Virus or just too many applications?


  • This topic is locked
12 replies to this topic

#1 needprotection

Posted 03 May 2010 - 12:54 AM

Hello guys. Sorry I didn't read the instructions last time. Now I'll get straight to the point: my PC has been acting odd lately. My OS is Windows 7; it usually only uses up to 500-600 MB of RAM when idle, but recently it takes up to 900 MB or even 1 GB. And I'm seeing doubled processes in Task Manager: I have something like 12 svchost running (only 6 in Safe Mode), and some other doubled processes show up and disappear now and then. CPU usage is 4%-20% and I am not running anything but Firefox and HijackThis. The creepiest thing is that now my uTorrent is doubled, and the new one I can't terminate with Task Manager. My antivirus, ESET NOD32, showed nothing on scan, but I'm still worried about it. Hopefully you guys can shed some light on this for me.

Here's the DDS scan:
_________________________________________________
DDS (Ver_10-03-17.01) - NTFSx86
Run by Tarantula at 12:49:00.74 on Mon 05/03/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1181 [GMT 7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Razer\Salmosa\razerhid.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\UniKey\UniKey.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Razer\Salmosa\razertra.exe
C:\Program Files\Razer\Salmosa\razerofa.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
D:\FireFox\firefox.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Tarantula\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tarantula\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tarantula\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Tarantula\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://vn.yahoo.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://vn.yahoo.com
mStart Page = hxxp://vn.yahoo.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [UniKey] c:\program files\unikey\UniKey.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [Salmosa] c:\program files\razer\salmosa\razerhid.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {E3184D2A-0CBE-478B-BBC7-A7D05DACE46C} = 208.67.222.222,208.67.220.220

================= FIREFOX ===================

FF - ProfilePath - c:\users\tarant~1\appdata\roaming\mozilla\firefox\profiles\gitci2p2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://vn.search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://vn.search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\users\tarantula\appdata\roaming\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\users\tarantula\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: d:\firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-12 74088]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-12-12 1078632]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-11-16 38240]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-4-7 277536]
R3 Salmosa03;Razer Salmosa USB Filter Driver;c:\windows\system32\drivers\Salmosa.sys [2010-4-7 9344]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2010-4-7 27136]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-14 1343400]
S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [2010-4-8 23480]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-4-3 240232]
S4 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2010-4-7 704760]

=============== Created Last 30 ================

2010-05-01 07:33:17 0 d-----w- c:\users\tarant~1\appdata\roaming\Mobipocket
2010-05-01 07:32:46 0 d-----w- c:\program files\Mobipocket.com
2010-05-01 06:36:15 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 16:41:13 32768 ----a-w- c:\windows\system32\php_mysql.dll
2010-04-29 16:18:43 0 d-----w- C:\php
2010-04-29 15:26:47 0 d-----w- C:\inetpub
2010-04-28 04:24:43 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-04-28 02:13:07 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 02:13:07 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-28 01:04:40 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-26 03:10:38 0 d-----w- c:\program files\JDownloader
2010-04-25 04:16:57 0 d-----w- c:\windows\system32\appmgmt
2010-04-20 07:55:28 0 d-----w- c:\programdata\Blizzard
2010-04-18 06:50:32 33540 ----a-w- c:\windows\system32\CoreFLACDecoder-uninstall.exe
2010-04-17 03:08:39 439440 ----a-w- c:\program files\un_Internet Download Manager_16575.exe
2010-04-16 11:36:10 0 d-----w- c:\users\tarant~1\appdata\roaming\Ubisoft
2010-04-16 11:33:58 0 d-----w- c:\programdata\Ubisoft
2010-04-15 23:33:04 0 d-----w- c:\programdata\Sun
2010-04-15 13:53:34 0 d-----w- c:\program files\SystemRequirementsLab
2010-04-15 06:11:12 0 d-----w- c:\program files\SpeedFan
2010-04-15 06:11:06 45 ----a-w- c:\windows\system32\initdebug.nfo
2010-04-15 05:06:10 0 d--h--w- c:\windows\msdownld.tmp
2010-04-15 05:06:10 0 d-----w- c:\windows\RegisteredPackages
2010-04-15 05:06:04 0 d-----w- c:\program files\Windows Media Components
2010-04-15 04:58:07 0 d-----w- c:\program files\common files\Futuremark Shared
2010-04-15 02:24:01 0 d-----w- c:\program files\MSI
2010-04-15 02:21:18 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-04-15 02:21:08 0 d-----w- C:\Intel
2010-04-14 01:54:27 0 d-----w- c:\windows\system32\Wat
2010-04-14 01:41:01 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 01:41:01 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 01:40:57 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 01:40:56 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 01:40:56 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 01:40:55 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 01:35:01 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-14 01:34:59 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 12:38:07 0 d-----w- c:\windows\system32\xlive
2010-04-13 12:38:06 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-04-13 11:12:46 0 d-----w- c:\program files\Trend Micro
2010-04-12 12:59:25 0 d-----w- c:\program files\Internet Download Manager
2010-04-12 10:06:57 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-04-12 05:09:56 0 d-----w- c:\program files\Blue Coat K9 Web Protection
2010-04-10 06:04:50 0 d-----w- c:\users\tarant~1\appdata\roaming\NVIDIA
2010-04-10 05:46:00 0 d-----w- c:\windows\system32\directx
2010-04-10 05:26:32 0 d-----w- c:\windows\64F6748976BB4CDDA236F954BE774B35.TMP
2010-04-10 05:26:30 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-09 01:35:41 0 d-----w- c:\program files\Alcohol Soft
2010-04-09 01:33:15 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-08 11:04:59 0 d-----w- c:\users\tarant~1\appdata\roaming\IDM
2010-04-08 11:04:58 0 d-----w- c:\users\tarant~1\appdata\roaming\DMCache
2010-04-08 03:49:56 0 d-----w- c:\programdata\Yahoo!
2010-04-08 02:03:34 0 d-----w- c:\windows\Panther
2010-04-08 02:03:23 8192 --sha-r- C:\BOOTSECT.BAK
2010-04-08 02:03:22 383562 --sha-r- C:\bootmgr
2010-04-08 02:03:21 0 d-sh--w- C:\Boot
2010-04-08 01:37:23 0 d-----w- c:\users\tarant~1\appdata\roaming\Wippien
2010-04-08 01:37:22 487479 ----a-w- c:\windows\system32\SkinMagic.dll
2010-04-08 01:37:22 23480 ----a-w- c:\windows\system32\drivers\wip0204.sys
2010-04-08 01:37:22 0 d-----w- c:\users\tarant~1\appdata\roaming\Language
2010-04-08 01:37:19 0 d-----w- c:\program files\Wippien
2010-04-08 01:28:41 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-04-08 00:21:24 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-04-08 00:21:24 507568 ----a-w- c:\windows\system32\winload.exe
2010-04-08 00:21:24 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2010-04-08 00:21:23 442920 ----a-w- c:\windows\system32\winresume.exe
2010-04-08 00:21:22 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-04-08 00:19:16 34816 ----a-w- c:\windows\system32\msasn1.dll
2010-04-07 16:44:09 0 d-----w- c:\program files\Yahoo!
2010-04-07 13:55:13 0 d-----w- c:\users\tarant~1\appdata\roaming\ESET
2010-04-07 13:54:37 0 d-----w- c:\programdata\ESET
2010-04-07 13:54:37 0 d-----w- c:\program files\ESET
2010-04-07 12:56:32 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-04-07 12:52:52 0 d-----w- c:\program files\common files\Steam
2010-04-07 12:36:09 0 ----a-w- c:\windows\system32\Access.dat
2010-04-07 12:33:50 0 d-----w- c:\programdata\NVIDIA
2010-04-07 12:33:32 0 d-sh--w- c:\windows\Installer
2010-04-07 12:33:30 0 d-----w- c:\program files\NVIDIA Corporation
2010-04-07 12:33:03 795104 ----a-w- c:\windows\system32\dpinst.exe
2010-04-07 12:33:02 9386600 ----a-w- c:\windows\system32\nvd3dum.dll
2010-04-07 12:33:00 215656 ----a-w- c:\windows\system32\nvcod1910.dll
2010-04-07 12:33:00 1296488 ----a-w- c:\windows\system32\nvapi.dll
2010-04-07 12:32:56 0 d-----w- C:\NVIDIA
2010-04-07 12:17:00 0 d-----w- c:\program files\UniKey
2010-04-07 12:12:12 0 d-----w- c:\users\tarant~1\appdata\roaming\Tunngle
2010-04-07 12:12:12 0 d-----w- c:\programdata\Tunngle
2010-04-07 12:12:10 27136 ----a-w- c:\windows\system32\drivers\tap0901t.sys
2010-04-07 12:12:09 0 d-----w- c:\program files\Tunngle
2010-04-07 12:05:36 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-07 12:04:31 0 d-----w- c:\program files\uTorrent
2010-04-07 12:04:13 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-04-07 12:04:13 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-04-07 12:04:13 0 d-----w- c:\users\tarant~1\appdata\roaming\uTorrent
2010-04-07 12:02:06 0 d-----w- c:\program files\common files\PX Storage Engine
2010-04-07 12:00:30 9344 ----a-w- c:\windows\system32\drivers\Salmosa.sys
2010-04-07 12:00:30 110592 ----a-w- c:\windows\system32\Salmosa.cpl
2010-04-07 11:52:05 94208 ----a-w- c:\windows\system32\RTNUninst32.dll
2010-04-07 11:52:05 80416 ----a-w- c:\windows\system32\RtNicProp32.dll
2010-04-07 11:52:05 277536 ----a-w- c:\windows\system32\drivers\Rt86win7.sys
2010-04-07 11:47:21 749824 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-04-07 11:46:31 0 d-----w- c:\windows\system32\wbem\Performance
2010-04-07 11:46:17 0 d-----w- c:\program files\GRETECH
2010-04-07 11:45:48 0 d-----w- c:\program files\GNU
2010-04-07 11:45:35 0 d-----w- c:\program files\UltraISO
2010-04-07 11:45:35 0 d-----w- c:\program files\common files\EZB Systems
2010-04-07 11:44:43 0 d-----w- c:\program files\Realtek
2010-04-07 11:44:41 0 d--h--w- c:\program files\Temp
2010-04-07 11:44:13 0 d-----w- c:\program files\AC3Filter
2010-04-03 11:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 11:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 11:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 11:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 11:26:56 66714 ----a-w- c:\windows\system32\NvwsApps.xml
2010-04-03 11:26:56 276196 ----a-w- c:\windows\system32\NvApps.xml

==================== Find3M ====================

2010-04-17 03:08:46 6056 ----a-w- c:\program files\un_Internet Download Manager_16575.txt
2010-03-26 11:24:58 3048096 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
2010-03-26 11:03:02 57888 ----a-w- c:\windows\system32\RtkCoInst.dll
2010-03-26 11:03:02 1749536 ----a-w- c:\windows\system32\RtkPgExt.dll
2010-03-26 11:02:56 371232 ----a-w- c:\windows\system32\RtkApoApi.dll
2010-03-26 11:02:56 2649120 ----a-w- c:\windows\system32\RtkAPO.dll
2010-03-22 18:38:00 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-03-22 07:22:42 1247776 ----a-w- c:\windows\RtlExUpd.dll
2010-03-17 05:08:32 307616 ----a-w- c:\windows\system32\FMAPO.dll
2010-03-15 19:15:00 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-02-23 07:56:00 977920 ----a-w- c:\windows\system32\wininet.dll
2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 12:49:28.62 ===============

By the way, I just found out that ESET can't scan my operating memory; there's something wrong here.
Where are you guys at :\ ?

Since I posted this this morning, my uTorrent process has tripled. I can't end them using Task Manager; I exit uTorrent and they're still there.
This is not just some dust in the case or disk fragmentation, man...
Well, just in case, I'm going to do another DDS scan:
==============================

DDS (Ver_10-03-17.01) - NTFSx86
Run by Tarantula at 18:27:10.73 on Mon 05/03/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1129 [GMT 7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Razer\Salmosa\razerhid.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\UniKey\UniKey.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Razer\Salmosa\razertra.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Razer\Salmosa\razerofa.exe
C:\Windows\system32\wbem\wmiprvse.exe
D:\FireFox\firefox.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Tarantula\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://vn.yahoo.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://vn.yahoo.com
mStart Page = hxxp://vn.yahoo.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [UniKey] c:\program files\unikey\UniKey.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [Salmosa] c:\program files\razer\salmosa\razerhid.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {E3184D2A-0CBE-478B-BBC7-A7D05DACE46C} = 208.67.222.222,208.67.220.220

================= FIREFOX ===================

FF - ProfilePath - c:\users\tarant~1\appdata\roaming\mozilla\firefox\profiles\gitci2p2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://vn.search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://vn.search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\users\tarantula\appdata\roaming\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\users\tarantula\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: d:\firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-12 74088]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-12-12 1078632]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-11-16 38240]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-4-7 277536]
R3 Salmosa03;Razer Salmosa USB Filter Driver;c:\windows\system32\drivers\Salmosa.sys [2010-4-7 9344]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2010-4-7 27136]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-14 1343400]
S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [2010-4-8 23480]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-4-3 240232]
S4 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2010-4-7 704760]

=============== Created Last 30 ================

2010-05-03 09:23:07 0 d-----w- c:\programdata\SecTaskMan
2010-05-03 09:22:58 0 d-----w- c:\program files\Security Task Manager
2010-05-03 06:29:10 20 ----a-w- c:\users\tarantula\defogger_reenable
2010-05-01 07:33:17 0 d-----w- c:\users\tarant~1\appdata\roaming\Mobipocket
2010-05-01 07:32:46 0 d-----w- c:\program files\Mobipocket.com
2010-05-01 06:36:15 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 16:41:13 32768 ----a-w- c:\windows\system32\php_mysql.dll
2010-04-29 16:18:43 0 d-----w- C:\php
2010-04-29 15:26:47 0 d-----w- C:\inetpub
2010-04-28 04:24:43 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-04-28 02:13:07 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 02:13:07 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-28 01:04:40 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-26 03:10:38 0 d-----w- c:\program files\JDownloader
2010-04-25 04:16:57 0 d-----w- c:\windows\system32\appmgmt
2010-04-20 07:55:28 0 d-----w- c:\programdata\Blizzard
2010-04-18 06:50:32 33540 ----a-w- c:\windows\system32\CoreFLACDecoder-uninstall.exe
2010-04-17 03:08:39 439440 ----a-w- c:\program files\un_Internet Download Manager_16575.exe
2010-04-16 11:36:10 0 d-----w- c:\users\tarant~1\appdata\roaming\Ubisoft
2010-04-16 11:33:58 0 d-----w- c:\programdata\Ubisoft
2010-04-15 23:33:04 0 d-----w- c:\programdata\Sun
2010-04-15 13:53:34 0 d-----w- c:\program files\SystemRequirementsLab
2010-04-15 06:11:12 0 d-----w- c:\program files\SpeedFan
2010-04-15 06:11:06 45 ----a-w- c:\windows\system32\initdebug.nfo
2010-04-15 05:06:10 0 d--h--w- c:\windows\msdownld.tmp
2010-04-15 05:06:10 0 d-----w- c:\windows\RegisteredPackages
2010-04-15 05:06:04 0 d-----w- c:\program files\Windows Media Components
2010-04-15 04:58:07 0 d-----w- c:\program files\common files\Futuremark Shared
2010-04-15 02:24:01 0 d-----w- c:\program files\MSI
2010-04-15 02:21:18 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-04-15 02:21:08 0 d-----w- C:\Intel
2010-04-14 01:54:27 0 d-----w- c:\windows\system32\Wat
2010-04-14 01:41:01 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 01:41:01 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 01:40:57 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 01:40:56 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 01:40:56 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 01:40:55 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 01:35:01 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-14 01:34:59 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 12:38:07 0 d-----w- c:\windows\system32\xlive
2010-04-13 12:38:06 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-04-13 11:12:46 0 d-----w- c:\program files\Trend Micro
2010-04-12 12:59:25 0 d-----w- c:\program files\Internet Download Manager
2010-04-12 10:06:57 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-04-12 05:09:56 0 d-----w- c:\program files\Blue Coat K9 Web Protection
2010-04-10 06:04:50 0 d-----w- c:\users\tarant~1\appdata\roaming\NVIDIA
2010-04-10 05:46:00 0 d-----w- c:\windows\system32\directx
2010-04-10 05:26:32 0 d-----w- c:\windows\64F6748976BB4CDDA236F954BE774B35.TMP
2010-04-10 05:26:30 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-09 01:35:41 0 d-----w- c:\program files\Alcohol Soft
2010-04-09 01:33:15 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-08 11:04:59 0 d-----w- c:\users\tarant~1\appdata\roaming\IDM
2010-04-08 11:04:58 0 d-----w- c:\users\tarant~1\appdata\roaming\DMCache
2010-04-08 03:49:56 0 d-----w- c:\programdata\Yahoo!
2010-04-08 02:03:34 0 d-----w- c:\windows\Panther
2010-04-08 02:03:23 8192 --sha-r- C:\BOOTSECT.BAK
2010-04-08 02:03:22 383562 --sha-r- C:\bootmgr
2010-04-08 02:03:21 0 d-sh--w- C:\Boot
2010-04-08 01:37:23 0 d-----w- c:\users\tarant~1\appdata\roaming\Wippien
2010-04-08 01:37:22 487479 ----a-w- c:\windows\system32\SkinMagic.dll
2010-04-08 01:37:22 23480 ----a-w- c:\windows\system32\drivers\wip0204.sys
2010-04-08 01:37:22 0 d-----w- c:\users\tarant~1\appdata\roaming\Language
2010-04-08 01:37:19 0 d-----w- c:\program files\Wippien
2010-04-08 01:28:41 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-04-08 00:21:24 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-04-08 00:21:24 507568 ----a-w- c:\windows\system32\winload.exe
2010-04-08 00:21:24 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2010-04-08 00:21:23 442920 ----a-w- c:\windows\system32\winresume.exe
2010-04-08 00:21:22 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-04-08 00:19:16 34816 ----a-w- c:\windows\system32\msasn1.dll
2010-04-07 16:44:09 0 d-----w- c:\program files\Yahoo!
2010-04-07 13:55:13 0 d-----w- c:\users\tarant~1\appdata\roaming\ESET
2010-04-07 13:54:37 0 d-----w- c:\programdata\ESET
2010-04-07 13:54:37 0 d-----w- c:\program files\ESET
2010-04-07 12:56:32 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-04-07 12:52:52 0 d-----w- c:\program files\common files\Steam
2010-04-07 12:36:09 0 ----a-w- c:\windows\system32\Access.dat
2010-04-07 12:33:50 0 d-----w- c:\programdata\NVIDIA
2010-04-07 12:33:32 0 d-sh--w- c:\windows\Installer
2010-04-07 12:33:30 0 d-----w- c:\program files\NVIDIA Corporation
2010-04-07 12:33:03 795104 ----a-w- c:\windows\system32\dpinst.exe
2010-04-07 12:33:02 9386600 ----a-w- c:\windows\system32\nvd3dum.dll
2010-04-07 12:33:00 215656 ----a-w- c:\windows\system32\nvcod1910.dll
2010-04-07 12:33:00 1296488 ----a-w- c:\windows\system32\nvapi.dll
2010-04-07 12:32:56 0 d-----w- C:\NVIDIA
2010-04-07 12:17:00 0 d-----w- c:\program files\UniKey
2010-04-07 12:12:12 0 d-----w- c:\users\tarant~1\appdata\roaming\Tunngle
2010-04-07 12:12:12 0 d-----w- c:\programdata\Tunngle
2010-04-07 12:12:10 27136 ----a-w- c:\windows\system32\drivers\tap0901t.sys
2010-04-07 12:12:09 0 d-----w- c:\program files\Tunngle
2010-04-07 12:05:36 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-07 12:04:31 0 d-----w- c:\program files\uTorrent
2010-04-07 12:04:13 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-04-07 12:04:13 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-04-07 12:04:13 0 d-----w- c:\users\tarant~1\appdata\roaming\uTorrent
2010-04-07 12:02:06 0 d-----w- c:\program files\common files\PX Storage Engine
2010-04-07 12:00:30 9344 ----a-w- c:\windows\system32\drivers\Salmosa.sys
2010-04-07 12:00:30 110592 ----a-w- c:\windows\system32\Salmosa.cpl
2010-04-07 11:52:05 94208 ----a-w- c:\windows\system32\RTNUninst32.dll
2010-04-07 11:52:05 80416 ----a-w- c:\windows\system32\RtNicProp32.dll
2010-04-07 11:52:05 277536 ----a-w- c:\windows\system32\drivers\Rt86win7.sys
2010-04-07 11:47:21 749824 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-04-07 11:46:31 0 d-----w- c:\windows\system32\wbem\Performance
2010-04-07 11:46:17 0 d-----w- c:\program files\GRETECH
2010-04-07 11:45:48 0 d-----w- c:\program files\GNU
2010-04-07 11:45:35 0 d-----w- c:\program files\UltraISO
2010-04-07 11:45:35 0 d-----w- c:\program files\common files\EZB Systems
2010-04-07 11:44:43 0 d-----w- c:\program files\Realtek
2010-04-07 11:44:41 0 d--h--w- c:\program files\Temp
2010-04-07 11:44:13 0 d-----w- c:\program files\AC3Filter

==================== Find3M ====================

2010-04-17 03:08:46 6056 ----a-w- c:\program files\un_Internet Download Manager_16575.txt
2010-04-03 11:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 11:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 11:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 11:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-26 11:24:58 3048096 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
2010-03-26 11:03:02 57888 ----a-w- c:\windows\system32\RtkCoInst.dll
2010-03-26 11:03:02 1749536 ----a-w- c:\windows\system32\RtkPgExt.dll
2010-03-26 11:02:56 371232 ----a-w- c:\windows\system32\RtkApoApi.dll
2010-03-26 11:02:56 2649120 ----a-w- c:\windows\system32\RtkAPO.dll
2010-03-22 18:38:00 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-03-22 07:22:42 1247776 ----a-w- c:\windows\RtlExUpd.dll
2010-03-17 05:08:32 307616 ----a-w- c:\windows\system32\FMAPO.dll
2010-03-15 19:15:00 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-02-23 07:56:00 977920 ----a-w- c:\windows\system32\wininet.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 18:27:29.66 ===============

Merged 3 posts. ~ OB

Edited by Orange Blossom, 03 May 2010 - 03:23 PM.


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:31 PM

Posted 05 May 2010 - 12:15 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log






#3 needprotection

needprotection
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 06 May 2010 - 12:06 AM

Thanks for finally replying to my post. At this point I'm not sure what is wrong with my computer anymore; a few days back it seemed to be infected, but now it's running normally, after I deleted a couple of dllhost files. Still, here's everything you guys asked for:
==================================================================
DDS (Ver_10-03-17.01) - NTFSx86
Run by Tarantula at 11:16:52.58 on Thu 05/06/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1338 [GMT 7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Tunngle\TnglCtrl.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Razer\Salmosa\razerhid.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\UniKey\UniKey.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Users\Tarantula\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Razer\Salmosa\razertra.exe
C:\Program Files\Razer\Salmosa\razerofa.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchProtocolHost.exe
D:\FireFox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Tarantula\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://vn.yahoo.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://vn.yahoo.com
mStart Page = hxxp://vn.yahoo.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [UniKey] c:\program files\unikey\UniKey.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [googletalk] c:\users\tarantula\appdata\roaming\google\google talk\googletalk.exe /autostart
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [Salmosa] c:\program files\razer\salmosa\razerhid.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {E3184D2A-0CBE-478B-BBC7-A7D05DACE46C} = 208.67.222.222,208.67.220.220

================= FIREFOX ===================

FF - ProfilePath - c:\users\tarant~1\appdata\roaming\mozilla\firefox\profiles\gitci2p2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://vn.search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://vn.search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\users\tarantula\appdata\roaming\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\users\tarantula\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: d:\firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-12 74088]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-12-12 1078632]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-11-16 38240]
R2 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2010-4-7 704760]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-4-7 277536]
R3 Salmosa03;Razer Salmosa USB Filter Driver;c:\windows\system32\drivers\Salmosa.sys [2010-4-7 9344]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2010-4-7 27136]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-14 1343400]
S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [2010-4-8 23480]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-4-3 240232]

=============== Created Last 30 ================

2010-05-03 09:23:07 0 d-----w- c:\programdata\SecTaskMan
2010-05-03 09:22:58 0 d-----w- c:\program files\Security Task Manager
2010-05-03 06:29:10 20 ----a-w- c:\users\tarantula\defogger_reenable
2010-05-01 07:33:17 0 d-----w- c:\users\tarant~1\appdata\roaming\Mobipocket
2010-05-01 07:32:46 0 d-----w- c:\program files\Mobipocket.com
2010-05-01 06:36:15 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 16:41:13 32768 ----a-w- c:\windows\system32\php_mysql.dll
2010-04-29 16:18:43 0 d-----w- C:\php
2010-04-29 15:26:47 0 d-----w- C:\inetpub
2010-04-28 04:24:43 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-04-28 02:13:07 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 02:13:07 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-28 01:04:40 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-26 03:10:38 0 d-----w- c:\program files\JDownloader
2010-04-25 04:16:57 0 d-----w- c:\windows\system32\appmgmt
2010-04-20 07:55:28 0 d-----w- c:\programdata\Blizzard
2010-04-18 06:50:32 33540 ----a-w- c:\windows\system32\CoreFLACDecoder-uninstall.exe
2010-04-17 03:08:39 439440 ----a-w- c:\program files\un_Internet Download Manager_16575.exe
2010-04-16 11:36:10 0 d-----w- c:\users\tarant~1\appdata\roaming\Ubisoft
2010-04-16 11:33:58 0 d-----w- c:\programdata\Ubisoft
2010-04-15 23:33:04 0 d-----w- c:\programdata\Sun
2010-04-15 13:53:34 0 d-----w- c:\program files\SystemRequirementsLab
2010-04-15 06:11:12 0 d-----w- c:\program files\SpeedFan
2010-04-15 06:11:06 45 ----a-w- c:\windows\system32\initdebug.nfo
2010-04-15 05:06:10 0 d--h--w- c:\windows\msdownld.tmp
2010-04-15 05:06:10 0 d-----w- c:\windows\RegisteredPackages
2010-04-15 05:06:04 0 d-----w- c:\program files\Windows Media Components
2010-04-15 04:58:07 0 d-----w- c:\program files\common files\Futuremark Shared
2010-04-15 02:24:01 0 d-----w- c:\program files\MSI
2010-04-15 02:21:18 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-04-15 02:21:08 0 d-----w- C:\Intel
2010-04-14 01:54:27 0 d-----w- c:\windows\system32\Wat
2010-04-14 01:41:01 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 01:41:01 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 01:40:57 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 01:40:56 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 01:40:56 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 01:40:55 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 01:35:01 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-14 01:34:59 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 12:38:07 0 d-----w- c:\windows\system32\xlive
2010-04-13 12:38:06 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-04-13 11:12:46 0 d-----w- c:\program files\Trend Micro
2010-04-12 12:59:25 0 d-----w- c:\program files\Internet Download Manager
2010-04-12 10:06:57 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-04-12 05:09:56 0 d-----w- c:\program files\Blue Coat K9 Web Protection
2010-04-10 06:04:50 0 d-----w- c:\users\tarant~1\appdata\roaming\NVIDIA
2010-04-10 05:46:00 0 d-----w- c:\windows\system32\directx
2010-04-10 05:26:32 0 d-----w- c:\windows\64F6748976BB4CDDA236F954BE774B35.TMP
2010-04-10 05:26:30 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-09 01:35:41 0 d-----w- c:\program files\Alcohol Soft
2010-04-09 01:33:15 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-08 11:04:59 0 d-----w- c:\users\tarant~1\appdata\roaming\IDM
2010-04-08 11:04:58 0 d-----w- c:\users\tarant~1\appdata\roaming\DMCache
2010-04-08 03:49:56 0 d-----w- c:\programdata\Yahoo!
2010-04-08 02:03:34 0 d-----w- c:\windows\Panther
2010-04-08 02:03:23 8192 --sha-r- C:\BOOTSECT.BAK
2010-04-08 02:03:22 383562 --sha-r- C:\bootmgr
2010-04-08 02:03:21 0 d-sh--w- C:\Boot
2010-04-08 01:37:23 0 d-----w- c:\users\tarant~1\appdata\roaming\Wippien
2010-04-08 01:37:22 487479 ----a-w- c:\windows\system32\SkinMagic.dll
2010-04-08 01:37:22 23480 ----a-w- c:\windows\system32\drivers\wip0204.sys
2010-04-08 01:37:22 0 d-----w- c:\users\tarant~1\appdata\roaming\Language
2010-04-08 01:37:19 0 d-----w- c:\program files\Wippien
2010-04-08 01:28:41 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-04-08 00:21:24 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-04-08 00:21:24 507568 ----a-w- c:\windows\system32\winload.exe
2010-04-08 00:21:24 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2010-04-08 00:21:23 442920 ----a-w- c:\windows\system32\winresume.exe
2010-04-08 00:21:22 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-04-08 00:19:16 34816 ----a-w- c:\windows\system32\msasn1.dll
2010-04-07 16:44:09 0 d-----w- c:\program files\Yahoo!
2010-04-07 13:55:13 0 d-----w- c:\users\tarant~1\appdata\roaming\ESET
2010-04-07 13:54:37 0 d-----w- c:\programdata\ESET
2010-04-07 13:54:37 0 d-----w- c:\program files\ESET
2010-04-07 12:56:32 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-04-07 12:52:52 0 d-----w- c:\program files\common files\Steam
2010-04-07 12:36:09 0 ----a-w- c:\windows\system32\Access.dat
2010-04-07 12:33:50 0 d-----w- c:\programdata\NVIDIA
2010-04-07 12:33:32 0 d-sh--w- c:\windows\Installer
2010-04-07 12:33:30 0 d-----w- c:\program files\NVIDIA Corporation
2010-04-07 12:33:03 795104 ----a-w- c:\windows\system32\dpinst.exe
2010-04-07 12:33:02 9386600 ----a-w- c:\windows\system32\nvd3dum.dll
2010-04-07 12:33:00 215656 ----a-w- c:\windows\system32\nvcod1910.dll
2010-04-07 12:33:00 1296488 ----a-w- c:\windows\system32\nvapi.dll
2010-04-07 12:32:56 0 d-----w- C:\NVIDIA
2010-04-07 12:17:00 0 d-----w- c:\program files\UniKey
2010-04-07 12:12:12 0 d-----w- c:\users\tarant~1\appdata\roaming\Tunngle
2010-04-07 12:12:12 0 d-----w- c:\programdata\Tunngle
2010-04-07 12:12:10 27136 ----a-w- c:\windows\system32\drivers\tap0901t.sys
2010-04-07 12:12:09 0 d-----w- c:\program files\Tunngle
2010-04-07 12:05:36 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-07 12:04:31 0 d-----w- c:\program files\uTorrent
2010-04-07 12:04:13 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-04-07 12:04:13 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-04-07 12:04:13 0 d-----w- c:\users\tarant~1\appdata\roaming\uTorrent
2010-04-07 12:02:06 0 d-----w- c:\program files\common files\PX Storage Engine
2010-04-07 12:00:30 9344 ----a-w- c:\windows\system32\drivers\Salmosa.sys
2010-04-07 12:00:30 110592 ----a-w- c:\windows\system32\Salmosa.cpl
2010-04-07 11:52:05 94208 ----a-w- c:\windows\system32\RTNUninst32.dll
2010-04-07 11:52:05 80416 ----a-w- c:\windows\system32\RtNicProp32.dll
2010-04-07 11:52:05 277536 ----a-w- c:\windows\system32\drivers\Rt86win7.sys
2010-04-07 11:47:21 749824 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-04-07 11:46:31 0 d-----w- c:\windows\system32\wbem\Performance
2010-04-07 11:46:17 0 d-----w- c:\program files\GRETECH
2010-04-07 11:45:48 0 d-----w- c:\program files\GNU
2010-04-07 11:45:35 0 d-----w- c:\program files\UltraISO
2010-04-07 11:45:35 0 d-----w- c:\program files\common files\EZB Systems
2010-04-07 11:44:43 0 d-----w- c:\program files\Realtek
2010-04-07 11:44:41 0 d--h--w- c:\program files\Temp
2010-04-07 11:44:13 0 d-----w- c:\program files\AC3Filter

==================== Find3M ====================

2010-04-17 03:08:46 6056 ----a-w- c:\program files\un_Internet Download Manager_16575.txt
2010-04-03 11:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 11:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 11:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 11:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-26 11:24:58 3048096 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
2010-03-26 11:03:02 57888 ----a-w- c:\windows\system32\RtkCoInst.dll
2010-03-26 11:03:02 1749536 ----a-w- c:\windows\system32\RtkPgExt.dll
2010-03-26 11:02:56 371232 ----a-w- c:\windows\system32\RtkApoApi.dll
2010-03-26 11:02:56 2649120 ----a-w- c:\windows\system32\RtkAPO.dll
2010-03-22 18:38:00 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-03-22 07:22:42 1247776 ----a-w- c:\windows\RtlExUpd.dll
2010-03-17 05:08:32 307616 ----a-w- c:\windows\system32\FMAPO.dll
2010-03-15 19:15:00 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-02-23 07:56:00 977920 ----a-w- c:\windows\system32\wininet.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 11:17:10.35 ===============
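The second DDS log above already answers the question this thread opened with. Windows 7 hosts each service group in its own svchost.exe instance, and the `-k` argument on each line names that group, so eleven instances, one per group, is what a normal boot looks like; Safe Mode starts fewer groups, hence fewer instances. What a helper then checks by eye is whether every svchost.exe lives in system32 and names a group, which images run from user-writable folders, which images appear more than once, and which drivers load at boot/system start or were dropped recently. The script below is an added example, not a BleepingComputer tool and not part of DDS; its sample input is an abridged copy of the log above, and the directory lists and the 30-day window are assumptions, not DDS conventions:

```python
"""Offline triage of the 'Running Processes' and 'SERVICES / DRIVERS' sections of
a DDS log.  Added example for this thread; not a BleepingComputer tool, not part of
DDS.  The directory lists and the 30-day window below are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample: abridged from the second DDS log posted in this thread.
SAMPLE_DDS = r"""
Run by Tarantula at 11:16:52.58 on Thu 05/06/2010
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\Tarantula\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Tarantula\Desktop\dds.scr
============= SERVICES / DRIVERS ===============
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-12 74088]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-11-16 38240]
R2 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2010-4-7 704760]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-4-7 277536]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-14 1343400]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-4-3 240232]
"""

HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
PROC_RE = re.compile(r"^(.+?\.(?:exe|scr))(?:\s+(.*))?$", re.I)
SVC_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]$")
SYSTEM32 = "c:\\windows\\system32\\"
USER_WRITABLE = ("\\appdata\\", "\\desktop\\", "\\temp\\", "\\programdata\\")  # assumption


def split_sections(text):
    """Map each '=== Title ===' header to the non-blank lines beneath it."""
    sections, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line:
            sections[current].append(line)
    return sections


def log_date(text):
    """DDS stamps its header 'Run by <user> at <time> on <Day> MM/DD/YYYY'."""
    mo, d, y = (int(x) for x in re.search(r"\bon \w{3} (\d\d)/(\d\d)/(\d{4})", text).groups())
    return date(y, mo, d)


def analyse_processes(lines):
    """Explain the svchost.exe count and list the images worth a second look."""
    groups, odd_svchost, writable, seen = Counter(), [], [], Counter()
    for line in lines:
        m = PROC_RE.match(line)
        if not m:
            continue
        path, args = m.group(1), m.group(2) or ""
        low = path.lower()
        seen[low] += 1
        if low.endswith("\\svchost.exe"):
            k = re.search(r"-k\s+(\S+)", args)
            if low.startswith(SYSTEM32) and k:   # genuine: in system32 and names its group
                groups[k.group(1)] += 1
            else:                                 # wrong directory or no group: look closer
                odd_svchost.append(line)
        elif any(tag in low for tag in USER_WRITABLE):
            writable.append(path)
    repeated = {p: n for p, n in seen.items() if n > 1 and not p.endswith("\\svchost.exe")}
    return {"svchost_groups": dict(groups), "odd_svchost": odd_svchost,
            "from_user_writable": writable, "repeated_images": repeated}


def analyse_services(lines, when, recent_days=30):
    """Flag boot/system-start drivers, drivers outside the drivers folder, recent files."""
    early, misplaced, recent = [], [], []
    for line in lines:
        m = SVC_RE.match(line)
        if not m:
            continue
        _state, start, name, _display, path, stamp, _size = m.groups()
        low = path.lower()
        if low.endswith(".sys"):
            if start in "01":                     # start type 0/1 loads before most defences
                early.append(name)
            if not low.startswith(SYSTEM32 + "drivers\\"):
                misplaced.append(path)
        y, mo, d = (int(x) for x in stamp.split("-"))
        if 0 <= (when - date(y, mo, d)).days <= recent_days:
            recent.append(name)
    return {"early_drivers": early, "misplaced_drivers": misplaced, "recent": recent}


def triage(text):
    s = split_sections(text)
    return {"processes": analyse_processes(s["Running Processes"]),
            "services": analyse_services(s["SERVICES / DRIVERS"], log_date(text))}


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_DDS).items():
        print(section, findings)
```

Run it as a script, or import `triage` and feed it a saved DDS log. On the sample it reports eleven svchost groups each seen once and nothing odd about any svchost.exe, googletalk.exe and dds.scr as the only images running from user-writable paths (the latter is DDS itself), nvvsvc.exe and wmiprvse.exe as repeated images (the NVIDIA service and WMI provider host normally run as pairs), bckd.sys as the only boot/system-start driver, and three service files newer than 30 days, all of which match the installs listed under Created Last 30.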




#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 AM

Posted 10 May 2010 - 07:01 PM

Hello.

I see just a couple of things that require attention and fixing. Let's start with Malwarebytes.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link



#5 needprotection

needprotection
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 11 May 2010 - 01:10 AM

Thank you extremeboy for replying.
I did what you asked; a quick scan didn't show much, but a full scan revealed 4 trojans on my PC, so I cleaned them up.
Here's the log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4089

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/11/2010 12:34:32 PM
mbam-log-2010-05-11 (12-34-32).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 191295
Time elapsed: 27 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\System Volume Information\_restore{63BBA8FF-C57E-4E5C-8861-B39FCD0B30EF}\RP102\A0052980.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{63BBA8FF-C57E-4E5C-8861-B39FCD0B30EF}\RP86\A0037568.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{63BBA8FF-C57E-4E5C-8861-B39FCD0B30EF}\RP86\A0037585.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{63BBA8FF-C57E-4E5C-8861-B39FCD0B30EF}\RP89\A0038520.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 AM

Posted 11 May 2010 - 04:59 PM

Those aren't really much to worry about, other than being infected restore points, which aren't really "active" until you actually restore to that date stamp.

The logs actually look good. I don't see any active malware infections. There were a few suspicious entries, but upon reviewing the previous logs again it looks good.

Let's get an online scan done.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.



#7 needprotection

needprotection
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 12 May 2010 - 04:51 AM

I did a scan, and man, is the update long; it took me 2 hours to finish the update.
Anyway, here's the log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, May 12, 2010
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, May 12, 2010 01:58:16
Records in database: 4098431
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 83330
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:04:34

No threats found. Scanned area is clean.

Selected area has been scanned.

Didn't show anything unusual.

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 AM

Posted 12 May 2010 - 02:40 PM

Looks good to me.

Just regarding P2P programs you have...

Peer-to-Peer Programs Warning

Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case uTorrent). These programs allow you to share files between users, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s), but I suggest you remove them via Add/Remove Programs. However, please refrain from using them until your computer has been declared clean.



Other than that, your log looks good. Let's wrap up here; if you do have any problems with the computer, do let me know.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Create a New System Restore Point <- Very Important

Now you should create a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.


Congratulations! You now appear clean!

Now that you are clean, please follow and read some of the prevention tips over here. Is your system a bit slow? If so, try some of the points and things suggested here. A computer being slow doesn't always mean it's malware. ;)

If you would like, visit my http://computermalwaresecurity.blogspot.com/ blog and Subscribe/Follow along.

If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks.

With Regards,
Extremeboy

Edited by extremeboy, 20 May 2010 - 09:17 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 17 May 2010 - 08:13 PM

How's the last few cleanup steps going? Is everything good?

#10 needprotection

needprotection
  • Topic Starter
  • Members
  • 8 posts

Posted 18 May 2010 - 12:04 AM

I think it's good now, no more double processes, CPU usage is normal, although there are like 13 svchost.exe processes running on my system.
Does Windows even use that many? My friend's OS is Windows 7 too and there are only 6 of them.

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 18 May 2010 - 03:02 PM

Well, yes, that could be normal. Some machines have more, some less. To understand that, you will need to know what svchost.exe is and how Windows uses it. I wouldn't worry about it too much. On my Vista machine I have about 12 svchost.exe processes running upon startup, and a lot fewer in XP, around 7 or 8. ;)

~Extremeboy
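The question in this exchange is whether 13 svchost.exe instances are legitimate. The count alone says little; what matters is that each instance is the real service host (started by services.exe from System32) and actually hosts services. The following is an added example, not part of the thread or a BleepingComputer tool, that lists each svchost.exe with the services it hosts and flags anything that breaks those expectations. It assumes an elevated PowerShell 3.0+ prompt (for Get-CimInstance; on PowerShell 2.0 use Get-WmiObject with the same class names).

```powershell
# Added example (not from the thread): enumerate svchost.exe instances, map each
# to the services it hosts, and flag anomalies a defender cares about.
# Assumes an elevated prompt so ExecutablePath of system processes is readable.

$expectedPath   = Join-Path $env:SystemRoot 'System32\svchost.exe'
$servicesExePid = (Get-CimInstance Win32_Process -Filter "Name='services.exe'").ProcessId

# Every running svchost.exe, with its image path and parent PID.
$hosts = Get-CimInstance Win32_Process -Filter "Name='svchost.exe'"

# Every service that currently has a live process, keyed by that PID (as a string).
$svcByPid = Get-CimInstance Win32_Service -Filter "ProcessId<>0" |
    Group-Object -Property ProcessId -AsHashTable -AsString

$report = foreach ($h in $hosts) {
    $key      = [string]$h.ProcessId
    $svcNames = @()
    if ($svcByPid -and $svcByPid.ContainsKey($key)) {
        $svcNames = @($svcByPid[$key] | ForEach-Object { $_.Name })
    }

    # Three checks: real binary location, launched by services.exe, hosts work.
    $notes = @()
    if ($h.ExecutablePath -ne $expectedPath) {
        $notes += "unexpected path: $($h.ExecutablePath)"
    }
    if ($h.ParentProcessId -ne $servicesExePid) {
        $notes += "parent is PID $($h.ParentProcessId), not services.exe"
    }
    if ($svcNames.Count -eq 0) {
        $notes += 'hosts no services'
    }

    [pscustomobject]@{
        PID      = $h.ProcessId
        Services = ($svcNames -join ', ')
        Status   = if ($notes.Count) { $notes -join '; ' } else { 'OK' }
    }
}

$report | Sort-Object PID | Format-Table -AutoSize -Wrap
"svchost.exe instances: $(@($hosts).Count)"
```

A high count is expected on modern Windows (newer builds split most services into their own svchost.exe on machines with enough RAM), so treat a non-OK Status row, not the total, as the thing worth investigating.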

#12 needprotection

needprotection
  • Topic Starter
  • Members
  • 8 posts

Posted 18 May 2010 - 07:41 PM

Well then, my computer is officially clean.
Thank you very much for all the help, Extremeboy.

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 19 May 2010 - 02:57 PM

You're welcome. I'm very happy I was able to help out.

Happy surfing again.
---
Since the problem appears to be resolved, this topic is now Closed. Glad we could help.
If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy