Hello everyone,
A few weeks ago I noticed that files on my computer were becoming inaccessible: files of types .doc, .jpg and .gif.
All the .doc files were prepared using Microsoft Word for Windows from my Microsoft Office Professional 2000 installation. On opening the files, the display shows nothing but a page full of oblong icons, and the header shows the font as Courier New although all my documents are prepared using Arial. This display is exactly the same whatever viewer I use. I have created new files and saved them in .rtf format, and when I reopen them I get a page of gobbledegook which includes the word .docy in the file name. I can take and post a screenshot of this display (not, of course, the actual file itself) if that would help at all. Looking in folders using Explorer, all the file names show correctly, but the size of the files appears to have been reduced from whatever their original size was to anything between 20 and 25 KB. The corruption process appears to be going on gradually over time, affecting any file that I open and sometimes all the files in the containing folder. The position now is that I'm afraid to open any more .doc files in case I lose them.
The .jpg and .gif files all report "No preview available" whichever viewer programme I use, and once I have opened a file in a folder, all the files of these types within the folder are corrupted.
The steps I have taken to try and remedy this problem:
I have uninstalled Microsoft Office 2000 Professional and re-installed it.
I have run, individually and separately, security scans using the latest versions of Microsoft Security Essentials, Malwarebytes Anti-Malware, Windows Defender, SUPERAntiSpyware, Windows Malicious Software Removal Tool and ESET NOD32 Antivirus; all report clear.
I have run HijackThis and cannot see anything suspicious in the report. I have also run CCleaner and Eusing Registry Cleaner, neither of which shows anything suspicious.
I have carried out the following as instructed:
Download DDS and save it to your desktop from here.
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will save 2 logs to your desktop:
DDS.txt
Attach.txt
Download GMER Rootkit Scanner from here.
Ensure you have uninstalled any CD Emulation programs before you run GMER, as outlined above and here.
Extract the contents of the zipped file to desktop.
Disable your onboard Anti Virus and any other Active protection programs you have installed. If you are unsure how to do this, see this link.
Double click GMER.exe.
If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
On running the first scan the programme stopped reporting a rootkit error; the report is attached as ark.txt. I ran the second procedure and the report is attached as ark2.txt.
My computer:
Hewlett-Packard Company
Compaq Presario
Intel(R) Pentium(R) 4 CPU 3.06 GHz
3.06 GHz, 1.00 GB RAM
Physical Address Extension
Operating System
Windows XP Home Edition Service Pack 3 Version 2002.
My apologies for such a long posting. I really would appreciate any help at all that anyone can give me on solving this problem.
Kind regards,
Oliver
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by Compaq_Owner at 14:12:16 on 2012-12-08
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.194 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Eset Anti Virus 04122012\ekrn.exe
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Eset Anti Virus 04122012\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\M8 Clipboard Manager\FreeClip\FreeClip.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\SuperAntispyware\SUPERAntiSpyware.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
mURLSearchHooks: {4a6e1b85-1193-4a2a-aab8-7417f275f18a} - <orphaned>
BHO: AutorunsDisabled - <orphaned>
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - <orphaned>
EB: Dealio: {5C4C24D0-28B6-4B6B-B70F-E09848367F10} - LocalServer32 - <no file>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\temp\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [egui] "c:\eset anti virus 04122012\egui.exe" /hide /waitservice
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\temp\startm~1\programs\startup\defender.lnk - c:\program files\windows defender\MSASCui.exe
StartupFolder: c:\docume~1\temp\startm~1\programs\startup\freeclip.lnk - c:\m8 clipboard manager\freeclip\FreeClip.exe
StartupFolder: c:\docume~1\temp\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\temp\startm~1\programs\startup\supera~1.lnk - c:\superantispyware\SUPERAntiSpyware.exe
StartupFolder: c:\documents and settings\temp\start menu\programs\startup\autorunsdisabled\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &Google Search - <no file>
IE: Backward Links - <no file>
IE: Cached Snapshot of Page - <no file>
IE: E&xport to Microsoft Excel - <no file>
IE: Similar Pages - <no file>
IE: Translate into English - <no file>
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} - hxxps://download.yahoo.com/dl/installs/bt/yregucfg.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CA6F0A67-18BB-4E39-BB8A-A1E04D6AACDF} - hxxp://www.superadblocker.com/activex/sabminf.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} - hxxp://update.hpphoto.com/download/HPSWUpdate.ocx
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{7A545EDF-3EBE-41C5-B268-01AB4F12860F} : DHCPNameServer = 15.243.128.51 15.243.160.51
TCP: Interfaces\{D35F4375-5DAB-46AD-9381-117C3BBE3F2E} : DHCPNameServer = 192.168.1.254
Filter: text/html - <Clsid value has no data>
Handler: AutorunsDisabled - <Clsid value has no data>
Notify: !SASWinLogon - <no file>
Notify: AtiExtEvent - <no file>
Notify: AutorunsDisabled - <no file>
Notify: crypt32chain - <no file>
Notify: cryptnet - <no file>
Notify: cscdll - <no file>
Notify: dimsntfy - <no file>
Notify: igfxcui - <no file>
Notify: ScCertProp - <no file>
Notify: Schedule - <no file>
Notify: sclgntfy - <no file>
Notify: SensLogn - <no file>
Notify: termsrv - <no file>
Notify: wlballoon - <no file>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - <orphaned>
SEH: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\program files\windows defender\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 193552]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-7-29 65848]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2012-3-14 120152]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2012-3-14 104160]
R1 RapportCerberus_43926;RapportCerberus_43926;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\43926\RapportCerberus32_43926.sys [2012-10-30 272216]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-7-29 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-7-29 166840]
R1 SASDIFSV;SASDIFSV;c:\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-11-19 98392]
R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\codemeter\runtime\bin\CodeMeter.exe [2012-12-4 2568120]
R2 ekrn;ESET Service;c:\eset anti virus 04122012\ekrn.exe [2012-3-7 913144]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-7-29 976728]
S2 gupdate1c9cdac127325d8;Google Update Service (gupdate1c9cdac127325d8);c:\program files\google\update\GoogleUpdate.exe [2009-5-5 133104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 gBTMouUsb;BT Mouse Device Drv;c:\windows\system32\drivers\gBTMouUsb.sys [2012-5-1 9856]
S3 HPUATA;HP CD Writer Plus Controller Driver;c:\windows\system32\drivers\HPUATA.sys [2001-9-24 75776]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507; [x]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2012-2-1 137600]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4; [x]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-11-18 7808]
S3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-5-28 21520]
S4 apnsqcvg;apnsqcvg; [x]
S4 bhjmdble;bhjmdble; [x]
S4 bsflajmr;bsflajmr; [x]
S4 iwjzussd;iwjzussd; [x]
S4 jqcoxcig;jqcoxcig; [x]
S4 qbpcqsrr;qbpcqsrr; [x]
S4 Winfk84;Winfk84; [x]
S4 Winfl05;Winfl05; [x]
S4 Winio51;Winio51; [x]
S4 Winjo51;Winjo51; [x]
S4 Winlr84;Winlr84; [x]
S4 Winot05;Winot05; [x]
S4 Winrw51;Winrw51; [x]
S4 Winsy84;Winsy84; [x]
S4 Winwd28;Winwd28; [x]
.
=============== File Associations ===============
.
FileExt: .js: JSFile="c:\program files\macromedia\dreamweaver 4\Dreamweaver.exe" "%1"
ShellExec: hpqpssp.exe: Open=c:\program files\hp\digital imaging\bin\hpqpssp.exe
.
=============== Created Last 30 ================
.
2012-12-08 14:11:35 -------- d-----w- C:\DDS scanner 08122012
2012-12-08 14:05:32 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{94c1be4c-e167-475a-8a0d-a131cf7d7799}\mpengine.dll
2012-12-08 12:49:54 -------- d-----w- c:\documents and settings\temp\application data\DriverCure
2012-12-08 12:49:51 -------- d-----w- c:\documents and settings\temp\application data\SpeedMaxPc
2012-12-08 12:48:08 -------- d-----w- c:\documents and settings\all users\application data\SpeedMaxPc
2012-12-07 09:28:52 6812136 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-12-05 13:23:41 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{e76a3e6c-c73f-449f-a238-32b330a6ce12}\mpengine.dll
2012-12-05 09:42:23 -------- d-----w- c:\documents and settings\temp\application data\OpenOffice.org
2012-12-05 09:33:36 -------- d-----w- c:\program files\OpenOffice.org 3
2012-12-05 09:30:58 -------- d-----w- C:\Apache OpenOffice 05122012
2012-12-04 10:24:03 -------- d-----w- c:\documents and settings\temp\local settings\application data\ESET
2012-12-04 01:48:33 -------- d-----w- C:\Eset Anti Virus 04122012
2012-12-04 01:08:18 666024 ----a-w- c:\windows\system32\WibuCm32.dll
2012-12-04 01:08:16 -------- d-----w- c:\program files\CodeMeter
2012-12-04 01:08:00 -------- d-----w- C:\Recover My Files v5
2012-12-01 15:11:29 -------- d-----w- C:\WordView 01122012
2012-11-15 15:04:59 -------- d-----w- C:\Audacity recording Thursday 15th November 2012 only to 1352pm
2012-11-14 20:15:43 -------- d-----w- C:\Audacity recording Wednesday 14th November 2012
2012-11-14 09:45:12 -------- d-----w- C:\Audacity recording Wednesday 14112012
2012-11-13 21:16:42 -------- d-----w- C:\Audacity recording Tuesday 13112012
2012-11-12 21:18:22 -------- d-----w- C:\Audacity recording Monday 12th November 2012
2012-11-11 21:19:04 -------- d-----w- C:\Audacity recording Sunday 11112012
2012-11-11 00:32:44 -------- d-----w- C:\Audacity recording Saturday 10112012
2012-11-10 00:16:14 -------- d-----w- C:\Audacity Recording Friday 09112012
.
==================== Find3M ====================
.
2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-09 06:08:16 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 06:08:16 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-29 19:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-14 15:36:13 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-14 15:36:11 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-14 15:36:11 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-14 15:36:11 143872 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 14:14:13.56 ===============
S4 apnsqcvg;apnsqcvg; [x]
S4 bhjmdble;bhjmdble; [x]
S4 bsflajmr;bsflajmr; [x]
S4 iwjzussd;iwjzussd; [x]
S4 jqcoxcig;jqcoxcig; [x]
S4 qbpcqsrr;qbpcqsrr; [x]
S4 Winfk84;Winfk84; [x]
S4 Winfl05;Winfl05; [x]
S4 Winio51;Winio51; [x]
S4 Winjo51;Winjo51; [x]
S4 Winlr84;Winlr84; [x]
S4 Winot05;Winot05; [x]
S4 Winrw51;Winrw51; [x]
S4 Winsy84;Winsy84; [x]
S4 Winwd28;Winwd28; [x]
.
=============== File Associations ===============
.
FileExt: .js: JSFile="c:\program files\macromedia\dreamweaver 4\Dreamweaver.exe" "%1"
ShellExec: hpqpssp.exe: Open=c:\program files\hp\digital imaging\bin\hpqpssp.exe
.
=============== Created Last 30 ================
.
2012-12-08 14:11:35 -------- d-----w- C:\DDS scanner 08122012
2012-12-08 14:05:32 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{94c1be4c-e167-475a-8a0d-a131cf7d7799}\mpengine.dll
2012-12-08 12:49:54 -------- d-----w- c:\documents and settings\temp\application data\DriverCure
2012-12-08 12:49:51 -------- d-----w- c:\documents and settings\temp\application data\SpeedMaxPc
2012-12-08 12:48:08 -------- d-----w- c:\documents and settings\all users\application data\SpeedMaxPc
2012-12-07 09:28:52 6812136 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-12-05 13:23:41 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{e76a3e6c-c73f-449f-a238-32b330a6ce12}\mpengine.dll
2012-12-05 09:42:23 -------- d-----w- c:\documents and settings\temp\application data\OpenOffice.org
2012-12-05 09:33:36 -------- d-----w- c:\program files\OpenOffice.org 3
2012-12-05 09:30:58 -------- d-----w- C:\Apache OpenOffice 05122012
2012-12-04 10:24:03 -------- d-----w- c:\documents and settings\temp\local settings\application data\ESET
2012-12-04 01:48:33 -------- d-----w- C:\Eset Anti Virus 04122012
2012-12-04 01:08:18 666024 ----a-w- c:\windows\system32\WibuCm32.dll
2012-12-04 01:08:16 -------- d-----w- c:\program files\CodeMeter
2012-12-04 01:08:00 -------- d-----w- C:\Recover My Files v5
2012-12-01 15:11:29 -------- d-----w- C:\WordView 01122012
2012-11-15 15:04:59 -------- d-----w- C:\Audacity recording Thursday 15th November 2012 only to 1352pm
2012-11-14 20:15:43 -------- d-----w- C:\Audacity recording Wednesday 14th November 2012
2012-11-14 09:45:12 -------- d-----w- C:\Audacity recording Wednesday 14112012
2012-11-13 21:16:42 -------- d-----w- C:\Audacity recording Tuesday 13112012
2012-11-12 21:18:22 -------- d-----w- C:\Audacity recording Monday 12th November 2012
2012-11-11 21:19:04 -------- d-----w- C:\Audacity recording Sunday 11112012
2012-11-11 00:32:44 -------- d-----w- C:\Audacity recording Saturday 10112012
2012-11-10 00:16:14 -------- d-----w- C:\Audacity Recording Friday 09112012
.
==================== Find3M ====================
.
2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-09 06:08:16 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 06:08:16 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-29 19:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-14 15:36:13 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-14 15:36:11 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-14 15:36:11 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-14 15:36:11 143872 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 14:14:13.56 ===============
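Added example, not part of the poster's log or of DDS itself: a small Python triage script for the "SERVICES / DRIVERS" and hooks sections of a DDS log like the one above. It parses each service line into its fields, keeps only the entries where DDS printed `[x]` (no backing file found on disk), and notes which of those also carry a random-looking name, since that combination (seen here in the S4 block) is what a helper would ask about first. It also collects the `<no file>` / `<orphaned>` hook entries for review. Assumptions: the R/S letter means running/stopped and the digit is the service start type (4 = Disabled), which is how DDS output is normally read; the `looks_random` test is my own crude heuristic, and the sample lines are copied from the log in the post, not a complete log. Missing-file driver entries with random names are often leftovers from security tools rather than infections, and `<no file>` Winlogon notify entries are common on XP, so the output is a list to check, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A DDS "SERVICES / DRIVERS" line, e.g.
#   R1 SASDIFSV;SASDIFSV;c:\superantispyware\sasdifsv.sys [2010-2-17 12872]
#   S4 apnsqcvg;apnsqcvg; [x]
# Letter: R = running, S = stopped; digit: start type (0 boot .. 4 disabled) [assumed DDS convention].
SERVICE_RE = re.compile(r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# "[YYYY-M-D size]" suffix DDS appends when the binary exists on disk.
FILEINFO_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")
# Hook entries whose target is gone: "Notify: x - <no file>", "SEH: {guid} - <orphaned>".
ORPHAN_RE = re.compile(r"^(?P<kind>Notify|SEH|Filter|Handler):\s+(?P<body>.*?)\s*-\s*<(?P<marker>[^>]+)>$")


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: Optional[str]          # None when DDS printed "[x]" (no backing file found)
    size: Optional[int]
    reasons: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Split one DDS service/driver line into its fields; None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"].strip()
    if rest == "[x]":
        return ServiceEntry(m["state"], m["name"], m["display"], None, None)
    f = FILEINFO_RE.match(rest)
    if f:
        return ServiceEntry(m["state"], m["name"], m["display"], f["path"], int(f["size"]))
    return ServiceEntry(m["state"], m["name"], m["display"], rest or None, None)


def looks_random(name: str) -> bool:
    """Crude heuristic (my own, not DDS's) for the two naming shapes in the S4 block:
    eight lowercase letters with at most two vowels (apnsqcvg), or Win + 2 letters + 2 digits
    (Winfk84). Real drivers such as epfwtdir also trip it, so it is only applied to entries
    that already lack a backing file."""
    if re.fullmatch(r"Win[a-z]{2}\d{2}", name):
        return True
    if re.fullmatch(r"[a-z]{8}", name):
        return sum(c in "aeiou" for c in name) <= 2
    return False


def triage_services(lines: List[str]) -> List[ServiceEntry]:
    """Return the service entries with no backing file, annotated with why they were kept."""
    kept = []
    for line in lines:
        e = parse_service_line(line)
        if e is None or e.path is not None:
            continue  # has a file on disk: that is a job for AV / hash lookup, not this heuristic
        e.reasons.append("no backing file ([x])")
        if e.state == "S4":
            e.reasons.append("stopped, start type Disabled")
        if looks_random(e.name):
            e.reasons.append("random-looking name")
        kept.append(e)
    return kept


def find_orphans(lines: List[str]):
    """Collect Notify/SEH/Filter/Handler entries DDS marked <no file>, <orphaned>, etc."""
    return [(m["kind"], m["body"], m["marker"])
            for m in (ORPHAN_RE.match(l.strip()) for l in lines) if m]


# Sample input: lines copied from the DDS log in the post above (not a complete log).
SAMPLE = r"""
R1 SASDIFSV;SASDIFSV;c:\superantispyware\sasdifsv.sys [2010-2-17 12872]
R2 ekrn;ESET Service;c:\eset anti virus 04122012\ekrn.exe [2012-3-7 913144]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507; [x]
S4 apnsqcvg;apnsqcvg; [x]
S4 iwjzussd;iwjzussd; [x]
S4 Winfk84;Winfk84; [x]
Notify: crypt32chain - <no file>
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - <orphaned>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
""".strip().splitlines()


if __name__ == "__main__":
    for e in triage_services(SAMPLE):
        print(f"{e.state} {e.name:22} {'; '.join(e.reasons)}")
    for kind, body, marker in find_orphans(SAMPLE):
        print(f"{kind}: {body} <{marker}>")
```

Run it against the full log pasted into a file and the S4 block and the two `[x]` S3 entries are what comes out; everything with a dated path is left for the AV scanners and file-hash checks the poster has already been running.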