PLEASE HELP! MALWARE has taken over my laptop!

Hi! Sorry if I'm dumping a lot of stuff on you... But I'm sure you have the skills to help me. Thank you so much for your kindness.

It came to me that I ought to check my dad's account on the computer since it was his Windows account that got infected. I noticed that his icons on the desktop are blurry. I took a screenshot to show you. I tried to compress it but that option was not available. Also I tried erasing Firefox shortcuts on the desktop but it said "cannot delete file: cannot read from the source file or disk". I am however able to use Firefox with no problem.

I have attached the aforementioned screenshot. For comparison I put a "new folder" on the left side under the recycle bin. See how it's clearer than the other icons? Weird right?

Ok. It won't attach just yet. I'll try to figure out why then see if I can attach it. Sorry. :banghead:
 
Hi,

On the Shortcut tab of the Notepad Properties window, set the Target text box contents to C:\WINDOWS\notepad.exe and then click OK to close the window.


Download this tool to your desktop. Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

Post back fresh dds logs.
 
Hello! It seems to have worked! The icons are no longer blurry! :) I have noticed though, that there is still a shortcut on the desktop for "Windows Recovery". Can I delete it already? Or later? I don't want to take any steps you don't recommend! :D:

Here is the new DDS:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Mama at 17:26:42.07 on Sat 04/30/2011
Internet Explorer: 6.0.2900.2180
.
============== Running Processes ===============
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mama\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Settings,ProxyServer = 10.34.50.6:8080
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SQYJBiKnjSxs] c:\documents and settings\all users\application data\SQYJBiKnjSxs.exe
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] $$
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
Notify: igfxcui - igfxsrvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\mama\applic~1\mozilla\firefox\profiles\tbl1cs9g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.ftp - 10.34.50.6
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 10.34.50.6
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.34.50.6
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.34.50.6
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.34.50.6
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
.
============= SERVICES / DRIVERS ===============
.
R? IFP300;iRiver Internet Audio Player IFP-300
S? AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler
S? AntiVirService;AntiVir PersonalEdition Classic Guard
S? avgntdd;avgntdd
S? avgntmgr;avgntmgr
.
=============== Created Last 30 ================
.
2011-04-30 03:38:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-30 03:38:19 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-30 03:38:19 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-30 03:38:19 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-30 03:38:19 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-30 03:38:19 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-30 03:38:19 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-30 03:38:19 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-27 18:17:55 -------- d-----w- c:\windows\SxsCaPendDel
2011-04-27 03:18:05 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2011-04-26 22:17:16 440998 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-04-26 22:13:01 28672 ------w- c:\program files\messenger\custsat.dll
2011-04-26 22:12:58 96768 -c----w- c:\windows\system32\dllcache\dpcdll.dll
2011-04-26 22:12:22 40832 ------w- c:\windows\system32\drivers\irbus.sys
2011-04-26 22:12:21 9728 ------w- c:\windows\system32\comsdupd.exe
2011-04-26 22:12:21 53248 ------w- c:\windows\system32\vbicodec.ax
2011-04-26 22:12:20 239616 ------w- c:\windows\system32\wstrenderer.ax
2011-04-26 22:12:20 164352 ------w- c:\windows\system32\wstpager.ax
2011-04-26 22:10:58 1737856 ------w- c:\windows\system32\mtxparhd.dll
2011-04-26 21:57:57 -------- d-----w- c:\windows\ServicePackFiles
2011-04-26 21:48:25 2897920 ------w- c:\windows\system32\xpsp2res.dll
2011-04-26 21:42:01 19528 ----a-w- c:\windows\002298_.tmp
2011-04-26 21:41:45 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-04-26 21:41:29 15872 ----a-w- c:\windows\system32\spupdsvc.exe
2011-04-26 21:32:23 -------- d-----w- c:\windows\EHome
2011-04-25 20:12:24 -------- d-sha-r- C:\cmdcons
2011-04-25 20:05:36 89088 ----a-w- c:\windows\MBR.exe
2011-04-25 20:05:35 98816 ----a-w- c:\windows\sed.exe
2011-04-25 20:05:35 256512 ----a-w- c:\windows\PEV.exe
2011-04-25 20:05:35 161792 ----a-w- c:\windows\SWREG.exe
.
==================== Find3M ====================
.
.
============= FINISH: 17:28:19.54 ===============
 
Hello! and sorry again for another thing I must ask...:sad:

I tried to restore my desktop by going to "Display Properties" > Desktop. I am not able to scroll down the options. Nor am I able to change the desktop background. Is this a permanent consequence of the virus attack? :sad:
 
Hi,

Re-run ComboFix (let it update itself if prompted). Post back the report + fresh dds logs.
 
