Icons disappearing, PF Usage maxed out, Computer crashing

Old 12-08-2010, 12:41 AM   #1
Registered Member
 
Join Date: Dec 2010
Posts: 30
OS: Windows XP Service Pack 3



Hello,

Here's what's been going on:
-Sophos picked up a couple of viruses here and there (I'm sorry I don't have their names). Upon start up I started getting an error message that systems32/rundll32.exe failed to initialize properly. After I ran a full scan with Sophos and deleted everything it found, the error stopped appearing but was replaced by the same error concerning systems32/ntdevice.
-I downloaded Malwarebytes, it found stuff, I deleted them. Nothing comes up on Malwarebytes anymore, be it regular mode or safe mode. Every once in awhile I'll get something from either of them, usually involving my temp folder.
-I started getting constant warnings that my virtual memory was too low
-I have to restart my computer about twice a day now. All of the graphics go blank in Mozilla and then it eventually crashes. Sometimes I get a plug-in error, sometimes no error at all. I'll restart and it will crash again within a few minutes (sometimes immediately). It is not just Mozilla that is crashing - basically nothing on the computer works (e.g. iTunes, PDF files...).
-Around the time it starts acting up the PF Usage will be through the roof. Something like 7.5 GB. Upon restart it will be low and stays low even if I open up tons of programs (I tried to make it crash earlier today following a restart and was unable to. And I opened everything I could.) But the longer the computer runs, the higher the PF usage is.
-My computer won't restart or shut down normally anymore. I'll click restart and all of my icons will disappear and it will forever sit on the picture of my background. I have to manually restart it each time.

Other than that...no crazy virus activity. My browser isn't getting hijacked or anything. But before you tell me I need more RAM, I haven't changed the way I use my computer....just a few months ago I could have tons of tabs open without any problems. Now it will crash if I'm just using Mozilla if I have had the computer on too long.

P.S. - It says that Sophos on-access scanning is enabled but it's lying. I disabled it before I ran that, and it is still disabled right now.

P.P.S - I do have a windows service pack 2 disk, but not service pack 3 which I am currently using.

Thank you!

Here is DDS:
DDS (Ver_10-12-05.01) - NTFSx86
Run by Loralee at 1:00:42.65 on Wed 12/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1241 [GMT -5:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\explorer.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\CTFMON.EXE
C:\Documents and Settings\Loralee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Loralee\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Loralee\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Shell=explorer.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Google Update] "c:\documents and settings\loralee\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [DLPSP] "c:\program files\dell printers\additional color laser software\status monitor\DLPSP.EXE"
mRun: [DLUPDR] "c:\program files\dell printers\additional color laser software\updater\DLUPDR.EXE"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sophos~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264443176706
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264443274941
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\loralee\applic~1\mozilla\firefox\profiles\urg7gy8k.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/p/2.html
FF - plugin: c:\documents and settings\loralee\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\loralee\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\loralee\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2010-1-25 152192]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2010-1-25 24064]
R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2010-2-3 140184]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-9-7 104488]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2009-9-7 93736]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-1-26 175144]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-1-25 14976]

=============== Created Last 30 ================

2010-12-07 17:41:36 -------- d-----w- c:\docume~1\loralee\locals~1\applic~1\PassMark
2010-12-07 17:41:21 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2010-12-07 17:41:21 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2010-12-07 17:41:16 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2010-12-07 17:41:10 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-12-07 17:40:57 -------- d-----w- c:\windows\Logs
2010-12-07 17:40:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\PassMark
2010-12-07 17:40:50 -------- d-----w- c:\program files\PerformanceTest
2010-12-07 17:09:53 -------- d-----w- c:\program files\CCleaner
2010-12-07 16:35:25 -------- d-----w- c:\windows\pss
2010-12-07 16:01:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Citrix
2010-12-07 16:01:09 -------- d-----w- c:\program files\Citrix
2010-12-07 16:00:51 -------- d-----w- c:\docume~1\loralee\locals~1\applic~1\Citrix
2010-12-07 16:00:46 103784 ----a-w- c:\documents and settings\loralee\GoToAssistDownloadHelper.exe
2010-12-07 15:02:27 266360 ----a-w- c:\windows\system32\TweakUI.exe

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 09:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 07:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

============= FINISH: 1:01:37.07 ===============
Attached Files
File Type: zip gmer.ark.zip (689 Bytes, 18 views)
lolerary is offline  
Old 12-11-2010, 12:53 AM   #2
*Bump*
Did I do something wrong? I tried to read the instructions carefully. Of course I know y'all are busy...considering this was on the third page after only three days. It seems like you are up to your ears in computer problems. We appreciate it.
lolerary is offline  
Old 12-11-2010, 01:50 PM   #3
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

It appears you didn't attach the second dds log, Attach.txt, to your initial post.

Go to Start > Run and copy/paste the following into the Run box and click OK:

%temp%\Attach.txt

A text file should open. Please attach that file to your next reply.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 12-11-2010, 01:56 PM   #4
Hello. I subscribed to the thread. Sorry, for some reason I thought it said not to give the Attach document unless asked for. Here it is.
Attached Files
File Type: txt Attach.txt (20.6 KB, 19 views)
lolerary is offline  
Old 12-11-2010, 02:05 PM   #5
Hello lolerary. If you are infected, it isn't showing in your logs. However, from your events log, it appears you have been canceling Windows File Protection. If you get such messages in the future you should always allow Windows to do so.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

https://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
chemist is offline  
Old 12-11-2010, 03:04 PM   #6
I have downloaded Combofix. I tried to use it, but it is telling me that Sophos is still active. I disabled the on-access scanning as the instructions told me to, and Sophos says that it is disabled but Combofix says that it is not. What do I do? Should I just get rid of the program all together?
lolerary is offline  
Old 12-11-2010, 03:07 PM   #7
Uninstall it temporarily and you can re-install Sophos when we are done.
chemist is offline  
Old 12-11-2010, 03:26 PM   #8
Here is the Combofix log. Thank you.

ComboFix 10-12-11.03 - Loralee 12/11/2010 17:18:17.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1607 [GMT -5:00]
Running from: c:\documents and settings\Loralee\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Loralee\GoToAssistDownloadHelper.exe
c:\windows\inf\vvt.pnf
D:\install.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
.

2010-12-11 22:09 . 2010-12-11 22:09 -------- d-----w- c:\windows\LastGood
2010-12-11 22:03 . 2010-12-11 22:03 -------- d--h--w- c:\windows\PIF
2010-12-08 19:19 . 2010-12-08 19:19 -------- d-----w- c:\program files\CONEXANT
2010-12-08 19:19 . 2007-08-02 22:35 989952 ----a-r- c:\windows\system32\drivers\HSF_DPV.sys
2010-12-08 19:19 . 2007-08-02 22:34 211200 ----a-r- c:\windows\system32\drivers\HSFHWAZL.sys
2010-12-08 19:19 . 2007-08-02 22:34 731136 ----a-r- c:\windows\system32\drivers\HSF_CNXT.sys
2010-12-08 19:19 . 2007-07-24 20:08 217088 ----a-r- c:\windows\system32\UCI32M21.dll
2010-12-08 19:19 . 2006-06-19 19:26 12672 ----a-r- c:\windows\system32\drivers\mdmxsdk.sys
2010-12-08 19:19 . 2006-06-19 19:26 94208 ----a-r- c:\windows\system32\mdmxsdk.dll
2010-12-07 17:41 . 2010-12-07 17:41 -------- d-----w- c:\documents and settings\Loralee\Local Settings\Application Data\PassMark
2010-12-07 17:41 . 2008-07-12 13:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2010-12-07 17:41 . 2008-07-12 13:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2010-12-07 17:41 . 2008-07-12 13:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2010-12-07 17:41 . 2006-09-28 21:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-12-07 17:40 . 2010-12-07 17:40 -------- d-----w- c:\windows\Logs
2010-12-07 17:40 . 2010-12-07 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PassMark
2010-12-07 17:40 . 2010-12-07 17:40 -------- d-----w- c:\program files\PerformanceTest
2010-12-07 17:09 . 2010-12-07 17:09 -------- d-----w- c:\program files\CCleaner
2010-12-07 16:01 . 2010-12-07 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-12-07 16:01 . 2010-12-07 16:01 -------- d-----w- c:\program files\Citrix
2010-12-07 16:00 . 2010-12-07 16:00 -------- d-----w- c:\documents and settings\Loralee\Local Settings\Application Data\Citrix
2010-12-07 15:02 . 2003-06-25 21:05 266360 ----a-w- c:\windows\system32\TweakUI.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:42 . 2010-10-15 12:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2010-10-15 12:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 16:23 . 2007-04-03 12:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 09:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 09:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-15 09:50 . 2010-10-14 14:30 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 07:29 . 2010-10-14 14:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

------- Sigcheck -------

[-] 2008-09-18 . 483C1D50C96AAE597545F87DF49863B4 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-04-29 5248312]
"Google Update"="c:\documents and settings\Loralee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-09-30 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 2220032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"nwiz"="nwiz.exe" [2009-05-01 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"NVHotkey"="nvHotkey.dll" [2009-05-01 86016]
"DLPSP"="c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2007-02-22 361368]
"DLUPDR"="c:\program files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE" [2007-02-22 140184]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2009-03-08 128512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Sophos AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2010-1-26 429096]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-12-07 16:01 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Loralee\\Desktop\\DCPlusPlus-0.750\\DCPlusPlus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Loralee\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Loralee\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [2/3/2010 9:20 AM 140184]
.
Contents of the 'Scheduled Tasks' folder

2010-12-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-25 04:21]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1644491937-1417001333-1010Core.job
- c:\documents and settings\Loralee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-30 14:37]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1644491937-1417001333-1010UA.job
- c:\documents and settings\Loralee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-30 14:37]

2010-12-11 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\documents and settings\Loralee\Application Data\Mozilla\Firefox\Profiles\urg7gy8k.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/p/2.html
FF - plugin: c:\documents and settings\Loralee\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Loralee\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Loralee\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-12-11 17:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(936)
c:\progra~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
.
Completion time: 2010-12-11 17:23:50
ComboFix-quarantined-files.txt 2010-12-11 22:23

Pre-Run: 14,576,869,376 bytes free
Post-Run: 19,120,574,464 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A60FF15B1170F1CD006E90E774E8C962
lolerary is offline  
Old 12-11-2010, 03:28 PM   #9
By the way, I don't recall ever seeing a Windows File Protection message, much less canceling one.
lolerary is offline  
Old 12-11-2010, 03:35 PM   #10
Hello again, lolerary. ComboFix didn't find much as far as malware is concerned. Any change in behavior?

You do have a system critical file that failed sigcheck. Do you have access to another XP machine with SP3?

------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c peV -ltf "%systemdrive%\sfcfiles.dll" >log.txt&log.txt&del log.txt

A Notepad file will open. Post the contents of log.txt in your next reply.

------------------------------------------------------
chemist is offline  
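The failed Sigcheck entry and the replacement-copy procedure discussed in this post, illustrated with an added Python example (not code from the thread, ComboFix or peV): it parses the ComboFix Sigcheck line and checks a candidate replacement's byte size and MD5 against it. It assumes that a genuine copy of the same file version from a clean XP SP3 machine keeps the same byte size, and treats a candidate whose MD5 equals the flagged hash as the same file rather than a replacement.

```python
"""Check a candidate replacement file against the ComboFix Sigcheck entry.

Added example; it is not code from the thread, ComboFix or peV.  The log
excerpt below is the Sigcheck section as printed on the page.  Assumption:
a genuine copy of the same file version from a clean XP SP3 machine has the
same byte size as the flagged file, while its MD5 differs from the hash of
the copy that failed the check.
"""
import hashlib
import re
from dataclasses import dataclass

# Sigcheck section copied from the ComboFix log in this thread (constructed excerpt).
COMBOFIX_SIGCHECK_EXCERPT = """\
------- Sigcheck -------

[-] 2008-09-18 . 483C1D50C96AAE597545F87DF49863B4 . 1614848 . . [5.1.2600.5512] . . c:\\windows\\system32\\sfcfiles.dll
.
"""

# One Sigcheck line: "[-] date . MD5 . size . . [version] . . path"
# "[-]" means the file did not match what Windows File Protection expects.
SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[-+ ])\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[\d.]+)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)


@dataclass
class SigcheckEntry:
    failed: bool
    date: str
    md5: str
    size: int
    version: str
    path: str


def parse_sigcheck_line(line: str) -> SigcheckEntry:
    """Parse one "[-] ..." line; raises ValueError for anything else."""
    m = SIGCHECK_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Sigcheck line: {line!r}")
    return SigcheckEntry(
        failed=m.group("status") == "-",
        date=m.group("date"),
        md5=m.group("md5").upper(),
        size=int(m.group("size")),
        version=m.group("version"),
        path=m.group("path").strip(),
    )


def parse_sigcheck_section(log_text: str) -> list[SigcheckEntry]:
    """Collect every Sigcheck entry found in a ComboFix log (other lines are skipped)."""
    return [parse_sigcheck_line(ln) for ln in log_text.splitlines()
            if SIGCHECK_RE.match(ln.strip())]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest().upper()


def evaluate_candidate(entry: SigcheckEntry, candidate: bytes) -> list[str]:
    """Return the reasons a candidate copy is unusable; an empty list means OK.

    The checks mirror what the helper looks at in the peV output: the byte
    count must equal the size ComboFix recorded, and the candidate must not
    hash to the same MD5 as the flagged file (that would be the same copy).
    """
    problems = []
    if len(candidate) != entry.size:
        problems.append(
            f"size {len(candidate)} differs from expected {entry.size}")
    if md5_hex(candidate) == entry.md5:
        problems.append(
            "MD5 equals the flagged file's hash; this is the same copy, "
            "not a replacement")
    return problems


if __name__ == "__main__":
    flagged = parse_sigcheck_section(COMBOFIX_SIGCHECK_EXCERPT)[0]
    print(f"{flagged.path}: failed={flagged.failed} size={flagged.size} "
          f"version={flagged.version}")
    # Constructed stand-in for a copy received from another machine.
    fake_candidate = b"\x00" * flagged.size
    print(evaluate_candidate(flagged, fake_candidate) or "candidate acceptable")
```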
Old 12-11-2010, 03:39 PM   #11
----a-w- 1,614,848 2008-09-18 1847 C:\WINDOWS\system32\sfcfiles.dll

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 1,614,848 Blocks: 3,154


No change in behavior...I still have to restart my computer every day. I don't get the ntdevice error anymore since someone techy deleted something from my registry (says it was leftover from a virus that got deleted), but all of the other symptoms remain intact.
lolerary is offline  
Old 12-11-2010, 03:41 PM   #12
Do you have access to another XP machine with SP3?
chemist is offline  
Old 12-11-2010, 03:43 PM   #13
No I do not. All of my friends have Macs >_<
lolerary is offline  
Old 12-11-2010, 03:45 PM   #14
Can anyone email you a copy of C:\Windows\system32\sfcfiles.dll?

Has to be XP with SP3.
chemist is offline  
Old 12-11-2010, 03:47 PM   #15
Uhhmm.....not that I know of. I can post a query on facebook. Is there a place I can download it? Is that what my issue is?
lolerary is offline  
Old 12-11-2010, 03:57 PM   #16
Nowhere really to download it. Best to get it off of a machine you know to be clean.

As far as your issue, I'm not sure but it is something I would try first. Let me know if you still can't get a copy.
chemist is offline  
Old 12-11-2010, 06:04 PM   #17
I've posted queries, sent emails, and called people but I haven't had much luck tracking down that file. Is it my only option?
lolerary is offline  
Old 12-11-2010, 08:12 PM   #18
Hey, false alarm. A friend of mine managed to get me a copy. Do I stick it in my systems 32 folder and delete the old one?
lolerary is offline  
Old 12-11-2010, 08:18 PM   #19
Hello again, lolerary. Please copy the file to the root of your C:\ drive.

------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c peV -ltf "%systemdrive%\sfcfiles.dll" >log.txt&log.txt&del log.txt

A Notepad file will open. Post the contents of log.txt in your next reply.

------------------------------------------------------
chemist is offline  
Old 12-11-2010, 08:20 PM   #20
What is the root of my C drive?
lolerary is offline  