
Help! I am infected and it keeps adding images to my computer!


  • This topic is locked
46 replies to this topic

#1 Mawquis

  • Members
  • 50 posts

Posted 29 October 2009 - 10:27 AM

Hello and thanks in advance for all the help and assistance that you provide. I understand that you all are very busy. I hope you can get around to me as soon as you can!

I have to be infected with something on my computer... some kind of malware or spyware. First off, I can't access my Google search. Every time I punch something into my search tool bar, I get an Unknown File Type Security Warning asking if I "want to save the file, or find a program online to open it?" If I click 'Find', another window opens up giving me information about the MIME type .ghtml, and saying that Windows doesn't recognize the file type. I've never had a problem searching Google before.

Then, in searching in my pictures, I found in my 'Recently Changed' folder many, many JPEG images that are not mine but that are continually just loading up into my folder! I don't know exactly what is going on but I know I am definitely infected! I have Trend Micro. I tried it and got nothing. I scanned with Ad-Aware and it showed up nothing. What's wrong? Here's my HijackThis! Thanks

I have Windows Vista.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:21 AM, on 10/29/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files (x86)\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0205.2\mswinext.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\hp\kbd\kbd.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0205.2\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resou...NPUplden-us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)

--
End of file - 13128 bytes
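A triage helper for the HijackThis log format posted above, added here as an example (it is not part of this thread, of HijackThis, or of Trend Micro's tooling). It assumes the HJT 2.0.2 line layout shown in the log; the sample lines are copied from that log, except for one O4 line that is constructed and labelled as such.

```python
"""Triage helper for HijackThis 2.0.2 log entries (added example, not part of
this thread or of HijackThis). It parses the 'Rn - ' / 'On - ' lines, notes
whether HJT reported the backing file gone, and sorts entries into the buckets
a removal helper reads first. Sample lines are copied from the log posted
above, plus one O4 line that is constructed and labelled as such."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_MARKERS = ("(no file)", "(file missing)")
# R1/R3 = IE search pages and URLSearchHooks, O2 = BHOs, O3 = toolbars: where a
# search redirect like the one described in this thread usually lives.
BROWSER_SECTIONS = {"R1", "R3", "O2", "O3"}
# A Run-key autostart launched from a user profile or temp folder is unusual
# for legitimate software and deserves a second look.
SUSPECT_AUTOSTART_DIRS = ("\\users\\", "\\appdata\\", "\\temp\\")
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKCU\..\Run: [constructed-sample] C:\Users\Example\AppData\Local\Temp\sample.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
"""


@dataclass
class HjtEntry:
    section: str            # e.g. "O2", "O23"
    body: str               # everything after "On - "
    clsid: Optional[str]    # first {GUID} on the line, if any
    command: Optional[str]  # path, command line or URL the entry points to
    file_missing: bool      # HJT reported "(no file)" / "(file missing)"


def _extract_command(section: str, body: str) -> Optional[str]:
    """Pull the path, command line or URL out of an entry body."""
    if section == "O4":                                # ...Run: [name] command
        m = re.search(r"\] (.*)$", body)
        cmd = m.group(1) if m else ""
    elif section.startswith("R") and " = " in body:    # ...,Key = value
        cmd = body.split(" = ", 1)[1]
    else:                                              # label - {clsid} - path
        parts = body.split(" - ")
        cmd = parts[-1] if len(parts) > 1 else ""
    for marker in MISSING_MARKERS:
        cmd = cmd.replace(marker, "")
    return cmd.strip() or None


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HJT entry lines; header, process list and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(HjtEntry(sec, body, clsid.group(0) if clsid else None,
                                _extract_command(sec, body),
                                any(mk in body for mk in MISSING_MARKERS)))
    return entries


def is_wow64_artifact(entry: HjtEntry) -> bool:
    """On 64-bit Windows the 32-bit HJT build sees the WOW64 view of System32,
    so native services (lsass.exe, spoolsv.exe, ...) show as '(file missing)'
    although they exist. Those entries are low-signal noise, not damage."""
    return entry.file_missing and bool(entry.command) and bool(SYSTEM32_RE.match(entry.command))


def triage(entries: List[HjtEntry]) -> Dict[str, List[HjtEntry]]:
    """Sort entries into the buckets worth reading first."""
    report: Dict[str, List[HjtEntry]] = {
        "orphaned": [],          # registered but file gone: leftovers or a removed loader
        "wow64_low_signal": [],  # "(file missing)" explained by WOW64 redirection
        "browser_addons": [],    # search hooks, BHOs and toolbars to review one by one
        "suspect_autostart": [], # O4 entries launching from a profile or temp folder
    }
    for e in entries:
        if e.file_missing:
            report["wow64_low_signal" if is_wow64_artifact(e) else "orphaned"].append(e)
        if e.section in BROWSER_SECTIONS:
            report["browser_addons"].append(e)
        if e.section == "O4" and e.command and any(
                d in e.command.lower() for d in SUSPECT_AUTOSTART_DIRS):
            report["suspect_autostart"].append(e)
    return report


def demo() -> Dict[str, int]:
    """Bucket sizes for the sample: orphaned 2, wow64 1, browser 4, autostart 1."""
    return {k: len(v) for k, v in triage(parse_hjt(SAMPLE_LOG)).items()}
```

Run against the full log above, the "(file missing)" lines for lsass.exe, spoolsv.exe and the other System32 services land in the low-signal bucket, leaving the nameless O2 BHO and the Google Updater service as the orphans actually worth a look.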

#2 myrti

  Sillyberry

  • Malware Study Hall Admin
  • 33,784 posts

Posted 05 November 2009 - 05:42 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 Mawquis

  • Topic Starter
  • Members
  • 50 posts

Posted 06 November 2009 - 12:11 AM

Hi, and thanks for replying.

I tried to click on the link that says "This is THE Mirror" and my computer identified the site as dangerous and showed this message:

"This website has been reported to Microsoft for containing threats to your computer that might reveal personal or financial information."

Is there a way to avoid proceeding to this site? I'm kinda worried about going through the warnings especially when my computer is warning me of the site like this.

So this is exactly what's going on:
I can't access my Google search. Every time I punch something into my search tool bar, I get an Unknown File Type Security Warning asking if I "want to save the file, or find a program online to open it?" If I click 'Find', another window opens up giving me information about the MIME type .ghtml, and saying that Windows doesn't recognize the file type. I've never had a problem searching Google before.

Then, in searching in my pictures, I found in my 'Recently Changed' folder many, many JPEG images that are not mine but that are continually just loading up into my folder! I don't know exactly what is going on but I know I am definitely infected! I have Trend Micro. I tried it and got nothing. I scanned with Ad-Aware and it showed up nothing. I've tried system restore to a few days before I noticed the problems and that didn't work, and I tried to use my Internet eraser to clean my registry.

Please help. I'm worried I might be infiltrated.

#4 Mawquis

  • Topic Starter
  • Members
  • 50 posts

Posted 06 November 2009 - 12:29 AM

I Found something else..

I just pulled up my history and in the history there is a folder for COMPUTER, and when I clicked on it, it brought up something called SAVEDUSERS, but I don't know what it is! I've never seen this before and I'm worried about what that could mean. How much trouble is my computer in??

#5 myrti

  Sillyberry

  • Malware Study Hall Admin
  • 33,784 posts

Posted 06 November 2009 - 04:57 AM

Hi,

geekstogo is a well respected forum providing help just like bleepingcomputer. One of its users has provided a tool to scan your PC for startup entries. The tool and the site are perfectly safe; however, some antivirus programs are detecting them as evil.

If you do not want to run that program, then please try to run DDS instead:
Please run a scan with DDS:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
    DDS.scr
    DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.


Information on A/V control HERE

regards _temp_



#6 Mawquis

  • Topic Starter
  • Members
  • 50 posts

Posted 06 November 2009 - 07:50 AM

Hi and thanks for your quick response. I'm going to try to be on hand with this all day so I can respond quickly and we can get this thing done.

I decided to run the DDS instead if that's ok.


DDS (Ver_09-10-26.01) - NTFSX64
Run by PHAROAH at 4:44:59.59 on Fri 11/06/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3964.1933 [GMT -8:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RAVCpl64.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files (x86)\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0205.2\mswinext.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\hp\kbd\kbd.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\PHAROAH\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D3OM5VCM\dds[1].pif
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.att.net/
uDefault_Page_URL = hxxp://www.msn.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mLocal Page = c:\windows\syswow64\blank.htm
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files (x86)\aim toolbar\aimtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~2\yahoo!\companion\installs\cpn1\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files (x86)\aim toolbar\aimtb.dll
mWinlogon: Userinit=userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~2\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files (x86)\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files (x86)\java\jre1.6.0_01\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files (x86)\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files (x86)\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files (x86)\aim toolbar\aimtb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files (x86)\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files (x86)\msn toolbar\platform\4.0.0205.2\npwinext.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~2\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~2\yahoo!\companion\installs\cpn1\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files (x86)\google\google toolbar\GoogleToolbar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files (x86)\aim toolbar\aimtb.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files (x86)\msn toolbar\platform\4.0.0205.2\npwinext.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [HPAdvisor] c:\program files (x86)\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
uRun: [Messenger (Yahoo!)] "c:\program files (x86)\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre1.6.0_01\bin\jusched.exe"
mRun: [<NO NAME>]
mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files (x86)\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [MSN Toolbar] "c:\program files (x86)\msn toolbar\platform\4.0.0205.2\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files (x86)\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files (x86)\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Toolbar Search - c:\programdata\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files (x86)\java\jre1.6.0_01\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files (x86)\aim toolbar\aimtb.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files (x86)\yahoo!\common\Yinsthelper20073151.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-us.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB-X64: AIM Toolbar: {61539ECD-CC67-4437-A03C-9AACCBD14326} -
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [RtHDVCpl] RAVCpl64.exe
mRun-x64: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun-x64: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun-x64: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun-x64: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-29 69152]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2008-7-30 199696]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
R2 SeaPort;SeaPort;c:\program files (x86)\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-8-7 242048]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2008-9-11 593864]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-7-15 42000]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-9-11 900360]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2008-7-30 305680]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files (x86)\viewpoint\common\ViewpointService.exe [2009-2-1 24652]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 2297216]
R3 CAXHWBS3;CAXHWBS3;c:\windows\system32\drivers\CAXHWBS3.sys [2008-5-6 286208]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-9-17 89920]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]

============== File Associations ===============

JSEFile=c:\windows\syswow64\WScript.exe "%1" %*

=============== Created Last 30 ================

2009-11-04 13:28:28 5939712 ----a-w- c:\windows\syswow64\mshtml.dll
2009-11-04 13:28:27 1638912 ----a-w- c:\windows\syswow64\mshtml.tlb
2009-11-04 13:28:27 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-03 06:47:28 0 d-----w- c:\program files\iTunes
2009-11-03 06:47:28 0 d-----w- c:\program files (x86)\iTunes
2009-10-29 14:27:04 0 d-----w- c:\program files (x86)\Trend Micro
2009-10-29 14:20:08 92672 ----a-w- c:\windows\syswow64\UIAnimation.dll
2009-10-29 14:20:08 103424 ----a-w- c:\windows\system32\UIAnimation.dll
2009-10-29 14:20:00 3815424 ----a-w- c:\windows\system32\UIRibbon.dll
2009-10-29 14:20:00 1164800 ----a-w- c:\windows\syswow64\UIRibbonRes.dll
2009-10-29 14:20:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-10-29 14:19:59 3023360 ----a-w- c:\windows\syswow64\UIRibbon.dll
2009-10-29 08:50:55 69152 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-29 08:50:51 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-29 08:39:46 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-29 08:39:34 0 d-----w- c:\programdata\Lavasoft
2009-10-29 08:39:34 0 d-----w- c:\program files (x86)\Lavasoft
2009-10-29 02:34:04 10626560 ----a-w- c:\windows\syswow64\wmp.dll
2009-10-29 02:34:00 372736 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-29 02:34:00 310784 ----a-w- c:\windows\syswow64\unregmp2.exe
2009-10-29 02:33:53 8147456 ----a-w- c:\windows\syswow64\wmploc.DLL
2009-10-29 02:33:52 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-29 02:16:38 65536 --sha-w- c:\users\pharoah\ntuser.dat{00c098c4-c410-11de-ba71-001fe203fcc2}.TM.blf
2009-10-29 02:16:38 524288 --sha-w- c:\users\pharoah\ntuser.dat{00c098c4-c410-11de-ba71-001fe203fcc2}.TMContainer00000000000000000002.regtrans-ms
2009-10-29 02:16:38 524288 --sha-w- c:\users\pharoah\ntuser.dat{00c098c4-c410-11de-ba71-001fe203fcc2}.TMContainer00000000000000000001.regtrans-ms
2009-10-15 23:56:03 4698168 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-15 23:55:45 818688 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-15 23:55:45 604672 ----a-w- c:\windows\syswow64\WMSPDMOD.DLL
2009-10-15 23:55:42 269312 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-15 23:55:42 218624 ----a-w- c:\windows\syswow64\msv1_0.dll
2009-10-15 23:55:38 174592 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-15 23:55:35 82944 ----a-w- c:\windows\system32\msasn1.dll
2009-10-15 23:55:35 60928 ----a-w- c:\windows\syswow64\msasn1.dll
2009-10-12 15:15:43 0 d-----w- c:\windows\syswow64\vi-VN
2009-10-12 15:15:43 0 d-----w- c:\windows\syswow64\eu-ES
2009-10-12 15:15:43 0 d-----w- c:\windows\syswow64\ca-ES
2009-10-12 15:15:43 0 d-----w- c:\windows\system32\eu-ES
2009-10-12 15:15:43 0 d-----w- c:\windows\system32\ca-ES
2009-10-12 15:15:42 0 d-----w- c:\windows\system32\vi-VN
2009-10-12 14:11:50 0 d-----w- c:\windows\system32\EventProviders
2009-10-08 18:00:18 0 d-----w- c:\users\pharoah\Tracing
2009-10-08 17:59:02 0 d-----w- c:\program files (x86)\Windows Live SkyDrive
2009-10-08 17:58:29 0 d-----w- c:\windows\PCHEALTH
2009-10-08 17:52:19 0 d-----w- c:\program files (x86)\common files\Windows Live

==================== Find3M ====================

2009-10-12 15:21:55 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-12 15:21:55 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-12 15:21:55 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-12 15:15:38 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-12 15:06:17 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-10-01 17:29:14 238960 ----a-w- c:\windows\system32\MpSigStub.exe
2009-08-29 02:42:33 32256 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-29 00:50:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\syswow64\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\syswow64\Apphlpdm.dll
2009-08-27 05:52:18 1147904 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:47:24 132096 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:47:23 77312 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\syswow64\wininet.dll
2009-08-27 05:22:15 1208832 ----a-w- c:\windows\syswow64\urlmon.dll
2009-08-27 05:20:52 206848 ----a-w- c:\windows\syswow64\occache.dll
2009-08-27 05:18:37 594432 ----a-w- c:\windows\syswow64\msfeeds.dll
2009-08-27 05:18:37 55296 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2009-08-27 05:18:00 25600 ----a-w- c:\windows\syswow64\jsproxy.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\syswow64\iesetup.dll
2009-08-27 05:17:43 1985536 ----a-w- c:\windows\syswow64\iertutil.dll
2009-08-27 05:17:43 164352 ----a-w- c:\windows\syswow64\ieui.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\syswow64\iesysprep.dll
2009-08-27 05:17:42 55808 ----a-w- c:\windows\syswow64\iernonce.dll
2009-08-27 05:17:42 184320 ----a-w- c:\windows\syswow64\iepeers.dll
2009-08-27 05:17:41 11069440 ----a-w- c:\windows\syswow64\ieframe.dll
2009-08-27 05:17:35 387584 ----a-w- c:\windows\syswow64\iedkcs32.dll
2009-08-27 04:10:33 162816 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 03:42:29 133632 ----a-w- c:\windows\syswow64\ieUnatt.exe
2009-08-27 03:42:23 173056 ----a-w- c:\windows\syswow64\ie4uinit.exe
2009-08-27 03:41:45 13312 ----a-w- c:\windows\syswow64\msfeedssync.exe
2009-08-19 21:58:08 928 ----a-w- c:\users\pharoah\appdata\roaming\wklnhst.dat
2009-08-14 16:04:45 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 16:04:45 143360 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 15:53:34 17920 ----a-w- c:\windows\syswow64\netevent.dll
2009-08-14 14:10:25 10752 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:10:22 12800 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:10:21 32256 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:10:21 21504 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:10:20 23040 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:10:19 11264 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:10:19 10240 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49:20 9728 ----a-w- c:\windows\syswow64\TCPSVCS.EXE
2009-08-14 13:49:18 17920 ----a-w- c:\windows\syswow64\ROUTE.EXE
2009-08-14 13:49:18 11264 ----a-w- c:\windows\syswow64\MRINFO.EXE
2009-08-14 13:49:15 27136 ----a-w- c:\windows\syswow64\NETSTAT.EXE
2009-08-14 13:49:14 8704 ----a-w- c:\windows\syswow64\HOSTNAME.EXE
2009-08-14 13:49:14 19968 ----a-w- c:\windows\syswow64\ARP.EXE
2009-08-14 13:49:13 10240 ----a-w- c:\windows\syswow64\finger.exe
2009-08-14 13:48:02 105984 ----a-w- c:\windows\syswow64\netiohlp.dll
2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-08-03 13:59:32 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-08-03 13:59:32 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-08-03 13:59:32 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-08-03 13:59:32 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 4:46:15.54 ===============

Thanks,

Maarq

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 06 November 2009 - 08:15 AM

Hi,

the ghtml-warning might be a software issue, I will look into it. Do you have Internet Explorer only, or do you have alternative browsers such as Firefox, Opera, Safari installed? Do you get the same warning in those browsers?

Could you give me an example of the names of the photos that are created? Are the pictures you see familiar, or are they unknown to you? Do they all get created in the same folder?
Have you noticed a decrease/increase in available harddisk space?

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#8 Mawquis

Mawquis
  • Topic Starter

  • Members
  • 50 posts

Posted 06 November 2009 - 08:54 AM

I didn't know I had safari! Ok, my google searches on Safari looked fine. And I just tried Internet Explorer now and that's working too!

As far as the JPEGs are concerned, I'm only finding them in the "Recently Changed" folder in My Pictures. The types of pictures differ. Many are of celebrities or automobiles, and others look like stills from news networks and news reports. They're uploaded just over and over again.
Here's an example:

5cf5e75e-2234-46da-ab61-c411d0d9f37f Modified 11/5/2009 11:47AM JPEG image Size 10KB

They vary in size but they all modify at the same time and seem to update themselves whenever I turn on my computer and sign on, give or take. Hundreds of them at a time.

In my recent documents folder I'm finding tons of XML documents (whatever those are). The names vary from top_data, oil_date, nfl_data, art_data, vid_data and I guess these are what are loading these images into my recently changed folder.

It's very strange. Thanks.

Marq

#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 06 November 2009 - 09:31 AM

Hi,

are you on a network? Do other people have permission to change things in that folder?

The recently changed folder usually refers to searches recently done on the PC and lists the files that were found while this was done... I imagine you have tried deleting those files?

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook and copy/paste the following into the box:
    :dir
    %userprofile%\Documents\my pictures\recently changed
  • Hit the Look button. Let it finish the scan.
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply.
    The log will list all that is present in the recently changed folder; if the log is too long for posting, please attach it to your reply.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#10 Mawquis

Mawquis
  • Topic Starter

  • Members
  • 50 posts

Posted 06 November 2009 - 09:41 AM

I'm not on any kind of network. Only I am to have any kind of access to my computer.

This is what systemlook produced. Very puzzling.


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 06:38 on 06/11/2009 by PHAROAH (Administrator - Elevation successful)

========== dir ==========

C:\Users\PHAROAH\Documents\my pictures\recently changed - Unable to find folder.


That can't be good.
Marq

#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 06 November 2009 - 10:31 AM

Hi,

it doesn't have to be bad. The folder name displayed on Vista is not necessarily the same as the actual folder name.

Please try the following script for Systemlook:
:dir
%userprofile%

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#12 Mawquis

Mawquis
  • Topic Starter

  • Members
  • 50 posts

Posted 06 November 2009 - 10:35 AM

Ok great. That produced more results. *Sigh of Relief* Here's what I have on systemlook.
Thanks again

Marq

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 07:32 on 06/11/2009 by PHAROAH (Administrator - Elevation successful)

========== dir ==========

C:\Users\PHAROAH - Parameters: "(none)"

---Files---
ntuser.dat --ahs- 2097152 bytes [14:43 04/09/2008] [15:32 06/11/2009]
ntuser.dat.LOG1 --ah-- 262144 bytes [14:43 04/09/2008] [15:32 06/11/2009]
ntuser.dat.LOG2 --ah-- 0 bytes [14:43 04/09/2008] [14:43 04/09/2008]
ntuser.dat_previous --ahs- 1835008 bytes [14:43 04/09/2008] [02:15 29/10/2009]
ntuser.dat{00c098c4-c410-11de-ba71-001fe203fcc2}.TM.blf --ahs- 65536 bytes [02:16 29/10/2009] [07:28 06/11/2009]
ntuser.dat{00c098c4-c410-11de-ba71-001fe203fcc2}.TMContainer00000000000000000001.regtrans-ms --ahs- 524288 bytes [02:16 29/10/2009] [07:28 06/11/2009]
ntuser.dat{00c098c4-c410-11de-ba71-001fe203fcc2}.TMContainer00000000000000000002.regtrans-ms --ahs- 524288 bytes [02:16 29/10/2009] [02:43 29/10/2009]
ntuser.dat{07697fe7-ab2a-11de-a567-001fe203fcc2}.TM.blf --ahs- 65536 bytes [05:55 27/09/2009] [02:15 29/10/2009]
ntuser.dat{07697fe7-ab2a-11de-a567-001fe203fcc2}.TMContainer00000000000000000001.regtrans-ms --ahs- 524288 bytes [05:55 27/09/2009] [02:15 29/10/2009]
ntuser.dat{07697fe7-ab2a-11de-a567-001fe203fcc2}.TMContainer00000000000000000002.regtrans-ms --ahs- 524288 bytes [05:55 27/09/2009] [18:10 27/09/2009]
ntuser.dat{1d92c5b4-9fd4-11dd-b252-001fe203fcc2}.TM.blf --ahs- 65536 bytes [00:55 22/10/2008] [19:59 03/11/2008]
ntuser.dat{1d92c5b4-9fd4-11dd-b252-001fe203fcc2}.TMContainer00000000000000000001.regtrans-ms --ahs- 524288 bytes [00:55 22/10/2008] [19:59 03/11/2008]
ntuser.dat{1d92c5b4-9fd4-11dd-b252-001fe203fcc2}.TMContainer00000000000000000002.regtrans-ms --ahs- 524288 bytes [00:55 22/10/2008] [01:08 22/10/2008]
ntuser.dat{46aaef04-a9ef-11dd-af59-001fe203fcc2}.TM.blf --ahs- 65536 bytes [21:35 03/11/2008] [01:23 22/12/2008]
ntuser.dat{46aaef04-a9ef-11dd-af59-001fe203fcc2}.TMContainer00000000000000000001.regtrans-ms --ahs- 524288 bytes [21:35 03/11/2008] [01:23 22/12/2008]
ntuser.dat{46aaef04-a9ef-11dd-af59-001fe203fcc2}.TMContainer00000000000000000002.regtrans-ms --ahs- 524288 bytes [21:35 03/11/2008] [22:14 03/11/2008]
ntuser.dat{9e155111-cfc9-11dd-bbe8-001fe203fcc2}.TM.blf --ahs- 65536 bytes [01:41 22/12/2008] [20:55 26/09/2009]
ntuser.dat{9e155111-cfc9-11dd-bbe8-001fe203fcc2}.TMContainer00000000000000000001.regtrans-ms --ahs- 524288 bytes [01:41 22/12/2008] [20:55 26/09/2009]
ntuser.dat{9e155111-cfc9-11dd-bbe8-001fe203fcc2}.TMContainer00000000000000000002.regtrans-ms --ahs- 524288 bytes [01:41 22/12/2008] [01:58 22/12/2008]
NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TM.blf --ahs- 65536 bytes [14:43 04/09/2008] [00:30 22/10/2008]
NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TMContainer00000000000000000001.regtrans-ms --ahs- 524288 bytes [14:43 04/09/2008] [00:30 22/10/2008]
NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TMContainer00000000000000000002.regtrans-ms --ahs- 524288 bytes [14:43 04/09/2008] [15:12 04/09/2008]
ntuser.ini ---hs- 20 bytes [14:43 04/09/2008] [14:43 04/09/2008]

---Folders---
AppData d--h-- [14:43 04/09/2008]
Application Data d--hs- [14:43 04/09/2008]
Contacts dr---- [15:02 04/09/2008]
Cookies d--hs- [14:43 04/09/2008]
Desktop dr---- [14:43 04/09/2008]
Documents dr---- [14:43 04/09/2008]
Downloads dr---- [14:43 04/09/2008]
Favorites dr---- [14:43 04/09/2008]
Links dr---- [14:43 04/09/2008]
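The SystemLook ':dir' listings in this thread (the directive myrti asks for in post #9, the output format Marq pastes above) are easy to triage by machine once the line format is known: each file line reads `name attrs size bytes [hh:mm dd/mm/yyyy created] [hh:mm dd/mm/yyyy modified]`, each folder line `name attrs [created]`. The following is an added example written for this thread, not code from SystemLook or from either poster. It parses that format, groups files by modification minute (the poster's "they all modify at the same time" is exactly the pattern a scheduled or log-on writer leaves, which files saved by hand do not) and flags GUID-style file names like the one quoted in post #8, the naming style of programmatic caches. The sample log, its user name and every file in it are constructed for the example; the regular expressions and the `triage` function are this example's own, not part of SystemLook.

```python
"""Triage a SystemLook ':dir' log: find bursts of files written in the same minute."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the SystemLook ':dir' output format. The user name,
# folder, file names, sizes and timestamps are made up for this example.
SAMPLE_LOG = """\
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 07:32 on 06/11/2009 by USER (Administrator - Elevation successful)

========== dir ==========

C:\\Users\\USER\\Pictures - Parameters: "(none)"

---Files---
holiday photo.jpg ----a- 2048000 bytes [10:12 02/03/2009] [10:12 02/03/2009]
5cf5e75e-2234-46da-ab61-c411d0d9f37f.jpg ----a- 10240 bytes [11:47 05/11/2009] [11:47 05/11/2009]
9a1b2c3d-1111-4aaa-8bbb-ccccddddeeee.jpg ----a- 15360 bytes [11:47 05/11/2009] [11:47 05/11/2009]
top_data.xml ----a- 812 bytes [11:47 05/11/2009] [11:47 05/11/2009]
nfl_data.xml ----a- 944 bytes [11:47 05/11/2009] [11:47 05/11/2009]
desktop.ini --ahs- 174 bytes [03:21 21/01/2008] [03:21 21/01/2008]

---Folders---
Saved Pictures dr---- [14:43 04/09/2008]

-=End Of File=-
"""

TIMESTAMP_FMT = "%H:%M %d/%m/%Y"  # SystemLook prints day/month/year
_TS = r"\d{2}:\d{2} \d{2}/\d{2}/\d{4}"
# File line: name, six-character attribute field, size, created, modified.
FILE_RE = re.compile(
    rf"^(?P<name>.+?) (?P<attrs>[-a-z]{{6}}) (?P<size>\d+) bytes "
    rf"\[(?P<created>{_TS})\] \[(?P<modified>{_TS})\]$"
)
# Folder line: name, attribute field starting with 'd', created only.
FOLDER_RE = re.compile(rf"^(?P<name>.+?) (?P<attrs>d[-a-z]{{5}}) \[(?P<created>{_TS})\]$")
# A GUID (8-4-4-4-12 hex) with an optional extension, e.g. the name quoted in post #8.
GUID_NAME_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(\.[A-Za-z0-9]+)?$", re.I
)


@dataclass
class Entry:
    name: str
    attrs: str
    size: Optional[int]        # None for folders
    created: datetime
    modified: Optional[datetime]  # None for folders (SystemLook prints one stamp)
    is_dir: bool


def parse_systemlook_dir(text: str) -> List[Entry]:
    """Return every file and folder entry found in a ':dir' log; other lines are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            entries.append(Entry(m["name"], m["attrs"], int(m["size"]),
                                 datetime.strptime(m["created"], TIMESTAMP_FMT),
                                 datetime.strptime(m["modified"], TIMESTAMP_FMT), False))
            continue
        m = FOLDER_RE.match(line)
        if m:
            entries.append(Entry(m["name"], m["attrs"], None,
                                 datetime.strptime(m["created"], TIMESTAMP_FMT), None, True))
    return entries


def find_bursts(entries: List[Entry], min_count: int = 3) -> List[Tuple[datetime, List[str]]]:
    """Group files by modification minute and return the minutes holding at
    least min_count files, largest group first. Many files sharing one minute
    points at an automated writer rather than a person saving pictures."""
    by_minute: Dict[datetime, List[str]] = defaultdict(list)
    for e in entries:
        if not e.is_dir and e.modified is not None:
            by_minute[e.modified].append(e.name)
    bursts = [(ts, sorted(names)) for ts, names in by_minute.items() if len(names) >= min_count]
    bursts.sort(key=lambda b: (-len(b[1]), b[0]))
    return bursts


def looks_like_guid_name(name: str) -> bool:
    """True for names such as 5cf5e75e-2234-46da-ab61-c411d0d9f37f.jpg."""
    return bool(GUID_NAME_RE.match(name))


def triage(text: str, min_count: int = 3) -> dict:
    """Parse one ':dir' log and summarise what deserves a closer look."""
    entries = parse_systemlook_dir(text)
    return {
        "files": sum(1 for e in entries if not e.is_dir),
        "folders": sum(1 for e in entries if e.is_dir),
        "bursts": find_bursts(entries, min_count),
        "guid_named": sorted(e.name for e in entries
                             if not e.is_dir and looks_like_guid_name(e.name)),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['files']} files, {report['folders']} folders")
    for ts, names in report["bursts"]:
        print(f"{len(names)} files modified at {ts:%H:%M %d/%m/%Y}: {', '.join(names)}")
    print("GUID-named files:", ", ".join(report["guid_named"]) or "none")
```

On the sample the only burst is the four files stamped 11:47 05/11/2009, and the two GUID-named JPEGs fall in it; the holiday photo and desktop.ini, saved at other times, are left alone. A burst of that kind is a lead, not a verdict: the next step a helper would take is to look at which process owns the folder or the XML feed files that land beside the images, as myrti does in the following posts, rather than to delete anything on the strength of a timestamp.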

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 06 November 2009 - 11:08 AM

Hi,

ok, let's list the contents of Documents... this will probably list a lot of personal files. If there is anything you don't want to see published please edit it out. I'm only interested in the contents of that recently changed folder.

Please run the following script:

:dir
%userprofile%\Documents /w*recently*

%userprofile%\Documents /w*changed*

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#14 Mawquis

Mawquis
  • Topic Starter

  • Members
  • 50 posts

Posted 06 November 2009 - 11:12 AM

Hey, I ran that scan and this is all I came up with... Is there another name by which the files can be pulled up?
Thanks
Marq





SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 08:10 on 06/11/2009 by PHAROAH (Administrator - Elevation successful)

========== dir ==========

C:\Users\PHAROAH\Documents - Parameters: "/w*recently*"

C:\Users\PHAROAH\Documents - Parameters: "/w*changed*"

-=End Of File=-

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 06 November 2009 - 11:23 AM

Hi,

this means that there is no folder containing recently or changed in your documents folder.

There is a my pictures folder in documents, yes?
If so, I would like to see the content of it:
:dir
%userprofile%\Documents\my pictures
regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
