I noticed about 2 weeks ago that sometimes clicking on a Google search result took me to the wrong page, usually trying to sell something. Tonight I saw 11 emails from postmaster@mail.hotmail.com stating:
This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
xxxxxxx@hotmail.com
because those mailboxes were unavailable. There are another 13 in my Sent folder that I guess got delivered.
This is all within a Hotmail account I've had since 1993. I was able to access it and have changed my password to a very strong one.
All my emails from that Hotmail account are transferred to my Gmail account (via POP3), and I check and send all my emails from Thunderbird.
I have followed the steps in the preparation guide. I backed up my data, XP firewall is enabled, I ran Defogger, and I've run DDS and GMER.
Oh, the DameWare software was installed by me, to connect to other PCs on my home network.
Here is DDS.TXT:
DDS (Ver_10-10-10.03) - NTFSx86
Run by Administrator at 21:27:20.92 on Tue 10/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.519 [GMT -4:00]
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\njmvsf5c.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\tcpview.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uURLSearchHooks: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\dealio toolbar\SearchSettings.dll
BHO: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\ie\4.0.2\dealioToolbarIE.dll
BHO: Diigo Toolbar Helper: {84053da7-03de-4fb6-80ae-202c04691d8a} - c:\program files\diigo\DiigoToolbar.4.0.2.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\dealio toolbar\SearchSettings.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Diigo Toolbar: {09197ffb-c236-4153-b268-31051e4f3b6c} - c:\program files\diigo\DiigoToolbar.4.0.2.dll
TB: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\ie\4.0.2\dealioToolbarIE.dll
EB: Diigo Sidebar: {69523951-583f-418c-bde7-18efc9fd54b4} - c:\program files\diigo\DiigoToolbar.4.0.2.dll
uRun: [Meebo Notifier] "c:\documents and settings\administrator\local settings\application data\meebo\meebo notifier\MeeboNotifier.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SearchSettings] c:\program files\dealio toolbar\SearchSettings.exe
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
dRunOnce: [MPlayer2_FixUp] c:\windows\inf\unregmp2.exe /Fixups
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = avnotify.exe
IE: &Links to this page - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\gbacklinks.htm
IE: &Similar pages - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\gsimilar.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Open in &new window - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\tuofinw.htm
IE: Search with &Google - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\gsearch.htm
IE: Show page from the &cache - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\gcache.htm
IE: Translate this page with Google - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\gtranslate.htm
IE: View old version at &archives.org - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\tuarch.htm
IE: Zoom &in - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\tuzoomin.htm
IE: Zoom &out - c:\documents and settings\all users\application data\tuneup software\tuneup utilities\web\tuzoomout.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {B952F2E0-5F9F-4898-89A8-4FB770625E09} - {84053DA7-03DE-4FB6-80AE-202C04691D8A} - c:\program files\diigo\DiigoToolbar.4.0.2.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: Antiwpa - antiwpa.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: Outlook10 - {4f6a227d-c9a3-4358-9734-baeeecc1f73f} - c:\program files\common files\outlook\Outlook10.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\njmvsf5c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/|http://www.google.com/ig|http://www.diigo.com/user/hoopdedoo|http://mail.live.com/default.aspx?wa=wsignin1.0
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\njmvsf5c.default\extensions\{e173b749-db5b-4fd2-ba0e-94ecea0ca55b}\components\npAFOM.dll
FF - component: c:\program files\dealio toolbar\ff\components\dealioToolbarFF.dll
FF - component: c:\program files\dealio toolbar\ssff\components\SearchSettingsFF.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: browser.xul.error_pages.enabled - false
FF - user.js: browser.urlbar.autoFill - true
FF - user.js: browser.urlbar.hideGoButton - false
FF - user.js: dom.disable_window_open_feature.minimizable - true
FF - user.js: dom.disable_window_open_feature.menubar - true
FF - user.js: dom.disable_window_open_feature.scrollbars - true
FF - user.js: browser.tabs.closeButtons - 0
FF - user.js: network.http.pipelining - false
FF - user.js: network.http.proxy.pipelining - false
FF - user.js: network.http.pipelining.ssl - false
FF - user.js: network.http.pipelining.maxrequests - 4
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-27 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-11-11 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-11 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-27 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-27 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-27 60936]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2010-2-25 1047880]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2010-2-25 10064]
S1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-17 136176]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\48f.tmp --> c:\windows\system32\48F.tmp [?]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-12-31 14424]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-11 12872]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-12-1 119296]
S4 Application Updater;Application Updater;"c:\program files\application updater\applicationupdater.exe" --> c:\program files\application updater\ApplicationUpdater.exe [?]
