
Sluggish Desk Top (virus or old age?)


  • This topic is locked
8 replies to this topic

#1 Cypiot

Cypiot

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:51 AM

Posted 16 December 2010 - 11:03 AM

She's been through a few viral wars over the years, not sure if there's residual malware or just the strain of running newer RAM-hogging apps. Added 1 gig of RAM the other day but still takes her sweet time.

Gringo, are you out there?!?!

DDS and GMER Logs included below and attached as requested:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Andrew Cypiot at 22:37:20.12 on Wed 12/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1515 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\F7D4101\V1\PBN.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Andrew Cypiot\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AutorunsDisabled - No File
BHO: Google Web Accelerator Helper - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Web Accelerator: {db87bfa2-a2e3-451e-8e5a-c89982d87cbf} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
TB: {A01EB923-56D9-4E6C-9E60-88CDB8A0CC2F} - No File
TB: {D593DE91-7B41-45C2-830E-E9A99AB142AA} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sonic RecordNow!]
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\playwi~1.lnk - c:\program files\belkin\f7d4101\v1\PBN.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Edit with Altova X&MLSpy - c:\program files\altova\xmlspy2006\spy.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {2222EF56-F49E-4d07-A14E-8D2B08766958} - c:\program files\altova\xmlspy2006\spy.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - c:\program files\123 pdf creator\IEAddon.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
TCP: {1B88640C-FAA7-4793-9EEE-C62D5A2700F1} = 192.168.2.1
Notify: igfxcui - igfxsrvc.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew~1\applic~1\mozilla\firefox\profiles\b4dr25a1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - mail.google.com
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\documents and settings\andrew cypiot\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\google\google gears\Firefox
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R1 setup_9.0.0.722_01.12.2010_02-17drv;setup_9.0.0.722_01.12.2010_02-17drv;c:\windows\system32\drivers\9869169.sys [2010-11-30 315408]
R3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2009-11-6 642432]
R4 98691691;98691691;c:\windows\system32\drivers\98691691.sys [2010-11-30 128016]
R4 98691692;98691692 Boot Guard Driver;c:\windows\system32\drivers\98691692.sys [2010-11-30 37392]
S2 WLANBelkinService;Belkin WLAN service;c:\program files\belkin\f7d4101\v1\wlansrv.exe [2009-12-28 36864]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2010-12-8 23456]
S3 MA311;NETGEAR Wireless LAN Driver;c:\windows\system32\drivers\ma311n51.sys [2004-3-3 54784]
S3 uti0odaz;AVZ Kernel Driver;c:\windows\system32\drivers\uti0odaz.sys [2010-11-30 7168]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-13 135664]

=============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-12-08 23:53:24 24064 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2010-12-08 23:15:42 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2010-12-08 23:15:42 -------- d-----w- c:\docume~1\andrew~1\locals~1\applic~1\eSupport.com
2010-12-01 08:23:54 -------- d-sha-r- C:\cmdcons
2010-12-01 08:18:11 98816 ----a-w- c:\windows\sed.exe
2010-12-01 08:18:11 89088 ----a-w- c:\windows\MBR.exe
2010-12-01 08:18:11 256512 ----a-w- c:\windows\PEV.exe
2010-12-01 08:18:11 161792 ----a-w- c:\windows\SWREG.exe
2010-12-01 08:16:54 -------- d-----w- C:\ComboFix
2010-12-01 07:24:16 7168 ----a-w- c:\windows\system32\drivers\uti0odaz.sys
2010-12-01 00:28:17 37392 ----a-w- c:\windows\system32\drivers\98691692.sys
2010-12-01 00:28:17 128016 ----a-w- c:\windows\system32\drivers\98691691.sys
2010-12-01 00:28:16 315408 ----a-w- c:\windows\system32\drivers\9869169.sys
2010-12-01 00:06:47 -------- d-----w- c:\docume~1\andrew~1\applic~1\RegGenie
2010-12-01 00:02:29 161816 ----a-w- c:\windows\RegGenieOnUninstall.exe
2010-11-29 18:33:35 -------- d-----w- c:\docume~1\andrew~1\applic~1\DriverCure
2010-11-29 18:33:34 -------- d-----w- c:\docume~1\andrew~1\applic~1\ParetoLogic
2010-11-29 18:33:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-11-29 18:16:09 -------- d-----w- c:\program files\Trend Micro
2010-11-29 17:56:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-11-29 17:56:03 -------- d-----w- c:\program files\Security Task Manager
2010-11-29 17:30:21 -------- d-----w- c:\docume~1\andrew~1\applic~1\Uniblue
2010-11-29 17:29:58 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{6DAA3B20-D487-4FA2-81D5-50404CCB868D}
2010-11-29 17:29:47 -------- d-----w- c:\program files\Uniblue
2010-11-29 17:29:06 -------- d-----w- c:\docume~1\andrew~1\locals~1\applic~1\PackageAware

