Possible Rootkit or Similar


This topic is locked
12 replies to this topic

#1 CluelessNI

CluelessNI

  • Members
  • 33 posts

Posted 05 February 2010 - 12:36 PM

Hi,

I recently had an incident of someone fraudulently using my PayPal account. One possibility is that they obtained my password by hacking my PC. I have a firewall on my router and also use the Windows XP firewall. I also have AVG and SuperAntiSpyware (free editions). I have swept my PC and AVG returned no threats, whilst SuperAntiSpyware found 32 threats. The bottom line is I am concerned about the possibility of a rootkit on my PC. I have attached a HJT log, so if anyone is willing to look at it to identify possible threats I would be grateful.

With thanks.................

Attached Files


Edited by CluelessNI, 05 February 2010 - 12:37 PM.



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,472 posts
  • Gender:Male
  • Location:USA

Posted 09 February 2010 - 10:59 AM

Please follow the steps here and post the requested logs. Once I receive them, I will help you further:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

#3 CluelessNI

CluelessNI
  • Topic Starter

  • Members
  • 33 posts

Posted 10 February 2010 - 09:05 AM

Following an attempt to use my PayPal account fraudulently, it appeared that the hacker may have obtained my password through keystrokes on my PC (according to PayPal). Therefore I would appreciate it if someone could check the following for a possible rootkit or similar. With thanks...........

DDS.txt:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Ian at 20:14:12.46 on 09/02/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.958.580 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\AVG\avgwdsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
E:\AVG\avgrsx.exe
E:\AVG\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
E:\quicktime\qttask.exe
E:\AVG\avgtray.exe
E:\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Super Anti Spyware\SUPERAntiSpyware.exe
E:\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - e:\avg\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - e:\avg\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - e:\avg\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - e:\avg\toolbar\IEToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] e:\super anti spyware\SUPERAntiSpyware.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [QuickTime Task] "e:\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] e:\avg\avgtray.exe
mRun: [HP Software Update] "e:\hp software update\HPWuSchd2.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - e:\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - e:\office\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\office\office11\REFIEBAR.DLL
Trusted Zone: org.uk\charityra
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://ebanking.northernbank.co.uk/html/activex/e-Safekey/NB/e-Safekey.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - e:\avg\avgpp.dll
Notify: !SASWinLogon - e:\super anti spyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\super anti spyware\SASSEH.DLL
Hosts: 192.168.1.30 HP0018715D5F05

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-26 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-26 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-26 108552]
R1 SASDIFSV;SASDIFSV;e:\super anti spyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;e:\super anti spyware\SASKUTIL.SYS [2009-9-15 74480]
R2 avg8wd;AVG Free8 WatchDog;e:\avg\avgwdsvc.exe [2009-9-26 297752]
R3 SASENUM;SASENUM;e:\super anti spyware\SASENUM.SYS [2009-9-15 7408]
S3 Tomcat5;Apache Tomcat;e:\tomcat 5.5\bin\tomcat5.exe [2007-8-24 57344]

=============== Created Last 30 ================

2010-02-09 20:12:46 0 ----a-w- c:\documents and settings\ian\defogger_reenable
2010-01-13 15:46:47 0 d-----w- c:\docume~1\ian\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

==================== Find3M ====================

2009-12-04 15:36:55 69290 ----a-w- c:\windows\hpoins05.dat

============= FINISH: 20:14:32.15 ===============

Attached Files



#4 CluelessNI

CluelessNI
  • Topic Starter

  • Members
  • 33 posts

Posted 10 February 2010 - 09:07 AM

Hi Grinler,

Thanks for the help. I have posted a new topic with the appropriate logs as requested.

With thanks..................

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,472 posts
  • Gender:Male
  • Location:USA

Posted 10 February 2010 - 09:23 AM

I have merged your two topics.

Looks clean to me. Please do the following to be safe:

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this



#6 CluelessNI

CluelessNI
  • Topic Starter

  • Members
  • 33 posts

Posted 11 February 2010 - 05:54 PM

Hi Grinler,

Thanks for this. I have run combofix as instructed and attached the log as requested.

With best wishes.................................

Attached Files



#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,472 posts
  • Gender:Male
  • Location:USA

Posted 11 February 2010 - 06:00 PM

Are you still having the google redirects?

#8 CluelessNI

CluelessNI
  • Topic Starter

  • Members
  • 33 posts

Posted 12 February 2010 - 04:34 AM

Hi Grinler,

No - I don't have Google re-directs, nor did I have originally. My concern stems simply from the fact that PayPal seemed to think my PC had been hacked and some software installed to identify keystrokes. It therefore seemed prudent to check this out, and I am aware such software, i.e. rootkits, can be hard to detect.

With thanks.............

#9 CluelessNI

CluelessNI
  • Topic Starter

  • Members
  • 33 posts

Posted 12 February 2010 - 10:16 AM

Hi Grinler,

In addition to my PC, my stepson uses a laptop on my home network. I hope you don't mind, but I thought it prudent to check this out as well, especially as he had been using P2P software (now removed!). I have run DDS and GMER and posted/attached the logs below. I did not run ComboFix as I thought I would wait until you requested it.

With thanks................


DDS (Ver_09-12-01.01) - NTFSx86
Run by al at 14:17:39.36 on 12/02/2010
Internet Explorer: 7.0.6000.16945
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2045.1166 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\OEM02Mon.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\al\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\al\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\users\al\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\al\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-16 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-16 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-16 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-16 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-16 297752]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]

=============== Created Last 30 ================

2010-02-12 14:15:36 0 ----a-w- c:\users\al\defogger_reenable
2010-01-24 18:04:14 0 d-----w- c:\windows\system32\drivers\NSS
2010-01-24 18:04:14 0 d-----w- c:\program files\Norton Security Scan
2010-01-24 11:33:03 0 d-----w- c:\program files\Ask.com
2010-01-24 11:32:00 0 d-----w- c:\program files\uTorrent
2010-01-24 11:30:09 0 d-----w- c:\users\al\appdata\roaming\uTorrent
2010-01-16 19:05:03 0 d--h--w- C:\$AVG8.VAULT$
2010-01-16 10:49:25 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-16 10:49:24 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-16 10:49:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-01-16 10:49:24 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-01-16 10:49:24 24064 ----a-w- c:\windows\system32\lpk.dll
2010-01-16 10:49:24 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-01-16 10:48:36 1657350 ----a-w- c:\windows\system32\wlan.tmf
2010-01-16 10:48:36 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2010-01-16 10:48:35 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2010-01-16 10:48:35 502272 ----a-w- c:\windows\system32\wlansvc.dll
2010-01-16 10:48:35 47104 ----a-w- c:\windows\system32\wlanapi.dll
2010-01-16 10:48:35 297984 ----a-w- c:\windows\system32\wlansec.dll
2010-01-16 10:48:35 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2010-01-16 10:47:52 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-01-16 10:47:52 1406464 ----a-w- c:\windows\system32\msxml6.dll
2010-01-16 10:47:52 1260032 ----a-w- c:\windows\system32\msxml3.dll
2010-01-16 10:47:51 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-01-16 10:47:19 36864 ----a-w- c:\windows\system32\wmdmps.dll
2010-01-16 10:47:19 31744 ----a-w- c:\windows\system32\wmdmlog.dll
2010-01-16 10:47:19 311296 ----a-w- c:\windows\system32\mswmdm.dll
2010-01-16 10:46:52 216576 ----a-w- c:\windows\system32\msv1_0.dll
2010-01-16 10:46:11 98816 ----a-w- c:\windows\system32\mfps.dll
2010-01-16 10:46:11 52736 ----a-w- c:\windows\system32\rrinstaller.exe
2010-01-16 10:46:11 2855424 ----a-w- c:\windows\system32\mf.dll
2010-01-16 10:46:11 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-01-16 10:46:11 2048 ----a-w- c:\windows\system32\mferror.dll
2010-01-16 10:45:37 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-01-16 10:45:07 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-16 10:43:54 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-01-16 10:43:53 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-01-16 10:41:59 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-01-16 10:40:15 268800 ----a-w- c:\windows\system32\es.dll
2010-01-16 10:40:02 713728 ----a-w- c:\windows\system32\timedate.cpl
2010-01-16 10:38:44 428032 ----a-w- c:\windows\system32\EncDec.dll
2010-01-16 10:38:44 177152 ----a-w- c:\windows\system32\mpg2splt.ax
2010-01-16 10:38:44 1244672 ----a-w- c:\windows\system32\mcmde.dll
2010-01-16 10:38:43 80896 ----a-w- c:\windows\system32\MSNP.ax
2010-01-16 10:38:43 68608 ----a-w- c:\windows\system32\Mpeg2Data.ax
2010-01-16 10:38:43 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2010-01-16 10:38:43 292352 ----a-w- c:\windows\system32\psisdecd.dll
2010-01-16 10:38:43 217088 ----a-w- c:\windows\system32\psisrndr.ax
2010-01-16 10:34:58 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-01-16 10:34:57 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-16 10:34:57 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-16 10:33:30 2031104 ----a-w- c:\windows\system32\win32k.sys
2010-01-16 10:32:53 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-16 10:32:48 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-16 10:32:45 1686528 ----a-w- c:\windows\system32\gameux.dll
2010-01-16 10:31:27 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-01-16 10:30:51 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-01-16 10:30:44 274432 ----a-w- c:\windows\system32\raschap.dll
2010-01-16 10:30:44 232960 ----a-w- c:\windows\system32\rastls.dll
2010-01-16 10:30:35 321536 ----a-w- c:\windows\system32\WSDApi.dll
2010-01-16 10:30:14 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-01-16 10:29:45 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2010-01-16 10:29:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-01-16 10:29:38 4096 ----a-w- c:\windows\system32\msdxm.ocx
2010-01-16 10:29:38 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-01-16 10:29:26 311296 ----a-w- c:\windows\system32\unregmp2.exe

==================== Find3M ====================

2010-01-16 10:42:08 72704 ----a-w- c:\windows\system32\admparse.dll
2010-01-16 10:42:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-16 10:42:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-16 10:41:54 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-16 10:41:51 56320 ----a-w- c:\windows\system32\iesetup.dll
2010-01-14 11:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-24 21:39:05 100570 ----a-w- c:\users\al\appdata\roaming\nvModes.dat
2009-09-15 18:02:54 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-09-15 18:02:54 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-15 18:02:54 51200 ----a-w- c:\windows\inf\infpub.dat
2009-08-16 17:42:29 174 --sha-w- c:\program files\desktop.ini
2009-08-16 17:34:11 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 14:18:48.14 ===============

Attached Files
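The two DDS logs posted in this thread (the XP desktop log above and the Vista laptop log in this post) are read by hand by the helper, but the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections have a regular line format that can be parsed. The following script is an added example, not a BleepingComputer tool and not code from anyone in this thread: it splits a DDS log into its sections, turns the autostart lines into records, and flags the items a log reader checks first, namely entries whose file is missing ("No File"), DLLs registered under Notify or AppInit_DLLs (which Windows loads into other processes), and a browser Java version older than the "version 18" (assumed to mean Java 6 Update 18) mentioned later in the thread. SAMPLE_LOG is a constructed excerpt assembled from lines that appear in the posted logs, and LATEST_JAVA is an assumption.

```python
"""Triage helper for DDS logs (an added example, not a BleepingComputer tool).

Splits a DDS log into its '=== Section ===' blocks, parses the Pseudo HJT
Report autostart lines and the SERVICES / DRIVERS lines into records, and
flags what a log reader checks first: entries whose file is gone ("No File")
and DLLs that Windows loads into other processes via Notify / AppInit_DLLs.
"""
import re
from collections import defaultdict

# Assumption: the Java release current when this thread was written, i.e. the
# "version 18" (Java 6 Update 18) that a reply in the thread refers to.
LATEST_JAVA = "1.6.0_18"

# Constructed excerpt assembled from lines that appear in the two DDS logs
# posted in this thread; it is not a complete log.
SAMPLE_LOG = r"""DDS (Ver_09-12-01.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_14

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - e:\avg\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [VTTimer] VTTimer.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
Notify: !SASWinLogon - e:\super anti spyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 SASKUTIL;SASKUTIL;e:\super anti spyware\SASKUTIL.SYS [2009-9-15 74480]
S3 Tomcat5;Apache Tomcat;e:\tomcat 5.5\bin\tomcat5.exe [2007-8-24 57344]

============= FINISH: 20:14:32.15 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z_]+):\s*(?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)(?:\s+\[.*\])?$")
INJECT_KINDS = ("Notify", "AppInit_DLLs")


def split_sections(text):
    """Group non-blank lines under the '=== name ===' header above them."""
    sections, current = defaultdict(list), "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_entry(line):
    """One Pseudo HJT line -> record dict; None for lines not modelled here."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    rec = {"kind": kind, "name": "", "clsid": "", "path": rest.strip(), "missing": False}
    run = RUN_RE.match(rest)          # uRun/mRun/dRun: [Name] command line
    clsid = CLSID_RE.search(rest)     # BHO/TB/SEH/DPF: Name: {CLSID} - path
    if run:
        rec["name"], rec["path"] = run.group("name"), run.group("cmd").strip()
    elif clsid:
        rec["clsid"] = clsid.group(0)
        rec["name"] = rest[:clsid.start()].strip(" :")
        rec["path"] = rest[clsid.end():].lstrip(" -").rstrip()
    elif " - " in rest:               # Notify/URLSearchHooks: Name - file
        rec["name"], rec["path"] = (s.strip() for s in rest.split(" - ", 1))
    rec["missing"] = rec["path"].lower() == "no file"
    return rec


def parse_service(line):
    """'R1 name;display;path [date size]' -> record dict; None otherwise."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    return {"kind": "service", "state": m.group("state"), "name": m.group("name"),
            "display": m.group("display"), "path": m.group("path").strip(),
            "clsid": "", "missing": False}


def java_tuple(version):
    """'1.6.0_17' -> (1, 6, 0, 17) so versions compare numerically."""
    release, _, update = version.partition("_")
    return tuple(int(p) for p in release.split(".")) + (int(update or 0),)


def triage(text):
    """Parse a DDS log and return the records plus the flagged findings."""
    sections = split_sections(text)
    entries = [e for e in map(parse_entry, sections.get("Pseudo HJT Report", [])) if e]
    services = [s for s in map(parse_service, sections.get("SERVICES / DRIVERS", [])) if s]
    findings = []
    for e in entries:
        if e["missing"]:                 # registered, but the file is gone
            findings.append(("orphaned", e))
        if e["kind"] in INJECT_KINDS:    # loaded into winlogon / every GUI process
            findings.append(("injected-dll", e))
    m = re.search(r"BrowserJavaVersion:\s*(\S+)", text)
    java = m.group(1) if m else None
    return {"entries": entries, "services": services, "findings": findings,
            "browser_java": java,
            "java_outdated": java_tuple(java) < java_tuple(LATEST_JAVA) if java else None}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['entries'])} autostart entries, {len(result['services'])} services")
    for tag, rec in result["findings"]:
        print(f"  [{tag:12}] {rec['kind']}: {rec['name'] or rec['clsid']} -> {rec['path']}")
    if result["java_outdated"]:
        print(f"  [java-outdated] browser Java {result['browser_java']} < {LATEST_JAVA}")
```

Run it against a full DDS log by replacing SAMPLE_LOG with the file contents. A flag is a prompt to look, not a verdict: on the logs in this thread the Notify and AppInit_DLLs entries belong to SUPERAntiSpyware and AVG, and the "No File" items are leftovers from uninstalled software, which is consistent with the helper's "looks clean" reading.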



#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,472 posts
  • Gender:Male
  • Location:USA

Posted 12 February 2010 - 10:53 AM

Ok, I normally won't analyze two computers in the same thread, but as your first computer is clean, you just need to uninstall the current versions of Java and install the latest version, which is version 18. Otherwise it's clean.

For the laptop, I don't see anything in the DDS log. Run ComboFix on it and post the log from it.


#11 CluelessNI

CluelessNI
  • Topic Starter

  • Members
  • 33 posts

Posted 13 February 2010 - 07:20 AM

Hi again Grinler,

Please find attached a ComboFix log for the laptop as discussed. I am sure it will prove clear, but it's nice to be certain.

With thanks..............

Attached Files



#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,472 posts
  • Gender:Male
  • Location:USA

Posted 13 February 2010 - 10:03 AM

Looks good as well. Your computers are all clean.

Now that you're clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.

You can find instructions on how to disable and re-enable System Restore for your particular Windows version below:

Windows XP System Restore Guide

and

Windows Vista System Restore Guide


Re-enable System Restore with instructions from the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:



I am closing this topic. Please message a moderator if you need it reopened.

Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

#13 CluelessNI

CluelessNI
  • Topic Starter

  • Members
  • 33 posts

Posted 14 February 2010 - 01:09 PM

Thanks for all your help Grinler. It has given me peace of mind if nothing else.

With best wishes....



