
Infected with something...Computer running VERY slow


This topic is locked
2 replies to this topic

#1 rdr8887

  • Members
  • 27 posts

Posted 13 February 2009 - 09:32 AM

I have run Spybot S&D and Ad-Aware and found several items. The programs appear to have eliminated the threats. I rebooted the computer each time before I re-scanned. I'm not sure what the computer is infected with. Mouse just jumps around and will not click anything.


DDS (Ver_09-02-01.01) - NTFSx86
Run by rrawlings at 9:00:45.09 on Fri 02/13/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1150.554 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NavNT\rtvscan.exe
c:\program files\timberline\shared\sage.servicehost.host.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Nortel\Shared Files\BCMCCProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPage15\Opware15.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Optus\FACSys Desktop Client\facsys.exe
C:\Program Files\ScanSoft\PaperPort\xdcla.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Nortel\Shared Files\NTSPInit.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\rrawlings\Local Settings\Temporary Internet Files\Content.IE5\36XDZK0E\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
mRun: [HPLJ Config] c:\program files\hewlett-packard\hp laserjet 1010 series\SetConfig.exe -c Direct -p PCAW: -pn "HP LaserJet 1012" -n 0 -l 1033 -sl 120000
mRun: [vptray] "c:\program files\navnt\vptray.exe"
mRun: [InstantAccess] "c:\progra~1\textbr~1.0\bin\INSTAN~1.EXE" /h
mRun: [RegisterDropHandler] c:\progra~1\textbr~1.0\bin\REGIST~1.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [Opware15] "c:\program files\scansoft\omnipage15\Opware15.exe"
mRun: [PDF4 Registry Controller] "c:\program files\scansoft\pdf professional 4.0\RegistryController.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRunServices: [RegisterDropHandler] c:\progra~1\textbr~1.0\bin\REGIST~1.EXE
dRun: [Microsoft Services] lsrv.exe
dRun: [ttask] c:\windows\system32\msc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\facsys~1.lnk - c:\program files\optus\facsys desktop client\facsys.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imager~1.lnk - c:\program files\scansoft\paperport\xdcla.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pervas~1.lnk - c:\pvsw\bin\w3dbsmgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tsplau~1.lnk - c:\program files\nortel\shared files\NTSPInit.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Open with ScanSoft PDF Converter 4.1 - c:\program files\scansoft\pdf professional 4.0\cnvres_eng.dll /100
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: isqft.com\www
Trusted Zone: isqft.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://www.isqft.com/Applets/ScriptX/ScriptX.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {22568012-E3CB-4427-BF21-3060D4A9847B} = 192.168.100.230
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: <NO NAME> - - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-12 64160]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
R1 NEOFLTR_600_13319;Juniper Networks TDI Filter Driver (NEOFLTR_600_13319);c:\windows\system32\drivers\NEOFLTR_600_13319.sys [2008-6-24 64160]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2002-5-8 212992]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-10-31 106496]
R2 BCMCCPROXY;BCMCCPROXY Service;c:\program files\nortel\shared files\BCMCCProxy.exe [2008-12-17 86016]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2003-5-2 30208]
R2 NetAlrt;NetAlrt;c:\windows\system32\drivers\Netalrt.sys [2002-5-7 39680]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\navnt\rtvscan.exe [2003-5-21 610304]
R2 PlatAlrt;PlatAlrt;c:\windows\system32\drivers\platalrt.sys [2002-5-7 23744]
R2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0;c:\program files\timberline\shared\Sage.ServiceHost.Host.exe [2007-1-19 81920]
R2 SC0CLPT;SC0CLPT;c:\windows\system32\SC0CLPT.SYS [2005-3-7 54456]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2007-4-27 316992]
R3 NAVAP;NAVAP;c:\progra~1\navnt\NAVAP.sys [2003-5-2 224256]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090212.003\NAVENG.sys [2009-2-13 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090212.003\NAVEX15.sys [2009-2-13 876112]
S3 dordodrv;dordodrv;\??\c:\windows\system32\f0r0r\dordo.sys --> c:\windows\system32\f0r0r\dordo.sys [?]
S4 alog;Alert Log;"c:\winnt\system\svchost.exe" /service --> c:\winnt\system\svchost.exe [?]
S4 nt_service;nt_service;c:\progra~1\common~1\identi~1\{1037f~1\com1\aux\inhere\srunner.exe --> c:\progra~1\common~1\identi~1\{1037f~1\com1\aux\inhere\srunner.exe [?]
S4 ntservice;ntservice;c:\progra~1\common~1\identi~1\{1037f~1\com1\aux\inhere\srunner.exe --> c:\progra~1\common~1\identi~1\{1037f~1\com1\aux\inhere\srunner.exe [?]
S4 nwclnt;Network Client;c:\windows\system32\netclnt.exe --> c:\windows\system32\netclnt.exe [?]
S4 Smg;Server Management;c:\windows\winmgr.exe --> c:\windows\winmgr.exe [?]

=============== Created Last 30 ================

2009-02-12 15:04 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-12 13:48 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-12 13:45 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-12 11:35 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-02-10 11:12 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-28 10:01 <DIR> --d----- c:\documents and settings\rrawlings\.thinupload

==================== Find3M ====================

2009-02-10 10:22 8,224 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2007-02-05 11:22 137,712 ac--h--- c:\docume~1\rrawli~1\applic~1\GDIPFONTCACHEV1.DAT
2002-10-17 07:51 8,981,440 ac------ c:\program files\ar505enu.exe
2007-06-08 14:13 1,812,200 ac-sh--- c:\windows\system32\fhhkj.bak2
2008-04-13 19:12 57,344 a--sh--- c:\windows\system32\msvcirt.dll
2008-04-13 19:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-13 19:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe
2008-08-25 08:59 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

============= FINISH: 9:01:42.92 ===============
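Several entries in the SERVICES / DRIVERS and Run sections above stand out on path alone: image files DDS could not find on disk (the `[?]` suffix), an `svchost.exe` registered under `c:\winnt\system` on a machine whose Windows directory is `c:\windows`, a service path that runs through `com1\aux` (reserved DOS device names, which ordinary Win32 path handling cannot create or delete), and a `dRun` value that is just a bare file name. The script below is an added example, not part of the original thread and not part of DDS; it applies those path heuristics to the lines quoted from the log. The `c:\windows` default for `windir` is taken from the log's own paths, and the line-format regexes are my reading of DDS output, so treat both as assumptions. It reports entries worth a second look; it does not decide that anything is malicious.

```python
"""Triage heuristics for the SERVICES / DRIVERS and Run-key lines of a DDS log."""
import re
from typing import Dict, List, Tuple

# Reserved DOS device names. A directory named like one of these cannot be
# created, listed or deleted through ordinary Win32 path handling (it needs the
# \\?\ prefix), which is why a com1\aux path component deserves attention.
RESERVED_DEVICE_NAMES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)

# Assumed DDS formats: "<R|S><start type> <name>;<display>;<image path> [date size]",
# or "... --> <resolved path> [?]" when DDS could not find the file on disk.
SERVICE_RE = re.compile(r"^(?P<state>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# "<u|m|d>Run: [<value name>] <command>"  (u = HKCU, m = HKLM, d = HKU\.DEFAULT)
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
BINARY_RE = re.compile(r"(.*?\.(?:exe|sys|dll|scr|cpl|bat|cmd|com))(?:\s|$)", re.IGNORECASE)


def extract_path(command: str) -> str:
    """Return the executable path from a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = BINARY_RE.match(command)
    return m.group(1) if m else command.split(" ")[0]


def parse_service(rest: str) -> Tuple[str, bool]:
    """Split the tail of a service line into (image path, file_missing)."""
    missing = rest.rstrip().endswith("[?]")
    if "-->" in rest:
        rest = rest.split("-->", 1)[1]             # prefer the resolved path
    rest = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest)  # drop "[date size]" / "[?]"
    return extract_path(rest), missing


def assess(kind: str, scope: str, path: str, missing: bool, windir: str = r"c:\windows") -> List[str]:
    """Reasons an entry deserves a closer look; an empty list means nothing odd."""
    p = path.lower()
    if p.startswith("\\??\\"):                     # NT object-manager path prefix
        p = p[4:]
    if not p:
        return ["empty command"]
    parts = p.split("\\")
    reasons = []
    if missing:
        reasons.append("image file not found (DDS printed [?] instead of date/size)")
    for comp in parts[:-1]:
        if comp in RESERVED_DEVICE_NAMES:
            reasons.append(f"reserved device name '{comp}' in path")
            break
    if parts[-1] == "svchost.exe" and "\\".join(parts[:-1]) != windir.lower() + "\\system32":
        reasons.append("svchost.exe outside %SystemRoot%\\system32")
    if len(parts) == 1:
        reasons.append("bare file name, located by PATH search at run time")
    if kind == "run" and scope == "d":
        reasons.append("Run value under HKU\\.DEFAULT (dRun), rarely used by legitimate software")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Scan service/driver and Run lines; return only the entries with findings."""
    findings = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            path, missing = parse_service(m.group("rest"))
            kind, scope, name = "service", m.group("state"), m.group("name")
        else:
            m = RUN_RE.match(line)
            if not m:
                continue
            path, missing = extract_path(m.group("cmd")), False
            kind, scope, name = "run", m.group("hive"), m.group("name")
        reasons = assess(kind, scope, path, missing)
        if reasons:
            findings.append({"kind": kind, "scope": scope, "name": name, "path": path, "reasons": reasons})
    return findings


# Constructed sample: lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-10-31 106496]
S3 dordodrv;dordodrv;\??\c:\windows\system32\f0r0r\dordo.sys --> c:\windows\system32\f0r0r\dordo.sys [?]
S4 alog;Alert Log;"c:\winnt\system\svchost.exe" /service --> c:\winnt\system\svchost.exe [?]
S4 nt_service;nt_service;c:\progra~1\common~1\identi~1\{1037f~1\com1\aux\inhere\srunner.exe --> c:\progra~1\common~1\identi~1\{1037f~1\com1\aux\inhere\srunner.exe [?]
S4 Smg;Server Management;c:\windows\winmgr.exe --> c:\windows\winmgr.exe [?]
mRun: [vptray] "c:\program files\navnt\vptray.exe"
dRun: [Microsoft Services] lsrv.exe
dRun: [ttask] c:\windows\system32\msc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['scope']:>2} {f['name']}: {f['path']} -- {'; '.join(f['reasons'])}")
```

Paste the whole DDS log into `triage()` and the benign pcAnywhere and vptray entries drop out, while the four `S4`/`S3` leftovers and both `dRun` values are listed with the reason each was flagged. A file that DDS could not find is a stale registration rather than a running threat, which is consistent with the poster's scanners having already removed things; the entries still warrant cleanup because the service and Run keys remain.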


#2 rdr8887

  • Topic Starter

  • Members
  • 27 posts

Posted 13 February 2009 - 10:36 AM

I do believe everything is working fine now. After further investigation into the process, everything seemed to be running normally. It appears that a few of my USB ports are not working correctly. I have moved the mouse to a different port and the functions seem to work right.

The main problem was with using the mouse...but, the fact that I found many spyware threats had me worried. I would still like someone to review the log to see what you think, but I think the issue has been corrected.

Thanks in advance.

#3 viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 25 February 2009 - 04:14 PM

Welcome to the forum.

Download and install CleanUp

This will clean up junk files. When it completes, it will tell you to log off, but that isn't necessary.

Next, download and install Malwarebytes

Be sure update is checked when you install it.

Run a full scan, fix what it recommends, post the log, and then restart your computer and post a new HijackThis log.