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-09-18 19:23:26 974848 -c--a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 -c--a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 -c--a-w- c:\windows\system32\mfc40u.dll

============= FINISH: 22:40:10.18 ===============

Attached Files

#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:51 PM

Posted 17 December 2010 - 03:27 PM

Good evening. :)

Are you sitting comfortably? Yes? Then I'll begin:

Your PC may be infected, or not, but the advice I offer is the same regardless of this fact for the following reasons:

1) Your machine shows no installed anti-virus program that I can see. Although an AV doesn't guarantee an infection-free surfing experience, its absence is enough to condemn an operating system installation for me.
The potential infections that could have set up shop, replacing and/or infecting system files and altering system settings making re-infection more likely aren't to be taken lightly, and the easiest way to ensure a clean PC is a fresh Windows install or a run of Dell System Restore - if it's installed on your machine.

2) "Install Date: 3/3/2004 6:58:52 PM". Given the amount of time that Windows has been up and running, it's high time it had a fresh install. I wipe my machine every twelve months or so to remove the detritus from general usage and am always pleasantly surprised by its sprightliness. No matter how carefully you run your PC it just can't help slowing down with the installations/uninstallations and Windows updates that are part of normal PC life. After nearly six years I imagine that you will be equally pleased with a fresh look at Windows.

Playing hunt the infection isn't a wise use of time, in my opinion, as the machine would definitely benefit from a fresh Windows installation anyway, and the time that this would take is probably a lot less than would be spent trying to find something that may not even be there.

If you have any questions, please ask and I'll answer as best I can.

So long, and thanks for all the fish.


#3 Cypiot

Cypiot
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:51 AM

Posted 17 December 2010 - 04:22 PM

Hi Noviciate --

Thanks for the speedy response!

Speak, and I will obey. Only I'm hesitant to do a fresh install without your guidance. A quick Google search lands me at a site like this: Code Project. Do you have a recommended set of instructions for me? Also, there's the pesky problem that I can't find (assuming I ever had) XP backup CDs for my (perfectly legal) system.

Breath baited,
Andrew

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:51 PM

Posted 17 December 2010 - 05:33 PM

What model of Dell is the beastie? - I'm assuming it is a Dell.

So long, and thanks for all the fish.


#5 Cypiot

Cypiot
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:51 AM

Posted 17 December 2010 - 05:48 PM

Dell Dimension 2400

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:51 PM

Posted 17 December 2010 - 06:10 PM

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.


#7 Cypiot

Cypiot
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:51 AM

Posted 17 December 2010 - 06:14 PM

As requested:

Partition ID: Disk #0, Partition #0
Size: 31.35 MB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #1
Size: 38.25 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: Dell Computer Corporation
Name: Phoenix ROM BIOS PLUS Version 1.10 A05
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:51 PM

Posted 17 December 2010 - 07:23 PM

Not all models of that computer have Dell System restore, but I think yours does. Here's a handy link explaining the process: http://www.ehow.com/how_2184092_perform-dell-system-restore.html

Basically you back up all important data FIRST as this process will effectively wipe the hard drive clean and bye-bye data.
Then you download some security programs for the PC BEFORE you proceed. You will need to install these BEFORE you reconnect to the internet after the Factory Restore.

One anti-virus - the following are all free:

AVG Free Edition: Available here.
avast! 4 Home Edition: Available here
AntiVir Personal Edition Classic : Available here
Microsoft Security Essentials: Available here

One firewall - likewise the following are free:

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

There are other examples of either, but these are the main options and I've used them at one time or another. If you prefer paid-for, feel free, or if you have a different free option - it's your PC after all.

Once you've got the back-ups made and have the two installation files safe, on disc or USB flash drive, you get to proceed with the instructions to reset the operating system back to how it was when the PC left the factory.

Install the AV and firewall, connect to the internet and ensure the AV is updated and then visit Windows Updates and put the kettle on - it may take a while!

Finally reinstall any programs you want and Bob's your Auntie's husband, or so they say.

So long, and thanks for all the fish.


#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:51 PM

Posted 23 December 2010 - 03:57 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
