Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Don't know what I have


  • This topic is locked This topic is locked
15 replies to this topic

#1 IMissMyMac

IMissMyMac

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 05 August 2009 - 06:05 PM

Hi everybody. Please don't take offense to my handle, I was lamenting over my problems, I guess. The problems seemed to start over the weekend when I used the Task Manager after shutting down FireFox & saw it was still on. I didn't know what to make of it, so I ran a few errands & returned to find it was still running, so I ended the process. Things seemed pretty normal, except that sometimes entire words wouldn't appear after I typed them while posting on a site, so I'd have to re-type it. I had 2-3 crashes after I updated to FF 3.5 over the course of a week. Two nights ago, FF crashed three times in three hours. I went to the Mozilla site to find a big warning about a vulnerability in Flash player & to go to Adobe to update right away. I do that & restart to find Avast updating for the second time that night, then FF tells me they have a new update... I restart & run Avast, then Defender only to find nothing. Then I get Hijack this & here we are.

I thank you in advance, very much, for the help. Here's the DDS.




DDS (Ver_09-07-30.01) - NTFSx86
Run by Mike at 18:31:31.61 on Wed 08/05/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.827 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:Windowssystem32wininit.exe
C:Windowssystem32lsm.exe
C:Windowssystem32svchost.exe -k DcomLaunch
C:Windowssystem32nvvsvc.exe
C:Windowssystem32svchost.exe -k rpcss
C:WindowsSystem32svchost.exe -k secsvcs
C:WindowsSystem32svchost.exe -k LocalServiceNetworkRestricted
C:WindowsSystem32svchost.exe -k LocalSystemNetworkRestricted
C:Windowssystem32svchost.exe -k netsvcs
C:Windowssystem32svchost.exe -k GPSvcGroup
C:Windowssystem32SLsvc.exe
C:Windowssystem32svchost.exe -k LocalService
C:Windowssystem32svchost.exe -k NetworkService
C:Windowssystem32rundll32.exe
C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
C:Program FilesAlwil SoftwareAvast4ashServ.exe
C:Windowssystem32WLANExt.exe
C:WindowsSystem32spoolsv.exe
C:Windowssystem32svchost.exe -k LocalServiceNoNetwork
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:Program FilesBonjourmDNSResponder.exe
C:Windowssystem32svchost.exe -k NetworkServiceNetworkRestricted
C:Program FilesSMINSTBLService.exe
C:Program FilesGoogleUpdate1.2.183.7GoogleCrashHandler.exe
C:Program FilesCyberLinkShared filesRichVideo.exe
C:Windowssystem32svchost.exe -k imgsvc
C:WindowsSystem32svchost.exe -k WerSvcGroup
C:Windowssystem32SearchIndexer.exe
C:Windowssystem32DRIVERSxaudio.exe
C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe
C:Program FilesAlwil SoftwareAvast4ashWebSv.exe
C:Windowssystem32taskeng.exe
C:Windowssystem32Dwm.exe
C:WindowsExplorer.EXE
C:Windowssystem32taskeng.exe
C:Program FilesSynapticsSynTPSynTPEnh.exe
C:Program FilesHPQuickPlayQPService.exe
C:Program FilesWindows DefenderMSASCui.exe
C:Program FilesJavajre6binjusched.exe
C:Program FilesHPHP Software UpdatehpwuSchd2.exe
C:Program FilesHewlett-PackardHP Wireless AssistantHPWAMain.exe
C:Program FilesAlwil SoftwareAvast4ashDisp.exe
C:WindowsSystem32rundll32.exe
C:Program FilesHewlett-PackardSharedhpqwmiex.exe
C:Program FilesiTunesiTunesHelper.exe
C:Windowssystem32wbemwmiprvse.exe
C:Windowssystem32wbemunsecapp.exe
C:Program FilesHewlett-PackardHP wireless AssistantWiFiMsg.EXE
C:Program FilesOpenOffice.org 2.0programsoffice.exe
C:Program FilesHewlett-PackardSharedHpqToaster.exe
C:Program FilesOpenOffice.org 2.0programsoffice.BIN
C:Program FilesiPodbiniPodService.exe
C:Program FilesSynapticsSynTPSynTPHelper.exe
c:Program FilesHewlett-PackardHP Health Checkhphc_service.exe
c:program fileswindows defenderMpCmdRun.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe
C:Windowssystem32NOTEPAD.EXE
C:Program FilesMozilla Firefoxfirefox.exe
C:WindowsservicingTrustedInstaller.exe
C:Windowssystem32taskeng.exe
C:Windowssystem32SearchProtocolHost.exe
C:Windowssystem32SearchFilterHost.exe
C:Windowssystem32DllHost.exe
C:Windowssystem32DllHost.exe
C:UsersMikeDownloadsdds.scr
C:Windowssystem32wbemwmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:progra~1yahoo!companioninstallscpnyt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:progra~1yahoo!companioninstallscpnyt.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:program filesaskbardisbarbinaskBar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:program filesgooglegoogletoolbarnotifier5.1.1309.3572swg.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:program filesmsntoolbar3.0.0541.0msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program filesjavajre6binjp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:progra~1yahoo!companioninstallscpnYTSingleInstance.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:program filesmsntoolbar3.0.0541.0msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:progra~1yahoo!companioninstallscpnyt.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:program filesaskbardisbarbinaskBar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun: [SynTPEnh] c:program filessynapticssyntpSynTPEnh.exe
mRun: [QPService] "c:program fileshpquickplayQPService.exe"
mRun: [UpdateLBPShortCut] "c:program filescyberlinklabelprintmuitransfermuistartmenu.exe" "c:program filescyberlinklabelprint" updatewithcreateonce "softwarecyberlinklabelprint2.5"
mRun: [UpdatePSTShortCut] "c:program filescyberlinkdvd suitemuitransfermuistartmenu.exe" "c:program filescyberlinkdvd suite" updatewithcreateonce "softwarecyberlinkPowerStarter"
