Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


DDS/txt info need help

  • This topic is locked This topic is locked
2 replies to this topic

#1 myk60


  • Members
  • 1 posts
  • Local time:08:11 AM

Posted 13 April 2009 - 11:21 AM

DDS (Ver_09-03-16.01) - NTFSx86
Run by mm at 9:13:01.59 on Mon 04/13/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.473 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\mm\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>;*.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Easy Gif Animator Toolbar Helper: {96372ab6-15eb-4316-b497-71c741bc548c} - c:\program files\easy gif animator extension\v3.3.0.1\EasyGifAnimator_Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: Easy Gif Animator Toolbar: {35065594-9169-4a34-b167-fc4865038e53} - c:\program files\easy gif animator extension\v3.3.0.1\EasyGifAnimator_Toolbar.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [supervisor.exe] c:\windows\supervisor.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [EPSON Stylus Photo 1400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibua.exe /fu "c:\windows\temp\E_S10D.tmp" /EF "HKCU"
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224371067250
DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239233657296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://signin3.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mm\applic~1\mozilla\firefox\profiles\6h9whulo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\mm\application data\mozilla\firefox\profiles\6h9whulo.default\extensions\npfax@microgaming.co.uk\platform\winnt_x86-msvc\plugins\npfax.dll

============= SERVICES / DRIVERS ===============

R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\KTC111.SYS [2008-10-18 19016]
S1 SuperMounter;SuperMounter; [x]

=============== Created Last 30 ================

2009-04-13 00:34 <DIR> --d----- c:\program files\Trend Micro
2009-04-12 11:05 <DIR> --d----- c:\docume~1\mm\applic~1\IObit
2009-04-12 11:05 <DIR> --d----- c:\program files\IObit
2009-04-07 20:18 <DIR> --dsh--- c:\documents and settings\mm\IECompatCache
2009-04-07 20:18 <DIR> --dsh--- c:\documents and settings\mm\PrivacIE
2009-04-07 20:17 <DIR> --dsh--- c:\documents and settings\mm\IETldCache
2009-04-07 20:14 <DIR> -cd-h--- c:\windows\ie8
2009-04-07 16:16 155 a------- c:\windows\system32\SelfDel.bat
2009-04-06 11:04 18,429 a------- c:\windows\system32\pic.jpg
2009-04-06 09:26 27,648 a------- c:\windows\system32\winsetupsm.exe
2009-04-06 06:40 484 a------- c:\windows\system32\303365.exe
2009-04-03 23:58 20,480 a------- c:\windows\system32\nDler2.exe
2009-04-03 07:27 105,170 a------- c:\windows\system32\drivers\96c5aa42.sys
2009-04-02 16:03 <DIR> --d----- c:\program files\Bonjour
2009-04-02 15:58 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-04-02 00:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EPSON
2009-04-02 00:00 <DIR> --d----- c:\program files\EPSON
2009-04-01 21:28 0 a------- c:\windows\system32\drivers\ovfsth.sys
2009-04-01 21:25 18,432 a------- c:\windows\system32\ovfsthjhhyjftvbxhpcrbirsrnlbexgykokwgy.dll
2009-04-01 21:24 43 a------- c:\windows\system32\ovfsthgyprnfltwsgvewltevdjqxqjuedhpfqt.dat
2009-04-01 21:23 <DIR> --d----- c:\program files\1 Click PC Fix
2009-04-01 21:23 66,452 a------- c:\windows\system32\ovfsthetpqgphigsktbvmkkjsvfycnkhpnmbrv.dat
2009-04-01 21:23 60,928 a------- c:\windows\system32\ovfsthlkvjletlobotxmksjiueuynxnjeyrnld.dll
2009-04-01 21:23 18,944 a------- c:\windows\system32\ovfsthlwuwwbpvykoxqrmkguyiasnejhrdlnaw.dll
2009-04-01 21:23 18,432 a------- c:\windows\system32\ovfsthmvdyoifmeforbayhlfthgyjwefdbtybc.dll
2009-04-01 17:50 <DIR> --d-h--- C:\BJPrinter
2009-03-22 20:59 <DIR> --d----- c:\docume~1\mm\applic~1\Proxima Software
2009-03-22 20:58 <DIR> --d----- c:\program files\FontExpert
2009-03-18 10:27 <DIR> --d--r-- c:\program files\Skype
2009-03-14 14:26 20,480 a------- c:\windows\system32\PteVideo.dll
2009-03-14 14:26 <DIR> --d----- c:\program files\WnSoft PicturesToExe
2009-03-14 14:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PicturesToExe

==================== Find3M ====================

2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-11-19 20:36 87,608 a------- c:\docume~1\mm\applic~1\inst.exe
2008-11-19 20:36 47,360 a------- c:\docume~1\mm\applic~1\pcouffin.sys
2008-10-23 18:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101320081020\index.dat
2008-10-23 18:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102320081024\index.dat

============= FINISH: 9:13:13.66 ===============

BC AdBot (Login to Remove)


#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:09:11 AM

Posted 20 April 2009 - 02:52 PM

Hello myk60 and welcome to Bleepingcomputer forums.

Is your system still having issues? or has this been fixed elsewhere?

It has been a week since your initial post. These boards do get super-busy.
The system has a rootkit infection and it's a serious issue needing guide help.
If you wish to proceed here, please get started with the following.

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

3. Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.
Next, Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Next, please run a new DDS run. I need a fresh copy of DDS.txt

reply with copy of contents of MBAM scan log
and the new DDS.txt

There will be more to do.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 Maurice Naggar

Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:09:11 AM

Posted 26 April 2009 - 07:28 AM

It has been more than 12 days since your last post. I am marking this as closed, due to lack of response.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users