Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Is there a government spy in my computer?


  • This topic is locked This topic is locked
33 replies to this topic

#1 somchaigirl

somchaigirl

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:10:05 PM

Posted 16 April 2009 - 11:15 PM

Hi, lately I've the worldwide problem of a slow running computer, lots of windows not responding. Here's my HJ log. I've ran many spyware finders and AVs including S & D, but no joy.

Any problems?

:mellow: :whistle:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:04, on 4/17/2009
Platform: Windows Vista SP2, v.113 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.16497)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\kmw_run.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Hmonitor\hmonitor.exe
C:\Windows\regx32.exe
C:\Windows\vsnpstd.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.th/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [hmonitor] C:\Program Files\Hmonitor\hmonitor.exe
O4 - HKLM\..\Run: [TrialReset] C:\Windows\regx32.exe
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKL

BC AdBot (Login to Remove)

 


#2 somchaigirl

somchaigirl
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:10:05 PM

Posted 23 April 2009 - 12:17 PM

:mellow: No answers? OK, here's my new log, below, in two parts,

Edited by somchaigirl, 23 April 2009 - 12:34 PM.


#3 somchaigirl

somchaigirl
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:10:05 PM

Posted 23 April 2009 - 12:23 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:19:59, on 4/24/2009
Platform: Windows Vista SP2, v.113 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.16497)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\kmw_run.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Hmonitor\hmonitor.exe
C:\Windows\regx32.exe
C:\Windows\vsnpstd.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.th/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [hmonitor] C:\Program Files\Hmonitor\hmonitor.exe
O4 - HKLM\..\Run: [TrialReset] C:\Windows\regx32.exe
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.e

#4 somchaigirl

somchaigirl
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:10:05 PM

Posted 23 April 2009 - 12:24 PM

Part 2 and a picture of me!

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{AED9D0CB-57F8-4238-9499-67C22FB29868}: NameServer = 203.144.207.49 203.144.207.29
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 6587 bytes

EDIT! Image removed as inappropriate

Edited by Pandy, 23 April 2009 - 02:32 PM.


#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:05 PM

Posted 02 May 2009 - 03:58 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
If you still require assistance post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log please [url=http://www.bleepingcomputer.com/forums/topic34773.html]refer to this page[/url and in step #6 there is instructions on downloading and running DDS. IF you have any problems just let me know in your next reply or simply post a Hijackthis log.

Thanks again and we apologzie for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 somchaigirl

somchaigirl
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:10:05 PM

Posted 04 May 2009 - 12:31 PM

OK, I can't see any steps, but I guess you want a DDS scan, right? Here it is, with the attachment,



DDS (Ver_09-03-16.01) - NTFSx86
Run by XPUSA at 0:20:01.10 on Tue 05/05/2009
Internet Explorer: 7.0.6002.16497
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.511.71 [GMT 7:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\System32\kmw_run.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Hmonitor\hmonitor.exe
C:\Windows\regx32.exe
C:\Windows\vsnpstd.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\XPUSA\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.th/
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
mRun: [<NO NAME>]
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [kmw_run.exe] kmw_run.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [hmonitor] c:\program files\hmonitor\hmonitor.exe
mRun: [TrialReset] c:\windows\regx32.exe
mRun: [snpstd] c:\windows\vsnpstd.exe
mRun: [BtTray] "c:\program files\ivt corporation\bluesoleil\BtTray.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: {AED9D0CB-57F8-4238-9499-67C22FB29868} = 203.144.207.49 203.144.207.29
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-2-20 33800]
R3 DCamUSBET;ET USB 2760 Camera;c:\windows\system32\drivers\etDevice.sys [2007-7-20 471808]
R3 FETND6V;VIA Rhine Family Fast Ethernet Adapter Driver;c:\windows\system32\drivers\fetnd6v.sys [2008-12-4 43520]
R3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\drivers\etFilter.sys [2007-6-14 201216]