mRun: [Windows Defender] %ProgramFiles%Windows DefenderMSASCui.exe -hide
mRun: [UpdateP2GoShortCut] "c:program filescyberlinkpower2gomuitransfermuistartmenu.exe" "c:program filescyberlinkpower2go" updatewithcreateonce "softwarecyberlinkpower2go6.0"
mRun: [UpdatePDIRShortCut] "c:program filescyberlinkpowerdirectormuitransfermuistartmenu.exe" "c:program filescyberlinkpowerdirector" updatewithcreateonce "softwarecyberlinkpowerdirector7.0"
mRun: [SunJavaUpdateSched] "c:program filesjavajre6binjusched.exe"
mRun: [HP Software Update] c:program fileshphp software updateHPWuSchd2.exe
mRun: [hpWirelessAssistant] c:program fileshewlett-packardhp wireless assistantHPWAMain.exe
mRun: [avast!] c:progra~1alwils~1avast4ashDisp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:windowssystem32NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:windowssystem32NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:program filesquicktimeQTTask.exe" -atboottime
mRun: [iTunesHelper] "c:program filesitunesiTunesHelper.exe"
StartupFolder: c:usersmikeappdataroamingmicros~1windowsstartm~1programsstartupopenof~1.lnk - c:program filesopenoffice.org 2.0programquickstart.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:progra~1micros~3office12EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:progra~1micros~3office12ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~3office12REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:usersmikeappdataroamingmozillafirefoxprofilesqzei15p9.default
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?sourceid=navclient-ff
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: c:usersmikeappdataroamingmozillafirefoxprofilesqzei15p9.defaultextensions{463f6ca5-ee3c-4be1-b7e6-7fee11953374}platformwinntcomponentsFoxyTunes.dll
FF - plugin: c:program filesgooglegoogle earth pluginnpgeplugin.dll
FF - plugin: c:program filesgooglegoogle updater2.4.1536.6592npCIDetect13.dll
FF - plugin: c:program filesgoogleupdate1.2.183.7npGoogleOneClick8.dll
FF - plugin: c:program filesmozilla firefoxpluginsnpFoxitReaderPlugin.dll
FF - plugin: c:program filesmozilla firefoxpluginsNPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsmicrosoft.netframeworkv3.5windows presentation foundationdotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:program filesmozilla firefoxgreprefsall.js - pref("media.enforce_same_site_origin", false);
c:program filesmozilla firefoxgreprefsall.js - pref("media.cache_size", 51200);
c:program filesmozilla firefoxgreprefsall.js - pref("media.ogg.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("media.wave.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("media.autoplay.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.urlbar.autocomplete.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:program filesmozilla firefoxgreprefsall.js - pref("dom.storage.default_quota", 5120);
c:program filesmozilla firefoxgreprefsall.js - pref("content.sink.event_probe_rate", 3);
c:program filesmozilla firefoxgreprefsall.js - pref("network.http.prompt-temp-redirect", true);
c:program filesmozilla firefoxgreprefsall.js - pref("layout.css.dpi", -1);
c:program filesmozilla firefoxgreprefsall.js - pref("layout.css.devPixelsPerPx", -1);
c:program filesmozilla firefoxgreprefsall.js - pref("gestures.enable_single_finger_input", true);
c:program filesmozilla firefoxgreprefsall.js - pref("dom.max_chrome_script_run_time", 0);
c:program filesmozilla firefoxgreprefsall.js - pref("network.tcp.sendbuffer", 131072);
c:program filesmozilla firefoxgreprefsall.js - pref("geo.enabled", true);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("extensions.blocklist.level", 2);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.urlbar.restrict.typed", "~");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.urlbar.default.behavior", 0);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.history", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.cache", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.history", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.formdata", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.passwords", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.downloads", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.cookies", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.cache", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.sessions", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.offlineApps", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.siteSettings", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.ssl_override_behavior", 2);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.privatebrowsing.autostart", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:windowssystem32driversaswSP.sys [2009-3-31 114768]
R2 aswFsBlk;aswFsBlk;c:windowssystem32driversaswFsBlk.sys [2009-3-31 20560]
R2 aswMonFlt;aswMonFlt;c:windowssystem32driversaswMonFlt.sys [2009-3-31 51792]
R2 Recovery Service for Windows;Recovery Service for Windows;c:program filessminstBLService.exe [2008-10-25 365952]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:windowssystem32driversnvhda32v.sys [2009-6-26 66080]
S2 gupdate1c9b426ae78fe4b;Google Update Service (gupdate1c9b426ae78fe4b);c:program filesgoogleupdateGoogleUpdate.exe [2009-4-3 133104]
S4 Norton Internet Security;Norton Internet Security;"c:program filesnorton internet securityengine16.0.0.125ccsvchst.exe" /s "norton internet security" /m "c:program filesnorton internet securityengine16.0.0.125dimaster.dll" /prefetch:1 --> c:program filesnorton internet securityengine16.0.0.125ccSvcHst.exe [?]

