pc crippled, many problems

[ashleigh]

i am having alot of problems with my computer, it is very slow my friend told me about this forum and how it helped him so i tried to download hijackthis to post a logfile for u but i got this error hijackthisinstaller[1].exe is not a valid win32 application but i have windows xp?

[km2357]

Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


Sorry for the delay in replying, the forum is very busy. If you still need help, please do the following:


Step # 1 Download and run DDS

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop. Post them back to your topic.

Step # 2: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click No.
  
• Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
  
• GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

• Click the Scan button and let the program do its work. GMER will produce a log.
• Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.

[ashleigh]

DDS (Ver_09-10-26.01) - NTFSx86
Run by Ashliegh at 16:38:40.28 on Wed 11/11/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.512 [GMT 11:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
F:\iTunesHelper.exe
H:\Tam\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ashliegh\Local Settings\Temporary Internet Files\Content.IE5\0UI3VOKV\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dogpile.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: 1 (0x1): {02478d38-c3f9-4efb-9b51-7695eca05670} - Yahoo! Toolbar Helper
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: {73cdc4da-54d0-424a-b30c-25d7ef9d69c7} - c:\windows\system32\rayohupo.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: TSToolbarBHO: {c1656cca-d2ea-4a32-94ae-ae0b180e6449} - c:\program files\trend micro\trendsecure\transactionprotector\TSToolbar.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Transaction Protector: {e7620c98-fccc-40e5-92ec-c7685d2e1e40} - c:\program files\trend micro\trendsecure\transactionprotector\TSToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "F:\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PCSuiteTrayApplication] h:\tam\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [10e74d5b] rundll32.exe "c:\windows\system32\rabivufu.dll",b
mRun: [CPM13d47ec7] Rundll32.exe "c:\windows\system32\pumulede.dll",a
mRun: [zasunagoju] Rundll32.exe "c:\windows\system32\sabiyubi.dll",s
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [Nokia.PCSync] h:\tam\nokia pc suite 6\PcSync2.exe /NoDialog
dRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
StartupFolder: c:\docume~1\ashliegh\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
IE: &Search - http://kc.bar.need2find.com/KC/menusearch.html?p=KC
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Little%20Shop%20of%20Treasures%202/Images/stg_drm.ocx
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209628578062
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Little%20Shop%20of%20Treasures%202/Images/armhelper.ocx
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab31267.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\pumulede.dll,c:\windows\system32\pumotozi.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pumulede.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\pumulede.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\pumotozi.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-2 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-2 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-2 297752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-7-24 55152]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-2-10 52240]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-9-18 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-9-18 333328]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-4 14336]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys --> c:\windows\system32\drivers\toywdm.sys [?]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2008-2-10 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-2-10 648456]

=============== Created Last 30 ================



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 14/12/2006 9:38:06 AM
System Uptime: 11/11/2009 4:29:24 PM (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | NF-CK804
Processor: AMD Athlon(tm) 64 Processor 3800+ | Socket 754 | 2412/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 20 GiB total, 0.005 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 63 GiB total, 40.822 GiB free.
H: is FIXED (NTFS) - 61 GiB total, 42.277 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

