
Need to know if I am clean for banking


  • This topic is locked
3 replies to this topic

#1 StephL67

StephL67

  • Members
  • 25 posts
  • OFFLINE
  • Gender:Female
  • Location:Georgia
  • Local time:07:32 AM

Posted 10 April 2011 - 12:23 PM

This is a follow up after cleaning a lot of spyware, adware, malware and trojans. To reference the original topic go here... http://www.bleepingcomputer.com/forums/topic387940.html/page__st__15__gopid__2201774#entry2201774

The initial cause for concern was that my Dell 1520 laptop, which connects to the same home network as this desktop, became severely infected (still working on that in another thread). I thought it would be a good idea to run thorough scans on the other computers in the network, and that brought me here again for the desktop. On every system (including my laptop) things seemed to be running fine, but when I started doing some system cleanup and deep scans, problems started happening. Guess I poked a bee's nest!

As instructed I am posting the DDS and GMER log here for analyzing to see if the system is completely clean.

A summary of the current computer status:

I connect wirelessly to a private home network using an external Netgear Wireless USB adapter that has to be allowed to run at each new boot. When working properly, if I do not allow it, I will not be able to connect. During the cleaning process I could click "don't allow" and I would still be connected; I did not know how. After the clean it seems back to normal, not connecting unless I allow the adapter. Upon waking from sleep mode I am no longer connected to the internet; I can connect by manually connecting to my network and it is fairly quick. I checked the connection settings and it is set to connect automatically. I switched it to manual and then back to auto to see if that might reset it, but that did not work.

While I was in the Network control panel I started looking at the different options and clicked on the link that said "see what is connected". An alert popped up telling me I had to turn on file and printer sharing to see others on my network. I did this with strong reservations... after the refresh this strange item was listed...

The icon was the same as our network infrastructure except it had an antenna, the name seemed random, something like E?000000 (can't remember the second letter, an S or R maybe?), and the type was printer. When I right clicked on it there were only 3 options: Configure, Create Shortcut, and Properties. Choosing Configure opened a window asking for a PIN and said to search the unit's documentation for the PIN; I could only cancel. Under the Properties option it listed the name, type and MAC address; the IP was listed as UNKNOWN. I WISH I would have written down the MAC address. I became concerned about an unauthorized connection under the guise of a printer (and not one I even have; it was listed as a Lexmark s300-s400, and I have an HP J4680). I immediately went back into sharing and turned off file sharing, and the item disappeared. I turned sharing back on and it never returned, so I missed my chance to write down the MAC address.

I am not able to uninstall some items in my add/remove programs list and it appears there are double installs of...

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)

There is an Adobe add-on listed that I have never heard of and do not recall installing... Adobe ConnectNow Add-in. Also, any of the old security software I had tried does not allow uninstall; it says the path is wrong or doesn't exist and asks if I want to remove it from the list. I clicked no because, even though the programs don't appear to be running, they WERE running in services and processes.

I JUST checked and did not recognize anything that resembled those programs, but there are 72 processes running and 16 of those are host processes. There are two csrss's running and two instances of Task Manager running; is this normal? This is an area where I know enough to get myself into a lot of trouble: I can disable stuff, but it could be the wrong stuff! I have caused Windows to get the BSOD and shut down, so I am unsure how many should be running and which ones. There are also a LOT of services running too.

An item that may be of interest to note is that on the base computer (my husband's) I have been having him regularly run updates and scans. When he ran Webroot today it found a keylogger; it was able to delete it, but it had a very high security threat level and he said he had never seen one that high before. I am also working on cleaning my laptop in another thread, and with myrti's help we think the router may be infected; I have to do a factory reset on it (which I have not had time to do). The laptop appears to be seriously infected (that original post is "Unknown Malware, serious infection"). I am so concerned that our entire home network has been compromised!

DDS Log...

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Amanda at 8:42:20.24 on Sun 04/10/2011
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1918.908 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\rundll32.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Users\Amanda\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Amanda\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
uSearch Bar = hxxp://www.google.com
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
mSearch Bar = hxxp://www.google.com
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {9A545E06-A042-424C-A524-BD5930705FF4} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\amanda\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [<NO NAME>]
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [DPService] "c:\program files\hp\dvdplay\DPService.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
StartupFolder: c:\users\amanda\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\common files\logishrd\ereg\setpoint\eReg.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\common files\VistaRunApp.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: adobe.com\get
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\amanda\appdata\roaming\mozilla\firefox\profiles\t35pmf4n.default\
FF - prefs.js: browser.search.selectedEngine - My Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZLxdm00268US&ptb=EagYqBREPVz2R_6HSGn1hA&ind=2011021916&ptnrS=ZLxdm00268US&si=&n=77ddc25c&psa=&st=kwd&searchfor=
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\programdata\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\programdata\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\progra~1\sonyon~1\npsoe.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HotbarSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\0\NP_wtapp.dll
FF - plugin: c:\users\amanda\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2009-1-3 21728]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-3 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-3 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-3 61960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-1-14 196912]
R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2008-8-27 207360]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v2.sys [2007-12-26 288768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-21 136176]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2008-5-22 20640]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
.
=============== Created Last 30 ================
.
2011-04-09 00:14:15 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{c5a6ad4d-6f1b-4b06-a1ce-a5a0fd5c75b8}\mpengine.dll
2011-04-07 23:46:53 53248 ----a-r- c:\users\amanda\appdata\roaming\microsoft\installer\{3ee9bcae-e9a9-45e5-9b1c-83a4d357e05c}\ARPPRODUCTICON.exe
2011-04-07 23:46:42 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-04-07 23:44:24 -------- d-----w- c:\users\amanda\appdata\roaming\Logishrd
2011-04-07 02:09:09 -------- d-----w- c:\users\amanda\appdata\roaming\PrimoPDF
2011-04-07 01:43:47 26416 ----a-w- c:\windows\system32\nitrolocalmon.dll
2011-04-07 01:43:47 17712 ----a-w- c:\windows\system32\nitrolocalui.dll
2011-04-07 01:43:36 -------- d-----w- c:\program files\common files\Nitro PDF
2011-04-07 01:43:04 180624 ----a-w- c:\windows\system32\Primomonnt.dll
2011-04-07 01:43:04 -------- d-----w- c:\users\amanda\appdata\roaming\OpenCandy
2011-04-07 01:43:04 -------- d-----w- c:\users\amanda\appdata\local\OpenCandy
2011-04-07 01:43:01 -------- d-----w- c:\program files\Nitro PDF
2011-04-05 23:13:00 307200 ----a-w- c:\program files\internet explorer\iediagcmd.exe
2011-04-05 23:13:00 161792 ----a-w- c:\windows\system32\msls31.dll
2011-04-05 23:13:00 141104 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-04-05 23:13:00 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-04-05 23:13:00 107008 ----a-w- c:\program files\internet explorer\iecleanup.exe
2011-04-03 20:02:04 -------- d-----w- c:\users\amanda\appdata\roaming\Avira
2011-04-03 19:55:30 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-03 19:55:30 -------- d-----w- c:\program files\Avira
2011-04-03 19:55:30 -------- d-----w- c:\progra~2\Avira
2011-03-31 21:57:14 -------- d-----w- c:\program files\AVAST Software
2011-03-31 21:57:14 -------- d-----w- c:\progra~2\AVAST Software
2011-03-31 09:08:24 -------- d-----w- c:\program files\ESET
2011-03-30 08:03:55 -------- d-----w- c:\users\amanda\appdata\roaming\SUPERAntiSpyware.com
2011-03-30 08:03:55 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-03-30 08:03:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-30 07:35:38 -------- d-----w- c:\windows\pss
2011-03-30 00:26:34 -------- d-----w- c:\users\amanda\appdata\roaming\Malwarebytes
2011-03-30 00:26:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-30 00:26:30 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-30 00:26:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-30 00:26:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-29 20:11:13 -------- d-----w- c:\windows\Hewlett-Packard
2011-03-26 21:01:06 -------- d-----w- c:\program files\Microsoft Streets & Trips 2009
2011-03-26 20:57:31 -------- d-----w- c:\program files\MSECache
2011-03-23 01:30:45 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-23 01:30:45 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 01:30:45 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-13 20:04:49 -------- d-----w- c:\program files\LSoft Technologies
2011-03-13 17:58:37 -------- d-----w- c:\progra~2\LightScribe
.
==================== Find3M ====================
.
2011-02-03 02:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2007-01-06 15:09:26 208896 ----a-w- c:\program files\common files\VistaRunApp.exe
.
============= FINISH: 8:43:13.39 ===============



Edited by StephL67, 10 April 2011 - 12:24 PM.
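The DDS log above is the kind of output a malware-response volunteer reads by hand. As an added example (my code, not part of this thread or of the DDS tool), here is a small Python triage script that parses a few of the log's line formats and flags the entries worth a second look: a process running outside the Windows or Program Files trees, toolbar/BHO registrations whose file is gone ("No File"), an older Java installer still registered as an ActiveX DPF alongside the newer one, and a Firefox address-bar search URL (keyword.URL) whose host differs from the homepage. The sample lines are copied from the log above (the long keyword.URL is shortened); the flag names, the list of expected directories and the heuristics are my own choices and are a starting point for review, not a verdict (the flagged dds.scr is the scanner itself, which is expected).

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the DDS log posted above,
# in the line formats DDS produces for each section.
SAMPLE_LOG = """\
============== Running Processes ===============
C:\\Windows\\system32\\svchost.exe -k netsvcs
C:\\Program Files\\Avira\\AntiVir Desktop\\avguard.exe
C:\\Users\\Amanda\\Desktop\\dds.scr
============== Pseudo HJT Report ===============
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\\program files\\google\\google toolbar\\GoogleToolbar_32.dll
TB: {9A545E06-A042-424C-A524-BD5930705FF4} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
================= FIREFOX ===================
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZLxdm00268US
"""

# Directory roots a stock Windows or vendor process is expected to run from
# (my own list; extend it for the machine under review).
EXPECTED_PROCESS_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\programdata\\")

PROCESS_RE = re.compile(r"^([a-z]:\\.*?\.(?:exe|scr|com))(?:\s|$)", re.I)
NO_FILE_RE = re.compile(r"^(TB|BHO|EB):.*\{([0-9a-f-]{36})\}\s+-\s+No File$", re.I)
JAVA_DPF_RE = re.compile(r"^DPF:.*jinstall-(\d+)_(\d+)_(\d+)_(\d+)-", re.I)
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (\S+)$")


def host_of(defanged_url):
    """DDS writes URLs as hxxp:// so they are not clickable; undo that to parse the host."""
    return urlparse(defanged_url.replace("hxxp", "http", 1)).hostname or ""


def triage(log_text):
    """Return (flag, detail) pairs for log entries that deserve a second look."""
    findings = []
    java_versions = {}   # version tuple -> raw DPF line
    homepage_host = None
    search_hosts = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROCESS_RE.match(line)
        if m:
            path = m.group(1)
            if not path.lower().startswith(EXPECTED_PROCESS_ROOTS):
                findings.append(("process-outside-system-dirs", path))
            continue
        m = NO_FILE_RE.match(line)
        if m:
            # Registration whose DLL is gone: a leftover of a removed add-on.
            findings.append(("orphaned-entry", f"{m.group(1).upper()} {{{m.group(2)}}}"))
            continue
        m = JAVA_DPF_RE.match(line)
        if m:
            java_versions[tuple(int(x) for x in m.groups())] = line
            continue
        m = FF_PREF_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "browser.startup.homepage":
                homepage_host = host_of(value)
            elif key == "keyword.URL":
                search_hosts.append(host_of(value))
    # Older Java deployment-toolkit installers still registered beside the newest one.
    if len(java_versions) > 1:
        newest = max(java_versions)
        for ver in sorted(java_versions):
            if ver != newest:
                findings.append(("stale-java-dpf", "%d.%d.%d_%02d" % ver))
    # Address-bar search sent to a host other than the homepage's: worth asking about.
    for host in search_hosts:
        if homepage_host and host != homepage_host:
            findings.append(("search-provider-mismatch",
                             f"homepage {homepage_host}, keyword.URL {host}"))
    return findings


if __name__ == "__main__":
    for flag, detail in triage(SAMPLE_LOG):
        print(f"{flag:30} {detail}")
```

Run it as a script to see the four kinds of finding for the sample; to use it on a full DDS log, pass the file's text to `triage()` and read the list with the same caution a volunteer would apply: an entry is a question to answer, not proof of infection.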



#2 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:08:32 AM

Posted 18 April 2011 - 07:17 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.

Best Regards,
oneof4.


#3 StephL67

StephL67
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Gender:Female
  • Location:Georgia
  • Local time:07:32 AM

Posted 25 April 2011 - 07:35 PM

Hello! So sorry for the delay in responding, but I have been unable to sign onto BC because of the infection. I learned through the thread regarding my laptop that it was actually my ROUTER that was infected, and even though I had wiped my hd twice, the moment I connected to the network I was just re-infected again! The infection seemed to spread through the network, albeit at a slow pace. It hit my Dell laptop first (what brought me here to begin with), then it hit this one (the HP desktop). It prevented any kind of Java or enhanced content from even running (not sure what BC uses, but I could not even sign on here! I would attempt to, but then I just kept getting this weird error message, not that my user or pass was incorrect but some kind of strange technical error; sorry, that was DAYS ago and way too much has happened for me to recall). The problems spread to the base desktop, also an HP. When I reset the router (as instructed by myrti) I could not get it to reconnect; it just kept flashing all the lights rapidly. I was able to get my son to get it fixed, and I have had to delete the Dell laptop hd and re-install Windows 7. The base computer worked fine as soon as we disconnected it from the router, and this computer, an HP desktop, had to be reset to factory install. I have spent the past 3 days d/ling and installing Windows updates (at least 120 updates), but it seems to be updated now. I also installed Microsoft Security Essentials (the I.T. guy from my job suggested it). I liked the fact that it was right there at Microsoft with the optional updates; I felt more secure not having to surf the web or do a search for a 3rd party virus program.

To sum up a long story, I am finally back up and seem to be running normally. I have been able to install all updates and security software and update the databases for it. One thing I want to mention for those who might read this and not know, like I didn't, is that a router can get infected, and one of the security settings (which I feel should be default) is to turn OFF SSID broadcasting. This way you have to KNOW your SSID, and although you have to set up your connection manually, it is soooo much more secure!

Please let me know if I should still run any diagnostics for you.

Thanks soooo much and thanks sooo much to bleeping computer and all those that have helped me through this very trying time!

#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:32 AM

Posted 25 April 2011 - 09:41 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/



