Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Strange Behaviour While Browsing the Web


  • This topic is locked This topic is locked
2 replies to this topic

#1 Robewat

Robewat

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:22 AM

Posted 16 January 2010 - 01:03 PM

Problems began with being directed to incorrect web pages usually advertising some thing. This happend when selecting a web page from my favouites or even when doing a Google search then trying to open from the results. IE 6 would then not connect to the internet at all. Google Chrome installed and worked but then also started doing some strange things and opening the wrong web sites.

My computer eventually crashed and would not reboot. I was looped straight back to the restart and boot menu regardless which boot option was selected, normal, safe mode, last known, command prompt etc. A repair of XP got me up and running again, but I am not convinced that the problem are all solved as there are numerous red entries in the start up when I do an online automatic Hijackthis analysis. I have not changed or deleted any of the entries from the automatic analysis. I will now paste the DDS repot and attach the other file. I was unable to do a root repeal scan as the programme froze my computer. I left it running for over one hour, tried twice, and got the same result.

Hope you can help.

Raymond


DDS (Ver_09-12-01.01) - NTFSx86
Run by Raymond at 16:23:13.29 on 16/01/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.574 [GMT 0:00]

AV: avast! antivirus 4.8.1368 [VPS 100116-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Raymond\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
uRun: [Magentic] c:\progra~1\magentic\bin\Magentic.exe /c
uRun: [EPSON Stylus DX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticde.exe /fu "c:\windows\temp\E_SDC.tmp" /EF "HKCU"
uRun: [Google Update] "c:\documents and settings\raymond\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\imesha~1\mediabar\datamngr\datamngr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-6 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-6 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-6-27 138680]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-6-27 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-6-27 352920]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]

=============== Created Last 30 ================

2026-03-09 10:32:17 3120 ----a-w- c:\windows\MF_C421.lfa
2026-03-09 10:32:17 3120 ----a-w- c:\windows\MF_C420.lfa
2026-03-09 02:54:09 3120 ----a-w- c:\windows\MF_C425.lfa
2010-01-16 14:37:28 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-16 14:37:28 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-16 14:37:27 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-01-16 14:37:27 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-16 14:37:27 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-01-16 14:37:27 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-01-16 14:37:26 991232 -c----w- c:\windows\system32\dllcache\ieframe.dll.mui
2010-01-16 14:37:26 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-01-16 14:37:25 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-16 14:27:38 0 d-----w- c:\program files\MSXML 6.0
2010-01-16 13:51:12 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-01-16 13:51:12 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-01-16 13:49:45 19569 ----a-w- c:\windows\003451_.tmp
2010-01-16 13:26:55 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-01-16 13:26:55 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-01-16 13:25:23 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-16 13:25:12 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-01-16 13:24:19 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-01-16 13:24:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-01-16 13:23:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-16 13:22:28 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-01-16 13:22:28 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-01-16 13:22:27 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-01-16 13:22:27 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-01-16 13:22:27 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-01-16 13:22:27 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-01-16 13:22:26 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-01-16 13:22:26 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-01-16 13:22:25 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-01-16 13:20:56 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-01-16 13:20:54 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2010-01-16 13:20:52 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-01-16 13:20:41 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-16 13:20:40 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-16 13:20:39 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-16 13:20:32 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-01-16 12:52:53 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-16 12:52:42 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-16 12:52:42 0 d-----w- c:\docume~1\raymond\applic~1\SUPERAntiSpyware.com
2010-01-16 11:44:56 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2010-01-16 11:43:57 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll
2010-01-16 11:42:59 94720 -c--a-w- c:\windows\system32\dllcache\certmap.ocx
2010-01-16 11:24:05 22339 ----a-r- c:\windows\SET94.tmp
2010-01-16 11:24:05 10559 ----a-r- c:\windows\SET95.tmp
2010-01-16 11:24:02 13753 ----a-r- c:\windows\SET51.tmp
2010-01-16 11:24:00 1086058 ----a-r- c:\windows\SET45.tmp
2010-01-16 11:24:00 106147 ----a-r- c:\windows\SET42.tmp
2010-01-16 11:15:52 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-01-16 11:15:47 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-01-16 11:15:47 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-01-16 11:15:47 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-01-16 11:15:47 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-01-16 11:15:47 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-01-16 11:15:25 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-01-16 11:12:10 55296 ----a-w- c:\windows\system32\SET179.tmp
2010-01-16 11:12:10 55296 ----a-w- c:\windows\system32\COM17A.tmp
2010-01-16 11:12:10 23552 ----a-w- c:\windows\system32\SET17C.tmp
2010-01-16 11:12:10 23552 ----a-w- c:\windows\system32\COM17D.tmp
2010-01-16 11:05:16 0 d-----w- c:\windows\NV796268.TMP
2010-01-16 11:02:07 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-01-16 11:02:07 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-01-16 11:02:07 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-01-16 11:02:07 13312 ----a-w- c:\windows\system32\irclass.dll
2010-01-16 10:53:32 0 d-----w- c:\windows\dell
2009-12-29 10:23:15 0 dc-h--w- c:\windows\ie8
2009-12-28 13:47:29 0 d-----w- c:\docume~1\raymond\applic~1\Malwarebytes
2009-12-28 13:47:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-28 13:47:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 13:47:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 13:47:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-20 09:46:31 0 d-----w- c:\docume~1\raymond\applic~1\imeshmediabartb
2009-12-20 09:46:00 483328 ----a-w- c:\windows\system32\actskn45.ocx
2009-12-20 09:45:56 0 d-----w- c:\program files\iMesh Applications
2009-12-17 19:35:21 0 d-sh--w- c:\documents and settings\raymond\IECompatCache

==================== Find3M ====================

2010-01-16 12:28:52 1770 ----a-w- c:\docume~1\raymond\applic~1\wklnhst.dat
2010-01-16 11:34:09 34380 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-04 16:16:42 4527419 ----a-w- c:\docume~1\raymond\applic~1\Black Eyed Peas - Meet Me Halfway.zip
2009-11-04 15:30:14 16384 ----a-w- c:\docume~1\raymond\applic~1\blank.exe
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ------w- c:\windows\system32\corpol.dll
2008-06-28 14:56:18 0 ----a-w- c:\program files\temp01
2007-06-12 20:13:58 251 ----a-w- c:\program files\wt3d.ini
2005-06-01 15:45:22 6816 ----a-w- c:\program files\VWSNAP.exe

============= FINISH: 16:23:45.60 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:22 PM

Posted 22 January 2010 - 08:26 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.


We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:22 PM

Posted 30 January 2010 - 02:24 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. smile.gif

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users