=============== Created Last 30 ================

2009-08-04 22:06 <DIR> --d----- c:program filesTrend Micro
2009-08-02 00:54 <DIR> --d----- c:program filesiPod
2009-08-02 00:54 <DIR> --d----- c:program filesiTunes
2009-08-02 00:53 <DIR> --d----- c:program filesBonjour
2009-07-29 20:33 766 a------- c:windowssystemCRIcon.ico
2009-07-16 14:57 289,792 a------- c:windowssystem32atmfd.dll
2009-07-16 14:57 156,672 a------- c:windowssystem32t2embed.dll
2009-07-16 14:57 72,704 a------- c:windowssystem32fontsub.dll
2009-07-16 14:57 23,552 a------- c:windowssystem32lpk.dll
2009-07-16 14:57 10,240 a------- c:windowssystem32dciman32.dll

==================== Find3M ====================

2009-07-29 20:34 51,200 a------- c:windowsinfinfpub.dat
2009-07-29 20:34 143,360 a------- c:windowsinfinfstrng.dat
2009-07-29 20:33 86,016 a------- c:windowsinfinfstor.dat
2009-07-29 19:52 27,744 a------- c:programdatanvModes.dat
2009-07-29 19:52 27,744 a------- c:progra~2nvModes.dat
2009-07-21 17:52 915,456 a------- c:windowssystem32wininet.dll
2009-07-21 17:47 109,056 a------- c:windowssystem32iesysprep.dll
2009-07-21 17:47 71,680 a------- c:windowssystem32iesetup.dll
2009-07-21 16:13 133,632 a------- c:windowssystem32ieUnatt.exe
2009-06-30 15:36 18,696 a------- c:windowshelpoemscriptsHC_BatteryReplaceNew.exe
2009-06-30 15:10 18,696 a------- c:windowshelpoemscriptsHC_BatteryNoTravel.exe
2009-06-30 15:03 18,696 a------- c:windowshelpoemscriptsHC_BatteryAccessories.exe
2009-06-30 12:44 18,184 a------- c:windowshelpoemscriptsHC_BatteryWeakNew.exe
2009-06-26 22:55 66,080 a------- c:windowssystem32driversnvhda32v.sys
2009-06-26 22:54 57,344 a------- c:windowssystem32nvapo32v.dll
2009-06-26 22:54 19,456 a------- c:windowssystem32nvhdap32.dll
2009-06-26 18:36 18,184 a------- c:windowshelpoemscriptsHC_BatteryUpgrade.exe
2009-06-24 22:07 151,552 a------- c:windowssystem32nvcohda.dll
2009-06-24 22:07 485,920 a------- c:windowssystem32NVUNINST.EXE
2009-06-24 22:07 485,920 a------- c:windowssystem32nvuhda.exe
2009-06-03 02:05 665,600 a------- c:windowsinfdrvindex.dat
2009-05-17 00:20 99,965 a------- c:windowsUninstallFirefox.exe
2009-05-17 00:20 2,654 a------- c:windowsmozver.dat
2008-01-20 22:43 174 a--sh--- c:program filesdesktop.ini
2006-11-02 08:42 287,440 a------- c:windowsinfperflib0409perfi.dat
2006-11-02 08:42 287,440 a------- c:windowsinfperflib0409perfh.dat
2006-11-02 08:42 30,674 a------- c:windowsinfperflib0409perfd.dat
2006-11-02 08:42 30,674 a------- c:windowsinfperflib0409perfc.dat
2006-11-02 05:20 287,440 a------- c:windowsinfperflib0000perfi.dat
2006-11-02 05:20 287,440 a------- c:windowsinfperflib0000perfh.dat
2006-11-02 05:20 30,674 a------- c:windowsinfperflib0000perfd.dat
2006-11-02 05:20 30,674 a------- c:windowsinfperflib0000perfc.dat

============= FINISH: 18:32:01.14 ===============

I just remembered the details of the crashes, if it helps any. Basically, the screen would flicker, I'd get a glimpse of the infamous Blue Screen O' Death, then.... The comp would then restart with offers of booting modes.

Hope that helps, thanks again.

Mike.

Merged posts. ~ OB

Attached Files

  • Attached File  DDS.txt   17.83KB   1 downloads

Edited by Orange Blossom, 05 August 2009 - 09:20 PM.


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,202 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:47 PM

Posted 15 August 2009 - 06:24 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 IMissMyMac

IMissMyMac
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 15 August 2009 - 06:26 PM

Thank you for your reply Elise, I do apreciate the help. I hope I attached "Attach" correctly.
The computer seems to be pretty normal lately, no crashes, but I still get some lind of keylogger effect when posting on sites like this. Actually, it just happened, the cursor disappeared & started I getting the "ding" sound. But in all fairness, my (the previous tenant's) ISP is slow & erratic, so it may cause lag & other problems. Avast & Defender scans still come out clean.



DDS (Ver_09-07-30.01) - NTFSx86
Run by Mike at 18:50:34.14 on Sat 08/15/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.891 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mike\Downloads\dds(2).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
StartupFolder: c:\users\mike\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\mike\appdata\roaming\mozilla\firefox\profiles\qzei15p9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?sourceid=navclient-ff
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: c:\users\mike\appdata\roaming\mozilla\firefox\profiles\qzei15p9.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\mike\appdata\roaming\mozilla\firefox\profiles\qzei15p9.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-31 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-31 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-3-31 51792]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-25 365952]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-6-26 66080]
S2 gupdate1c9b426ae78fe4b;Google Update Service (gupdate1c9b426ae78fe4b);c:\program files\google\update\GoogleUpdate.exe [2009-4-3 133104]
S4 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]

=============== Created Last 30 ================

2009-08-11 22:00 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-11 22:00 218,624 a------- c:\windows\system32\msv1_0.dll
2009-08-11 22:00 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-11 22:00 270,848 a------- c:\windows\system32\schannel.dll
2009-08-11 22:00 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-08-11 22:00 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-11 22:00 72,704 a------- c:\windows\system32\secur32.dll
2009-08-11 22:00 9,728 a------- c:\windows\system32\lsass.exe
2009-08-11 17:07 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-11 17:07 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-11 17:07 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-11 17:07 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-11 17:07 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-11 17:07 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-11 17:07 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-11 17:06 71,680 a------- c:\windows\system32\atl.dll
2009-08-11 17:06 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-11 17:06 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-11 17:06 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-04 22:06 <DIR> --d----- c:\program files\Trend Micro
2009-08-02 00:54 <DIR> --d----- c:\program files\iPod
2009-08-02 00:54 <DIR> --d----- c:\program files\iTunes
2009-08-02 00:53 <DIR> --d----- c:\program files\Bonjour
2009-07-29 20:33 766 a------- c:\windows\system\CRIcon.ico