=============== Created Last 30 ================

2009-04-24 00:28 <DIR> --dsh--- C:\Diskeeper
2009-04-23 22:21 <DIR> --d----- c:\program files\common files\Diskeeper Corporation
2009-04-23 22:21 <DIR> --d----- c:\programdata\Diskeeper Corporation
2009-04-23 22:21 <DIR> --d----- c:\progra~2\Diskeeper Corporation
2009-04-23 21:45 <DIR> --d----- c:\program files\Diskeeper Corporation
2009-04-22 06:42 376,320 a------- c:\windows\system32\winhttp.dll
2009-04-20 19:50 <DIR> --dsh--- c:\programdata\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-20 19:50 <DIR> --dsh--- c:\progra~2\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-18 20:10 <DIR> --d----- c:\programdata\WindowsSearch

==================== Find3M ====================

2009-05-05 00:00 51,200 a------- c:\windows\inf\infpub.dat
2009-05-05 00:00 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-03 20:26 50,688 a------- c:\program files\ATF-Cleaner.exe
2009-03-28 19:58 886,840 a------- c:\windows\system32\drivers\tcpip.sys
2009-03-22 17:08 86,016 a------- c:\windows\inf\infstor.dat
2009-03-14 21:48 34,312 a------- c:\windows\system32\drivers\blueletaudio.sys
2009-02-11 03:29 2,034,176 a------- c:\windows\system32\win32k.sys
2008-11-21 19:19 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 19:49 174 a--sh--- c:\program files\desktop.ini
2006-11-02 19:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 19:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 19:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 19:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 16:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 16:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 16:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 16:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-04-16 21:16 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-04-16 21:16 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-04-16 21:16 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-08-20 21:04 80 a--shr-- c:\windows\system32\C900869702.dll

============= FINISH: 0:27:51.07 ===============

Attached Files



#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:05 PM

Posted 04 May 2009 - 03:31 PM

Hello.

Sorry for the broken link. Accidently removed a "]" it seems.

Please answer this question:

If you still require assistance post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 somchaigirl

somchaigirl
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:10:05 PM

Posted 05 May 2009 - 12:55 AM

The new DDS logs are above. Yes, I still need help as computer start-up is very slow, Internet Explorer goes into 'not responding' mode quite often, now there's a striped, grey line/bar at the bottom of it (the line's not usually there) and the computer is generally very sluggish.

Thanks.

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:05 PM

Posted 05 May 2009 - 03:20 PM

Hello.

Could you provide a screenshot so I can see what you are talking about in IE.

Question: How much ram and memory does this computer have?

Please do the following afterwards.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • c:\windows\system32\C900869702.dll
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
With regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 somchaigirl

somchaigirl
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:10:05 PM

Posted 07 May 2009 - 09:05 AM

Could you provide a screenshot so I can see what you are talking about in IE.

It seema to have gone for now.

Question: How much ram and memory does this computer have?


1.5GBs of ram and 32GBs on drive C with 8GBs spare.