=============== Created Last 30 ================
2010-10-13 01:05:35 388096 ----a-r- c:\docume~1\admini~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-05 22:06:52 -------- d-----w- c:\docume~1\admini~1\applic~1\com.rstoeber.GoogleVoice.913F9D81260FD6F3F98FE8A907686CD092F1C90D.1
2010-10-05 22:06:46 -------- d-----w- c:\program files\GVoice
==================== Find3M ====================
2010-09-06 01:26:25 592 ----a-w- c:\windows\chgkey.vbs
============= FINISH: 21:28:21.25 ===============
Oh, here is the TCPView log. I don't know how to interpret it.
[System Process] 0 TCP glurgle 1116 iad04s01-in-f19.1e100.net:https https TIME_WAIT 1 27 4 159
alg.exe 2624 TCP glurgle 1028 glurgle 0 LISTENING
DWRCS.EXE 2020 TCP glurgle 6129 localhost 1025 ESTABLISHED
DWRCS.EXE 2020 TCP glurgle 6129 glurgle 0 LISTENING
DWRCST.EXE 1296 TCP glurgle 1025 localhost 6129 ESTABLISHED
firefox.exe 3012 TCP glurgle 1127 yo-in-f101.1e100.net https ESTABLISHED 1 1,181
firefox.exe 3012 TCP glurgle 1131 server-216-137-39-99.stl2.cloudfront.net:http http CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1113 server.iad.liveperson.net http ESTABLISHED
firefox.exe 3012 TCP glurgle 1122 74.125.227.5:https https CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1128 iad04s01-in-f189.1e100.net:https https CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1132 74.125.227.5:https https CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1092 iad04s01-in-f19.1e100.net https ESTABLISHED 1 1,423 2 454
firefox.exe 3012 TCP glurgle 1115 iad04s01-in-f19.1e100.net https ESTABLISHED 2 3,204 2 756
firefox.exe 3012 TCP glurgle 1117 iad04s01-in-f19.1e100.net https ESTABLISHED 1 1,676 3 2,883
firefox.exe 3012 TCP glurgle kpop iad04s01-in-f100.1e100.net http ESTABLISHED
firefox.exe 3012 TCP glurgle 1086 localhost 1085 ESTABLISHED 41 41 1 1
firefox.exe 3012 TCP glurgle 1085 localhost 1086 ESTABLISHED 41 41 1 1
firefox.exe 3012 TCP glurgle 1091 localhost 1090 ESTABLISHED 33 33
firefox.exe 3012 TCP glurgle 1090 localhost 1091 ESTABLISHED 33 33
firefox.exe 3012 TCP glurgle 1133 localhost 1130 ESTABLISHED
firefox.exe 3012 TCP glurgle 1097 iad04s01-in-f147.1e100.net:https https CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1114 iad04s01-in-f147.1e100.net:https https CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1119 iad04s01-in-f147.1e100.net:https https CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1120 iad04s01-in-f147.1e100.net:https https CLOSE_WAIT
firefox.exe 3012 TCP glurgle 1248 209.85.239.31 http ESTABLISHED 1 788 1 436
firefox.exe 3012 TCP glurgle 1246 iad04s01-in-f190.1e100.net https ESTABLISHED 2 1,001 2 675
firefox.exe 3012 TCP glurgle 1247 iad04s01-in-f100.1e100.net http ESTABLISHED 1 1,042 1 453
firefox.exe 3012 TCP glurgle 1249 yo-in-f101.1e100.net https ESTABLISHED
googletalkplugin.exe 3416 TCP glurgle 1130 localhost 1133 ESTABLISHED
googletalkplugin.exe 3416 TCP glurgle 1130 glurgle 0 LISTENING
jqs.exe 228 TCP glurgle 5152 localhost 1088 CLOSE_WAIT
jqs.exe 228 TCP glurgle 5152 glurgle 0 LISTENING
svchost.exe 1060 TCP glurgle epmap glurgle 0 LISTENING
svchost.exe 1156 UDP glurgle ntp * *
svchost.exe 1156 UDP glurgle ntp * *
System 4 TCP glurgle microsoft-ds glurgle 0 LISTENING
System 4 TCP glurgle netbios-ssn glurgle 0 LISTENING
System 4 UDP glurgle netbios-ns * * 11 550
System 4 UDP glurgle netbios-dgm * *
System 4 UDP glurgle microsoft-ds * *
thunderbird.exe 3336 TCP glurgle 4846 localhost 4847 ESTABLISHED
thunderbird.exe 3336 TCP glurgle 4847 localhost 4846 ESTABLISHED
thunderbird.exe 3336 TCP glurgle 4849 localhost 4848 ESTABLISHED
thunderbird.exe 3336 TCP glurgle 4848 localhost 4849 ESTABLISHED
EDIT: Posts merged ~BP
Edited by Budapest, 13 October 2010 - 12:17 AM.