Not sure if I'm infected. Starting to have internet problems


  • This topic is locked
15 replies to this topic

#1 CannonVol

CannonVol

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 03 April 2009 - 10:53 PM

My problem is that some pages (and the number appears to be increasing) on the internet either won't load or are extremely slow. For instance, I had to use a different computer to post this message because it simply wouldn't post using the computer that is having the problems. I have tried a number of different ideas, including removing add-ons on my browser of choice, Firefox, removing or disabling some programs, clearing the cache and deleting cookies, as well as going through CCleaner and a system defrag.

The problem is isolated to one computer on a three computer home network. It also affects all browsers. I have tried IE8, Firefox Orca, and Opera. The problem continues on whichever browser I try. Since I can't seem to find the solution using the forum research method, I thought I would ask for help here.

I am using a DIY computer with an AMD Athlon 64X2 5400+, an ECS A770M-A mobo, with 3GBs of RAM and running Windows XP Home SP3.

I'm not sure if I have an infection or not. I have Avast 4 and have run a scan. Have also run scans using Spybot S&D, Malwarebytes Anti Malware, and Super AntiSpyware4.24.1004. None have detected any problems. I'm about at the point where I'm going to re-format and try a fresh install. Help?

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:02:30 PM, on 4/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\YourWare Solutions\FreeRAM XP Pro.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\LJ\Application Data\UpdateStar\UpdateStar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PDUiP6000DMon] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206381743875
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - (no file)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 9529 bytes

Thanks in advance,

Jim

#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:01:40 PM

Posted 13 April 2009 - 11:22 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 CannonVol

CannonVol
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 13 April 2009 - 05:06 PM

Thank you for getting back with me. No, the problem is not resolved. I have tried various anti-virus and spyware/malware programs to no avail. If anything the problem is worse. I still have selective internet pages which are extremely slow to load or do not load at all (Hotmail is one of these). In addition this computer has suddenly started freezing/locking up for no apparent reason. I was beginning to think that this might be related to the use of Spyware Terminator. This "lock-up" happened most recently earlier today when I was attempting to remove some programs from the computer. When this happens the only way to get past the problem has been to do a hard reset, which, for obvious reasons, I do not like to do.

Additionally, I had to use another computer to post this log because it simply would not post on the "problem" computer.

I have copied the DDS log and attached the "attach" log.

Your assistance is greatly appreciated.

I will be out until later this evening so if you are able to look at this soon, I will respond as soon as I return.

Jim



DDS (Ver_09-03-16.01) - NTFSx86
Run by LJ at 16:48:53.32 on Mon 04/13/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2444 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090413-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\YourWare Solutions\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
C:\Documents and Settings\LJ\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
TB: {73C7D5B0-7B03-444A-84C7-CE1BA03B5573} - No File
uRun: [FreeRAM XP] "c:\program files\yourware solutions\FreeRAM XP Pro.exe" -win
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [PDUiP6000DMon] c:\program files\canon\memory card utility\pixma ip6000d\PDUiP6000DMon.exe
mRun: [PDUiP6000DTskbr] c:\program files\canon\memory card utility\pixma ip6000d\PDUiP6000DTskbr.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: Crawler Search - tbr:iemenu
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: secunia.com
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206381743875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lj\applic~1\mozilla\firefox\profiles\ieb09ien.default\
FF - prefs.js: browser.startup.homepage -

hxxp://www.utladyvols.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official|http://www.stumbleupon.com/firefox_start.php|http://www.nitropdf.com/pdfdownload/welcome.asp
FF - component: c:\program files\crawler\toolbar\firefox\components\xcomm.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xshared.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xsupport.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xwsg.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\lj\application data\mozilla\firefox\profiles\ieb09ien.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071302000002.dll
FF - plugin: c:\documents and settings\lj\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\npexview.dll
FF - plugin: c:\program files\opera\program\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\opera\program\plugins\npOctPlr.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 ahci8086;ahci8086;c:\windows\system32\drivers\ahci8086.sys [2008-1-11 119808]
R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [2009-1-3 96384]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-4 114768]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2008-12-27 16048]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-4-6 142592]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2009-1-17 61424]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-1-25 425080]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-4 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-11-21 138680]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-23 210216]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-11-21 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-11-21 352920]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2008-3-27 1129344]
R3 hcwPVRP2;Hauppauge WinTV-PVR PCI II (Encoder-16);c:\windows\system32\drivers\hcwPVRP2.sys [2008-3-27 824512]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\HCWTVS~1.EXE [2008-3-27 815104]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2009-1-2 7548]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]

=============== Created Last 30 ================

2009-04-13 11:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LightScribe
2009-04-11 11:34 515 a------- c:\windows\system32\BIN_STRSBW.SPT
2009-04-11 01:02 13,576 a------- c:\windows\system32\WNASPI2K.BAK
2009-04-10 23:37 <DIR> --d----- C:\adaptec
2009-04-07 17:38 <DIR> --d----- c:\program files\WinClamAVShield
2009-04-06 22:49 <DIR> --d----- c:\program files\Crawler
2009-04-06 22:49 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-04-06 22:49 <DIR> --d----- c:\docume~1\lj\applic~1\Spyware Terminator
2009-04-06 22:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2009-04-06 22:49 <DIR> --d----- c:\program files\Spyware Terminator
2009-04-04 13:33 <DIR> --dsh--- c:\windows\ftpcache
2009-04-03 12:51 <DIR> --d----- c:\docume~1\lj\applic~1\Blitware
2009-03-30 17:07 <DIR> --dsh--- c:\documents and settings\lj\PrivacIE
2009-03-27 18:53 <DIR> --dsh--- c:\documents and settings\lj\IETldCache
2009-03-27 17:37 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-27 16:22 <DIR> --d----- c:\windows\ie8updates
2009-03-27 16:20 <DIR> -cd-h--- c:\windows\ie8
2009-03-27 16:18 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-03-27 16:15 <DIR> --d----- c:\program files\common files\DivX Shared
2009-03-27 16:11 <DIR> --d----- c:\program files\filehippo.com
2009-03-25 23:37 <DIR> --d----- c:\windows\OPTIONS
2009-03-25 22:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DriverScanner
2009-03-25 21:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2009-03-25 20:55 <DIR> --d----- c:\docume~1\lj\applic~1\DriverCure
2009-03-25 20:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-03-25 20:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DriverCure
2009-03-25 18:35 <DIR> --d----- c:\program files\Hawaiian Explorer Lost Island
2009-03-25 15:50 <DIR> --d----- c:\windows\system32\ActiveX
2009-03-25 15:49 <DIR> --d----- c:\program files\Hawaiian Explorer Pearl Harbor
2009-03-22 12:11 <DIR> --d----- c:\docume~1\lj\applic~1\Orca Profiles
2009-03-22 12:09 <DIR> --d----- c:\program files\Orca Browser
2009-03-21 16:01 <DIR> --d----- c:\docume~1\lj\applic~1\Uniblue
2009-03-20 17:43 1,753,088 a------- c:\windows\system32\ExGrid.dll
2009-03-20 17:43 614,400 a------- c:\windows\system32\ExButton.dll
2009-03-20 17:43 602,112 a------- c:\windows\system32\ExMenu.dll
2009-03-20 17:43 516,096 a------- c:\windows\system32\ExTab.dll
2009-03-20 17:43 368,912 a------- c:\windows\system32\vbar332.dll
2009-03-20 17:43 356,352 a------- c:\windows\system32\eSellerateEngine.dll
2009-03-20 17:43 307,200 a------- c:\windows\system32\ExPMenu.dll
2009-03-20 17:43 118,784 a------- c:\windows\system32\eWebControl.dll
2009-03-20 17:43 <DIR> --d----- c:\program files\AnswersThatWork
2009-03-16 20:09 <DIR> --d----- c:\program files\common files\McAfee
2009-03-16 17:01 <DIR> --d----- c:\docume~1\lj\applic~1\Malwarebytes
2009-03-16 17:01 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-16 17:01 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-16 17:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-16 17:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-16 00:47 <DIR> --d----- c:\program files\CCleaner
2009-03-15 23:46 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-03-27 17:37 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-26 21:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-01-26 21:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-01-26 21:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-01-26 21:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-01-26 21:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-01-26 21:34 684,032 a------- c:\windows\system32\DivX.dll
2008-06-16 22:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061620080617\index.dat
2008-08-18 20:46 49,152 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:49:15.12 ===============

#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:40 PM

Posted 14 April 2009 - 08:33 AM

Hello, CannonVol

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Judging by your log, I'd say userinit is infected. Let's proceed with ComboFix:

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 CannonVol

CannonVol
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 14 April 2009 - 09:06 AM

Thanks for your prompt responses and the help. As before, I had to run the program on the "problem" computer and then copy the log to another computer to post it here because I can't seem to post on this site on the "problem".

Here's the ComboFix log:

ComboFix 09-04-14.09 - LJ 04/14/2009 9:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2347 [GMT -4:00]
Running from: c:\documents and settings\LJ\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090414-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-13 15:46 . 2009-04-13 15:46 -------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
2009-04-11 15:34 . 2009-04-11 15:34 515 ----a-w c:\windows\system32\BIN_STRSBW.SPT
2009-04-11 14:45 . 2009-04-11 15:26 -------- d-----w c:\program files\RegCure
2009-04-11 05:02 . 2008-06-25 11:14 13576 ----a-w c:\windows\system32\WNASPI2K.BAK
2009-04-11 03:37 . 2009-04-11 03:37 -------- d-----w C:\adaptec
2009-04-07 21:38 . 2009-04-14 13:42 -------- d-----w c:\program files\WinClamAVShield
2009-04-07 02:49 . 2009-04-07 02:50 -------- d-----w c:\program files\Crawler
2009-04-07 02:49 . 2009-04-14 13:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-04-07 02:49 . 2009-04-13 16:33 -------- d-----w c:\documents and settings\LJ\Application Data\Spyware Terminator
2009-04-07 02:49 . 2009-04-07 02:49 142592 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys
2009-04-07 02:49 . 2009-04-13 15:13 -------- d-----w c:\program files\Spyware Terminator
2009-04-04 17:33 . 2009-04-04 17:33 -------- d-sh--w c:\windows\ftpcache
2009-04-03 18:22 . 2009-04-03 18:22 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-03 16:51 . 2009-04-13 15:16 -------- d-----w c:\documents and settings\LJ\Application Data\Blitware
2009-03-30 21:07 . 2009-03-30 21:07 -------- d-sh--w c:\documents and settings\LJ\PrivacIE
2009-03-27 22:54 . 2009-03-27 22:54 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-03-27 22:53 . 2009-03-27 22:53 -------- d-sh--w c:\documents and settings\LJ\IETldCache
2009-03-27 21:37 . 2009-03-27 21:37 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-03-27 20:22 . 2009-03-27 20:22 -------- d-----w c:\windows\ie8updates
2009-03-27 20:21 . 2009-03-27 20:21 1374 ----a-w c:\windows\imsins.BAK
2009-03-27 20:20 . 2009-03-27 20:21 -------- dc-h--w c:\windows\ie8
2009-03-27 20:18 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-03-27 20:15 . 2009-03-27 20:15 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-27 20:11 . 2009-03-27 20:11 -------- d-----w c:\program files\filehippo.com
2009-03-26 03:37 . 2009-03-26 03:37 -------- d-----w c:\windows\OPTIONS
2009-03-26 02:11 . 2009-03-26 02:15 -------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-03-26 01:59 . 2009-03-26 01:59 -------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-03-26 01:59 . 2009-03-26 01:59 -------- d-----w c:\documents and settings\LJ\Local Settings\Application Data\Downloaded Installations
2009-03-26 01:40 . 2009-03-26 01:40 -------- d-----w c:\documents and settings\LJ\Local Settings\Application Data\RadarSync
2009-03-26 00:55 . 2009-03-26 00:56 -------- d-----w c:\documents and settings\LJ\Application Data\DriverCure
2009-03-26 00:55 . 2009-03-26 02:19 -------- d-----w c:\documents and settings\All Users\Application Data\DriverCure
2009-03-26 00:55 . 2009-03-26 00:55 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-03-26 00:37 . 2009-03-26 04:15 -------- d-----w c:\documents and settings\LJ\Local Settings\Application Data\eSupport.com
2009-03-25 22:35 . 2009-03-27 18:04 -------- d-----w c:\program files\Hawaiian Explorer Lost Island
2009-03-25 19:50 . 2009-03-25 22:36 -------- d-----w c:\windows\system32\ActiveX
2009-03-25 19:49 . 2009-04-02 20:54 -------- d-----w c:\program files\Hawaiian Explorer Pearl Harbor
2009-03-22 16:11 . 2009-03-22 16:11 -------- d-----w c:\documents and settings\LJ\Application Data\Orca Profiles
2009-03-22 16:09 . 2009-03-22 16:09 -------- d-----w c:\program files\Orca Browser
2009-03-21 20:01 . 2009-03-26 02:15 -------- d-----w c:\documents and settings\LJ\Application Data\Uniblue
2009-03-20 21:43 . 2007-06-08 16:53 1753088 ----a-w c:\windows\system32\ExGrid.dll
2009-03-20 21:43 . 2007-06-05 13:20 602112 ----a-w c:\windows\system32\ExMenu.dll
2009-03-20 21:43 . 2007-06-05 13:19 516096 ----a-w c:\windows\system32\ExTab.dll
2009-03-20 21:43 . 2007-04-03 19:51 614400 ----a-w c:\windows\system32\ExButton.dll
2009-03-20 21:43 . 2007-04-03 19:51 307200 ----a-w c:\windows\system32\ExPMenu.dll
2009-03-20 21:43 . 2005-10-11 17:40 356352 ----a-w c:\windows\system32\eSellerateEngine.dll
2009-03-20 21:43 . 2005-10-04 11:11 118784 ----a-w c:\windows\system32\eWebControl.dll
2009-03-20 21:43 . 1998-04-24 03:00 368912 ----a-w c:\windows\system32\vbar332.dll
2009-03-20 21:43 . 2009-03-20 21:43 -------- d-----w c:\program files\AnswersThatWork
2009-03-17 13:49 . 2009-03-17 13:49 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-17 00:09 . 2009-03-17 00:09 -------- d-----w c:\program files\Common Files\McAfee
2009-03-16 21:01 . 2009-03-16 21:01 -------- d-----w c:\documents and settings\LJ\Application Data\Malwarebytes
2009-03-16 21:01 . 2009-03-26 20:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-16 21:01 . 2009-03-26 20:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-16 21:01 . 2009-03-16 21:01 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-16 21:01 . 2009-03-27 20:24 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-16 04:47 . 2009-03-16 04:47 -------- d-----w c:\program files\CCleaner
2009-03-16 03:46 . 2009-03-16 03:46 -------- d-----w c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 16:32 . 2008-01-11 23:53 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-13 16:30 . 2008-11-08 18:48 -------- d-----w c:\program files\Common Files\DVDVideoSoft
2009-04-13 15:58 . 2009-02-27 22:19 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-13 15:12 . 2008-01-12 14:24 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-12 03:53 . 2008-01-11 23:48 -------- d-----w c:\program files\WinTV
2009-04-11 17:27 . 2008-12-24 00:09 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-11 15:26 . 2009-01-25 23:00 -------- d-----w c:\program files\a-squared Free
2009-04-11 02:29 . 2008-12-27 20:33 -------- d-----w c:\program files\lg_fwupdate
2009-03-30 21:59 . 2008-01-11 23:53 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-27 21:38 . 2008-01-11 23:52 -------- d-----w c:\program files\QuickTime
2009-03-27 21:37 . 2008-12-19 00:11 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-27 21:36 . 2008-01-11 23:47 -------- d-----w c:\program files\SpeedFan
2009-03-27 20:16 . 2008-01-11 23:45 -------- d-----w c:\program files\DivX
2009-03-27 20:00 . 2008-01-11 23:46 -------- d-----w c:\program files\Java
2009-03-27 19:43 . 2008-01-11 23:49 -------- d-----w c:\program files\Foxit Software
2009-03-26 04:18 . 2008-10-17 15:44 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-26 04:15 . 2008-10-16 23:55 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-26 03:37 . 2008-01-11 23:25 -------- d-----w c:\program files\Realtek
2009-03-26 03:37 . 2008-01-11 23:24 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-22 16:14 . 2008-01-11 23:48 -------- d-----w c:\program files\Avant Browser
2009-03-21 02:09 . 2008-08-29 02:14 495 ----a-w C:\log.txt
2009-03-20 03:08 . 2008-09-18 00:47 848 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-03-17 12:39 . 2008-12-23 23:44 -------- d-----w c:\program files\McAfee
2009-03-16 05:46 . 2008-01-12 04:02 -------- d-----w c:\documents and settings\LJ\Application Data\SiteAdvisor
2009-03-16 03:59 . 2009-01-07 22:10 -------- d-----w c:\program files\GRETECH
2009-03-16 03:58 . 2008-11-08 18:06 -------- d-----w c:\program files\Ext2Fsd
2009-03-12 03:51 . 2008-01-18 04:47 43128 ----a-w c:\documents and settings\LJ\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-11 21:12 . 2008-06-17 00:19 -------- d-----w c:\program files\Opera
2009-03-11 03:56 . 2009-03-11 03:56 -------- d-----w c:\program files\JRE
2009-03-11 03:56 . 2009-03-11 03:56 -------- d-----w c:\program files\OpenOffice.org 3
2009-03-11 03:51 . 2008-01-12 14:34 -------- d-----w c:\documents and settings\LJ\Application Data\OpenOffice.org2
2009-03-08 08:34 . 2006-02-28 11:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2006-02-28 11:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2006-02-28 11:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2006-02-28 11:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2006-02-28 11:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2006-02-28 11:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2006-02-28 11:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2006-02-28 11:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2006-02-28 11:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2006-02-28 11:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-02-26 19:47 . 2008-03-24 18:10 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-21 01:25 . 2009-02-21 01:25 -------- d-----w c:\program files\AskBarDis
2009-02-21 01:25 . 2009-02-21 01:25 -------- d-----w c:\documents and settings\LJ\Application Data\Foxit
2009-02-11 23:23 . 2009-02-11 23:23 0 ----a-w C:\HDDVD.txt
2009-02-09 11:13 . 2006-02-28 11:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-27 01:34 . 2009-01-27 01:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-01-27 01:34 . 2009-01-27 01:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-01-27 01:34 . 2009-01-27 01:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-01-27 01:34 . 2009-01-27 01:34 684032 ----a-w c:\windows\system32\DivX.dll
2008-11-08 23:34 . 2008-11-08 23:34 125 ----a-w c:\documents and settings\LJ\Local Settings\Application Data\fusioncache.dat
2008-03-24 17:59 . 2008-03-24 17:59 97560 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\opera\program\plugins\libdivx.dll
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\opera\program\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 17:58 333192 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-28 1953792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"PDUiP6000DMon"="c:\program files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe" [2004-05-31 57344]
"PDUiP6000DTskbr"="c:\program files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe" [2004-05-28 69632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-04-07 2176000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-08-10 16384000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2008-11-20 15:06 178688 ----a-w c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-04 03:07 133104 ----atw c:\documents and settings\LJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-27 21:37 148888 ----a-w c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"Alcmtr"=ALCMTR.EXE
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" blrun
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"BDRegion"=c:\program files\Cyberlink\Shared Files\brs.exe
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Avant Browser\\avant.exe"=
"c:\\Program Files\\TheLaw.net\\TLN.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 SASDIFSV;SASDIFSV; [x]
R1 SASKUTIL;SASKUTIL; [x]
R3 samhid;samhid;c:\windows\system32\drivers\samhid.sys [2006-01-06 7548]
R3 SASENUM;SASENUM; [x]
S0 ahci8086;ahci8086;c:\windows\system32\DRIVERS\ahci8086.sys [2006-10-20 119808]
S1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [2008-08-12 96384]
S1 aswSP;avast! Self Protection; [x]
S1 CLBStor;InstantBurn Storage Helper Driver; [x]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-04-07 142592]
S2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2008-10-07 19:54 61424]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-10-01 1129344]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48245630-77c0-11dd-99c1-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70ccce38-40b0-11dd-988f-001e906f8bc3}]
\Shell\AutoRun\command - h:\portableapps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-08-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{73C7D5B0-7B03-444A-84C7-CE1BA03B5573} - (no file)
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSConfigStartUp-InCD - c:\program files\Ahead\InCD\InCD.exe


.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Crawler Search - tbr:iemenu
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
Trusted Zone: secunia.com
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
FF - ProfilePath - c:\documents and settings\LJ\Application Data\Mozilla\Firefox\Profiles\ieb09ien.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.utladyvols.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official|http://www.stumbleupon.com/firefox_start.php|http://www.nitropdf.com/pdfdownload/welcome.asp
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xcomm.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xshared.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xsupport.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xwsg.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\LJ\Application Data\Mozilla\Firefox\Profiles\ieb09ien.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071302000002.dll
FF - plugin: c:\documents and settings\LJ\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\npexview.dll
FF - plugin: c:\program files\Opera\program\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 09:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-1637723038-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F531C65B-2CD4-0DAF-87EC-57C3FF359EA1}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3628)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-04-14 13:52

Pre-Run: 15,012,241,408 bytes free
Post-Run: 15,259,844,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

287 --- E O F --- 2009-03-20 05:03
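
The "Reg Loading Points" section of a ComboFix log like the one above is where a helper looks first: the Run keys list what starts at logon, and the mountpoints2 entries record the AutoRun command Windows cached from a volume's autorun.inf. The following is an added example of parsing that section for triage; it is my code, not ComboFix's or anything from this thread, and the sample log is a constructed subset of the lines shown above (names such as parse_reg_blocks, run_entries, autorun_mountpoints and triage are mine).

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample (not the full log above): a handful of lines with the same
# layout as the "Reg Loading Points" section ComboFix prints.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-08-10 16384000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48245630-77c0-11dd-99c1-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70ccce38-40b0-11dd-988f-001e906f8bc3}]
\Shell\AutoRun\command - h:\portableapps\PortableAppsMenu\PortableAppsMenu.exe
"""

HEADER_RE = re.compile(r"^\[(.+)\]$")
# "Name"="value" [optional " - resolved path"] [date size]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+-\s+(.+?))?\s*\[([^\]]+)\]\s*$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+?)\s*$")
GUID_RE = re.compile(r"mountpoints2\\\{([0-9a-f-]+)\}$", re.IGNORECASE)


class RunEntry(NamedTuple):
    key: str
    name: str
    value: str      # the literal registry value as ComboFix printed it
    resolved: str   # the full path ComboFix resolved, or the value itself


class AutoRunEntry(NamedTuple):
    guid: str
    command: str


def parse_reg_blocks(text: str) -> Dict[str, List[str]]:
    """Group the non-blank lines under each [KEY] header; repeated headers merge."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def run_entries(blocks: Dict[str, List[str]]) -> List[RunEntry]:
    """Every value under a ...\CurrentVersion\Run key, in log order."""
    out: List[RunEntry] = []
    for key, lines in blocks.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for line in lines:
            m = VALUE_RE.match(line)
            if m:
                name, value, resolved, _stamp = m.groups()
                out.append(RunEntry(key, name, value, resolved or value))
    return out


def autorun_mountpoints(blocks: Dict[str, List[str]]) -> List[AutoRunEntry]:
    """AutoRun commands cached under mountpoints2\{volume-guid} keys."""
    out: List[AutoRunEntry] = []
    for key, lines in blocks.items():
        g = GUID_RE.search(key)
        if not g:
            continue
        for line in lines:
            m = AUTORUN_RE.match(line)
            if m:
                out.append(AutoRunEntry(g.group(1).lower(), m.group(1)))
    return out


def triage(text: str) -> Dict[str, object]:
    """Return the parsed entries plus the items a reviewer should look at first."""
    blocks = parse_reg_blocks(text)
    runs = run_entries(blocks)
    autoruns = autorun_mountpoints(blocks)
    flags: List[str] = []
    for r in runs:
        # A bare file name is located via the search path at logon, so confirm
        # which binary actually answers to it before trusting the entry.
        if "\\" not in r.value:
            flags.append(f"Run value '{r.name}' is a bare name '{r.value}', resolved to {r.resolved}")
    for a in autoruns:
        note = "cached from that volume's autorun.inf; review the target"
        if "shellexec_rundll" in a.command.lower():
            note += " (rundll32 ShellExec wrapper)"
        flags.append(f"mountpoints2 AutoRun for {{{a.guid}}}: {a.command}; {note}")
    return {"run_entries": runs, "autorun_commands": autoruns, "flags": flags}


if __name__ == "__main__":
    for flag in triage(SAMPLE_LOG)["flags"]:
        print(flag)
```

Run against a full ComboFix.txt the same way (pass the file contents to `triage`); the flags are review prompts, not verdicts, which is why the bare-name check reports the resolved path ComboFix already found rather than judging it.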

#6 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:40 PM

Posted 14 April 2009 - 11:34 AM

Let's perform an online scan to identify the infection.

ESET Online Scan

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#7 CannonVol

CannonVol
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 14 April 2009 - 04:16 PM

Jat90,

Here is the ESET log (or at least I think it is; it's the only one I could find that was named as you stated. There are a number of other files, type unknown, which are named nod32.000, .002, etc., which I assume are operating files). There doesn't seem to be anything that it found.

eset log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4007 (20090414)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=7a29f0200ded244fb2fafc8acba4040a
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-04-14 08:58:47
# local_time=2009-04-14 04:58:47 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=859659
# found=0
# scan_time=5218


Again, thanks for your efforts so far.

#8 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:40 PM

Posted 14 April 2009 - 04:30 PM

Hello,

What exactly are the symptoms you are experiencing now?
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#9 CannonVol

CannonVol
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 14 April 2009 - 07:52 PM

Well, I'll try to give you a comprehensive report. This started with a few web sites being slow to load. Hotmail and the ESPN sites, for example. Then some web sites would refuse to load at all. The first I noticed was a Samsung products/downloads site. Then in the last few days things have gotten a little more drastic. Firefox has resized at odd times. My home page has been changed, but not to something weird. First it simply changed to the Mozilla homepage and then it changed to the Google search page. Then last night and today I suddenly had three tabs opening as home pages, one the Mozilla home page and two for add-ons (PDF download and the StumbleUpon homepage). Simple to fix, but annoying.

More problematic in the last day or two has been the sudden "freezing" of the computer. I'll try to open an app and will get the hourglass indicator that something is working and then nothing. Nothing opens and I can't get any other program or function to work. Interestingly, the mouse pointer continues to move/work but clicking on something produces no result. The most recent occurrence of this problem was last evening when we attempted to open a photo printing program that came with the printer and that we've been using without problem for about two years now. So far the only way to recover from one of these freezes has been to push the reset button. I tried waiting the first time this occurred, but after about two hours I decided that it really wasn't going to suddenly start working again.

More web pages are becoming unworkable every day or so. For instance, as I indicated before, I'm having to transfer things from the "problem" computer and use another one to post this info because the "problem" simply won't post on the Bleeping Computer site. As I key this in I have been attempting a scan on the "problem" using TrendMicro Housecall online scanner. At first it didn't seem to want to scan and then I was able to get it started. Things seemed to be progressing and now it seems stuck with about 4 3/4 minutes left in the process. It's been reading 4 3/4 minutes for about 1 1/2 hours now.

I should mention that this is one of two regular computers on a home network with a laptop being added as a third on occasion. Neither of the other two computers exhibits any of the symptoms that I am describing.

Oh, and yesterday the "problem" suddenly stopped recognizing my optical drive, saying that the drivers were missing or corrupt, and I discovered that the aspi files had been deleted. I had to use a system restore point to get the machine to even recognize drivers after they had been re-installed.

Any other suggestions you might have would be greatly appreciated.

#10 CannonVol

CannonVol
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 14 April 2009 - 08:04 PM

And one more thing. In my attempts to solve this problem I was prompted to check something on Windows Update. I found to my surprise that Windows Update was unable to download anything to the computer. And in thinking about it, I haven't noticed any security updates coming through in the past few weeks. I have seen the icon indicating that updates were "ready for download" but that then stayed at 0% for an extended period and then the icon disappeared. I have Windows Update set so that it will have to get my permission to install updates because I like to know what is going onto my computer, but no such updates have come through recently.

Jim

#11 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:40 PM

Posted 15 April 2009 - 05:16 AM

Hello. Let me know if this makes a difference; we will also check for hidden processes and drivers:

CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Reglock::
[HKEY_USERS\S-1-5-21-448539723-1637723038-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F531C65B-2CD4-0DAF-87EC-57C3FF359EA1}*]

Regnull::
[HKEY_USERS\S-1-5-21-448539723-1637723038-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F531C65B-2CD4-0DAF-87EC-57C3FF359EA1}*]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Gmer

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.


In your next reply, please post:
  • ComboFix log
  • Gmer log

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#12 CannonVol (Topic Starter; Members, 11 posts)

Posted 15 April 2009 - 04:05 PM

Sorry about the delay. I had to run the gmer scan 3 times; the first two times the computer froze after the scan and I wasn't able to save the results. Here are the logs.

ComboFix first and then gmer. By the way, I also noticed that when the computer freezes, everything, including the time, freezes. When I restart it the clock resets to the right time.

ComboFix 09-04-15.08 - LJ 04/15/2009 10:12.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2627 [GMT -4:00]
Running from: c:\documents and settings\LJ\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\LJ\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090415-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-13 15:46 . 2009-04-13 15:46 -------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
2009-04-11 15:34 . 2009-04-11 15:34 515 ----a-w c:\windows\system32\BIN_STRSBW.SPT
2009-04-11 14:45 . 2009-04-11 15:26 -------- d-----w c:\program files\RegCure
2009-04-11 05:02 . 2008-06-25 11:14 13576 ----a-w c:\windows\system32\WNASPI2K.BAK
2009-04-11 03:37 . 2009-04-11 03:37 -------- d-----w C:\adaptec
2009-04-07 21:38 . 2009-04-15 13:55 -------- d-----w c:\program files\WinClamAVShield
2009-04-07 02:49 . 2009-04-07 02:50 -------- d-----w c:\program files\Crawler
2009-04-07 02:49 . 2009-04-15 13:55 -------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-04-07 02:49 . 2009-04-13 16:33 -------- d-----w c:\documents and settings\LJ\Application Data\Spyware Terminator
2009-04-07 02:49 . 2009-04-07 02:49 142592 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys
2009-04-07 02:49 . 2009-04-13 15:13 -------- d-----w c:\program files\Spyware Terminator
2009-04-04 17:33 . 2009-04-04 17:33 -------- d-sh--w c:\windows\ftpcache
2009-04-03 18:22 . 2009-04-03 18:22 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-03 16:51 . 2009-04-13 15:16 -------- d-----w c:\documents and settings\LJ\Application Data\Blitware
2009-03-30 21:07 . 2009-03-30 21:07 -------- d-sh--w c:\documents and settings\LJ\PrivacIE
2009-03-27 22:54 . 2009-03-27 22:54 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-03-27 22:53 . 2009-03-27 22:53 -------- d-sh--w c:\documents and settings\LJ\IETldCache
2009-03-27 21:37 . 2009-03-27 21:37 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-03-27 20:22 . 2009-03-27 20:22 -------- d-----w c:\windows\ie8updates
2009-03-27 20:21 . 2009-03-27 20:21 1374 ----a-w c:\windows\imsins.BAK
2009-03-27 20:20 . 2009-03-27 20:21 -------- dc-h--w c:\windows\ie8
2009-03-27 20:18 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-03-27 20:15 . 2009-03-27 20:15 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-27 20:11 . 2009-03-27 20:11 -------- d-----w c:\program files\filehippo.com
2009-03-26 03:37 . 2009-03-26 03:37 -------- d-----w c:\windows\OPTIONS
2009-03-26 02:11 . 2009-03-26 02:15 -------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-03-26 01:59 . 2009-03-26 01:59 -------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-03-26 01:59 . 2009-03-26 01:59 -------- d-----w c:\documents and settings\LJ\Local Settings\Application Data\Downloaded Installations
2009-03-26 01:40 . 2009-03-26 01:40 -------- d-----w c:\documents and settings\LJ\Local Settings\Application Data\RadarSync
2009-03-26 00:55 . 2009-03-26 00:56 -------- d-----w c:\documents and settings\LJ\Application Data\DriverCure
2009-03-26 00:55 . 2009-03-26 02:19 -------- d-----w c:\documents and settings\All Users\Application Data\DriverCure
2009-03-26 00:55 . 2009-03-26 00:55 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-03-26 00:37 . 2009-03-26 04:15 -------- d-----w c:\documents and settings\LJ\Local Settings\Application Data\eSupport.com
2009-03-25 22:35 . 2009-03-27 18:04 -------- d-----w c:\program files\Hawaiian Explorer Lost Island
2009-03-25 19:50 . 2009-03-25 22:36 -------- d-----w c:\windows\system32\ActiveX
2009-03-25 19:49 . 2009-04-02 20:54 -------- d-----w c:\program files\Hawaiian Explorer Pearl Harbor
2009-03-22 16:11 . 2009-03-22 16:11 -------- d-----w c:\documents and settings\LJ\Application Data\Orca Profiles
2009-03-22 16:09 . 2009-03-22 16:09 -------- d-----w c:\program files\Orca Browser
2009-03-21 20:01 . 2009-03-26 02:15 -------- d-----w c:\documents and settings\LJ\Application Data\Uniblue
2009-03-20 21:43 . 2007-06-08 16:53 1753088 ----a-w c:\windows\system32\ExGrid.dll
2009-03-20 21:43 . 2007-06-05 13:20 602112 ----a-w c:\windows\system32\ExMenu.dll
2009-03-20 21:43 . 2007-06-05 13:19 516096 ----a-w c:\windows\system32\ExTab.dll
2009-03-20 21:43 . 2007-04-03 19:51 614400 ----a-w c:\windows\system32\ExButton.dll
2009-03-20 21:43 . 2007-04-03 19:51 307200 ----a-w c:\windows\system32\ExPMenu.dll
2009-03-20 21:43 . 2005-10-11 17:40 356352 ----a-w c:\windows\system32\eSellerateEngine.dll
2009-03-20 21:43 . 2005-10-04 11:11 118784 ----a-w c:\windows\system32\eWebControl.dll
2009-03-20 21:43 . 1998-04-24 03:00 368912 ----a-w c:\windows\system32\vbar332.dll
2009-03-20 21:43 . 2009-03-20 21:43 -------- d-----w c:\program files\AnswersThatWork
2009-03-17 13:49 . 2009-03-17 13:49 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-17 00:09 . 2009-03-17 00:09 -------- d-----w c:\program files\Common Files\McAfee
2009-03-16 21:01 . 2009-03-16 21:01 -------- d-----w c:\documents and settings\LJ\Application Data\Malwarebytes
2009-03-16 21:01 . 2009-03-26 20:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-16 21:01 . 2009-03-26 20:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-16 21:01 . 2009-03-16 21:01 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-16 21:01 . 2009-03-27 20:24 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 22:01 . 2009-04-14 22:01 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-14 20:59 . 2009-04-14 19:27 -------- d-----w c:\program files\EsetOnlineScanner
2009-04-13 16:32 . 2008-01-11 23:53 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-13 16:30 . 2008-11-08 18:48 -------- d-----w c:\program files\Common Files\DVDVideoSoft
2009-04-13 15:58 . 2009-02-27 22:19 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-13 15:12 . 2008-01-12 14:24 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-12 03:53 . 2008-01-11 23:48 -------- d-----w c:\program files\WinTV
2009-04-11 17:27 . 2008-12-24 00:09 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-11 15:26 . 2009-01-25 23:00 -------- d-----w c:\program files\a-squared Free
2009-04-11 02:29 . 2008-12-27 20:33 -------- d-----w c:\program files\lg_fwupdate
2009-03-30 21:59 . 2008-01-11 23:53 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-27 21:38 . 2008-01-11 23:52 -------- d-----w c:\program files\QuickTime
2009-03-27 21:37 . 2008-12-19 00:11 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-27 21:36 . 2008-01-11 23:47 -------- d-----w c:\program files\SpeedFan
2009-03-27 20:16 . 2008-01-11 23:45 -------- d-----w c:\program files\DivX
2009-03-27 20:00 . 2008-01-11 23:46 -------- d-----w c:\program files\Java
2009-03-27 19:43 . 2008-01-11 23:49 -------- d-----w c:\program files\Foxit Software
2009-03-26 04:18 . 2008-10-17 15:44 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-26 04:15 . 2008-10-16 23:55 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-26 03:37 . 2008-01-11 23:25 -------- d-----w c:\program files\Realtek
2009-03-26 03:37 . 2008-01-11 23:24 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-22 16:14 . 2008-01-11 23:48 -------- d-----w c:\program files\Avant Browser
2009-03-21 02:09 . 2008-08-29 02:14 495 ----a-w C:\log.txt
2009-03-20 03:08 . 2008-09-18 00:47 848 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-03-17 12:39 . 2008-12-23 23:44 -------- d-----w c:\program files\McAfee
2009-03-16 05:46 . 2008-01-12 04:02 -------- d-----w c:\documents and settings\LJ\Application Data\SiteAdvisor
2009-03-16 04:47 . 2009-03-16 04:47 -------- d-----w c:\program files\CCleaner
2009-03-16 03:59 . 2009-01-07 22:10 -------- d-----w c:\program files\GRETECH
2009-03-16 03:58 . 2008-11-08 18:06 -------- d-----w c:\program files\Ext2Fsd
2009-03-16 03:46 . 2009-03-16 03:46 -------- d-----w c:\program files\Trend Micro
2009-03-12 03:51 . 2008-01-18 04:47 43128 ----a-w c:\documents and settings\LJ\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-11 21:12 . 2008-06-17 00:19 -------- d-----w c:\program files\Opera
2009-03-11 03:56 . 2009-03-11 03:56 -------- d-----w c:\program files\JRE
2009-03-11 03:56 . 2009-03-11 03:56 -------- d-----w c:\program files\OpenOffice.org 3
2009-03-11 03:51 . 2008-01-12 14:34 -------- d-----w c:\documents and settings\LJ\Application Data\OpenOffice.org2
2009-03-08 08:34 . 2006-02-28 11:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2006-02-28 11:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2006-02-28 11:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2006-02-28 11:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2006-02-28 11:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2006-02-28 11:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2006-02-28 11:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2006-02-28 11:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2006-02-28 11:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2006-02-28 11:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-02-26 19:47 . 2008-03-24 18:10 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-21 01:25 . 2009-02-21 01:25 -------- d-----w c:\program files\AskBarDis
2009-02-21 01:25 . 2009-02-21 01:25 -------- d-----w c:\documents and settings\LJ\Application Data\Foxit
2009-02-11 23:23 . 2009-02-11 23:23 0 ----a-w C:\HDDVD.txt
2009-02-09 11:13 . 2006-02-28 11:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-27 01:34 . 2009-01-27 01:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-01-27 01:34 . 2009-01-27 01:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-01-27 01:34 . 2009-01-27 01:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-01-27 01:34 . 2009-01-27 01:34 684032 ----a-w c:\windows\system32\DivX.dll
2008-11-08 23:34 . 2008-11-08 23:34 125 ----a-w c:\documents and settings\LJ\Local Settings\Application Data\fusioncache.dat
2008-03-24 17:59 . 2008-03-24 17:59 97560 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\opera\program\plugins\libdivx.dll
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\opera\program\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-14_13.52.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 13:51 . 2009-04-15 13:51 16384 c:\windows\Temp\Perflib_Perfdata_790.dat
+ 2009-04-15 13:51 . 2009-04-15 13:51 16384 c:\windows\Temp\Perflib_Perfdata_56c.dat
+ 2008-02-05 12:48 . 2008-02-05 12:48 77824 c:\windows\system32\OnlineScannerUninstaller.exe
+ 2008-02-08 17:53 . 2008-02-08 17:53 110592 c:\windows\system32\OnlineScannerLang.dll
+ 2008-02-11 13:39 . 2008-02-11 13:39 237568 c:\windows\system32\OnlineScannerDLLW.dll
+ 2008-02-11 13:39 . 2008-02-11 13:39 253952 c:\windows\system32\OnlineScannerDLLA.dll
+ 2005-12-05 16:37 . 2005-12-05 16:37 106496 c:\windows\system32\lnod32upd.dll
+ 2005-12-05 23:25 . 2005-12-05 23:25 139264 c:\windows\system32\lnod32umc.dll
+ 2007-07-27 18:49 . 2007-07-27 18:49 225355 c:\windows\system32\lnod32apiW.dll
+ 2007-07-27 18:49 . 2007-07-27 18:49 196683 c:\windows\system32\lnod32apiA.dll
+ 2009-04-14 22:01 . 2009-04-14 22:01 102664 c:\windows\system32\drivers\tmcomm.sys
+ 2008-12-24 19:38 . 2008-12-24 19:38 386048 c:\windows\Downloaded Program Files\Housecall_ActiveX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 17:58 333192 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-28 1953792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"PDUiP6000DMon"="c:\program files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe" [2004-05-31 57344]
"PDUiP6000DTskbr"="c:\program files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe" [2004-05-28 69632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-04-07 2176000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-08-10 16384000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2008-11-20 15:06 178688 ----a-w c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-04 03:07 133104 ----atw c:\documents and settings\LJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-27 21:37 148888 ----a-w c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"Alcmtr"=ALCMTR.EXE
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" blrun
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"BDRegion"=c:\program files\Cyberlink\Shared Files\brs.exe
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Avant Browser\\avant.exe"=
"c:\\Program Files\\TheLaw.net\\TLN.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 SASDIFSV;SASDIFSV; [x]
R1 SASKUTIL;SASKUTIL; [x]
R3 samhid;samhid;c:\windows\system32\drivers\samhid.sys [2006-01-06 7548]
R3 SASENUM;SASENUM; [x]
S0 ahci8086;ahci8086;c:\windows\system32\DRIVERS\ahci8086.sys [2006-10-20 119808]
S1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [2008-08-12 96384]
S1 aswSP;avast! Self Protection; [x]
S1 CLBStor;InstantBurn Storage Helper Driver; [x]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-04-07 142592]
S2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2008-10-07 19:54 61424]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-10-01 1129344]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48245630-77c0-11dd-99c1-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70ccce38-40b0-11dd-988f-001e906f8bc3}]
\Shell\AutoRun\command - h:\portableapps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-08-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Crawler Search - tbr:iemenu
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
Trusted Zone: secunia.com
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
FF - ProfilePath - c:\documents and settings\LJ\Application Data\Mozilla\Firefox\Profiles\ieb09ien.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.utladyvols.com/
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xcomm.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xshared.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xsupport.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xwsg.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\LJ\Application Data\Mozilla\Firefox\Profiles\ieb09ien.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071302000002.dll
FF - plugin: c:\documents and settings\LJ\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\npexview.dll
FF - plugin: c:\program files\Opera\program\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 10:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2068)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-15 10:14
ComboFix-quarantined-files.txt 2009-04-15 14:14
ComboFix2.txt 2009-04-14 13:52

Pre-Run: 15,096,651,776 bytes free
Post-Run: 15,088,926,720 bytes free

289 --- E O F --- 2009-03-20 05:03


GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-15 16:57:02
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose [0xA0E5088E]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile [0xA0E500EC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateKey [0xA0E4FDCE]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateSection [0xA0E51938]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteKey [0xA0E4FED8]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey [0xA0E4FFC2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA0D9B14C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver [0xA0E50BBC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwOpenFile [0xA0E503F4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA0D9B64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA0D9B08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA0D9B0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA0D9B76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA0D9B72E]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetInformationFile [0xA0E50526]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetValueKey [0xA0E4FBFC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess [0xA0E50B04]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwWriteFile [0xA0E5070C]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----


Once again, thank you for your assistance. If this becomes too much and you think I should just re-format the drive and reinstall, let me know.

Jim
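
The two logs in the post above can be cross-checked mechanically, and doing so shows why the unlabelled SSDT hooks are not alarming on their own. GMER prints a vendor description in parentheses only when it can read a driver's version resource, so the sp_rsdrv2.sys entries carry none; but the ComboFix service list in the same post names that file as "Spyware Terminator Driver 2" (created 2009-04-07, matching the Spyware Terminator install in the "Files Created" section), and aswSP.SYS is attributed by GMER itself as avast! self protection. The Python below is an added example written for this page, not a tool from BleepingComputer, GMER or ComboFix. It parses the SSDT lines and the R*/S* driver service lines (a subset of those posted, embedded inline), joins them on the driver file name, and reports which hooking modules neither log can vouch for. The example.sys line is a constructed input, used only to exercise that last case, and the SENSITIVE set is this example's own assumption about which syscalls deserve a second look from an unknown module, not a GMER rule.

```python
"""Cross-reference the SSDT hooks reported by GMER with the service list
printed by ComboFix, so that each hooking kernel module is attributed to
something the logs themselves name.

GMER prints a vendor string in parentheses only when it can read the
driver's version resource; ComboFix lists every registered driver service
with its description. Joining the two on the driver file name turns
"unlabelled hook" into "hook owned by service X" or "hook nobody can vouch for".
"""
import re

# Lines copied from the GMER log posted above (a representative subset).
GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose [0xA0E5088E]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile [0xA0E500EC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA0D9B14C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver [0xA0E50BBC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA0D9B08C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess [0xA0E50B04]
"""

# Driver service lines copied from the ComboFix log posted above.
# "[x]" is ComboFix's marker for a service whose image file it could not locate.
COMBOFIX_SERVICES = r"""
S1 aswSP;avast! Self Protection; [x]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-04-07 142592]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
"""

# Constructed line, NOT from the posted log: a hook from a driver neither log names.
SYNTHETIC_UNKNOWN = r"SSDT \??\C:\WINDOWS\system32\drivers\example.sys ZwQueryDirectoryFile [0xA0F00000]"

SSDT_RE = re.compile(
    r"^SSDT\s+(?P<path>\S+)(?:\s+\((?P<vendor>[^)]*)\))?\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$"
)
SVC_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)

# Assumption for this example: syscalls whose hooking is typical of
# self-protection drivers and worth a second look from an unknown module.
SENSITIVE = {"ZwLoadDriver", "ZwTerminateProcess", "ZwOpenProcess",
             "ZwSetValueKey", "ZwDeleteKey", "ZwCreateSection"}


def basename(win_path):
    """Last component of a Windows path, lower-cased for case-insensitive joins."""
    return win_path.rsplit("\\", 1)[-1].lower()


def parse_ssdt_hooks(text):
    """Map driver file name -> {"vendor": str|None, "hooks": [syscall, ...]}."""
    modules = {}
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if not m:
            continue
        entry = modules.setdefault(basename(m["path"]), {"vendor": None, "hooks": []})
        if m["vendor"]:
            entry["vendor"] = m["vendor"]
        entry["hooks"].append(m["func"])
    return modules


def parse_combofix_services(text):
    """Map driver file name -> (service name, description)."""
    services = {}
    for line in text.splitlines():
        m = SVC_RE.match(line.strip())
        if not m:
            continue
        # With no image path printed, fall back to the usual <service>.sys name.
        key = basename(m["path"]) if m["path"] else m["name"].lower() + ".sys"
        services[key] = (m["name"], m["desc"])
    return services


def attribute_hooks(gmer_text, combofix_text):
    """Join both logs; say for each hooking module how it is attributed."""
    services = parse_combofix_services(combofix_text)
    report = {}
    for name, info in parse_ssdt_hooks(gmer_text).items():
        svc = services.get(name)
        if info["vendor"]:
            attribution = "gmer-version-info"
        elif svc:
            attribution = "combofix-service"
        else:
            attribution = None
        report[name] = {
            "hooks": sorted(info["hooks"]),
            "vendor": info["vendor"],
            "service": svc,
            "attribution": attribution,
            "sensitive_hooks": sorted(set(info["hooks"]) & SENSITIVE),
        }
    return report


def unattributed(report):
    """Modules that neither log can vouch for: the ones worth investigating."""
    return sorted(n for n, r in report.items() if r["attribution"] is None)


if __name__ == "__main__":
    rep = attribute_hooks(GMER_LOG + SYNTHETIC_UNKNOWN, COMBOFIX_SERVICES)
    for name, r in sorted(rep.items()):
        print(f"{name:15} attribution={str(r['attribution']):18} "
              f"hooks={len(r['hooks'])} sensitive={r['sensitive_hooks']}")
    print("unattributed:", unattributed(rep))
```

Run as a script it prints one line per hooking module; for the lines taken from the posted logs the unattributed list is empty, and only the constructed example.sys entry lands there. The join is deliberately on the file name rather than the full path, because GMER reports NT object paths (\??\C:\... and \SystemRoot\...) while ComboFix reports DOS paths, and a driver that hooks sensitive syscalls without appearing in either log is the case that would actually justify a closer look.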

#13 Jat90 (Members, 1,515 posts; United Kingdom)

Posted 15 April 2009 - 04:14 PM

Hello,

Gmer, online scans and ComboFix reports have all come back clean. I can therefore conclude the symptoms you are having are not malware related at all, and I really couldn't tell you what the root of this problem is; it could well be a hardware issue.

Just a question about your computer freezing, did this symptom begin after the latest run of ComboFix? If not then when did it?

Edited by Jat90, 15 April 2009 - 04:35 PM. Reason: Find out more info

- Jat90 -


#14 CannonVol (Topic Starter; Members, 11 posts)

Posted 15 April 2009 - 05:06 PM

The freezing actually began about a week ago, shortly before we started this attempt to locate the problem. It doesn't happen often, but is annoying when it does. The only hardware I've added lately has been an LG GGW-H20L Blu-ray/DVD burner and that was added at the end of December. It came with some HD software from Cyberlink which I also installed. I also use a NexStar hard drive dock from Vantec to be able to use hard drives for video editing that I do, but I haven't had it turned on for about three to four weeks. I did have a little problem with that at first. It would alter my boot sequence in my BIOS if I left it running when I shut the computer down.

Maybe I should contact ECS and see if they have a BIOS firmware update that would help me at all.

Jat, thank you for all the effort you put into this. At the very least, you have set my mind to rest about a possible infection and someone trying to steal personal information from my computers.

Jim

#15 Jat90 (Members, 1,515 posts; United Kingdom)

Posted 15 April 2009 - 05:15 PM

Hello,

No problem. You say that you have added new hardware recently and since then it has caused freezing. I think this may be the link. I have had some difficulty with hardware in the past; a graphics card which was not correctly installed caused similar issues for me. Though my knowledge of hardware is somewhat lacking and I therefore cannot assist you any further, a firmware upgrade seems like a good idea.

You may also want to try the Windows XP Forum, as you may receive help there. In your initial post you may want to say you have had your computer checked and it is definitely malware free as someone will likely suggest it.

Good Luck.

Edited by Jat90, 15 April 2009 - 05:16 PM. Reason: typo

- Jat90 -




