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-17 76040]
R2 BsMobileCS;BsMobileCS;c:\program files\ivt corporation\bluesoleil\BsMobileCS.exe [2008-11-1 143467]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2006-10-12 472644]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]
R3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [2008-12-8 3768]
R3 Winacusb;Winacusb;c:\windows\system32\drivers\winacusb.sys [2001-10-19 928266]
S0 MFX;MFX;c:\windows\system32\drivers\MFX.sys [2006-9-1 52108]
S0 XMS1563K;XMS1563K;c:\windows\system32\drivers\XMS1563K.sys [2006-10-10 52108]
S1 sdpiosys;sdpiosys;c:\windows\system32\drivers\sdpiosys.sys []
S3 SoundMovieServer;SoundMovieServer;"c:\windows\system32\snmvtsvc.exe" [2008-12-8 200704]
S3 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" []

=============== Created Last 30 ================

2009-01-01 19:35 <DIR> --d----- C:\fsaua.data
2009-01-01 19:08 <DIR> --dshr-- C:\resycled
2009-01-01 19:08 255 ---shr-- C:\autorun.inf
2008-12-29 23:05 <DIR> --d----- C:\Lyrics
2008-12-29 23:04 <DIR> --d----- c:\docume~1\brian\applic~1\MiniLyrics
2008-12-29 23:04 <DIR> --d----- c:\program files\Minilyrics
2008-12-26 23:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\kinoma
2008-12-26 23:40 <DIR> --d----- c:\program files\Sony
2008-12-26 23:40 <DIR> --d----- c:\program files\common files\Sony Shared
2008-12-25 11:07 <DIR> --d----- c:\program files\CDex_170b2
2008-12-25 11:07 <DIR> --d----- c:\program files\Free Offers from Freeze.com
2008-12-24 19:45 532,480 a------- c:\windows\system32\FLIQLO.scr
2008-12-24 19:45 <DIR> --d----- c:\windows\system32\FLIQLO dir
2008-12-08 00:19 <DIR> --d----- C:\Converted
2008-12-08 00:09 200,704 a------- c:\windows\system32\snmvtsvc.exe
2008-12-08 00:09 23,096 a------- c:\windows\system32\SndTAudio.sys
2008-12-08 00:09 23,096 a------- c:\windows\system32\drivers\SndTAudio.sys
2008-12-08 00:09 19,099 a------- c:\windows\system32\SndTAudio.inf
2008-12-08 00:09 10,936 a------- c:\windows\system32\SndTVideo.dll
2008-12-08 00:09 3,768 a------- c:\windows\system32\SndTVideo.sys
2008-12-08 00:09 3,768 a------- c:\windows\system32\drivers\SndTVideo.sys
2008-12-08 00:09 2,577 a------- c:\windows\system32\SndTVideo.inf
2008-12-08 00:09 2,539 a------- c:\windows\system32\SndTVideo.cat
2008-12-08 00:09 2,100 a------- c:\windows\system32\SndTAudio.cat
2008-12-08 00:09 <DIR> --d----- c:\program files\SoundTaxi

==================== Find3M ====================

2009-01-01 21:43 96,520 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-11 20:50 4,212 ----h--- c:\windows\system32\zllictbl.dat
2008-12-02 20:21 446,464 a------- c:\windows\system32\HActiveX.dll
2008-12-01 21:55 4,234 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-11-30 16:33 680,960 a------- c:\windows\is-5IUKQ.exe
2008-11-01 09:33 9,728 a------- c:\windows\system32\BsMonUI.dll
2008-11-01 09:33 18,432 a------- c:\windows\system32\BsMonSvr.dll
2008-11-01 09:32 405,589 a------- c:\windows\system32\BsUI.dll
2008-11-01 09:32 57,430 a------- c:\windows\system32\btfunc.dll
2008-11-01 09:32 278,647 a------- c:\windows\system32\outlookAddin.dll
2008-11-01 09:32 53,248 a------- c:\windows\system32\HtmPrintHelper.dll
2008-11-01 09:32 114,774 a------- c:\windows\system32\versit.dll
2008-11-01 09:32 622,693 a------- c:\windows\system32\BSShell.dll
2008-11-01 09:31 557,142 a------- c:\windows\system32\Bscdlg.dll
2008-11-01 09:31 114,788 a------- c:\windows\system32\BsProfileFunc.dll
2008-11-01 09:31 151,642 a------- c:\windows\system32\BsCommon.dll
2008-11-01 09:31 553,075 a------- c:\windows\system32\BlueSoleilCSps.dll
2008-11-01 09:31 94,314 a------- c:\windows\system32\BsHelpCSps.dll
2008-11-01 09:30 28,766 a------- c:\windows\system32\PlayerCtrl.dll
2008-11-01 09:29 98,403 a------- c:\windows\system32\Bs2Res.dll
2008-11-01 09:29 237,652 a------- c:\windows\system32\BsSDK.dll
2008-11-01 09:29 122,976 a------- c:\windows\system32\BsMobileSDK.dll
2008-11-01 09:29 28,672 a------- c:\windows\system32\BsMobileCSps.dll
2008-11-01 09:29 28,760 a------- c:\windows\system32\BsTrace.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-22 15:30 81,920 a------- c:\windows\system32\BsVistaCommon.dll
2008-10-22 12:33 15,368 a------- c:\windows\system32\btinstall.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-05 23:32 1,880 a------- c:\windows\AUTOLNCH.REG
2006-11-18 22:32 1,519 ---shr-- c:\docume~1\brian\applic~1\SCPSS5.DLL
2006-11-04 22:27 88 ---shr-- c:\windows\system32\5779515231.sys
2008-05-09 23:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051020080511\index.dat
2008-08-15 14:03 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-08-15 14:03 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-08-15 14:03 49,152 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 22:31:58.18 ===============


#2 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 January 2009 - 03:05 PM

Hello brin57,

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 23 January 2009 - 05:02 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.