Good morning! Here is what you asked for! :D: By the way, was it OK if I ran the combofix on the administrator account instead of the account which was infected? I was worried Windows wouldn't allow it because the infected account was not an "administrator" and did not have certain privileges. :oops:

Thanks again for your help! :D:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Aman Enconado at 3:12:35.52 on Sun 05/01/2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.246.22 [GMT 8:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aman Enconado\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.ph/
mStart Page = about:blank
uInternet Settings,ProxyServer = 10.34.50.7:8080
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] $$
StartupFolder: c:\docume~1\amanen~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
Notify: igfxcui - igfxsrvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\amanen~1\applic~1\mozilla\firefox\profiles\x82aqc4n.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&scc=1&ltmpl=default&ltmplcache=2
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.ftp - 10.34.50.7
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 10.34.50.7
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.34.50.7
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.34.50.7
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.34.50.7
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-30 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-30 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-30 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-30 61960]
S0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys --> c:\windows\system32\drivers\ifp300.sys [?]
.
=============== Created Last 30 ================
.
2011-04-30 12:05:52 -------- d-----w- c:\program files\VideoLAN
2011-04-30 10:52:53 -------- d-----w- c:\docume~1\amanen~1\applic~1\Avira
2011-04-30 10:47:38 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-30 10:47:12 -------- d-----w- c:\program files\Avira
2011-04-30 10:47:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-30 03:38:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-30 03:38:19 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-30 03:38:19 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-30 03:38:19 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-30 03:38:19 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-30 03:38:19 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-30 03:38:19 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-30 03:38:19 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-27 18:17:55 -------- d-----w- c:\windows\SxsCaPendDel
2011-04-27 03:18:05 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2011-04-26 22:17:16 440998 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-04-26 22:13:01 28672 ------w- c:\program files\messenger\custsat.dll
2011-04-26 22:12:58 96768 -c----w- c:\windows\system32\dllcache\dpcdll.dll
2011-04-26 22:12:22 40832 ------w- c:\windows\system32\drivers\irbus.sys
2011-04-26 22:12:21 9728 ------w- c:\windows\system32\comsdupd.exe
2011-04-26 22:12:21 53248 ------w- c:\windows\system32\vbicodec.ax
2011-04-26 22:12:20 239616 ------w- c:\windows\system32\wstrenderer.ax
2011-04-26 22:12:20 164352 ------w- c:\windows\system32\wstpager.ax
2011-04-26 22:10:58 1737856 ------w- c:\windows\system32\mtxparhd.dll
2011-04-26 21:57:57 -------- d-----w- c:\windows\ServicePackFiles
2011-04-26 21:48:25 2897920 ------w- c:\windows\system32\xpsp2res.dll
2011-04-26 21:42:01 19528 ----a-w- c:\windows\002298_.tmp
2011-04-26 21:41:45 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-04-26 21:41:29 15872 ----a-w- c:\windows\system32\spupdsvc.exe
2011-04-26 21:32:23 -------- d-----w- c:\windows\EHome
2011-04-25 20:12:24 -------- d-sha-r- C:\cmdcons
2011-04-25 20:05:36 89088 ----a-w- c:\windows\MBR.exe
2011-04-25 20:05:35 98816 ----a-w- c:\windows\sed.exe
2011-04-25 20:05:35 256512 ----a-w- c:\windows\PEV.exe
2011-04-25 20:05:35 161792 ----a-w- c:\windows\SWREG.exe
.
==================== Find3M ====================
.
.
============= FINISH: 3:13:42.53 ===============
 
Hello! Good morning! (again! haha) Thanks for the prompt reply!:bigthumb:

You asked about symptoms. I'm not sure if it's a symptom but I still can't edit my desktop. I'm unable to change it. Meaning I can't put wallpaper. It's just color blue now. I took a snapshot of it.

Also can I run "Secunia Personal Software Inspector (PSI)" with my Avira AntiVir? Or do I have to uninstall the Avira first? Or can I just "deactivate" it?

Thanks so much! :bighug:
 
Hi,

PSI can be run while Antivir is running.

What happens if you select, for example, "Azul" on that background list (on the Desktop tab) and then click OK?
 
Hi! I tried clicking Azul or any of the others but nothing happens. It's like I'm not allowed to click it. I can't even scroll down the options.



I also ran PSI. I have an 83%. That's pretty good right? The programs it wants me to update require some high specs. I don't think my computer can handle them. What do you suggest? I attached a screenshot which I saved in 16-colors to save space. :)
 
I have an 83%. That's pretty good right? The programs it wants me to update require some high specs. I don't think my computer can handle them. What do you suggest?
As long as the percentage is below 100%, there's a risk of getting infected again. First thing would be to visit Windows Update and install all important updates offered there. When done, post back fresh dds logs + run another PSI scan.
 
Oh no...

That's the thing... I move around a lot... So I've lost my license keys for the Windows stuff... :sad: Is there any way around this? I'm sorry about this... You've been such great help. I mean I don't want to burden you any more than I should...
 
If your Windows is a legit one then you should have no problems following that set of instructions. If it's a non-legal version then we won't be dealing with this case any further; quote from the Before You Post topic:
Note:
We do not support the use of illegal Pirated/Warez/Cracked software.
 
Ok. Thanks. How do I know? I had it installed at the store but the guy seemed like a seedy fellow so I'm having second thoughts now if it is legit.

But aside from that would it be safe to say that my computer is free from the virus?

Also, can I delete the shortcut on my desktop which has the name "Windows Recovery"?
 
