Do I have malware - part 2?

dansuleman · 11-03-2009, 12:20 PM

Hello,

This one is for my laptop, which I use for basically the same things as my PC which has now been fixed by TSF and for which I am most grateful.

I have my original windows install disc.

Many thanks
Dan

DDS txt

DDS (Ver_09-10-26.01) - NTFSx86
Run by kay at 18:54:44.96 on 03/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.322 [GMT 0:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\kay\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.adobe.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [<NO NAME>]
mRun: [avp] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~2\mzvkbd3.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kay\applic~1\mozilla\firefox\profiles\iea7qhvj.default\

---- FIREFOX POLICIES ----
c:\documents and settings\all users\application data\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2008-8-6 216032]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]

=============== Created Last 30 ================

2009-11-02 17:53:57 0 d-----w- c:\program files\The Geek
2009-11-02 17:46:39 0 d-----w- c:\windows\system32\XPSViewer
2009-11-02 17:44:49 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-02 17:44:49 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-02 17:44:49 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-02 17:44:49 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-02 17:44:49 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-02 17:44:48 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-02 17:44:48 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-02 17:44:48 0 d-----w- C:\63e83a65fb1a6bfe119a1582
2009-11-02 17:17:44 0 d-----w- c:\program files\AutoHotkey
2009-11-02 13:20:22 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-10-29 15:20:52 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-29 15:20:52 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-10 14:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

============= FINISH: 18:55:19.34 ===============

Ried · 11-04-2009, 10:32 PM

Hello Dan,

I'm not seeing any malware in your logs. How is the system behaving?

dansuleman · 11-05-2009, 01:48 AM

Hello Ried,

The system seems to be behaving fine, apart from a bit slow sometimes in opening files/programs, which might not necessary be due to malware.

Thanks

Ried · 11-06-2009, 11:41 AM

Hi Dan,

I think you'll find if you add more RAM, you'd find marked improvement with performance. 512gb RAM is the bare minimum required just to run Windows XP. As you add more software and updates, etc, they demand more memory.

Giving the system a good cleaning of the temp and temp internet files is also helpful.

1. Download TFC (Temp File Cleaner) to your desktop, or other location.
2. Save any unsaved work. TFC will close all open application windows.
3. Double-click TFC.exe to run the program.
4. If prompted, click "Yes" to reboot.

==========================

On another note, your Sun Java is outdated on this computer as well. Be sure to update to the latest version as older versions have vulnerabilities that malware can use to infect your system.

Download the latest version of Java Runtime Environment (JRE) 17 and save it to your desktop.
Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 17 -"
Click the "Download" button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u17 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
  - Applications and Applets
    Trace and Log Files
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

dansuleman · 11-07-2009, 11:51 AM

Instructions followed as requested.

Thanks
Dan

Ried · 11-07-2009, 08:22 PM

Shall we consider this resolved?

dansuleman · 11-08-2009, 08:05 AM

Still quite slow (actually no change), but since the thread was about malware and you have confirmed that there's no malware identified from the log I posted/attached, then I suppose we could consider the matter closed.

Many thanks for your assistance.
Dan

Ried · 11-08-2009, 03:08 PM

You're welcome, Dan.

Have a look at our sticky topic Is Your PC running slow?. If you still have issues with slowness, then you'd want to seek assistance from the folks in our Windows XP Support section. Let them know you've been checked by our section and no malware has been found.

11-04-2009, 10:32 PM	#2 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 27,038 OS: WinXP and Vista	Re: Do I have malware - part 2? Hello Dan, I'm not seeing any malware in your logs. How is the system behaving? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-05-2009, 01:48 AM	#3 (permalink)
dansuleman Registered User Join Date: Apr 2009 Posts: 15 OS: windows XP	Re: Do I have malware - part 2? Hello Ried, The system seems to be behaving fine, apart from a bit slow sometimes in opening files/programs, which might not necessary be due to malware. Thanks

11-06-2009, 11:41 AM	#4 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 27,038 OS: WinXP and Vista	Re: Do I have malware - part 2? Hi Dan, I think you'll find if you add more RAM, you'd find marked improvement with performance. 512gb RAM is the bare minimum required just to run Windows XP. As you add more software and updates, etc, they demand more memory. Giving the system a good cleaning of the temp and temp internet files is also helpful. 1. Download TFC (Temp File Cleaner) to your desktop, or other location. 2. Save any unsaved work. TFC will close all open application windows. 3. Double-click TFC.exe to run the program. 4. If prompted, click "Yes" to reboot. ========================== On another note, your Sun Java is outdated on this computer as well. Be sure to update to the latest version as older versions have vulnerabilities that malware can use to infect your system. Download the latest version of Java Runtime Environment (JRE) 17 and save it to your desktop. Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 17 -" Click the "Download" button to the right. Select the Windows platform from the dropdown menu. Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u17 with JavaFX 1 License Agreement". Click on Continue.The page will refresh. Click on the link to download Windows Offline Installation and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version. After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup) On the General tab, under Temporary Internet Files, click the Settings button. Next, click on the Delete Files button There are two options in the window to clear the cache - Leave BOTH Checked Applications and Applets Trace and Log Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Temporary Files Window Click OK to leave the Java Control Panel. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-07-2009, 11:51 AM	#5 (permalink)
dansuleman Registered User Join Date: Apr 2009 Posts: 15 OS: windows XP	Re: Do I have malware - part 2? Instructions followed as requested. Thanks Dan

11-07-2009, 08:22 PM	#6 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 27,038 OS: WinXP and Vista	Re: Do I have malware - part 2? Shall we consider this resolved? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-08-2009, 08:05 AM	#7 (permalink)
dansuleman Registered User Join Date: Apr 2009 Posts: 15 OS: windows XP	Re: Do I have malware - part 2? Still quite slow (actually no change), but since the thread was about malware and you have confirmed that there's no malware identified from the log I posted/attached, then I suppose we could consider the matter closed. Many thanks for your assistance. Dan

11-08-2009, 03:08 PM	#8 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 27,038 OS: WinXP and Vista	Re: Do I have malware - part 2? You're welcome, Dan. Have a look at our sticky topic Is Your PC running slow?. If you still have issues with slowness, then you'd want to seek assistance from the folks in our Windows XP Support section. Let them know you've been checked by our section and no malware has been found. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."