3DMark05
Adobe Acrobat 5.0
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Photoshop 7.0
Adobe Reader 8.1.2
Apple Mobile Device Support
Apple Software Update
ArcSoft Software Suite
AVG 8.5
Battlefield 1942
Battlefield 2(TM)
Battlefield 2142
Big Fish Games Client
Bonjour
Call of Duty - United Offensive
Canon MP Drivers 6.0
Canon MP Navigator 1.0
Canon ScanGear Starter
Choice Guard
Compatibility Pack for the 2007 Office system
Create Your Own
DesertCombat Public Alpha 0.35
Doom 3
DOOM 3: Resurrection of Evil
DV Studio3
EA SPORTS online 2004
Easy-WebPrint
EasyCleaner
GameSpy Comrade
Google Toolbar for Internet Explorer
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
IL-2 Sturmovik 1946
IL-2 Sturmovik: Forgotten Battles
IL-2 Sturmovik: Forgotten Battles AEP
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 13
Junk Mail filter update
Little Shop of Treasures 2
Logitech Gaming Software
Logitech iTouch Software
Logitech MouseWare 9.75
MadOnion.com/3DMark2001 SE
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.3
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
MYOB Accounting v13
Nero Suite
Nokia Connectivity Cable Driver
Nokia PC Suite
NVIDIA Drivers
OmniPage SE 2.0
PartitionMagic
PC Connectivity Solution
PIAPer
PowerQuest PartitionMagic 8.0
Presto! PageManager 6.01
Quicken 2006
QuickTime
RALPH - May, Stacey Screen Saver
Realtek AC'97 Audio
RegScrubXP 3.25
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Segoe UI
SHARP GSM GPRS USB Driver Ver2.1.0
Sierra Utilities
SpywareBlaster 4.1
Trend Micro Internet Security Pro
Trend Micro Remote File Lock
ubi.com
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WebCam Driver for Panasonic DVC
WebFldrs XP
Windows Defender
Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

9/11/2009 6:00:00 PM, error: Schedule [7901] - The At43.job command failed to start due to the following error: %%2147942402
9/11/2009 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
9/11/2009 2:45:01 PM, error: WinDefend [1005] - Windows Defender scan has encountered an error and terminated. Scan ID: {D449AE2A-7A28-497D-8479-BC1989DCEA53} Scan Type: AntiSpyware Scan Parameters: Quick Scan User: NT AUTHORITY\NETWORK SERVICE Error Code: 0x8050800c Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
8/11/2009 8:00:00 PM, error: Schedule [7901] - The At45.job command failed to start due to the following error: %%2147942402
8/11/2009 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
8/11/2009 4:00:00 PM, error: Schedule [7901] - The At41.job command failed to start due to the following error: %%2147942402
8/11/2009 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
8/11/2009 11:00:00 AM, error: Schedule [7901] - The At36.job command failed to start due to the following error: %%2147942402
8/11/2009 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
7/11/2009 7:00:00 PM, error: Schedule [7901] - The At44.job command failed to start due to the following error: %%2147942402
7/11/2009 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
7/11/2009 6:49:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ASPI32 Beep
7/11/2009 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
7/11/2009 3:00:00 AM, error: Schedule [7901] - The At28.job command failed to start due to the following error: %%2147942402
7/11/2009 2:00:00 PM, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402
7/11/2009 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
7/11/2009 2:00:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
7/11/2009 2:00:00 AM, error: Schedule [7901] - The At27.job command failed to start due to the following error: %%2147942402
7/11/2009 12:50:24 PM, error: SAM [12288] - SAM failed to write changes to the database. This is most likely due to a memory or disk-space shortage. The SAM database will be restored to an earlier state. Recent changes will be lost. Check the disk-space available and maximum pagefile size setting.
7/11/2009 12:21:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
7/11/2009 12:12:00 AM, error: Schedule [7901] - The At25.job command failed to start due to the following error: %%2147942402
7/11/2009 1:47:00 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
7/11/2009 1:00:00 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402
7/11/2009 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
7/11/2009 1:00:00 AM, error: Schedule [7901] - The At26.job command failed to start due to the following error: %%2147942402
7/11/2009 1:00:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
6/11/2009 9:00:00 AM, error: Schedule [7901] - The At34.job command failed to start due to the following error: %%2147942402
6/11/2009 9:00:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
6/11/2009 12:00:00 PM, error: Schedule [7901] - The At37.job command failed to start due to the following error: %%2147942402
6/11/2009 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
6/11/2009 11:00:00 PM, error: Schedule [7901] - The At48.job command failed to start due to the following error: %%2147942402
6/11/2009 11:00:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
6/11/2009 10:00:00 AM, error: Schedule [7901] - The At35.job command failed to start due to the following error: %%2147942402
6/11/2009 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
5/11/2009 3:00:00 PM, error: Schedule [7901] - The At40.job command failed to start due to the following error: %%2147942402
5/11/2009 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
4/11/2009 10:00:00 PM, error: Schedule [7901] - The At47.job command failed to start due to the following error: %%2147942402
4/11/2009 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
10/11/2009 9:00:00 PM, error: Schedule [7901] - The At46.job command failed to start due to the following error: %%2147942402
10/11/2009 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
10/11/2009 5:00:00 PM, error: Schedule [7901] - The At42.job command failed to start due to the following error: %%2147942402
10/11/2009 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
10/11/2009 12:41:20 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
10/11/2009 1:22:06 PM, error: WinDefend [1005] - Windows Defender scan has encountered an error and terminated. Scan ID: {301064AA-6BA9-4B58-80A4-9781466A1EEA} Scan Type: AntiSpyware Scan Parameters: Quick Scan User: NT AUTHORITY\NETWORK SERVICE Error Code: 0x8050800c Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
10/11/2009 1:15:25 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================



