
virus affecting hardware?


  • This topic is locked
20 replies to this topic

#1 halfnerdhybrid

  • Members
  • 47 posts
  • Location: Spotsylvania, VA

Posted 25 May 2010 - 09:40 PM

I made a post about something trying to overheat my computer (seemingly)

All I really know is that I left my computer alone fine, and 20 minutes later when I came back, I heard my GPU's fan working at full speed. So, I checked SpeedFan and almost everything that SpeedFan reads was running 15-20 °C above normal values (some over 60 °C).

I was instructed to post here with some readings from a couple of scans. Here they are.






DDS.txt


DDS (Ver_10-03-17.01) - NTFSx86
Run by Teresa at 16:51:54.01 on Tue 05/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1119.409 [GMT -4:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1257455407\ee\AOLSoftware.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
D:\Program Files\SRS Labs\SRSSSC.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\AOL\1257455407\ee\aolsoftware.exe
C:\Documents and Settings\Teresa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://vocaloidotaku.net/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Page_URL =
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant =
BHO: rsion - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.1.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.1.0.32\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn3\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.1.0.32\coIEPlg.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
TB: Webshots Toolbar: {c17590d2-ecb4-4b15-8820-f58798dcc118} -
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
uRun: [Advanced SystemCare 3] "d:\program files\advanced systemcare 3\AWC.exe" /startup
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [SRS Audio Sandbox] "d:\program files\srs labs\SRSSSC.exe" /hideme
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [LogitechSetup] F:\setup.exe /skip_all_checks /p /start /restart /l:enu
uRunOnce: [<NO NAME>] c:\program files\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...00006e.00000141
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; IEMB3; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; IEMB3)" -"http://www.lorenzodimauro.com/TUBES/DP.htm"
mRun: [HostManager] c:\program files\common files\aol\1257455407\ee\AOLSoftware.exe
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "d:\program files\logitech\Quickcam.exe" /hide
StartupFolder: c:\docume~1\teresa\startm~1\programs\startup\atitool.lnk - d:\program files\atitool\ATITool.exe
StartupFolder: c:\docume~1\teresa\startm~1\programs\startup\logite~1.lnk - d:\program files\logitech\eReg.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: &AOL Toolbar search
IE: &Google Search
IE: &Translate English Word
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Backward Links
IE: Cached Snapshot of Page
IE: Similar Pages
IE: Translate Page into English
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Trusted Zone: buzzen.net
Trusted Zone: mypsptubes.com\www
Hosts: 208.43.47.212 a1.review.zdnet.com
Hosts: 208.43.47.212 reviews.riverstreams.co.uk
Hosts: 208.43.47.212 d1.reviews.cnet.com
Hosts: 208.43.47.212 review.2009softwarereviews.com
Hosts: 208.43.47.212 reviews.download.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0401000.020\symds.sys [2010-4-13 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0401000.020\symefa.sys [2010-4-13 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0401000.020\cchpx86.sys [2010-4-13 501888]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-5 214664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0401000.020\ironx86.sys [2010-4-13 116784]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-7-21 3744]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-1-21 54752]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-7-21 3904]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.1.0.32\ccsvchst.exe [2010-4-13 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-11 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100518.002\IDSXpx86.sys [2010-5-24 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100524.002\NAVENG.SYS [2010-5-24 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100524.002\NAVEX15.SYS [2010-5-24 1347504]
S2 013786983401667mcinstcleanup;McAfee Application Installer Cleanup (013786983401667);c:\docume~1\teresa\locals~1\temp\013786~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\teresa\locals~1\temp\013786~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 aawservice;Ad-Aware 2007 Service; [x]
S2 FreezeScreenSaver;FreezeScreenSaver; [x]
S2 gupdate1ca88f6a27b62c;Google Update Service (gupdate1ca88f6a27b62c);c:\program files\google\update\GoogleUpdate.exe [2009-12-29 133104]
S2 McShield;McAfee Real-time Scanner; [x]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2007-8-7 9344]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;c:\windows\system32\drivers\AWRTPD.sys [2007-7-11 6272]
S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;c:\windows\system32\drivers\AWRTRD.sys [2007-8-7 8320]
S3 cpuz130;cpuz130; [x]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-9-27 10664]
S3 McSysmon;McAfee SystemGuards; [x]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-5 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-29 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-5 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-5 40552]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\drivers\mtk.sys --> c:\windows\system32\drivers\mtk.sys [?]
S3 Npfaavetdmsn;Npfaavetdmsn; [x]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2008-11-4 155136]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2008-11-4 5248]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-05-25 20:42:28 228 ----a-w- c:\documents and settings\teresa\defogger_reenable
2010-05-25 11:55:59 462848 -c--a-w- c:\windows\system32\dllcache\a3dapi.dll
2010-05-25 11:55:58 38400 -c--a-w- c:\windows\system32\dllcache\8514a.dll
2010-05-25 11:55:57 48128 -c--a-w- c:\windows\system32\dllcache\61883.sys
2010-05-25 11:55:57 12288 -c--a-w- c:\windows\system32\dllcache\4mmdat.sys
2010-05-25 11:55:56 148352 -c--a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2010-05-25 11:55:55 762780 -c--a-w- c:\windows\system32\dllcache\3cwmcru.sys
2010-05-25 11:55:55 689216 -c--a-w- c:\windows\system32\dllcache\3dfxvs.dll
2010-05-25 11:55:54 53376 -c--a-w- c:\windows\system32\dllcache\1394bus.sys
2010-05-25 11:55:54 11264 -c--a-w- c:\windows\system32\dllcache\1394vdbg.sys
2010-05-25 11:55:18 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-05-25 07:47:04 120 ----a-w- c:\windows\ACTIVEJP.INI
2010-05-24 18:50:39 0 d-----w- c:\windows\system32\xlive
2010-05-18 06:33:40 0 d-----w- C:\DriveKey
2010-05-06 01:25:49 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-05-06 01:25:49 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-05-06 01:25:49 44944 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-05-06 01:25:49 133616 ------w- c:\windows\system32\pxafs.dll
2010-05-02 07:57:13 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-05-02 05:01:03 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-05-02 05:01:03 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-05-02 04:57:17 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-04-30 22:24:58 3534776 ----a-w- c:\windows\system32\GameMon.des
2010-04-30 22:24:41 0 d-----w- c:\program files\common files\INCA Shared
2010-04-30 08:09:45 0 d-----w- c:\program files\ijji
2010-04-28 23:29:18 416 ----a-w- c:\windows\system32\nvUnsupRes.dat
2010-04-27 17:01:19 0 d-----w- c:\docume~1\teresa\applic~1\IObit
2010-04-27 16:58:14 0 d-----w- c:\program files\CCleaner
2010-04-26 22:04:42 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

==================== Find3M ====================

2010-05-25 20:44:25 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-25 20:44:19 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-04-25 18:10:23 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-25 18:10:23 22328 ----a-w- c:\docume~1\teresa\applic~1\PnkBstrK.sys
2010-04-25 18:10:00 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-25 18:09:54 669184 ----a-w- c:\windows\system32\pbsvc.exe
2010-04-25 18:09:54 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-19 00:19:05 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-11 10:59:02 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-11 10:59:02 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-11 10:59:02 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-11 10:59:02 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-03 23:23:18 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 23:23:16 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 23:23:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 23:23:16 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 23:23:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 23:22:54 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-02 20:54:38 600680 -c--a-w- c:\windows\system32\NVUNINST.EXE
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2008-06-07 17:02:59 0 -c--a-w- c:\program files\temp01
2008-03-09 11:25:10 236 ---ha-w- c:\program files\common files\dx.reg
2007-07-15 22:03:31 18 -c--a-w- c:\program files\XP Repair Pro 2007ERR_Item0-7-15-2007_18-1-17_9756328.dnp
2007-07-15 22:03:31 18 -c--a-w- c:\program files\XP Repair Pro 2007ERR_Item0-7-15-2007_18-1-17_8527155.dnp
2007-07-15 22:03:31 18 -c--a-w- c:\program files\XP Repair Pro 2007ERR_Item0-7-15-2007_18-1-17_7345122.dnp
2007-07-15 22:03:31 18 -c--a-w- c:\program files\XP Repair Pro 2007ERR_Item0-7-15-2007_18-1-17_4765952.dnp
2007-07-15 22:02:10 18 -c--a-w- c:\program files\XP Repair Pro 2007ERR_Item0-7-15-2007_18-1-17_8710541.dnp
2007-07-15 22:02:10 18 -c--a-w- c:\program files\XP Repair Pro 2007ERR_Item0-7-15-2007_18-1-17_774328.dnp
2007-07-15 22:02:09 18 -c--a-w- c:\program files\XP Repair Pro 2007ERR_Item0-7-15-2007_18-1-17_7506532.dnp
2007-07-15 22:02:09 18 -c--a-w- c:\program files\XP Repair Pro 2007ERR_Item0-7-15-2007_18-1-17_4864403.dnp
2007-07-15 22:01:26 18 -c--a-w- c:\program files\XP Repair Pro 2007ERR_Item0-7-15-2007_18-1-17_5537339.dnp
2006-08-03 05:58:23 774144 -c--a-w- c:\program files\RngInterstitial.dll
2007-06-06 20:26:59 56 -csh--r- c:\windows\system32\10895E78F2.sys
2010-01-04 06:36:41 6738 -csha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 16:53:22.40 ===============




Attached Files





#2 m0le

  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 27 May 2010 - 07:08 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 halfnerdhybrid

  • Topic Starter
  • Members
  • 47 posts
  • Location: Spotsylvania, VA

Posted 27 May 2010 - 07:24 PM

I'm here. I've been checking every day since my original posting, because if my computer goes kaput, I can't really afford a new one....

#4 m0le

  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 27 May 2010 - 07:37 PM

Okay, we'll try and take it easy. You have a hijacker but for some reason you don't have the symptoms of hijacking.

Did you used to have redirection on the machine?

Please download and run Combofix so that we can see what we can remove

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 halfnerdhybrid

  • Topic Starter
  • Members
  • 47 posts
  • Location: Spotsylvania, VA

Posted 28 May 2010 - 03:04 AM

So, even though I'm not seeing symptoms, this Hijacker is doing what exactly to my computer??

Attached Files

  • Attached File  log.txt   41.54KB   2 downloads


#6 m0le

  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 28 May 2010 - 05:10 PM

QUOTE (halfnerdhybrid @ May 28 2010, 09:04 AM)
So, even though I'm not seeing symptoms, this Hijacker is doing what exactly to my computer??


It's running it down by overloading it with malware files all running at the same time as the system files. In this case, Combofix has removed these dll files and the PC's performance should be improved greatly. A slow computer is in itself the symptom that you have picked up on.


Let's reset the changes made.

Please download HostsXpert 4.3
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Then run Deldomains


Firstly download: DelDomains.inf
Locate DelDomains.inf right-click and select: Install
Note: you will not see any on-screen action ...
This will remove all entries in the Trusted, Restricted, and Enhanced Security Configuration Zones.
Note once you do this, any previous restricted zone hacks (spywareblaster, ie-spyad, etc) will need to be reapplied.


Finally run ESET's online scanner

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.



m0le is a proud member of UNITE
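The hosts-file hijack behind the HostsXpert step above is visible in the DDS log of post #1: five review-site hostnames all pinned to 208.43.47.212, so visits to those sites never reach the real servers. The following Python script is an added example (it is not part of this thread, of DDS, or of HostsXpert) that audits hosts-file text for exactly that pattern. It accepts both plain hosts-file lines and the "Hosts: ip name" lines DDS prints, and flags (a) any routable address that many hostnames fan out to and (b) every hostname pinned to a public address at all, since a home PC's hosts file normally only contains loopback and sinkhole entries. The sample hosts text is constructed for the example, modelled on the entries in the log; the threshold of three hostnames is an assumption.

```python
"""Audit a Windows hosts file for hijack-style redirect entries.

Added example, not part of the forum thread or of any tool it mentions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the five redirects from the DDS log plus normal entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
Hosts: 208.43.47.212 a1.review.zdnet.com
208.43.47.212   reviews.riverstreams.co.uk
208.43.47.212   d1.reviews.cnet.com
208.43.47.212   review.2009softwarereviews.com
208.43.47.212   reviews.download.com   # trailing comment is ignored
0.0.0.0         ads.example.test
"""

# Optional "Hosts:" prefix (DDS output), then address, then one or more names.
LINE_RE = re.compile(r"^(?:Hosts:\s*)?(\S+)\s+(.+)$")


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs; comments and blanks are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address: malformed line, ignore it
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def is_sinkhole(ip):
    """Loopback and 0.0.0.0 are the normal localhost / ad-blocking targets."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def is_routable(ip):
    """True for a public address: the kind a hijack points victims at."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_loopback or addr.is_unspecified
                or addr.is_private or addr.is_link_local)


def audit_hosts(text, fanout_threshold=3):
    """Return {"fanout": {ip: [names]}, "public": [(ip, name)]}.

    fanout: a non-sinkhole address that several hostnames resolve to.
    public: every hostname pinned to a routable address.
    """
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        by_ip[ip].append(name)
    fanout = {ip: names for ip, names in by_ip.items()
              if not is_sinkhole(ip) and len(set(names)) >= fanout_threshold}
    public = [(ip, name) for ip, names in by_ip.items()
              if is_routable(ip) for name in names]
    return {"fanout": fanout, "public": public}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for ip, names in report["fanout"].items():
        print(f"{ip} is the target of {len(names)} hostnames:")
        for name in names:
            print(f"  {name}")
    print(f"{len(report['public'])} entries point at public addresses")
```

On a real machine the text would come from %SystemRoot%\System32\drivers\etc\hosts; anything the script reports under "public" should be compared against entries the user deliberately added before the file is restored.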

#7 halfnerdhybrid

  • Topic Starter
  • Members
  • 47 posts
  • Location: Spotsylvania, VA

Posted 28 May 2010 - 06:02 PM

Okay, I can't figure out how to download DelDomain

#8 m0le

  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 28 May 2010 - 07:02 PM

Click the link. Then save the file to your desktop (File > Save Page As >)

Then right click the file (looks like two cogs) and select install.
m0le is a proud member of UNITE

#9 halfnerdhybrid

  • Topic Starter
  • Members
  • 47 posts
  • Location: Spotsylvania, VA

Posted 29 May 2010 - 03:23 AM

The log file as requested.

Attached Files



#10 m0le

  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 29 May 2010 - 06:19 AM

Someone on this system was trying to access cracks or a 'keygen'. This is a certain way to attract malware to your system. As well as being illegal, 'Cracks' and 'Keygens' are often associated or loaded with malware, and should be avoided (along with 'crack' sites).

Please post a new DDS log and let me know how the system is running now.
m0le is a proud member of UNITE

#11 halfnerdhybrid

  • Topic Starter
  • Members
  • 47 posts
  • Location: Spotsylvania, VA

Posted 29 May 2010 - 07:29 AM

And again, as requested.

Also, everything SEEMS to be okay, but I'm wondering if it's not just the age of my system causing some things to overheat now...

Attached Files

  • Attached File  DDS.txt   25.32KB   1 downloads


#12 m0le

  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 29 May 2010 - 02:24 PM

It might be but we haven't finished yet.

Run OTL again.

Under the Custom Scans/Fixes box at the bottom, paste in the following

CODE
:OTL
BHO: rsion - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
TB: Webshots Toolbar: {c17590d2-ecb4-4b15-8820-f58798dcc118} -
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
:reg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"securityproviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"


Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
m0le is a proud member of UNITE

#13 halfnerdhybrid

halfnerdhybrid
  • Topic Starter

  • Members
  • 47 posts
  • Gender:Male
  • Location:Spotsylvania, VA
  • Local time:12:20 PM

Posted 29 May 2010 - 05:55 PM

What is OTL? I don't think I've run that yet.

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:20 PM

Posted 29 May 2010 - 06:05 PM

I apologise, please follow these instructions.
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

CODE
:OTL
BHO: rsion - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
TB: Webshots Toolbar: {c17590d2-ecb4-4b15-8820-f58798dcc118} -
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
:reg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"securityproviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"


Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


m0le is a proud member of UNITE
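The `:reg` section of the fix above resets two registry values that malware commonly tampers with: the default handler for .exe files (a changed value means every program launch is routed through something else first) and the SecurityProviders list (an extra DLL there is loaded into the security subsystem at boot). The script below is an added example, not part of this thread and not OTL's own code: it parses .reg-style text (the syntax a `reg export` produces; it also accepts the unescaped form OTL uses, where the default value is written as `""`) and compares those two values against the Windows XP defaults named in the fix. The key paths and default values come from the fix script; the sample exports, including the tampered one with `example.exe` and `example.dll`, are constructed for this example.

```python
"""Baseline check for the two registry values the OTL ':reg' fix above resets.

Added example (not OTL's code). Assumes .reg-export syntax as input; the
sample exports below are constructed, not taken from the thread.
"""
import re

EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
SECPROV_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders"

# Windows XP defaults, as written in the fix script on this page.
EXPECTED_EXEFILE_DEFAULT = '"%1" %*'
EXPECTED_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
# value name is either '@' (default value) or a quoted string; data is the rest
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Resolve .reg backslash escapes (\\" and \\\\)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _unquote(s):
    """Strip one pair of surrounding quotes, then unescape the inside.
    Works for both escaped .reg data ("\\"%1\\" %*") and OTL's unescaped
    form (""%1" %*"), since only the outermost quotes are removed."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return _unescape(s)


def parse_reg(text):
    """Parse .reg-style text into {key (lowercased): {value name (lowercased): data}}.
    The default value ('@' or an empty quoted name) is stored under ''."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            name = "" if name == "@" else _unquote(name)
            result[current][name.lower()] = _unquote(data) if data.startswith('"') else data
    return result


def check_baseline(reg):
    """Return a list of findings; an empty list means both values match the defaults."""
    findings = []
    cmd = reg.get(EXEFILE_KEY.lower(), {}).get("")
    if cmd is None:
        findings.append("exefile open command: value missing")
    elif cmd.strip() != EXPECTED_EXEFILE_DEFAULT:
        findings.append(f"exefile open command hijacked: {cmd!r}")
    prov = reg.get(SECPROV_KEY.lower(), {}).get("securityproviders")
    if prov is None:
        findings.append("SecurityProviders: value missing")
    else:
        dlls = {p.strip().lower() for p in prov.split(",") if p.strip()}
        extra = dlls - EXPECTED_SECURITY_PROVIDERS
        missing = EXPECTED_SECURITY_PROVIDERS - dlls
        if extra:
            findings.append("SecurityProviders: unexpected DLL(s) " + ", ".join(sorted(extra)))
        if missing:
            findings.append("SecurityProviders: missing default DLL(s) " + ", ".join(sorted(missing)))
    return findings


# Constructed sample exports (not real data from this thread).
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
'''

TAMPERED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\placeholder\\example.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, example.dll"
'''

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_EXPORT), ("tampered", TAMPERED_EXPORT)):
        print(label, "->", check_baseline(parse_reg(text)) or "OK")
```

On a live machine the input would come from `reg export` of the two keys; comparing against a fixed baseline rather than eyeballing the values is what catches a hijack that merely prepends another program to the otherwise-correct `"%1" %*`.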

#15 halfnerdhybrid

halfnerdhybrid
  • Topic Starter

  • Members
  • 47 posts
  • Gender:Male
  • Location:Spotsylvania, VA
  • Local time:12:20 PM

Posted 29 May 2010 - 11:59 PM

I got this in a notepad document...



Error: Unable to interpret <OTL> in the current context!
Error: Unable to interpret <BHO: rsion - No File> in the current context!
Error: Unable to interpret <BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File> in the current context!
Error: Unable to interpret <TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File> in the current context!
Error: Unable to interpret <TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File> in the current context!
Error: Unable to interpret <TB: Webshots Toolbar: {c17590d2-ecb4-4b15-8820-f58798dcc118} -> in the current context!
Error: Unable to interpret <TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File> in the current context!
Error: Unable to interpret <EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File> in the current context!
Error: Unable to interpret <EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File> in the current context!
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\\"securityproviders"|"msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTL by OldTimer - Version 3.2.5.1 log created on 05302010_005740