==================== Find3M ====================

2009-07-29 20:34 51,200 a------- c:\windows\inf\infpub.dat
2009-07-29 20:34 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-29 20:33 86,016 a------- c:\windows\inf\infstor.dat
2009-07-29 19:52 27,744 a------- c:\programdata\nvModes.dat
2009-07-29 19:52 27,744 a------- c:\progra~2\nvModes.dat
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-06-30 15:36 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryReplaceNew.exe
2009-06-30 15:10 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryNoTravel.exe
2009-06-30 15:03 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryAccessories.exe
2009-06-30 12:44 18,184 a------- c:\windows\help\oem\scripts\HC_BatteryWeakNew.exe
2009-06-26 22:55 66,080 a------- c:\windows\system32\drivers\nvhda32v.sys
2009-06-26 22:54 57,344 a------- c:\windows\system32\nvapo32v.dll
2009-06-26 22:54 19,456 a------- c:\windows\system32\nvhdap32.dll
2009-06-26 18:36 18,184 a------- c:\windows\help\oem\scripts\HC_BatteryUpgrade.exe
2009-06-24 22:07 151,552 a------- c:\windows\system32\nvcohda.dll
2009-06-24 22:07 485,920 a------- c:\windows\system32\NVUNINST.EXE
2009-06-24 22:07 485,920 a------- c:\windows\system32\nvuhda.exe
2009-06-15 10:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 10:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 10:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 10:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-03 02:05 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:51:03.00 ===============

Attached Files



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:47 PM

Posted 18 August 2009 - 08:25 PM

Hello.

Run a rootkit scan for me.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO..
    Posted Image
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries

Re-run DDS and psot back with a new set of logs. Also, give me an update of the current situation of your system.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 IMissMyMac

IMissMyMac
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 18 August 2009 - 10:49 PM

Thanks, Extremeboy. I'll have to run that scan tomorrow, it's getting pretty late. I'll post everything ASAP.

Everything seems OK, except for that keylogger effect. I've had to re-type several letters to finish words while writing this post.

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:47 PM

Posted 19 August 2009 - 10:44 AM

Ok.

Thanks for letting me know.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:47 PM

Posted 23 August 2009 - 08:50 AM

Is everything okay?

Are you still with me?
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 IMissMyMac

IMissMyMac
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 23 August 2009 - 01:45 PM

I'm still with you, things got a little busy. Thanks for sticking with me. I'll be downloading the rootkit now & posting ASAP.

#9 IMissMyMac

IMissMyMac
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 23 August 2009 - 02:17 PM

OK, I have the scans. I'll answer your question first & tell you that everyhting seems OK. I haven't done it much lately, but I haven't even had problems posting in forums. Both my Avast & Defender scans still come out clean.

GMER 1.0.15.15077 [3t0loys8.exe] - http://www.gmer.net
Rootkit scan 2009-08-23 15:05:08
Windows 6.0.6002 Service Pack 2


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----




DDS (Ver_09-07-30.01) - NTFSx86
Run by Mike at 15:05:57.22 on Sun 08/23/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.988 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mike\Downloads\dds(3).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
StartupFolder: c:\users\mike\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\mike\appdata\roaming\mozilla\firefox\profiles\qzei15p9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?sourceid=navclient-ff
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: c:\users\mike\appdata\roaming\mozilla\firefox\profiles\qzei15p9.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\mike\appdata\roaming\mozilla\firefox\profiles\qzei15p9.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-31 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-31 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-3-31 51792]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-25 365952]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-6-26 66080]
S2 gupdate1c9b426ae78fe4b;Google Update Service (gupdate1c9b426ae78fe4b);c:\program files\google\update\GoogleUpdate.exe [2009-4-3 133104]
S4 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]

=============== Created Last 30 ================

2009-08-15 20:27 <DIR> --d----- c:\users\mike\appdata\roaming\FireShot
2009-08-11 22:00 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-11 22:00 218,624 a------- c:\windows\system32\msv1_0.dll
2009-08-11 22:00 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-11 22:00 270,848 a------- c:\windows\system32\schannel.dll
2009-08-11 22:00 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-08-11 22:00 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-11 22:00 72,704 a------- c:\windows\system32\secur32.dll
2009-08-11 22:00 9,728 a------- c:\windows\system32\lsass.exe
2009-08-11 17:07 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-11 17:07 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-11 17:07 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-11 17:07 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-11 17:07 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-11 17:07 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-11 17:07 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-11 17:06 71,680 a------- c:\windows\system32\atl.dll
2009-08-11 17:06 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-11 17:06 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-11 17:06 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-04 22:06 <DIR> --d----- c:\program files\Trend Micro
2009-08-02 00:54 <DIR> --d----- c:\program files\iPod
2009-08-02 00:54 <DIR> --d----- c:\program files\iTunes
2009-08-02 00:53 <DIR> --d----- c:\program files\Bonjour
2009-07-29 20:33 766 a------- c:\windows\system\CRIcon.ico