#11 somchaigirl

somchaigirl
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:10:05 PM

Posted 07 May 2009 - 09:14 AM

VirSCAN.org Scanned Report :
Scanned time : 2009/05/07 21:02:51 (ICT)
Scanner results: All Scanners reported not find malware!
File Name : C900869702.dll
File Size : 80 byte
File Type : data
MD5 : abfd35b626368c5b9fd5967a97f80b51
SHA1 : 1f85520b443db8344885e76acac97984a656d3e4
Online report : http://virscan.org/report/5acee7836db87681...88b0983034.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090507000335 2009-05-07 16.35 -
AhnLab V3 2009.05.07.02 2009.05.07 2009-05-07 2.81 -
AntiVir 8.2.0.160 7.1.3.169 2009-05-07 0.07 -
Antiy 2.0.18 20090507.2369451 2009-05-07 0.12 -
Arcavir 2009 200905061805 2009-05-06 0.02 -
Authentium 5.1.1 200905070226 2009-05-07 1.13 -
AVAST! 4.7.4 090505-0 2009-05-05 0.00 -
AVG 8.5.286 270.12.21/2102 2009-05-07 3.29 -
BitDefender 7.81008.2902156 7.25256 2009-05-07 2.70 -
CA (VET) 9.0.0.143 31.6.6493 2009-05-07 17.86 -
ClamAV 0.95 9338 2009-05-07 0.00 -
Comodo 3.8 1154 2009-05-06 2.09 -
CP Secure 1.1.0.715 2009.05.07 2009-05-07 9.04 -
Dr.Web 4.44.0.9170 2009.05.07 2009-05-07 4.54 -
F-Prot 4.4.4.56 20090506 2009-05-06 1.14 -
F-Secure 5.51.6100 2009.05.07.08 2009-05-07 0.04 -
Fortinet 2.81-3.117 10.361 2009-05-07 1.21 -
GData 19.5079/19.322 20090507 2009-05-07 22.52 -
ViRobot 20090507 2009.05.07 2009-05-07 1.61 -
Ikarus T3.1.01.49 2009.05.07.72680 2009-05-07 2.79 -
JiangMin 11.0.706 2009.05.07 2009-05-07 9.66 -
Kaspersky 5.5.10 2009.05.07 2009-05-07 0.02 -
KingSoft 2009.2.5.15 2009.5.7.18 2009-05-07 20.77 -
McAfee 5.3.00 5607 2009-05-06 3.21 -
Microsoft 1.4602 2009.05.07 2009-05-07 11.28 -
mks_vir 2.01 2009.05.07 2009-05-07 2.69 -
Norman 6.01.05 6.01.00 2009-05-06 4.01 -
Panda 9.05.01 2009.05.06 2009-05-06 4.11 -
Trend Micro 8.700-1004 6.114.03 2009-05-06 0.02 -
Quick Heal 10.00 2009.05.06 2009-05-06 9.12 -
Rising 20.0 21.28.32.00 2009-05-07 2.32 -
Sophos 2.86.0 4.41 2009-05-07 2.27 -
Sunbelt 5125 5125 2009-05-06 14.58 -
Symantec 1.3.0.24 20090506.002 2009-05-06 0.24 -
nProtect 20090506.01 3583152 2009-05-06 40.16 -
The Hacker 6.3.4.1 v00320 2009-05-06 1.99 -
VBA32 3.12.10.4 20090505.1100 2009-05-05 1.83 -
VirusBuster 4.5.11.10 10.105.17/1328820 2009-05-06 1.61 -

#12 somchaigirl

somchaigirl
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:10:05 PM

Posted 07 May 2009 - 09:29 AM

Malwarebytes' Anti-Malware 1.36
Database version: 2088
Windows 6.0.6002 Service Pack 2, v.113

5/7/2009 21:25:58
mbam-log-2009-05-07 (21-25-58).txt

Scan type: Quick Scan
Objects scanned: 69303
Time elapsed: 8 minute(s), 34 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
C:\Windows\regx32.exe (Hacktool.Agent) -> Not selected for removal.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trialreset (Hacktool.Agent) -> Not selected for removal.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\drivers\downld (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\libmcl-3.1.1.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\regx32.exe (Hacktool.Agent) -> Not selected for removal.

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:05 PM

Posted 08 May 2009 - 03:01 PM

Hello.

Why are thses not selected for removal? I would like to know.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trialreset (Hacktool.Agent) -> Not selected for removal.
C:\Windows\regx32.exe (Hacktool.Agent) -> Not selected for removal.


What symptoms do you still have?

Download and Run Rooter SD

Please download Rooter.exe and save it to your desktop
  • Double-click it to start the tool. If you are using Vista, please right-click and choose Run As Administrator...
  • Alow it to run when you get a Security Warning
  • A black Command Windows will open saying: "Please Wait..."
  • A bunch of text will go past the screen very quickly (Don't worry, it is scanning)
  • It will now begin to scan, please be paitent. The scan should not take more than 2 minutes
  • A Notepad file containing the report will open soon. It can also be found at %systemdrive%\Rooter.txt
  • Please post that log here in your next reply please
With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#14 somchaigirl

somchaigirl
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:10:05 PM

Posted 10 May 2009 - 02:00 AM

Hello.

Why are thses not selected for removal? I would like to know.


Those are part of a program, which was installed many months before my problems started, and if I was to remove them, the program would no longer work.

What symptoms do you still have?


Slow running, slow startup and internet dail-up 'not responding'.


Please download Rooter.exe and save it to your desktop[list]


This program doesn't run. Keep getting this error,

Posted Image

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:05 PM

Posted 10 May 2009 - 05:16 PM

Hello.

Those are part of a program, which was installed many months before my problems started, and if I was to remove them, the program would no longer work.

What program is that? :thumbup2:

Slow running, slow startup and internet dail-up 'not responding'.

Okay, but that may not be malware related.

Let's make sure.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO..
    Posted Image
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries

Also update Java.

Update Java to Version 6 Update 13

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users