JS/Downloader.Agent on my computer


#1 Catherine88 (Member, 11 posts)

Hi,
I recently had to reinstall everything on my computer because I had way too many viruses. After about 3 months everything seemed to be fine, but now I keep getting these pop-ups from my AVG Virus Protection saying a threat has been detected, and it is a JS/Downloader.Agent. I now have over 40 of these in my virus vault and they keep popping up. I have checked the firewall and it's still working along with the virus protection. I also tried downloading the FixIEDef.exe and that never worked. The downloader agent also seems to have affected my internet too, as when I, for example, type a name into Yahoo and it gives me a site, it will bring me to a completely different one than was stated in the first place. I need help; does anyone know how to get rid of these, as they are getting seriously annoying?


Would be so appreciated if anyone could help

Thanks
Catherine

Edited by Catherine88, 24 February 2008 - 07:02 AM.



#2 Tal (Trusted Helper, Retired Staff, 2,138 posts)

Hello Catherine88 , welcome to GeeksToGo! :)

My name is Tal, and I will be assisting you in the process of removing malware from your computer. I am going through your logs now, and I'll be back soon with instructions on how to proceed.

As I'm still in training, my replies to you have to be approved before posting, so please excuse delays between replies.

Tal.

#3 Catherine88 (Topic Starter, Member, 11 posts)

Thanks I look forward to hearing from you Tal, and please take your time.

#4 Tal (Trusted Helper, Retired Staff, 2,138 posts)

Hello Catherine88 ,

Before we proceed to clean the malware from your computer, let's go over some points that will help both me and you, and help prevent damage to your computer:
  • Please don't be afraid to ask questions! :) No question is considered dumb here. It's better to be safe than sorry!
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you witness a certain entry or program you're unsure about, please don't hesitate to ask! :)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Note: It's likely that the two logs won't fit into one post. If so, please post extra.txt in a separate post.


#5 Catherine88 (Topic Starter, Member, 11 posts)

Hi Tal,

Deckard's System Scanner v20071014.68
Run by Catherine on 2008-02-25 17:50:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
13: 2008-02-25 17:50:35 UTC - RP209 - Deckard's System Scanner Restore Point
12: 2008-02-24 18:16:36 UTC - RP208 - Installed Java™ 6 Update 3
11: 2008-02-24 18:15:28 UTC - RP207 - Removed Java™ 6 Update 3
10: 2008-02-24 18:03:50 UTC - RP206 - Installed Java™ 6 Update 3
9: 2008-02-23 15:24:14 UTC - RP205 - System Checkpoint


-- First Restore Point --
1: 2008-02-19 21:19:20 UTC - RP197 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Catherine.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:51:52, on 25/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Catherine\Desktop\dss.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Catherine.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1199625830109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1199627775546
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{047F6913-41AC-45F3-8ADD-F602EDE4CF4E}: NameServer = 85.255.115.3,85.255.112.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CE7B123-8D34-4432-9723-E3763B0E71C1}: NameServer = 85.255.115.3,85.255.112.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F20A3D6-B262-4E42-A406-DD932271326D}: NameServer = 85.255.115.3,85.255.112.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{C62DB202-0BC4-4C18-9ABB-45D950367E34}: NameServer = 85.255.115.3,85.255.112.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{047F6913-41AC-45F3-8ADD-F602EDE4CF4E}: NameServer = 85.255.115.3,85.255.112.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.100
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7083 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R3 DNINDIS5 (DNINDIS5 NDIS Protocol Driver) - c:\windows\system32\dnindis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200014F1&REV_00\4&1F7DBC9F&0&10F0
Manufacturer: CXT
Name: PCI SoftV92 Data Fax Modem with SmartCP
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200014F1&REV_00\4&1F7DBC9F&0&10F0
Service: Modem


-- Scheduled Tasks -------------------------------------------------------------

2008-02-18 20:30:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-01-25 and 2008-02-25 -----------------------------

2008-02-25 17:51:43 0 d-------- C:\Program Files\Trend Micro
2008-02-24 18:17:30 0 d-------- C:\Program Files\Java
2008-02-24 18:16:39 0 d-------- C:\Program Files\Common Files\Java
2008-02-18 17:40:12 0 dr-h----- C:\$VAULT$.AVG
2008-02-12 19:12:56 0 d-------- C:\Program Files\iPod
2008-02-12 19:12:43 0 d-------- C:\Program Files\iTunes
2008-02-08 07:42:09 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-02-08 07:42:09 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-02-08 07:42:09 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-02-08 07:42:09 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-02-08 07:42:09 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-02-08 07:42:08 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-02-08 07:42:08 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-02-08 07:42:08 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-02-08 07:42:08 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-02-08 07:42:08 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-02-08 07:42:08 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-02-08 07:42:08 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-02-08 07:42:08 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-02-08 07:42:08 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-02-04 11:09:26 0 d-------- C:\Anquet Map Data
2008-02-04 08:38:56 0 d-------- C:\Program Files\Anquet Technology Ltd
2008-02-02 21:49:44 0 d-------- C:\Documents and Settings\Guest\Application Data\Adobe
2008-02-02 21:48:50 0 d-------- C:\Documents and Settings\Guest\Application Data\Apple Computer
2008-02-02 21:46:25 0 d-------- C:\Documents and Settings\Guest\Application Data\AVG7
2008-02-02 21:46:23 0 d-------- C:\Documents and Settings\Guest\Application Data\Real
2008-02-02 21:46:13 0 d-------- C:\Documents and Settings\Guest\Application Data\Identities
2008-02-02 21:45:58 0 d--h----- C:\Documents and Settings\Guest\Templates
2008-02-02 21:45:58 0 dr------- C:\Documents and Settings\Guest\Start Menu
2008-02-02 21:45:58 0 dr-h----- C:\Documents and Settings\Guest\SendTo
2008-02-02 21:45:58 0 dr-h----- C:\Documents and Settings\Guest\Recent
2008-02-02 21:45:58 0 d--h----- C:\Documents and Settings\Guest\PrintHood
2008-02-02 21:45:58 786432 --ah----- C:\Documents and Settings\Guest\NTUSER.DAT
2008-02-02 21:45:58 0 d--h----- C:\Documents and Settings\Guest\NetHood
2008-02-02 21:45:58 0 dr------- C:\Documents and Settings\Guest\My Documents
2008-02-02 21:45:58 0 d--h----- C:\Documents and Settings\Guest\Local Settings
2008-02-02 21:45:58 0 dr------- C:\Documents and Settings\Guest\Favorites
2008-02-02 21:45:58 0 d-------- C:\Documents and Settings\Guest\Desktop
2008-02-02 21:45:58 0 d--hs---- C:\Documents and Settings\Guest\Cookies
2008-02-02 21:45:58 0 dr-h----- C:\Documents and Settings\Guest\Application Data
2008-02-02 21:45:58 0 d---s---- C:\Documents and Settings\Guest\Application Data\Microsoft
2008-01-28 13:16:56 3740 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2008-01-25 11:55:31 0 d-------- C:\Program Files\Google
2008-01-25 11:55:31 0 d-------- C:\Documents and Settings\Catherine\Application Data\Google


-- Find3M Report ---------------------------------------------------------------

2008-02-25 17:48:45 0 d-------- C:\Documents and Settings\Catherine\Application Data\DNA
2008-02-25 08:00:03 0 d-------- C:\Documents and Settings\Catherine\Application Data\AVG7
2008-02-24 18:16:39 0 d-------- C:\Program Files\Common Files
2008-02-24 16:52:01 0 d-------- C:\Documents and Settings\Catherine\Application Data\dvdcss
2008-02-20 22:54:14 0 d-------- C:\Documents and Settings\Catherine\Application Data\BitTorrent
2008-02-19 21:26:03 0 d-------- C:\Program Files\LimeWire
2008-02-19 21:25:28 0 d-------- C:\Program Files\Windows Live
2008-02-19 19:22:05 0 d-------- C:\Documents and Settings\Catherine\Application Data\LimeWire
2008-01-24 13:54:29 0 d-------- C:\Documents and Settings\Catherine\Application Data\Adobe
2008-01-22 14:56:12 0 d-------- C:\Documents and Settings\Catherine\Application Data\Real
2008-01-22 14:55:31 0 d-------- C:\Program Files\Common Files\xing shared
2008-01-22 14:55:28 0 d-------- C:\Program Files\Common Files\Real
2008-01-22 14:55:19 0 d-------- C:\Program Files\Real
2008-01-18 12:53:15 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-17 14:06:36 0 d-------- C:\Documents and Settings\Catherine\Application Data\vlc
2008-01-17 13:46:56 0 d-------- C:\Program Files\VideoLAN
2008-01-16 17:11:19 0 d-------- C:\Documents and Settings\Catherine\Application Data\Sun
2008-01-13 19:28:39 0 d-------- C:\Documents and Settings\Catherine\Application Data\MSN6
2008-01-12 14:55:30 0 d-------- C:\Documents and Settings\Catherine\Application Data\Apple Computer
2008-01-12 14:53:59 0 d-------- C:\Program Files\Apple Software Update
2008-01-12 14:53:42 0 d-------- C:\Program Files\Common Files\Apple
2008-01-10 22:22:44 0 d-------- C:\Documents and Settings\Catherine\Application Data\DivX
2008-01-10 21:44:32 0 d-------- C:\Program Files\Windows Media Connect 2
2008-01-10 21:40:14 0 d-------- C:\Program Files\BitTorrent
2008-01-10 21:40:13 0 d-------- C:\Program Files\DNA
2008-01-07 17:16:32 0 d-------- C:\Program Files\CONEXANT
2008-01-06 22:56:49 0 d-------- C:\Program Files\DivX
2008-01-06 18:53:25 0 d-------- C:\Program Files\Messenger
2008-01-06 16:15:38 0 d-------- C:\Documents and Settings\Catherine\Application Data\Macromedia
2008-01-06 16:11:02 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-06 14:46:40 0 d-------- C:\Program Files\Movie Maker
2008-01-06 14:44:39 0 d-------- C:\Program Files\Windows NT
2008-01-06 13:05:14 0 d-------- C:\Program Files\NETGEAR
2008-01-06 13:05:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-06 13:05:04 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-08 14:31:27 0 -rahs---- C:\MSDOS.SYS
2007-12-08 14:31:27 0 -rahs---- C:\IO.SYS
2007-12-08 14:31:27 0 --a------ C:\CONFIG.SYS
2007-12-08 14:31:27 0 --a------ C:\AUTOEXEC.BAT
2007-12-08 14:29:21 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-12-08 14:20:57 62 --ahs---- C:\Documents and Settings\Catherine\Application Data\desktop.ini
2007-12-04 01:33:18 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 01:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 01:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 01:33:16 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-11-29 22:30:28 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:28:24 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-11-29 22:28:24 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-11-28 21:52:32 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [06/01/2008 13:26]
"SoundMan"="SOUNDMAN.EXE" [27/10/2004 13:49 C:\WINDOWS\SOUNDMAN.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [22/01/2008 14:55]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [04/02/2008 14:18]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [10/01/2008 21:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [18/01/2008 12:53:21]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 04:44:06]
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe [06/01/2008 13:05:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdqry.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-02-25 17:53:24 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.20GHz
CPU 1: Intel® Pentium® 4 CPU 3.20GHz
Percentage of Memory in Use: 74%
Physical Memory (total/avail): 511.48 MiB / 132.47 MiB
Pagefile Memory (total/avail): 1250.05 MiB / 964.85 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.28 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 232.88 GiB total, 214.33 GiB free.
D: is Removable (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is CDROM (UDF)
J: is CDROM (UDF)

\\.\PHYSICALDRIVE0 - ST3250820AS - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:

\\.\PHYSICALDRIVE1 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE2 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE3 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE4 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE5 - Generic STORAGE DEVICE USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.516 v7.5.516 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Catherine\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CATHERINESROOM
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Catherine
LOGONSERVER=\\CATHERINESROOM
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\CATHER~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\CATHER~1\LOCALS~1\Temp
USERDOMAIN=CATHERINESROOM
USERNAME=Catherine
USERPROFILE=C:\Documents and Settings\Catherine
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Catherine (admin)
Administrator (new local, admin)
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
BitTorrent --> "C:\Program Files\BitTorrent\BitTorrent.exe" /UNINSTALL
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iTunes --> MsiExec.exe /I{02DFB3FD-CF52-4183-8BCA-2A127D4888F4}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{582E9125-32B6-4CBA-AB48-3E33CE3DB389}\Setup.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type1626 / Error
Event Submitted/Written: 02/25/2008 05:52:38 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: The data is invalid.

Event Record #/Type1623 / Error
Event Submitted/Written: 02/25/2008 05:52:32 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: The data is invalid.

Event Record #/Type1620 / Error
Event Submitted/Written: 02/25/2008 05:52:14 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: The data is invalid.

Event Record #/Type1611 / Success
Event Submitted/Written: 02/25/2008 07:28:11 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1586 / Error
Event Submitted/Written: 02/24/2008 05:04:52 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application vlc.exe, version 0.8.6.0, faulting module liba52tofloat32_plugin.dll, version 0.0.0.0, fault address 0x0000731b.
Processing media-specific event for [vlc.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type856 / Warning
Event Submitted/Written: 02/25/2008 04:03:40 PM
Event ID/Source: 1005 / Dhcp
Event Description:
Your computer has detected that the IP address 192.168.1.2 for the Network Card
with network address 00184DE1186C is already in use on the network.
Your computer will automatically attempt to obtain a different address.

Event Record #/Type855 / Warning
Event Submitted/Written: 02/25/2008 04:03:40 PM
Event ID/Source: 1005 / Dhcp
Event Description:
Your computer has detected that the IP address 0.0.0.0 for the Network Card
with network address 00184DE1186C is already in use on the network.
Your computer will automatically attempt to obtain a different address.

Event Record #/Type854 / Warning
Event Submitted/Written: 02/25/2008 04:03:40 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00184DE1186C. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type852 / Warning
Event Submitted/Written: 02/25/2008 04:03:12 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00184DE1186C. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type842 / Error
Event Submitted/Written: 02/25/2008 07:27:58 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.3 for the Network Card with network address 00184DE1186C has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).



-- End of Deckard's System Scanner: finished at 2008-02-25 17:53:24 ------------
  • 0

#6
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hello Catherine88,

You have a Wareout infection on your PC as well as another infection. Let's take care of them.

Step 1: Fixing Wareout

Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt).

Step 2: Registry Fix

Before we start the registry fix, we need to backup the registry in case anything goes wrong. This is a very simple and quick process :)

To backup your registry, click Start > Run > Type regedit into the box > Click OK > In the window that shows up, click File > Export... > Name the file RegistryBackup > Save it in a convenient location such as your desktop.

Please open a new Notepad document (Note: Other text editors will not work) and paste the following code into it, starting from REGEDIT4:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=-

Now, click File > Save As... > Change the File Type to All Files > Name the file RegFix1.reg > Save it on your desktop.

Once you've saved it, please double click it. A window should pop up - Click Yes to merge the information with the registry.


In your next reply, please include report.txt as well as a new DSS log. Note that DSS will only produce a shortened version of main.txt; this is normal.

Regards,

Tal :)
  • 0

#7
Catherine88

Catherine88

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Username "Catherine" - 27/02/2008 21:15:32 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdqry.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.3 85.255.112.100" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{047F6913-41AC-45F3-8ADD-F602EDE4CF4E}
"nameserver"="85.255.115.3,85.255.112.100" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7CE7B123-8D34-4432-9723-E3763B0E71C1}
"nameserver"="85.255.115.3,85.255.112.100" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7F20A3D6-B262-4E42-A406-DD932271326D}
"nameserver"="85.255.115.3,85.255.112.100" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C62DB202-0BC4-4C18-9ABB-45D950367E34}
"nameserver"="85.255.115.3,85.255.112.100" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{047F6913-41AC-45F3-8ADD-F602EDE4CF4E}
"DhcpNameServer"="85.255.115.3,85.255.112.100" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7F20A3D6-B262-4E42-A406-DD932271326D}
"DhcpNameServer"="85.255.115.3,85.255.112.100" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{85F228CC-06C3-4E3A-A2BE-C373A94346E5}
"DhcpNameServer"="85.255.115.3,85.255.112.100" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C62DB202-0BC4-4C18-9ABB-45D950367E34}
"DhcpNameServer"="85.255.115.3,85.255.112.100" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdqry.ren 79360 13/06/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SoundMan"="SOUNDMAN.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe\" /background"
"BitTorrent DNA"="\"C:\\Program Files\\DNA\\btdna.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


What's the DSS?
  • 0
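As an added example, not part of Tal's instructions or of the FixWareout tool, the following read-only PowerShell script inspects the two things the report above shows being cleared: the Winlogon "System" value that Step 2 deletes (it was set to kdqry.exe) and the per-interface NameServer/DhcpNameServer values that pointed at 85.255.115.3 and 85.255.112.100. It assumes the router at 192.168.1.1 is the only legitimate resolver on this LAN (a constructed placeholder; replace it with your own DNS servers) and is meant to be run on the affected machine before and after the fix so the result of the cleanup can be verified.

```powershell
# Added example (not from the thread): read-only checks for the registry values
# the FixWareout report lists. Run on the affected Windows machine.

# Assumption: the only legitimate resolvers on this LAN are the router's.
# 192.168.1.1 is a constructed placeholder; adjust to your own DNS servers.
$ExpectedDns = @('192.168.1.1')

function Get-WinlogonSystemValue {
    # Winlogon "System" is normally empty; the report showed "kdqry.exe" here.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    return $props.System
}

function Get-InterfaceNameServers {
    # Walk every interface GUID under Tcpip\Parameters\Interfaces and emit one
    # object per (interface, value name, server) so a hijacked entry stands out.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $base) {
        $props = Get-ItemProperty -Path $iface.PSPath
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            $raw = $props.$name
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            # The report shows both space- and comma-separated server lists.
            foreach ($server in ($raw -split '[ ,]+' | Where-Object { $_ })) {
                [pscustomobject]@{
                    Interface = $iface.PSChildName
                    ValueName = $name
                    Server    = $server
                    Expected  = ($ExpectedDns -contains $server)
                }
            }
        }
    }
}

# Same idea as the regedit File > Export step: keep a backup before touching anything.
$backup = Join-Path $env:USERPROFILE 'Desktop\Winlogon-backup.reg'
reg export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' $backup /y | Out-Null

$sys = Get-WinlogonSystemValue
if ($sys) { Write-Warning "Winlogon System value is set to '$sys' (normally empty)." }

# Print only resolvers that are not on the expected list.
Get-InterfaceNameServers | Where-Object { -not $_.Expected } |
    Format-Table Interface, ValueName, Server -AutoSize
```

After a successful cleanup the Winlogon warning should not appear and the table should be empty (or list only resolvers you recognise); re-run the script after the reboot as well, since a DNS-changer component that survived would rewrite the values on startup.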

#8
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hello Catherine,

DSS is Deckard's System Scanner. Please follow the instructions in my first post to you to generate a DSS log :)
  • 0