Hi,

If your system is a legit one then just enter Windows Update and install the important updates offered there.
 
Hello! Sorry for the delay. There was an emergency as my dad was hospitalized earlier. I hope you are still there.

Here is the new DDS log after I updated on the Microsoft website. :D:

Something weird with the PSI though.. I got a LOWER score AFTER I installed the Microsoft updates... I have attached a picture of the PSI.

Also I still cannot click on any "background" on the desktop tab in the "display properties" window...

.

DDS (Ver_11-03-05.01) - NTFSx86
Run by Mama at 14:36:47.95 on Wed 05/04/2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.246.58 [GMT 8:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Secunia\PSI\sua.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mama\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Settings,ProxyServer = 10.34.50.6:8080
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SQYJBiKnjSxs] c:\documents and settings\all users\application data\SQYJBiKnjSxs.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] $$
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1304490200914
Notify: igfxcui - igfxsrvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\mama\applic~1\mozilla\firefox\profiles\tbl1cs9g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.ftp - 10.34.50.6
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 10.34.50.6
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.34.50.6
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.34.50.6
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.34.50.6
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-30 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-30 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-30 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-30 61960]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys --> c:\windows\system32\drivers\ifp300.sys [?]
.
=============== Created Last 30 ================
.
2011-05-04 06:34:26 -------- d-----w- c:\windows\system32\PreInstall
2011-05-04 06:34:21 -------- d--h--w- c:\windows\$hf_mig$
2011-05-04 06:28:50 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2011-05-04 06:28:49 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2011-05-04 06:28:48 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2011-05-04 06:28:47 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-05-03 09:13:09 -------- d-----w- c:\program files\iTunes
2011-05-03 09:13:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2011-05-03 09:08:34 -------- d-----w- c:\docume~1\mama\locals~1\applic~1\Apple
2011-05-02 04:51:19 -------- d-----w- c:\docume~1\mama\locals~1\applic~1\Secunia PSI
2011-05-02 04:50:34 -------- d-----w- c:\program files\Secunia
2011-05-01 17:04:40 -------- d-----w- C:\spoolerlogs
2011-05-01 03:40:27 -------- d-----w- c:\docume~1\mama\locals~1\applic~1\Temp
2011-04-30 12:05:52 -------- d-----w- c:\program files\VideoLAN
2011-04-30 11:13:55 -------- d-----w- c:\docume~1\mama\applic~1\Avira
2011-04-30 10:47:38 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-30 10:47:12 -------- d-----w- c:\program files\Avira
2011-04-30 10:47:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-30 03:38:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-30 03:38:19 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-30 03:38:19 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-30 03:38:19 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-30 03:38:19 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-30 03:38:19 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-30 03:38:19 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-30 03:38:19 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-27 18:17:55 -------- d-----w- c:\windows\SxsCaPendDel
2011-04-27 03:18:05 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2011-04-26 22:17:16 440998 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-04-26 22:13:01 28672 ------w- c:\program files\messenger\custsat.dll
2011-04-26 22:12:58 96768 -c----w- c:\windows\system32\dllcache\dpcdll.dll
2011-04-26 22:12:22 40832 ------w- c:\windows\system32\drivers\irbus.sys
2011-04-26 22:12:21 9728 ------w- c:\windows\system32\comsdupd.exe
2011-04-26 22:12:21 53248 ------w- c:\windows\system32\vbicodec.ax
2011-04-26 22:12:20 239616 ------w- c:\windows\system32\wstrenderer.ax
2011-04-26 22:12:20 164352 ------w- c:\windows\system32\wstpager.ax
2011-04-26 22:10:58 1737856 ------w- c:\windows\system32\mtxparhd.dll
2011-04-26 21:57:57 -------- d-----w- c:\windows\ServicePackFiles
2011-04-26 21:48:25 2897920 ------w- c:\windows\system32\xpsp2res.dll
2011-04-26 21:42:01 19528 ----a-w- c:\windows\002298_.tmp
2011-04-26 21:41:45 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-04-26 21:41:29 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2011-04-26 21:32:23 -------- d-----w- c:\windows\EHome
2011-04-25 20:12:24 -------- d-sha-r- C:\cmdcons
2011-04-25 20:05:36 89088 ----a-w- c:\windows\MBR.exe
2011-04-25 20:05:35 98816 ----a-w- c:\windows\sed.exe
2011-04-25 20:05:35 256512 ----a-w- c:\windows\PEV.exe
2011-04-25 20:05:35 161792 ----a-w- c:\windows\SWREG.exe
.
==================== Find3M ====================
.
.
============= FINISH: 14:38:07.79 ===============
 
Hi! Sorry I forgot to ask on my last post. :oops:

Can I delete the shortcut on my desktop for "Windows Recovery"? It's the one under the Firefox shortcut. :D:
 
Hi,

Please install Service Pack 3 for Windows XP too. Also, some of the installed programs are still outdated. Uninstall those. If you need Office but can't afford a new version, I recommend downloading the free OpenOffice.

Can I delete the shortcut on my desktop for "Windows Recovery"?
Yes.
 