blade81, posted February 3, 2011:
Hi,

TDSSKiller removed the MBR infection from the hard drive earlier and that likely rendered the recovery partition non-working. If you have access to Vista Home Premium installation media, you should reinstall (via reformat) with it, using the product code that was earlier used with this affected system.

Jon.h1, posted February 3, 2011:
Hi,

Unfortunately Vista came pre-installed with no installation media - as his laptop is out of warranty his only option is to format and buy a new version - judging by the cost I think he would prefer to save up for a new laptop!

Have you any suggestion as to how I can get the USB ports working - or the CD/DVD drive? I think if he's going to keep using it I best back up any important files!

I know not having the service packs leaves him open to more infections but he needs to use it for work so will just have to hope for the best and keep his virus checkers updated!

Thanks.

blade81, posted February 3, 2011:
Hi,

What happens when you plug the USB stick in? Nothing appears in "My Computer"?

Jon.h1, posted February 3, 2011:
Hi, yes, it doesn't show in My Computer or make a noise when I plug it in - although the light does flash on the memory stick - strangely if I leave it in when I boot up it does show the 'safely remove hardware' icon? I looked in Device Manager and it doesn't indicate any problems with hardware.

blade81, posted February 5, 2011:
Hi,

Please post fresh dds logs. Gonna have another look at them.

Jon.h1, posted February 7, 2011:
Thanks for this - much appreciated.

blade81, posted February 7, 2011:
Hi,

Do you recall if the USB issue started after the Windows update attempt?

Jon.h1, posted February 7, 2011:
Not sure exactly when because I wasn't using USB ports - but he remembers his USB mouse had stopped working after the infection had been cleaned - but not sure if that was before or after trying to install updates?

blade81, posted February 9, 2011:
Hi,

The reason I asked is cos some USB driver files have a timestamp of January 14 2011.

Could you install ImgBurn (http://www.imgburn.com/) to see if it recognizes the cd/dvd writer?

Jon.h1, posted February 9, 2011:
Wow - installed ImgBurn, did a discovery and then verify and all worked fine, so closed the program and on the off chance tried to write to DVD and it worked! Have now backed up all his files - not sure what happened there but thanks!

It is a bit odd that USB drivers seem to have been updated on the same day and exact time that I first tried to install the service pack - I can't remember doing anything to update them? Actually I've just plugged in his USB mouse and that's started working again! Also I've just tried 2 older 1Gb USB memory sticks and they seem to be working OK - it just seems to be the newer larger (Kingston 8Gb) memory stick that isn't working (which does work on my XP laptop).

Anyway, now I've backed up his files he can manage for now. Thanks to you his computer is at least now at a state where he can use it for work - so thanks loads for all your expert help - I have warned him to be very careful when on the internet until he can update his operating system.

I think his computer was probably initially infected because he kept disabling his anti-virus programs - he's a statistical analyst and uses MS Excel to test his mathematical formula and he found that AVG in particular kept crashing his programs so he just disabled everything! I will have to do a bit of trial and error with various anti-virus programs to see which ones - if any - he can work with. Have you come across this problem before?

Can I just ask - if I borrow a copy of Vista from someone do you know if I can reinstall Vista and then change the OEM product key to the one he already has on this computer?

Thanks again - really have appreciated all your help.

blade81, posted February 10, 2011:
Glad to hear that helped.

> I think his computer was probably initially infected because he kept disabling his anti-virus programs - he's a statistical analyst and uses MS Excel to test his mathematical formula and he found that AVG in particular kept crashing his programs so he just disabled everything! I will have to do a bit of trial and error with various anti-virus programs to see which ones - if any - he can work with. Have you come across this problem before?

Don't recall having heard about such an issue earlier.

> Can I just ask - if I borrow a copy of Vista from someone do you know if I can reinstall Vista and then change the OEM product key to the one he already has on this computer?

If you can borrow a copy of Vista Home Premium then it may be possible to use it. Not saying it would work for sure but chances do exist.

blade81, posted March 13, 2011:
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you!