Slow computer and popups


7 replies to this topic

#1 mjstemen

mjstemen

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:09 AM

Posted 21 March 2009 - 12:19 PM

My computer has been running slow all week, and this morning I got a popup for Windows Defender. Please help. I've attached the DDS log.

Attached Files

  • Attached File  DDS.txt   9.25KB   9 downloads



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:09 AM

Posted 21 March 2009 - 12:33 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • A second report, Attach.txt will open next.
  • Save both reports to your desktop.
Please copy and paste both logs into your next reply.


=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 mjstemen

mjstemen
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:09 AM

Posted 21 March 2009 - 09:38 PM

Here are the 3 logs.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/1/2006 2:51:40 PM
System Uptime: 3/21/2009 12:33:44 PM (0 hours ago)

Motherboard: Dell Computer Corporation | | 0D2125
Processor: Intel® Celeron® M processor 1.30GHz | Microprocessor | 1298/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 24.954 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP425: 12/22/2008 7:52:13 PM - System Checkpoint
RP426: 12/22/2008 8:06:12 PM - Software Distribution Service 3.0
RP427: 12/22/2008 8:37:58 PM - Avg8 Update
RP428: 12/23/2008 11:45:14 PM - System Checkpoint
RP429: 12/25/2008 4:07:08 PM - System Checkpoint
RP430: 12/26/2008 5:48:25 PM - System Checkpoint
RP431: 12/29/2008 7:37:04 PM - System Checkpoint
RP432: 12/31/2008 7:06:57 AM - System Checkpoint
RP433: 1/6/2009 7:26:03 PM - System Checkpoint
RP434: 1/7/2009 8:13:42 PM - System Checkpoint
RP435: 1/13/2009 6:57:26 PM - System Checkpoint
RP436: 1/13/2009 11:06:39 PM - Software Distribution Service 3.0
RP437: 1/20/2009 7:16:44 PM - System Checkpoint
RP438: 1/21/2009 7:44:46 PM - System Checkpoint
RP439: 1/22/2009 8:14:31 PM - System Checkpoint
RP440: 1/24/2009 9:13:37 AM - System Checkpoint
RP441: 1/26/2009 8:13:28 PM - System Checkpoint
RP442: 1/27/2009 8:14:14 PM - System Checkpoint
RP443: 1/28/2009 9:14:12 PM - System Checkpoint
RP444: 1/29/2009 10:14:12 PM - System Checkpoint
RP445: 1/30/2009 10:56:58 PM - System Checkpoint
RP446: 1/31/2009 11:10:50 PM - System Checkpoint
RP447: 2/2/2009 7:47:55 PM - System Checkpoint
RP448: 2/3/2009 6:10:52 PM - Avg8 Update
RP449: 2/3/2009 6:15:36 PM - Avg8 Update
RP450: 2/10/2009 9:32:49 PM - System Checkpoint
RP451: 2/10/2009 10:14:27 PM - Software Distribution Service 3.0
RP452: 2/12/2009 7:07:12 AM - System Checkpoint
RP453: 2/12/2009 9:07:28 AM - Avg8 Update
RP454: 2/13/2009 8:47:12 PM - Avg8 Update
RP455: 2/14/2009 2:21:21 PM - Cleaned registry with Windows Live OneCare safety scanner
RP456: 2/15/2009 3:14:11 PM - System Checkpoint
RP457: 2/16/2009 4:07:47 PM - System Checkpoint
RP458: 2/18/2009 9:03:16 PM - System Checkpoint
RP459: 2/19/2009 9:06:44 PM - System Checkpoint
RP460: 2/20/2009 9:11:36 PM - System Checkpoint
RP461: 2/22/2009 8:13:00 PM - System Checkpoint
RP462: 2/25/2009 6:00:16 AM - Software Distribution Service 3.0
RP463: 2/26/2009 7:12:33 AM - Software Distribution Service 3.0
RP464: 2/28/2009 2:03:15 PM - System Checkpoint
RP465: 3/2/2009 1:17:47 PM - System Checkpoint
RP466: 3/5/2009 5:50:02 AM - Avg8 Update
RP467: 3/6/2009 6:49:26 PM - System Checkpoint
RP468: 3/8/2009 2:44:14 PM - System Checkpoint
RP469: 3/10/2009 3:59:17 PM - System Checkpoint
RP470: 3/10/2009 6:37:31 PM - Software Distribution Service 3.0
RP471: 3/11/2009 5:00:36 AM - Software Distribution Service 3.0
RP472: 3/12/2009 6:15:47 AM - System Checkpoint
RP473: 3/14/2009 7:00:42 AM - Software Distribution Service 3.0
RP474: 3/14/2009 8:01:59 AM - Printer Driver Microsoft XPS Document Writer Installed
RP475: 3/15/2009 6:45:52 PM - System Checkpoint
RP476: 3/15/2009 9:14:58 PM - Software Distribution Service 3.0
RP477: 3/17/2009 6:55:28 AM - System Checkpoint
RP478: 3/18/2009 6:32:10 PM - Avg8 Update
RP479: 3/21/2009 8:40:55 AM - System Checkpoint

==== Installed Programs ======================

Adobe Acrobat 6.0 Standard
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.1
Adobe Shockwave Player 11
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Free 8.0
Bonjour
Broadcom Gigabit Integrated Controller
CCleaner (remove only)
CCScore
Compatibility Pack for the 2007 Office system
Conexant D480 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
Dell Wireless WLAN Card
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
FRx 6.7 Supplemental Files
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
iTunes
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Office Small Business Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Mystery Stories: Island of Hope
netbrdg
Notifier
O2Micro Smartcard Driver
OfotoXMI
PCDADDIN
PCDHELP
PowerDVD 5.1
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SFR
SHASTA
SigmaTel AC97 Audio Drivers
SKIN0001
SKINXSDK
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
staticcr
tooltips
Unity Web Player
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VBA (2720)
VPRINTOL
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows NT Messaging
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3
WIRELESS

==== Event Viewer Messages From Past Week ========

3/21/2009 10:56:48 AM, error: PlugPlayManager [12] - The device 'SAMSUNG CDRW/DVD SN-324S' (IDE\CdRomSAMSUNG_CDRW/DVD_SN-324S________________U303____\5&1109ea34&0&0.0.0) disappeared from the system without first being prepared for removal.
3/21/2009 12:07:44 PM, error: PlugPlayManager [12] - The device 'Optiarc DVD+-RW AD-5560A' (IDE\CdRomOptiarc_DVD+-RW_AD-5560A________________DD11____\4e4347303250373738363638373541393130374f) disappeared from the system without first being prepared for removal.
3/21/2009 10:48:53 AM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
3/21/2009 10:53:40 AM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\certmap.ocx could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
3/21/2009 10:53:42 AM, information: Windows File Protection [64018] - Windows File Protection file scan was cancelled by user interaction, user name is User.
3/21/2009 10:55:17 AM, information: Windows File Protection [64021] - The system file c:\windows\system32\ftpsapi2.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
3/21/2009 12:03:56 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.

==== End Of File ===========================


Here is the GMER log

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-21 22:37:27
Windows 5.1.2600 Service Pack 3


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1652] kernel32.dll!LoadLibraryExW + 36 7C801B2B 5 Bytes JMP 0239C8B4 C:\Program Files\Common\_helper.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1652] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 02931088 C:\WINDOWS\system32\mst123.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1652] USER32.dll!LoadCursorFromFileA + 5F6 7E4542C1 5 Bytes [39, E0, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\iexplore.exe[1652] USER32.dll!LoadCursorFromFileA + 8CD 7E454598 7 Bytes [39, E0, 90, 90, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!LoadLibraryExW + 36 7C801B2B 5 Bytes JMP 0361C8B4 C:\Program Files\Common\_helper.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!LoadCursorFromFileA + 5F6 7E4542C1 5 Bytes [39, E0, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!LoadCursorFromFileA + 8CD 7E454598 7 Bytes [39, E0, 90, 90, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----
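
Reading the GMER "User code sections" above is mostly a matter of separating hooks that GMER could attribute to a module with a publisher annotation from hooks that land in a module it could not. The Python below is an added example written for this page; it is not part of GMER and was not posted by anyone in the thread. It parses a constructed sample made of lines copied from the log above and sorts each hook into a triage bucket. The bucket names, the `Hook` fields and the helper functions are the example's own. On the sample it lists `_helper.dll` and `mst123.dll` as the modules to identify first, which is consistent with ComboFix later removing `c:\program files\Common\_helper.dll`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: "User code sections" lines copied from the GMER log
# posted in this thread. Six representative hooks; the parser treats the full
# block the same way.
SAMPLE_GMER = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[1652] kernel32.dll!LoadLibraryExW + 36 7C801B2B 5 Bytes JMP 0239C8B4 C:\Program Files\Common\_helper.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1652] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 02931088 C:\WINDOWS\system32\mst123.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1652] USER32.dll!LoadCursorFromFileA + 5F6 7E4542C1 5 Bytes [39, E0, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] kernel32.dll!LoadLibraryExW + 36 7C801B2B 5 Bytes JMP 0361C8B4 C:\Program Files\Common\_helper.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2492] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
"""

# One GMER user-mode hook line:
#   .text <process>[<pid>] <module>!<function>[ + <hex offset>] <hex addr> <n> Bytes <detail>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\w+)(?:\s\+\s(?P<offset>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+(?P<detail>.+)$"
)
# <detail> for a redirect: JMP <hex target> <path of the module the jump lands in> [(<description/publisher>)]
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})\s+(?P<path>.+?)(?:\s+\((?P<publisher>[^)]*)\))?$"
)


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    func: str
    kind: str                   # "jmp" (redirect into another module) or "inline" (bytes patched in place)
    target_path: Optional[str]  # module the JMP lands in, if any
    publisher: Optional[str]    # GMER's "(description/company)" annotation, if any
    verdict: str                # "known-publisher", "review" or "inline-patch" (this example's buckets)


def classify(kind: str, publisher: Optional[str]) -> str:
    """Triage rule used by this example: a redirect into a module GMER annotated
    with a publisher is low priority; a redirect into an unattributed module needs
    an analyst's eyes; an in-place byte patch has no target module to attribute,
    so it is listed separately for a byte-level comparison against a clean DLL."""
    if kind == "inline":
        return "inline-patch"
    return "known-publisher" if publisher else "review"


def parse_line(line: str) -> Optional[Hook]:
    """Parse one GMER hook line; return None for headers, blanks and EOF markers."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    j = JMP_RE.match(m.group("detail"))
    if j:
        kind, path, publisher = "jmp", j.group("path"), j.group("publisher")
    else:
        kind, path, publisher = "inline", None, None
    return Hook(m.group("process"), int(m.group("pid")), m.group("module"),
                m.group("func"), kind, path, publisher, classify(kind, publisher))


def parse_gmer(text: str) -> List[Hook]:
    hooks = [parse_line(ln) for ln in text.splitlines()]
    return [h for h in hooks if h is not None]


def review_targets(text: str) -> List[str]:
    """Distinct modules that hooks redirect into without a publisher annotation,
    i.e. the files to identify (hash, signature, origin) before anything else."""
    return sorted({h.target_path for h in parse_gmer(text) if h.verdict == "review"})


def hooked_apis_by_target(text: str) -> dict:
    """Map each review-worthy module to the APIs it hooks, merged across PIDs."""
    out: dict = {}
    for h in parse_gmer(text):
        if h.verdict == "review":
            out.setdefault(h.target_path, set()).add(f"{h.module}!{h.func}")
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for h in parse_gmer(SAMPLE_GMER):
        where = h.target_path or "(in-place patch)"
        print(f"{h.verdict:16} pid={h.pid:<5} {h.module}!{h.func:<22} -> {where}")
    print("identify first:", review_targets(SAMPLE_GMER))
```

The in-place `CMP EAX, ESP; NOP` patches in USER32.dll are kept in their own bucket on purpose: GMER prints no target module for them, so attribution by publisher does not apply and the right check is to compare the patched bytes against a clean copy of the DLL, which this script does not do. Merging the review hooks across PIDs also makes it visible that the same module redirects the same API in both Internet Explorer processes.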

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:09 AM

Posted 22 March 2009 - 09:44 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#5 mjstemen

mjstemen
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:09 AM

Posted 22 March 2009 - 08:02 PM

The results of Combofix are attached.

ComboFix 09-03-22.01 - User 2009-03-22 20:54:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.298 [GMT -4:00]
Running from: c:\documents and settings\ITD\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common\_helper.dll
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig

.
((((((((((((((((((((((((( Files Created from 2009-02-23 to 2009-03-23 )))))))))))))))))))))))))))))))
.

2009-03-21 12:03 . 2008-04-13 20:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2009-03-21 12:03 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2009-03-21 12:03 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-03-21 12:03 . 2008-04-13 20:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2009-03-21 12:03 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2009-03-21 12:02 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2009-03-21 12:02 . 2004-08-03 22:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2009-03-21 12:02 . 2008-04-13 14:46 19,200 --a--c--- c:\windows\system32\dllcache\wstcodec.sys
2009-03-21 12:02 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2009-03-21 12:02 . 2004-08-03 22:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2009-03-21 12:02 . 2008-04-13 20:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2009-03-21 12:01 . 2001-08-17 13:28 771,581 --a--c--- c:\windows\system32\dllcache\winacisa.sys
2009-03-21 12:01 . 2004-08-03 22:31 154,624 --a--c--- c:\windows\system32\dllcache\wlluc48.sys
2009-03-21 12:01 . 2001-08-17 22:36 87,040 --a--c--- c:\windows\system32\dllcache\wiafbdrv.dll
2009-03-21 12:01 . 2001-08-17 22:36 53,760 --a--c--- c:\windows\system32\dllcache\wiamsmud.dll
2009-03-21 12:01 . 2001-08-17 12:12 34,890 --a--c--- c:\windows\system32\dllcache\wlandrv2.sys
2009-03-21 12:01 . 2008-04-13 14:36 8,832 --a--c--- c:\windows\system32\dllcache\wmiacpi.sys
2009-03-21 11:59 . 2001-08-17 13:28 765,884 --a--c--- c:\windows\system32\dllcache\usrti.sys
2009-03-21 11:59 . 2001-08-17 13:28 687,999 --a--c--- c:\windows\system32\dllcache\usrwdxjs.sys
2009-03-21 11:59 . 2001-08-17 13:28 604,253 --a--c--- c:\windows\system32\dllcache\vmodem.sys
2009-03-21 11:59 . 2001-08-17 13:28 397,502 --a--c--- c:\windows\system32\dllcache\vpctcom.sys
2009-03-21 11:59 . 2001-08-17 12:14 249,402 --a--c--- c:\windows\system32\dllcache\vinwm.sys
2009-03-21 11:59 . 2001-08-17 13:28 113,762 --a--c--- c:\windows\system32\dllcache\usrpda.sys
2009-03-21 11:59 . 2001-08-17 13:28 64,605 --a--c--- c:\windows\system32\dllcache\vvoice.sys
2009-03-21 11:59 . 2008-04-13 20:12 53,760 --a--c--- c:\windows\system32\dllcache\vfwwdm32.dll
2009-03-21 11:59 . 2001-08-17 13:49 24,576 --a--c--- c:\windows\system32\dllcache\viairda.sys
2009-03-21 11:59 . 2008-04-13 14:40 5,376 --a--c--- c:\windows\system32\dllcache\viaide.sys
2009-03-21 11:58 . 2001-08-17 13:28 794,654 --a--c--- c:\windows\system32\dllcache\usr1801.sys
2009-03-21 11:58 . 2001-08-17 13:28 794,399 --a--c--- c:\windows\system32\dllcache\usr1806v.sys
2009-03-21 11:58 . 2001-08-17 13:28 793,598 --a--c--- c:\windows\system32\dllcache\usr1806.sys
2009-03-21 11:58 . 2001-08-17 13:28 224,802 --a--c--- c:\windows\system32\dllcache\usr1807a.sys
2009-03-21 11:58 . 2001-08-17 22:36 94,720 --a--c--- c:\windows\system32\dllcache\umaxud32.dll
2009-03-21 11:58 . 2008-04-13 14:45 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2009-03-21 11:58 . 2004-08-03 22:31 32,384 --a--c--- c:\windows\system32\dllcache\usb101et.sys
2009-03-21 11:58 . 2008-04-13 14:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-03-21 11:58 . 2001-08-17 22:36 28,160 --a--c--- c:\windows\system32\dllcache\umaxu40.dll
2009-03-21 11:58 . 2008-04-13 14:45 26,112 --a--c--- c:\windows\system32\dllcache\usbser.sys
2009-03-21 11:58 . 2008-04-13 14:45 17,152 --a--c--- c:\windows\system32\dllcache\usbohci.sys
2009-03-21 11:58 . 2001-08-17 13:28 7,556 --a--c--- c:\windows\system32\dllcache\usroslba.sys
2009-03-21 11:57 . 2001-08-17 22:36 216,064 --a--c--- c:\windows\system32\dllcache\um34scan.dll
2009-03-21 11:57 . 2001-08-17 22:36 211,968 --a--c--- c:\windows\system32\dllcache\um54scan.dll
2009-03-21 11:57 . 2001-08-17 22:36 69,632 --a--c--- c:\windows\system32\dllcache\umaxu12.dll
2009-03-21 11:57 . 2001-08-17 22:36 50,688 --a--c--- c:\windows\system32\dllcache\umaxscan.dll
2009-03-21 11:57 . 2001-08-17 22:36 50,176 --a--c--- c:\windows\system32\dllcache\umaxp60.dll
2009-03-21 11:57 . 2001-08-17 22:36 47,616 --a--c--- c:\windows\system32\dllcache\umaxcam.dll
2009-03-21 11:57 . 2001-08-17 13:52 36,736 --a--c--- c:\windows\system32\dllcache\ultra.sys
2009-03-21 11:57 . 2001-08-17 22:36 26,624 --a--c--- c:\windows\system32\dllcache\umaxu22.dll
2009-03-21 11:57 . 2001-08-17 13:58 22,912 --a--c--- c:\windows\system32\dllcache\umaxpcls.sys
2009-03-21 11:57 . 2001-08-17 13:48 11,520 --a--c--- c:\windows\system32\dllcache\twotrack.sys
2009-03-21 11:56 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll
2009-03-21 11:56 . 2001-08-17 14:56 440,576 --a--c--- c:\windows\system32\dllcache\tridkb.dll
2009-03-21 11:56 . 2001-08-17 14:56 315,520 --a--c--- c:\windows\system32\dllcache\trid3d.dll
2009-03-21 11:56 . 2001-08-17 12:51 222,336 --a--c--- c:\windows\system32\dllcache\trid3dm.sys
2009-03-21 11:56 . 2001-08-17 12:51 166,784 --a--c--- c:\windows\system32\dllcache\tridxpm.sys
2009-03-21 11:56 . 2001-08-17 12:51 159,232 --a--c--- c:\windows\system32\dllcache\tridkbm.sys
2009-03-21 11:56 . 2008-04-13 20:12 82,944 --a--c--- c:\windows\system32\dllcache\tp4mon.exe
2009-03-21 11:56 . 2001-08-17 22:35 42,496 --a--c--- c:\windows\system32\dllcache\tp4res.dll
2009-03-21 11:56 . 2001-08-17 12:12 34,375 --a--c--- c:\windows\system32\dllcache\tpro4.sys
2009-03-21 11:56 . 2001-08-17 22:36 31,744 --a--c--- c:\windows\system32\dllcache\tp4.dll
2009-03-21 11:55 . 2001-08-17 14:01 241,664 --a--c--- c:\windows\system32\dllcache\tosdvd02.sys
2009-03-21 11:55 . 2001-08-17 14:02 230,912 --a--c--- c:\windows\system32\dllcache\tosdvd03.sys
2009-03-21 11:55 . 2008-04-13 14:40 149,376 --a--c--- c:\windows\system32\dllcache\tffsport.sys
2009-03-21 11:55 . 2001-08-17 12:51 138,528 --a--c--- c:\windows\system32\dllcache\tgiulnt5.sys
2009-03-21 11:55 . 2001-08-17 12:14 123,995 --a--c--- c:\windows\system32\dllcache\tjisdn.sys
2009-03-21 11:55 . 2001-08-17 14:56 81,408 --a--c--- c:\windows\system32\dllcache\tgiul50.dll
2009-03-21 11:55 . 2001-08-17 12:13 37,961 --a--c--- c:\windows\system32\dllcache\tdk100b.sys
2009-03-21 11:55 . 2001-08-17 12:10 28,232 --a--c--- c:\windows\system32\dllcache\tos4mo.sys
2009-03-21 11:55 . 2001-08-17 12:13 17,129 --a--c--- c:\windows\system32\dllcache\tdkcd31.sys
2009-03-21 11:55 . 2001-08-17 13:51 4,992 --a--c--- c:\windows\system32\dllcache\toside.sys
2009-03-21 11:54 . 2001-08-17 14:56 172,768 --a--c--- c:\windows\system32\dllcache\t2r4disp.dll
2009-03-21 11:54 . 2001-08-17 12:50 36,640 --a--c--- c:\windows\system32\dllcache\t2r4mini.sys
2009-03-21 11:54 . 2001-08-17 14:07 32,640 --a--c--- c:\windows\system32\dllcache\symc8xx.sys
2009-03-21 11:54 . 2001-08-17 14:07 30,688 --a--c--- c:\windows\system32\dllcache\sym_u3.sys
2009-03-21 11:54 . 2001-08-17 13:49 30,464 --a--c--- c:\windows\system32\dllcache\tbatm155.sys
2009-03-21 11:54 . 2001-08-17 14:07 16,256 --a--c--- c:\windows\system32\dllcache\symc810.sys
2009-03-21 11:54 . 2001-08-17 13:52 7,040 --a--c--- c:\windows\system32\dllcache\tandqic.sys
2009-03-21 11:53 . 2001-08-17 12:18 285,760 --a--c--- c:\windows\system32\dllcache\stlnata.sys
2009-03-21 11:53 . 2001-08-17 22:36 155,648 --a--c--- c:\windows\system32\dllcache\stlnprop.dll
2009-03-21 11:53 . 2001-08-17 13:50 103,936 --a--c--- c:\windows\system32\dllcache\sx.sys
2009-03-21 11:53 . 2001-08-17 22:36 94,293 --a--c--- c:\windows\system32\dllcache\sxports.dll
2009-03-21 11:53 . 2001-08-17 22:36 53,760 --a--c--- c:\windows\system32\dllcache\sw_wheel.dll
2009-03-21 11:53 . 2001-08-17 22:36 53,248 --a--c--- c:\windows\system32\dllcache\stlncoin.dll
2009-03-21 11:53 . 2001-08-17 22:36 41,472 --a--c--- c:\windows\system32\dllcache\sw_effct.dll
2009-03-21 11:53 . 2001-08-17 14:07 28,384 --a--c--- c:\windows\system32\dllcache\sym_hi.sys
2009-03-21 11:53 . 2008-04-13 14:46 15,232 --a--c--- c:\windows\system32\dllcache\streamip.sys
2009-03-21 11:53 . 2001-08-17 22:36 10,240 --a--c--- c:\windows\system32\dllcache\swpidflt.dll
2009-03-21 11:53 . 2001-08-17 22:36 10,240 --a--c--- c:\windows\system32\dllcache\swpdflt2.dll
2009-03-21 11:53 . 2001-08-17 14:02 3,968 --a--c--- c:\windows\system32\dllcache\swusbflt.sys
2009-03-21 11:52 . 2001-08-17 22:36 106,584 --a--c--- c:\windows\system32\dllcache\spdports.dll
2009-03-21 11:52 . 2001-08-17 22:36 99,328 --a--c--- c:\windows\system32\dllcache\srusd.dll
2009-03-21 11:52 . 2001-08-17 13:51 61,824 --a--c--- c:\windows\system32\dllcache\speed.sys
2009-03-21 11:52 . 2001-08-17 12:11 48,736 --a--c--- c:\windows\system32\dllcache\srwlnd5.sys
2009-03-21 11:52 . 2001-08-17 12:51 37,040 --a--c--- c:\windows\system32\dllcache\sonypi.sys
2009-03-21 11:52 . 2001-08-17 22:36 24,660 --a--c--- c:\windows\system32\dllcache\spxupchk.dll
2009-03-21 11:52 . 2001-08-17 14:07 19,072 --a--c--- c:\windows\system32\dllcache\sparrow.sys
2009-03-21 11:52 . 2001-08-17 13:51 16,896 --a--c--- c:\windows\system32\dllcache\stcusb.sys
2009-03-21 11:51 . 2001-08-17 22:36 114,688 --a--c--- c:\windows\system32\dllcache\sonypi.dll
2009-03-21 11:51 . 2001-08-17 12:51 20,752 --a--c--- c:\windows\system32\dllcache\sonync.sys
2009-03-21 11:51 . 2001-08-17 13:53 9,600 --a--c--- c:\windows\system32\dllcache\sonymc.sys
2009-03-21 11:51 . 2008-04-13 14:40 7,552 --a--c--- c:\windows\system32\dllcache\sonyait.sys
2009-03-21 11:51 . 2001-08-17 13:53 7,040 --a--c--- c:\windows\system32\dllcache\snyaitmc.sys
2009-03-21 11:46 . 2001-08-17 14:56 147,200 --a--c--- c:\windows\system32\dllcache\smidispb.dll
2009-03-21 11:46 . 2001-08-17 12:51 58,368 --a--c--- c:\windows\system32\dllcache\smiminib.sys
2009-03-21 11:46 . 2001-08-17 22:36 45,568 --a--c--- c:\windows\system32\dllcache\smb3w.dll
2009-03-21 11:46 . 2001-08-17 12:10 35,913 --a--c--- c:\windows\system32\dllcache\smcirda.sys
2009-03-21 11:46 . 2001-08-17 22:36 33,792 --a--c--- c:\windows\system32\dllcache\smb0w.dll
2009-03-21 11:46 . 2001-08-17 12:12 25,034 --a--c--- c:\windows\system32\dllcache\smcpwr2n.sys
2009-03-21 11:46 . 2001-08-17 12:12 24,576 --a--c--- c:\windows\system32\dllcache\smc8000n.sys
2009-03-21 11:46 . 2008-04-13 14:36 16,000 --a--c--- c:\windows\system32\dllcache\smbbatt.sys
2009-03-21 11:46 . 2008-04-13 14:36 6,912 --a--c--- c:\windows\system32\dllcache\smbclass.sys
2009-03-21 11:46 . 2001-08-17 13:57 6,784 --a--c--- c:\windows\system32\dllcache\smbhc.sys
2009-03-21 11:45 . 2001-08-17 22:36 238,592 --a--c--- c:\windows\system32\dllcache\sisgrv.dll
2009-03-21 11:45 . 2001-08-17 14:56 157,696 --a--c--- c:\windows\system32\dllcache\sisv256.dll
2009-03-21 11:45 . 2001-08-17 12:50 104,064 --a--c--- c:\windows\system32\dllcache\sisgrp.sys
2009-03-21 11:45 . 2001-08-17 12:12 94,698 --a--c--- c:\windows\system32\dllcache\sk98xwin.sys
2009-03-21 11:45 . 2001-08-17 12:12 91,294 --a--c--- c:\windows\system32\dllcache\skfpwin.sys
2009-03-21 11:45 . 2004-08-03 22:31 63,547 --a--c--- c:\windows\system32\dllcache\sla30nd5.sys
2009-03-21 11:45 . 2001-08-17 12:50 50,432 --a--c--- c:\windows\system32\dllcache\sisv.sys
2009-03-21 11:45 . 2004-08-03 22:31 32,768 --a--c--- c:\windows\system32\dllcache\sisnic.sys
2009-03-21 11:45 . 2001-08-17 22:36 28,672 --a--c--- c:\windows\system32\dllcache\sma0w.dll
2009-03-21 11:45 . 2001-08-17 22:36 28,160 --a--c--- c:\windows\system32\dllcache\sm91w.dll
2009-03-21 11:45 . 2008-04-13 14:46 11,136 --a--c--- c:\windows\system32\dllcache\slip.sys
2009-03-21 11:44 . 2001-08-17 22:36 386,560 --a--c--- c:\windows\system32\dllcache\sgiul50.dll
2009-03-21 11:44 . 2001-08-17 14:56 252,032 --a--c--- c:\windows\system32\dllcache\sis300iv.dll
2009-03-21 11:44 . 2001-07-21 14:29 161,568 --a--c--- c:\windows\system32\dllcache\sgsmusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 16:23 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-13 10:41 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-27 10:58 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-14 15:27 --------- d-----w c:\program files\Windows Live Safety Center
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-03 23:15 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-03 23:15 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-03 23:15 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-03 23:15 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2007-07-18 18:00 36,864 ----a-w c:\documents and settings\ITD\atwbxdet.dll
2007-03-21 12:17 56 --sh--r c:\windows\system32\2E69AEDF4B.sys
2007-08-29 15:28 1,890 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-06-13 01:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008061220080613\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-27 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmaTel StacMon"="c:\program files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2004-04-29 90169]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 339968]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-03 1601304]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-03 19:15 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 02:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-27 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-27 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-06 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-06 298264]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2006-12-04 92550]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-09 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.20.2.sxt _RegistrationOffer@16 []
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://10.1.110.246/officescan/console/html/AtxEnc.cab
DPF: {B20D9D6A-0DEC-4D76-9BEF-175896006B4A} - hxxps://esitc.express-scripts.com/wijsp/distribution/RptVieweren.cab
DPF: {F184A6DA-2B5A-4507-8555-C05C5C5C9A9B} - hxxps://10.1.110.45/itcclient.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 20:55:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-03-22 20:57:21
ComboFix-quarantined-files.txt 2009-03-23 00:57:15

Pre-Run: 26,688,307,200 bytes free
Post-Run: 26,751,877,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

256 --- E O F --- 2009-03-16 01:16:37

Attached Files

  • Attached File  log.txt   19.22KB   6 downloads

Edited by Buckeye_Sam, 23 March 2009 - 09:30 AM.
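
The entries the helper picks out of the log above can be pulled out mechanically: the AV header showing on-access scanning disabled, the two Security Center values that silence the antivirus and update warnings, and a hidden/system-attributed file under system32 with a random-looking name (the 56-byte 2E69AEDF4B.sys that the next reply asks to have scanned). The following Python is an added example, not part of the thread or of ComboFix. The parsing rules are assumptions about the ComboFix text format based only on the lines shown above, and the sample input is a handful of lines copied from that log. A flagged file is a candidate for a multi-engine scan, not a verdict; the scan result later in this thread shows why the distinction matters.

```python
import re

# One Find3M line: "<date> <time> <size or dashes> <7-char attrs> <path>"
# (format assumed from the lines in the log above; ComboFix does not document it).
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-{3,})\s+(?P<attrs>[-a-z]{7})\s+(?P<path>.+)$"
)
# One REGEDIT4-style DWORD line: "Name"=dword:00000001
REG_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')
# The AV header: AV: <product> *<status>* (...)
AV_STATUS_RE = re.compile(r"^AV: (?P<product>.+?) \*(?P<status>[^*]+)\*")

SECURITY_CENTER_KEY = r"[hkey_local_machine\software\microsoft\security center]"
SYSTEM32 = r"c:\windows\system32"


def _is_hidden_system_file(attrs, path):
    """True for a non-directory under system32 whose attribute column carries h (hidden) or s (system)."""
    is_dir = attrs[0] == "d"
    return (not is_dir) and ("h" in attrs or "s" in attrs) and path.lower().startswith(SYSTEM32)


def triage(log_text):
    """Pull the first-pass findings out of a ComboFix-style log.

    Returns a dict with:
      av_status               [(product, status)] from the AV header
      silenced_notifications  Security Center *DisableNotify values set to 1
      hidden_files            hidden/system files under system32, smallest first
    A flagged file is a candidate for a multi-engine scan, not a verdict.
    """
    findings = {"av_status": [], "silenced_notifications": [], "hidden_files": []}
    in_security_center = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AV_STATUS_RE.match(line)
        if m:
            findings["av_status"].append((m["product"], m["status"].strip()))
            continue
        if line.startswith("["):
            # A new registry key header: only the Security Center key is of interest here.
            in_security_center = line.lower() == SECURITY_CENTER_KEY
            continue
        if in_security_center:
            m = REG_DWORD_RE.match(line)
            if m and m["name"].endswith("DisableNotify") and int(m["value"], 16) == 1:
                findings["silenced_notifications"].append(m["name"])
            continue
        m = FIND3M_RE.match(line)
        if m and _is_hidden_system_file(m["attrs"], m["path"]):
            size = None if m["size"].startswith("-") else int(m["size"].replace(",", ""))
            findings["hidden_files"].append({"path": m["path"], "attrs": m["attrs"], "size": size})
    # Tiny files with random-looking names are the ones worth a second look first.
    findings["hidden_files"].sort(key=lambda f: (f["size"] is None, f["size"] or 0))
    return findings


# Sample input: a few lines copied from the log above (not the whole log).
SAMPLE_LOG = r"""
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
2009-03-21 16:23 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2007-03-21 12:17 56 --sh--r c:\windows\system32\2E69AEDF4B.sys
2007-08-29 15:28 1,890 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-06-13 01:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008061220080613\index.dat
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"""

if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run against a full ComboFix log, `triage` lists the silenced Security Center warnings first and the hidden files smallest-first, which is the order in which a reviewer would want to look at them.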


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 23 March 2009 - 09:36 AM

Please visit the online Jotti Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    c:\windows\system32\2E69AEDF4B.sys


  • Click on the button to submit the file.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html


How is your computer behaving? Are you still having the same issues?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
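
Before acting on a scanner verdict, confirm the verdict is about the bytes on your disk: the result box the scanner returns carries the file name and an MD5, and those should equal what you compute locally. The following Python is an added example, not from the thread, Jotti or VirusTotal. It parses a result box in the shape posted in the next reply, hashes a local file in chunks, and reports a match only when both the name and the MD5 agree. Everything in it is constructed: the 56-byte sample file is a stand-in, not the real 2E69AEDF4B.sys, so its MD5 does not equal the one reported in the thread, which is exactly the mismatch the check is meant to catch. SHA-256 is recorded alongside, since MD5 collisions are cheap to manufacture and a second hash gives a more reliable record for your own notes.

```python
import hashlib
import os
import re
import tempfile

# The three lines of a scanner result box that identify what was scanned (shape taken from the reply below).
REPORT_RE = re.compile(r"^(?P<key>File|Status|MD5):\s*(?P<value>.+?)\s*$", re.MULTILINE)


def parse_report(report_text):
    """Return {'File': ..., 'Status': ..., 'MD5': ...} from a Jotti-style result box."""
    return {m["key"]: m["value"] for m in REPORT_RE.finditer(report_text)}


def file_digests(path):
    """Hash the file in 64 KiB chunks. MD5 is what the scanner reports; SHA-256 is for your own record."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_report(path, report_text):
    """Return (matches, details).

    matches is True only when the report names this file (case-insensitive, as the
    scanner lower-cases names) AND its MD5 equals the MD5 of the bytes on disk. A
    'Status: OK' for a different hash says nothing about the file you have.
    """
    report = parse_report(report_text)
    local = file_digests(path)
    name_ok = os.path.basename(path).lower() == report.get("File", "").lower()
    md5_ok = local["md5"] == report.get("MD5", "").lower()
    return name_ok and md5_ok, {"report": report, "local": local, "name_ok": name_ok, "md5_ok": md5_ok}


def make_sample_file():
    """Write a constructed 56-byte stand-in, named like the file in the thread, into a temp dir; return its path."""
    path = os.path.join(tempfile.mkdtemp(), "2E69AEDF4B.sys")
    with open(path, "wb") as fh:
        fh.write(b"CONSTRUCTED-SAMPLE-NOT-THE-REAL-FILE-" + bytes(range(19)))  # 37 + 19 = 56 bytes
    return path


def report_for(path, status="OK"):
    """Build a result box in the posted shape from the local file's own MD5 (what a consistent scan would return)."""
    return (f"File: {os.path.basename(path).lower()}\n"
            f"Status: {status}\n"
            f"MD5: {file_digests(path)['md5']}\n"
            "Packers detected: -\n")


# The result box as posted in the next reply: the MD5 is the scanner's, for the real file, not for the stand-in.
THREAD_REPORT = """File: 2e69aedf4b.sys
Status: OK
MD5: a247a36aee425620b39c817cc7113c1f
Packers detected: -
"""

if __name__ == "__main__":
    sample = make_sample_file()
    print("consistent report:", verify_report(sample, report_for(sample))[0])        # True
    print("thread's report vs stand-in:", verify_report(sample, THREAD_REPORT)[0])  # False: different bytes
```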

#7 mjstemen

mjstemen
  • Topic Starter

  • Members
  • 4 posts

Posted 23 March 2009 - 09:08 PM

Service load: 0% 100%

File: 2e69aedf4b.sys
Status: OK
MD5: a247a36aee425620b39c817cc7113c1f
Packers detected: -


IE performance is better and the popups have gone away. I think it's taken care of.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 March 2009 - 01:24 PM

Excellent!

Follow this process to uninstall Combofix. It will also restore a few settings and remove quarantined items.
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK


===============



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore using the instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has antivirus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (or more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings, which will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

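
The six Internet-zone settings in the "Make your Internet Explorer more secure" steps above are stored as DWORD values under the current user's Internet zone key, one numeric ID per setting, with 0 = Enable, 1 = Prompt and 3 = Disable. The following Python is an added example, not from the thread: it writes those six settings as a .reg file that can be imported with regedit, so the hardening can be applied or re-applied without clicking through the dialog, and it audits a set of current values against the recommended ones. The value IDs and the key path are taken from Microsoft's documentation of the zone registry entries (KB 182569), not from this thread, and are marked as assumptions in the code; the audit treats a missing value as unknown rather than guessing the zone template default.

```python
# Internet zone (zone 3) of the current user; the IDs below are the documented IE
# URL action values (assumed from Microsoft KB 182569, not from this thread).
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Each setting is a DWORD holding one of three states. Numerically 0 < 1 < 3,
# which also happens to be the order from weakest to strictest.
ENABLE, PROMPT, DISABLE = 0, 1, 3
STATE_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The six settings from the post above, with the state it recommends.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def reg_file(settings=None):
    """Render the settings as a .reg file (CRLF, regedit 5 header) for 'regedit /s file.reg'."""
    settings = RECOMMENDED if settings is None else settings
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    for value_id, (description, state) in settings.items():
        lines.append(f"; {description} = {STATE_NAME[state]}")   # ';' starts a comment in .reg files
        lines.append(f'"{value_id}"=dword:{state:08x}')
    return "\r\n".join(lines) + "\r\n"


def audit(current):
    """Compare current zone values ({value_id: state}) with RECOMMENDED.

    Returns a list of (value_id, description, current_state, recommended_state)
    for every setting that is weaker than recommended. A value that is absent
    from `current` is reported with current_state None: the effective setting then
    comes from the zone template, which this function does not guess.
    """
    weaker = []
    for value_id, (description, want) in RECOMMENDED.items():
        have = current.get(value_id)
        if have is None or have < want:
            weaker.append((value_id, description, have, want))
    return weaker


if __name__ == "__main__":
    print(reg_file(), end="")
    # Constructed sample of current values: two still at Enable, three not set at all.
    for value_id, description, have, want in audit({"1001": ENABLE, "1004": DISABLE, "1201": ENABLE}):
        print(f"{value_id} {description}: {STATE_NAME.get(have, 'not set')} -> {STATE_NAME[want]}")
```

Save the output of `reg_file()` as a .reg file and import it with `regedit /s`; the values take effect for the current user's Internet zone. Feeding `audit` the values exported from the same key afterwards confirms nothing has been reset, for instance by a toolbar or a later reinstall.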