==================== Find3M ====================

2009-08-21 01:23 27,744 a------- c:\programdata\nvModes.dat
2009-08-21 01:23 27,744 a------- c:\progra~2\nvModes.dat
2009-07-29 20:34 51,200 a------- c:\windows\inf\infpub.dat
2009-07-29 20:34 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-29 20:33 86,016 a------- c:\windows\inf\infstor.dat
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-06-30 15:36 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryReplaceNew.exe
2009-06-30 15:10 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryNoTravel.exe
2009-06-30 15:03 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryAccessories.exe
2009-06-30 12:44 18,184 a------- c:\windows\help\oem\scripts\HC_BatteryWeakNew.exe
2009-06-26 22:55 66,080 a------- c:\windows\system32\drivers\nvhda32v.sys
2009-06-26 22:54 57,344 a------- c:\windows\system32\nvapo32v.dll
2009-06-26 22:54 19,456 a------- c:\windows\system32\nvhdap32.dll
2009-06-26 18:36 18,184 a------- c:\windows\help\oem\scripts\HC_BatteryUpgrade.exe
2009-06-24 22:07 151,552 a------- c:\windows\system32\nvcohda.dll
2009-06-24 22:07 485,920 a------- c:\windows\system32\NVUNINST.EXE
2009-06-24 22:07 485,920 a------- c:\windows\system32\nvuhda.exe
2009-06-15 10:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 10:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 10:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 10:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-03 02:05 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 15:06:23.28 ===============


Thanks again for your time and your help!

Attached Files



#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:47 PM

Posted 23 August 2009 - 02:49 PM

Hello.

Uninstall this older version of Java via Programs and Features:

Java™ 6 Update 7

--

Let's run an online scan and see if there's anything left.

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
You can refer to this animation by neomage if needed.

~EB
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 IMissMyMac

IMissMyMac
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 23 August 2009 - 04:34 PM

OK, done & done. Scan comes out clean!

One problem though, I can't right-click anything. Should I go to Java for another update?

Edited by IMissMyMac, 23 August 2009 - 04:54 PM.


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:47 PM

Posted 24 August 2009 - 11:37 AM

Hello.

Yes, you can update Java again to 6 update 16. Reason, I didn't mention updating Java here is since the current version (6 update 16) doesn't have any security vulnerabilities fixes.

What do you mean, you can't "right-click"? Where can't you right-click and what happens when you do so? Please provide some more details in your next reply.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 IMissMyMac

IMissMyMac
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 24 August 2009 - 08:32 PM

The only thing a right click on the mouse will get me, is sometimes a mini-window will appear teling me what the link is for. That's all. No list of options, I can't copy, paste, open new tabs, etc.

I think I get it now. I tried an older (probably USB 1.0) mouse & everything works fine. I just need to find the install disc for my mouse (even though I'm told the driver is OK) & re-install.

Edited by IMissMyMac, 24 August 2009 - 10:20 PM.


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:47 PM

Posted 25 August 2009 - 10:06 AM

Hello.

Glad you figured it out. :)

We can cleanup on our side now.


Please follow/read the steps below to remove the tools we used, purge a system restore and for some more information. :cool:

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Create a New System Restore Point<- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

System A bit Slow? Try StartupLight

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean! :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help and thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck :thumbup2:


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 IMissMyMac

IMissMyMac
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 26 August 2009 - 07:11 PM

I'll be working some long hours for the next couple days, I'll try to do this before the weekend. Or Saturday at the latest.

I feel kind of silly about the mouse now, but with everything that's been going on with this PC, I just didn't know what to make of it!

I thank you again for all your help in this. I see you're going on vacation on Saturday, I hope you enjoy it. You can close this thread as far as I'm concerned, unless the un-install causes some catastrophic failure. I'll be at the library then, but you'll be hearing from me!! J/K.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users