
XP freezes + C:\Program Files\Common\helper.sig



sg_xp
2009-10-01, 08:49
Two symptoms:

1) For about 4 months, if I watch about 8 YouTube videos, my entire computer freezes, requiring a hardware reset/power-off. In both IE and Firefox. Downloading the .flv file and watching it in VideoLAN player (VLC) is OK.

2) Since a few days ago, folder\file "C:\Program Files\Common\helper.sig" opens up on reboot. Date of folder "C:\Program Files\Common" is 5/3/2009 (May 3).

What I did before posting:

a) Downloaded and ran ERUNT to save "System Registry" in default location.

b) Downloaded and ran HijackThis.exe for "Do a system scan and save a logfile" -- log attached below.

(In case it helps, I have BitDefender.)

Please help.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:43 PM, on 9/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Softwin\BitDefender9\bdswitch.exe
C:\Program Files\Softwin\BitDefender9\bdnagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\cmd.exe
C:\opt\tweet_deck\TweetDeck\TweetDeck.exe
C:\Program Files\Juniper Networks\Network Connect 5.5.0\dsNetworkConnect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\opt\vim\vim71\gvim.exe
C:\opt\msys\1.0\bin\bash.exe
C:\opt\Mozilla Firefox\firefox.exe
C:\admin\2009_10_01\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 131.239.50.28 secure.mc.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\opt\real\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender9\bdswitch.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\opt\yahoo\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in NewsGator Inbox - C:\Program Files\NewsGator\Inbox\addref.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://source.mc.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://qp.mc.com/qp2.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://ad-test-dcma1:8080/ProjectServer/objects/pjclient.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230924868452
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230924842979
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://ad-test-dcma1:8080/ProjectServer/objects/1033/pjcintl.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://btconferencing.webex.com/client/T25L/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.mc.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5756/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.mc.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.mc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ad.mc.com,mc.com,ad.mc.com
O18 - Filter hijack: text/html - {d6da9755-9983-4e66-9866-5eaac8b88e19} - C:\WINDOWS\system32\mst123.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Remote Desk Manager (rdm) - AT&T Research Labs Cambridge - C:\WINDOWS\WinVNC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender9\vsserv.exe
O23 - Service: wampapache - Apache Software Foundation - c:\opt\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\opt\wamp\bin\mysql\mysql5.1.33\bin\mysqld.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 10866 bytes

Blade81
2009-10-05, 15:48
Hi,

Is that your personal system?

sg_xp
2009-10-05, 16:06
Combination work and personal.

Blade81
2009-10-05, 18:02
Is it used outside or inside workplace?

sg_xp
2009-10-05, 18:18
I use it from my home (work from home; don't need to watch any video for work).

Blade81
2009-10-05, 18:35
Ok. Thanks for the clarification.

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

sg_xp
2009-10-05, 19:27
dds.txt followed by attach.txt (I think I should paste attach.txt to this forum even though dds said to zip and attach.)


File: dds.txt:
-------------


DDS (Ver_09-09-29.01) - NTFSx86
Run by sgovinda at 10:18:49.41 on Mon 10/05/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1340 [GMT -7:00]

AV: BitDefender 9 Professional Plus *On-access scanning enabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender 9 Professional Plus *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Softwin\BitDefender9\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Softwin\BitDefender9\bdnagent.exe
C:\Program Files\Softwin\BitDefender9\bdswitch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\opt\msys\1.0\bin\bash.exe
C:\opt\vim\vim71\gvim.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\opt\Mozilla Firefox\firefox.exe
svchost.exe
C:\Documents and Settings\sgovinda\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\opt\real\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Yahoo! Pager] "c:\opt\yahoo\messen~1\YAHOOM~1.EXE" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [BDMCon] "c:\program files\softwin\bitdefender9\bdmcon.exe"
mRun: [BDOESRV] "c:\program files\softwin\bitdefender9\bdoesrv.exe"
mRun: [BDNewsAgent] "c:\program files\softwin\bitdefender9\bdnagent.exe"
mRun: [BDSwitchAgent] "c:\program files\softwin\bitdefender9\bdswitch.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-system: NoDispScrSavPage = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Subscribe in NewsGator Inbox - c:\program files\newsgator\inbox\addref.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxps://qp.mc.com/qp2.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} - hxxp://ad-test-dcma1:8080/ProjectServer/objects/pjclient.cab
DPF: {5334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/8/D/08D91A3B-CFF6-45DE-95DF-64415075E344/mpg4sdmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230924868452
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230924842979
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} - hxxp://ad-test-dcma1:8080/ProjectServer/objects/1033/pjcintl.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://btconferencing.webex.com/client/T25L/webex/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.mc.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5756/mcfscan.cab
Filter: text/html - {d6da9755-9983-4e66-9866-5eaac8b88e19} - c:\windows\system32\mst123.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: sockspy.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sgovinda\applic~1\mozilla\firefox\profiles\3s1hccl3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\opt\real\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\opt\itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\opt\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\opt\real\netscape6\nppl3260.dll
FF - plugin: c:\opt\real\netscape6\nprjplug.dll
FF - plugin: c:\opt\real\netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\opt\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\opt\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2006-6-12 92550]
S3 rdm;Remote Desk Manager;c:\windows\winvnc.exe -service --> c:\windows\WinVNC.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]

=============== Created Last 30 ================

2009-10-05 10:18 <DIR> --d----- c:\temp\RarSFX0
2009-10-05 06:56 <DIR> --d----- c:\temp\WPDNSE
2009-10-01 07:25 <DIR> --d----- c:\temp\plugtmp-19
2009-09-30 19:34 <DIR> --d----- c:\windows\McAfee.com
2009-09-27 21:32 266,360 a------- c:\windows\system32\TweakUI.exe
2009-09-27 21:32 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-09-27 19:08 <DIR> --d----- c:\temp\plugtmp-18
2009-09-27 14:48 <DIR> --d----- c:\temp\plugtmp-17
2009-09-26 09:35 <DIR> --d----- c:\temp\plugtmp-16
2009-09-26 09:23 <DIR> --d----- c:\temp\plugtmp-15
2009-09-18 19:47 <DIR> --d----- c:\temp\msohtmlclip1
2009-09-18 19:47 <DIR> --d----- c:\temp\msohtmlclip
2009-09-18 19:23 <DIR> --d----- c:\temp\plugtmp-14
2009-09-13 13:19 <DIR> --d----- c:\temp\plugtmp-13
2009-09-10 17:49 80,896 -c------ c:\windows\system32\dllcache\tlntsess.exe
2009-09-10 17:49 76,288 -c------ c:\windows\system32\dllcache\telnet.exe
2009-09-10 17:47 132,096 -c------ c:\windows\system32\dllcache\wkssvc.dll
2009-09-10 17:47 84,992 -c------ c:\windows\system32\dllcache\avifil32.dll
2009-09-10 17:47 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-10 17:47 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-09-10 17:47 58,880 -c------ c:\windows\system32\dllcache\atl.dll
2009-09-10 17:47 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-09-10 17:46 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-09-10 17:46 136,192 -c------ c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 17:46 92,928 -c------ c:\windows\system32\dllcache\ksecdd.sys
2009-09-10 17:46 54,272 -c------ c:\windows\system32\dllcache\wdigest.dll
2009-09-10 17:46 301,568 -c------ c:\windows\system32\dllcache\kerberos.dll
2009-09-06 21:24 <DIR> --d----- c:\temp\plugtmp-12

==================== Find3M ====================

2009-10-05 10:16 81,984 a------- c:\windows\system32\bdod.bin
2009-10-05 06:50 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-10-05 06:50 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2007-07-12 11:51 461 a------- c:\program files\INSTALL.LOG

============= FINISH: 10:20:12.45 ===============

File: attach.txt
----------------


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/16/2005 8:05:08 AM
System Uptime: 10/5/2009 6:49:30 AM (4 hours ago)

Motherboard: Dell Computer Corporation | |
Processor: Intel(R) Pentium(R) M processor 1600MHz | Microprocessor | 1594/133mhz

==== Disk Partitions =========================


==== Installed Programs ======================

"Minimal SYStem 1.0.10"
"MSYS Developer Tool Kit 1.0.1"
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.1
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVS DVDMenu Editor 1.2.1.19
AVS Video Converter 6
AVS Video Editor 3.5
AVS4YOU Software Navigator 1.2
BitDefender 9 Professional Plus
Bonjour
Broadcom Gigabit Integrated Controller
C-Major Audio
Compatibility Pack for the 2007 Office system
Conexant D480 MDC V.92 Modem
Configuration Manager Client
Critical Update for Windows Media Player 11 (KB959772)
CutePDF Writer 2.7
cwRsync (remove only)
FeedDemon
FeedStation
GNU Privacy Guard
GoToMeeting/GoToWebinar 3.0.0.198
GPL Ghostscript 8.60
GPL Ghostscript Fonts
GSview 4.8
GTK+ 2.10.13 runtime environment
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Intel(R) PROSet/Wireless Software
InterVideo WinDVD
IsoBuster 2.4
iTunes
Java(TM) 6 Update 14
Java(TM) 6 Update 3
Java(TM) 6 Update 7
Joost (tm) Beta 1.1.4
Juniper Networks Network Connect 5.5.0
Juniper Networks Network Connect 6.0.0
LEGATO EmailXtender® 4.70 Client
Logitech QuickCam
Logitech QuickCam Driver Package
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Meeting 2007
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
MinGW 5.1.3
mIWA
mLogView
mMHouse
Mozilla Firefox (3.5.3)
mPfMgr
mPfWiz
mProSafe
MSN
mSSO
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
mWlsSafe
mWMI
mXML
mZConfig
nav-u tool
NewsGator Inbox 3.0
O2Micro Smartcard Driver
OverDrive Media Console
PAL
PowerDVD 5.1
QuickTime
RDC
RealPlayer
Rhapsody Player Engine
Roxio DLA
Roxio Express Labeler
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Seesmic Desktop
Skype™ 3.8
Sonic Update Manager
SUPERAntiSpyware Free Edition
Sybase/Clarify v6.1
The GIMP 2.2.17
Tweak UI
TweetDeck
UltraVNC 1.0.6.5
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VLC media player 1.0.1
WampServer 2.0
WebEx
WebFldrs XP
WIMGAPI
Winamp
Windows Driver Package - Microsoft Corporation (usbvideo) Image (05/25/2007 1.0.3656.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows Presentation Foundation
Windows Search 4.0
Windows XP Service Pack 3
Winzip 7.0
WS_FTP LE
X-Chat 2.8.4-1
Xming 6.9.0.28
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger
YASA VOB to MP4 Converter v3.9 (build 0059)

==== End Of File ===========================

Blade81
2009-10-06, 13:08
Hi,

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

sg_xp
2009-10-06, 20:28
Notes:

1) Log is attached below.

2) Mbam said to "press restart" to remove two .dll files it found; I did so.

3) On reboot, the folder for "C:\Program Files\Common" showed up (folder was empty since mbam had removed the helper.sig file it used to contain).

4) Here are the "Last Write", "Last Access" and "Creation" dates for the three files detected by mbam:

File                                  Last Write    Last Access   Creation
C:\WINDOWS\system32\mst122.dll        01/28/2009    10/06/2009    12/03/2008
C:\WINDOWS\system32\mst123.dll        03/02/2009    10/06/2009    03/02/2009
C:\Program Files\Common\              05/03/2009    10/06/2009    12/22/2008
C:\Program Files\Common\helper.sig    12/27/2008    10/06/2009    12/22/2008





Malwarebytes' Anti-Malware 1.41
Database version: 2915
Windows 5.1.2600 Service Pack 3

10/6/2009 10:46:07 AM
mbam-log-2009-10-06 (10-46-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 345071
Time elapsed: 1 hour(s), 38 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{703d7e06-e5d7-4d81-bb4a-74dbdc8b64aa} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{db651f66-1b9f-4aa0-a6f4-e0ceb66395af} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d6da9755-9983-4e66-9866-5eaac8b88e19} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common\helper.sig (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mst122.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mst123.dll (Trojan.Agent) -> Delete on reboot.

Blade81
2009-10-07, 06:57
Hi,

Preparation:
Please download Brute Force Uninstaller (http://www.pieter-arntz.info/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click Next
In the box to choose where to extract the files to,
Click Browse
Click on the + sign next to My Computer
Click on Local Disk (C: )
Click Make New Folder
Type in BFU
Click Next, and Uncheck the Show Extracted Files box and then click Finish.

RIGHT-CLICK HERE (http://metallica.geekstogo.com/DeepDive.bfu) and choose “Save As” (in IE it’s “Save Target As”) in order to download DeepDive Remover.
Save it in the same folder you made earlier (c:\BFU).

Using the tool: Go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon and select DeepDive.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Does the folder still open up on startup?

sg_xp
2009-10-07, 08:48
Notes:

1) No folder showed up on reboot!

2) I have watched some videos and the computer has not acted like it was going to freeze.

3) When I had the symptom of watching videos resulting in the computer freezing, I did <ctrl-alt-del> and monitored the memory used by FireFox. I noticed that the amount of memory used would increase from about 125 Megs to over 400 Megs. I find that this increase in memory is still happening (FireFox version 3.5.3). So is there any other bad thing still in the computer? Since I just rebooted, memory used by FireFox went from about 117 Meg to current value of 149 Megs. It is almost midnight here; I will leave the PC on and check the memory usage in the morning.

Thanks for all your help. Despite that above "memory leak" type issue, the computer seems much better now.

Here's the log from Brute Force Uninstall:


BFU v1.12.0
Windows XP SP3 (WinNT 5.01.2600 SP3)
Script started at 11:18:09 PM, on 10/6/2009

Option Unload Explorer: Yes
Option Delete files to Recycle Bin: Yes
Success: ProcessKillByPID 3744
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Failed: DllUnregister \main.dll|1 (file not found)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO.1 (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Success: FolderDelete C:\Program Files\Common
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 11:18:39 PM.

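Two logs in this thread overlap: Malwarebytes reports what it quarantined, and the BFU script run afterwards reports "key does not exist" for several of the same GUIDs, which is the expected result of a second cleaner hitting keys the first one already removed. As an added example, not part of the original thread and not code from either tool, the script below parses both log formats, flags the Security Center DisableNotify tampering, lists the files still pending deletion on reboot, and separates keys BFU could not delete because MBAM had already removed them from keys that appear in neither log's removals. The log excerpts are constructed from the lines posted above; the record layout and function names are my own.

```python
import re

# Constructed sample: detection lines copied from the Malwarebytes log posted above.
MBAM_LOG = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{703d7e06-e5d7-4d81-bb4a-74dbdc8b64aa} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common\helper.sig (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mst122.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mst123.dll (Trojan.Agent) -> Delete on reboot.
"""

# Constructed sample: lines copied from the BFU log posted above.
BFU_LOG = r"""Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (file not found)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867} (key does not exist)
Success: FolderDelete C:\Program Files\Common
"""

GUID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
# MBAM line: "<item> (<family>) -> <action text>"
MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> (?P<rest>.+)$")
# BFU line: "<Success|Failed>: <Op> <target>[ (<reason>)]"
BFU_LINE = re.compile(r"^(?P<status>Success|Failed): (?P<op>\w+) (?P<target>.+?)(?: \((?P<reason>[^)]*)\))?$")


def parse_mbam(text):
    """Turn MBAM detection lines into records; section headers and 'no items' lines are skipped."""
    records, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]
            continue
        m = MBAM_LINE.match(line)
        if not m:
            continue
        records.append({
            "section": section,
            "item": m.group("item"),
            "family": m.group("family"),
            "rest": m.group("rest"),
            "guids": [g.lower() for g in GUID_RE.findall(m.group("item"))],
            "pending": m.group("rest").startswith("Delete on reboot"),
        })
    return records


def security_center_tampered(records):
    """Security Center *DisableNotify values set to 1 silence the AV/firewall/update warnings."""
    return [r["item"].rsplit("\\", 1)[1] for r in records
            if "\\Security Center\\" in r["item"] and "Bad: (1)" in r["rest"]]


def parse_bfu(text):
    """Each BFU script line becomes a dict with status, op, target and optional reason."""
    return [m.groupdict() for m in (BFU_LINE.match(l.strip()) for l in text.splitlines()) if m]


def correlate(mbam_records, bfu_entries):
    """Explain BFU's failed RegDeleteKey steps using what MBAM already removed."""
    mbam_guids = {g for r in mbam_records for g in r["guids"]}
    removed_by_mbam, absent_unexplained = set(), set()
    for e in bfu_entries:
        if e["status"] != "Failed" or e["op"] != "RegDeleteKey":
            continue
        for g in GUID_RE.findall(e["target"]):
            (removed_by_mbam if g.lower() in mbam_guids else absent_unexplained).add(g.lower())
    return {
        "removed_by_mbam": removed_by_mbam,
        "absent_unexplained": absent_unexplained,
        "pending_reboot": [r["item"] for r in mbam_records if r["pending"]],
    }


if __name__ == "__main__":
    recs = parse_mbam(MBAM_LOG)
    print("Security Center notifications silenced:", security_center_tampered(recs))
    print(correlate(recs, parse_bfu(BFU_LOG)))
```

The "pending_reboot" list is the one to re-check after the restart: a "Delete on reboot" entry means the DLL was still mapped when MBAM ran, so a second scan (or a directory listing of system32) should confirm it is actually gone.
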
Blade81
2009-10-07, 11:07
Hi,

Do you have any addons in Firefox installed?

sg_xp
2009-10-07, 16:03
1) After about 7.5 hours of idle time, memory used by firefox went from 149 to 154 Megs. I then browsed two pages and the memory used increased to 164 Meg.

2) Here's the list from Tools->Addons:


Plugins Tab:
------------

2.p.1) Active Touch General Plugin Container 2.6.0.13 (Version 103)
2.p.2) Adobe Acrobat 6.1.0.137 (PDF plugin)
2.p.3) Disabled: iTunes Applications Detector 1.0.0.0
2.p.4) Java Deployment Toolkit 6.0.140.8
2.p.5) Java Platform SE 6 U11 6.0.110.3
2.p.6) Java Platform SE 6 U14 6.0.110.3
2.p.7) Microsoft DRM 9.0.0.4503 (DRM Netscape Network Object)
2.p.8) Microsoft DRM 9.0.0.4503 (DRM Store Netscape Plugin)
2.p.9) Mozilla Default Plug-in 1.0.0.15
2.p.10) Disabled: QuickTime Plug-in 7.50.61.0
2.p.11) RealJukebox NS Plugin 1.0.369
2.p.12) Real Networks Rhapsody Player Engine 1.0.2.603
2.p.13) RealPlayer Version Plugin 6.0.12.69
2.p.14) RealPlayer G2 LiveConnect-Enabled Plug-In (32 bit) 6.0.12.60
2.p.15) Shockwave Flash 10.0.32.18
2.p.16) Shockwave for Director 11.0.0.458
2.p.17) Shockwave Plug-In 3.0.40723.0
2.p.18) Windows Media Player Plug-in Dynamic Link Library 3.0.2.629 (Npdsplay dll)
2.p.19) Windows Presentation Foundation 3.5.30729.1
2.p.20) Disabled: Yahoo Application State Plugin 1.0.5

Extensions Tab:
----------------

2.e.1) Firebug 1.4.2
2.e.2) Java Quick Starter 1.0
2.e.3) Microsoft .NET Framework Assistant 1.1
2.e.4) RealPlayer Browser Record Plugin 1.0
2.e.5) Web Developer 1.18

Themes Tab:
-------------

2.t.1) Default 3.5.3

Updates Tab:
-------------

2.u.1) Firebug 1.4.2 is available

(When I started filling out the form, memory usage was 164 Megs; now it is 165 Megs.)

Blade81
2009-10-07, 16:41
Hi,

That's actually pretty normal for Firefox (I have often several hundreds of megabytes in use).


Let's update some of your vulnerable software to more recent versions.

Uninstall old Adobe Reader versions and get the latest one (9.1 + updates 9.1.2 and 9.1.3) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).


Uninstall your current Adobe shockwave player and get the fresh one here (http://get.adobe.com/shockwave/) if needed.

Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 16 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows on the platform combobox and check the box that says Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

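The plugin versions listed a few posts up are easy to misjudge by eye, and also by naive string comparison, where "10.0.32.18" sorts before "9.1.3". As an added example, not from the original thread, here is an inventory check that parses the dotted version out of each plugin line and compares it numerically against a baseline. The baseline values are the ones named as current in this thread (Reader 9.1.3, Flash 10.0.32.18, and JRE 6 Update 16, which Firefox reports as 6.0.160.x), not a current advisory; the prefix matching of product names and the inventory lines, copied from the Plugins tab above, are my own construction.

```python
import re

# Constructed inventory: entries copied from the Firefox Plugins tab listed above.
INVENTORY = [
    "Adobe Acrobat 6.1.0.137 (PDF plugin)",
    "Java Deployment Toolkit 6.0.140.8",
    "Java Platform SE 6 U11 6.0.110.3",
    "Java Platform SE 6 U14 6.0.110.3",
    "Shockwave Flash 10.0.32.18",
    "Shockwave for Director 11.0.0.458",
]

# Baseline: the versions this thread names as current (assumption: thread figures, not an advisory).
# "Java" is a prefix match covering both the plugin and the Deployment Toolkit;
# JRE 6u16 shows up in Firefox as 6.0.160.x.
BASELINE = {
    "Adobe Acrobat": "9.1.3",
    "Java": "6.0.160",
    "Shockwave Flash": "10.0.32.18",
}

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """Return the first dotted version in the text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def version_lt(a, b):
    """Numeric comparison; shorter tuples are padded with zeros so 9.1.3 == 9.1.3.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def baseline_for(entry, baseline):
    """Longest baseline product name that prefixes the inventory entry, if any."""
    matches = [name for name in baseline if entry.startswith(name)]
    return max(matches, key=len) if matches else None


def audit(inventory, baseline):
    """Classify each entry as outdated, current, no-baseline or unparsed."""
    report = []
    for entry in inventory:
        name = baseline_for(entry, baseline)
        found = parse_version(entry)
        if name is None:
            status = "no-baseline"
        elif found is None:
            status = "unparsed"
        elif version_lt(found, parse_version(baseline[name])):
            status = "outdated"
        else:
            status = "current"
        report.append((entry, status))
    return report


if __name__ == "__main__":
    for entry, status in audit(INVENTORY, BASELINE):
        print(f"{status:12} {entry}")
```

Two entries with the same product prefix but different versions (the two Java Platform lines) are reported separately, which mirrors what the Plugins tab shows: an installer that adds a newer runtime does not remove the older plugin registration, so both stay exposed until the old versions are uninstalled.
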
sg_xp
2009-10-07, 19:56
Was able to do some, not all, of the tasks:

1) Used Windows Add/Remove Programs to uninstall everything related to Acrobat Reader, rebooted, verified it was not listed in FireFox plugin, and installed latest version.

2) FireFox Add-ons -> Plugins tab does not have uninstall button. It appears from this FAQ (http://kb.mozillazine.org/Firefox_:_FAQs_:_Uninstall_Extensions#Uninstalling_plugins) that FireFox does not want people uninstalling plugins! Since I could not uninstall the older version, I have not done anything about the Shockwave player yet.

3) Flash was current in FireFox but old in IE. Removing it from IE removed it for FireFox too. Had to then reinstall separately for IE and FireFox. Verified that I now have the current version in both IE and FireFox.

4) In Windows Add/Remove Programs, uninstalled everything related to java, and rebooted. Although "Java Platform SE 6 U11" and "Java Platform SE 6 U14" are both gone from the FireFox Plugins list, "Java Deployment Toolkit 6.0.140.8" is still present. So I have not yet installed the latest java runtime environment.

Blade81
2009-10-08, 06:55
Hi,

To get rid of plugins related things in Firefox the quickest way is to reinstall the browser.

sg_xp
2009-10-08, 08:01
Some progress:

1) I installed the latest Shockwave. But the plugin in FireFox did not get updated. So I un-installed Shockwave and disabled the plugin.

2) I installed jre-6u16-windows-i586; happily, the plugins in FireFox got updated too; they now are: "Java Development Toolkit 6.0.160.1" and "Java Platform SE 6 U16 6.0.160.1".

Now for hopefully the last issue, which I have noticed only once: Task Manager showed that both searchprotocolhost.exe and searchfilterhost.exe were running and consuming 100% of CPU. Is this normal or caused by some "virus"? (I do not use Windows' search indexer; I use "classical" search.)

Blade81
2009-10-08, 15:38
Hi,

That behaviour is not caused by a virus. Looks like the similar thing described in this (http://social.technet.microsoft.com/Forums/en-US/itprovistaannouncements/thread/45da8050-dadc-427c-9c42-16ba57323c2f) topic.

sg_xp
2009-10-08, 18:09
First a correction: The "Shockwave Flash" issue is actually resolved normally: Both "Shockwave for Director 11.0.0.458" and "Shockwave Plug-In 3.0.40723.0" are gone; all that remains is "Shockwave Flash 10.0.32.18" which is the latest version.

1) Should I be concerned that the "trojans"/"whatever" I had on my computer recorded my key-strokes and sent them to "their master"?

2) Could they have uploaded some files from my PC to "their master"?

3) Googling for "helper.sig", "mst122.dll" and "mst123.dll" does not have hits from security software sites (such as symantec etc.) -- so are these not wide-spread viruses? Why didn't the bit-defender catch them (it is kept updated)? Does only malwarebytes have the signature for them?

sg_xp
2009-10-08, 19:44
Sorry, I had to add (4 and 5):

4) Although the folder "C:\Program Files\Common" and the file "C:\Program Files\Common\helper.sig" entered my PC on 12/22/2008, it was only recently that the folder "C:\Program Files\Common" started showing up on reboot. Why the delay? It was seeing this folder on reboot that made me suspect a virus.

5) Before the folder started showing up, the only symptom I had was that the computer would freeze after watching about 10 streaming videos. I incorrectly attributed that to a memory leak in the browser and not to a virus. What's the connection between the "trojan"/"whatever" I had and streaming video -- what was it trying to do while the videos were being streamed?

Blade81
2009-10-08, 21:02
1) & 2) I don't think you have anything to worry about.
3) Unfortunately, I can't tell why Bitdefender didn't spot the culprit. However, as I have said to many people earlier, there's no protection software that would detect all possible threats. Some detect something that some other doesn't and vice versa.
4) Did you see those items on 12/22/2008? Bad items may fake their creation dates.
5) Without knowing the whole thing it's not possible to say if there was a connection between those two things or not.

sg_xp
2009-10-08, 21:38
I did not see them in December; I was going by the creation date reported by the "dir /o:d /t:c" command.

The PC has been working smoothly since the clean up. Thank you very much for all your help. I think this topic can be closed now.

Blade81
2009-10-09, 10:22
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.