I tried to download gmer.zip but when i did, a folder came up saying i needed to register some winrar zip thing...

[ashleigh]

GMER 1.0.15.15220 - http://www.gmer.net
Rootkit scan 2009-11-13 00:38:51
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Ashliegh\LOCALS~1\Temp\fxldipoc.sys


---- System - GMER 1.0.15 ----

SSDT 860FEBE0 ZwCreateKey
SSDT 860FE0E0 ZwCreateProcess
SSDT 860FE3A0 ZwCreateProcessEx
SSDT 860FF8A0 ZwCreateSection
SSDT 860FFF20 ZwCreateThread
SSDT 860FF160 ZwDeleteKey
SSDT 860FF420 ZwDeleteValueKey
SSDT 861000C0 ZwLoadDriver
SSDT 860FFBE0 ZwMapViewOfSection
SSDT 860FE660 ZwOpenProcess
SSDT 860FFA40 ZwOpenSection
SSDT 860FEEA0 ZwSetValueKey
SSDT 860FE920 ZwTerminateProcess
SSDT 860FFD80 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2768 80501FA0 4 Bytes JMP 0F00A5B4

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{BB791C78-91E0-DB32-3A99-5EA102B313A3}\AutoConvertTo@ {00020803-0000-0000-C000-000000000046}

---- EOF - GMER 1.0.15 ----

[km2357]

I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
The infection is delivered by Infostealer.Banker.C

It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:

• The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:

• Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
• Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
• If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
  Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
• From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
• DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
• Take any other steps you think appropriate for an attempted identity theft.

While you are deciding whether to Reformat and Reinstall, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.

[ashleigh]

crap....is there a way you can tell how long the virus has been on my computer? because we havent done any online banking or anything since last year but my dad copied and pasted the bank details from a document onto the site could they still trace those details too?

[ashleigh]

i've decided to reformat but i do not know how to do this, could u please tell me how

[km2357]

crap....is there a way you can tell how long the virus has been on my computer? because we havent done any online banking or anything since last year but my dad copied and pasted the bank details from a document onto the site could they still trace those details too?

I can't tell for certain how long you had the infostealer virus. Looking through your logs I notice malware dating back to April of this year. So, you've had this (and other malware) for at least 7 months or so. Do you first remember when your computer first became really slow? Was it before April?

Some of the things that this virus can do is:

Steal information from Windows clipboard
Capture screenshots

When you copy something (in order to paste it later on) it goes into the Windows Clipboard. So if your dad copied and pasted the bank details within the last 7 months or so, then I wouldn't take any chances on it and I would have him contact his bank and let them know his computer was infected and that his account may have been compromised. And to be on the safe side, I would have him contact any credit card companies and let them know as well.

i've decided to reformat but i do not know how to do this, could u please tell me how

Go ahead and follow the instructions in the link below:

http://www.spyware-free.us/tutorials/reformat/

Either print the info out or have another computer nearby that shows the info on its screen so you can refer to it while your reformat the infected computer.

Let me know when you've reformatted the computer so I can give you some tips on staying clean in the future.

And if you have any more questions, let me know as well.

[km2357]

ashleigh? How are things coming along?

[km2357]

This topic has been archived due to inactivity.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Applies only to the original poster, anyone else with similar problems please start a new topic.