Explorer.exe runs at constant 50%


This topic is locked. 95 replies to this topic.

#1 lightsabre


Posted 03 April 2009 - 04:06 PM

Hi I wonder whether anyone can help me with this one:

Task manager shows that explorer.exe is running at a constant 50% (plus or minus a percent or two). This is obviously slowing down my PC. I have performed numerous system scans with Kaspersky, Adaware and Spybot, and all three tell me my computer is clean! I have also run these in safe mode, except Kaspersky, which for some reason will not run in safe mode.

The problem is there whether my laptop is connected to the internet or not. Interestingly, it goes away if I log in as guest, or create a new user!

The DDS log is as follows:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Nige at 19:44:13.11 on 03/04/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1982.882 [GMT 1:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Windows\System32\rundll32.exe
F:\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Nige\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.timesonline.co.uk/tol/news/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: E-Zsoft VideoDownloaderToolBar: {4322a444-92f8-4c3e-bd4c-013ba51e2871} - c:\program files\e-zsoft\youtubedownloader\VDTB.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: E-Zsoft VideoDownloaderToolBar: {4322a444-92f8-4c3e-bd4c-013ba51e2871} - c:\program files\e-zsoft\youtubedownloader\VDTB.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DetectTray] c:\program files\usb dvb-t tv tuner\DetectTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "F:\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [YouTubeDownloader_upgrade] "c:\program files\e-zsoft\youtubedownloader\YouTubeDownloader.exe" /upgrade
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\users\nige\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\nige\appdata\roaming\mozilla\firefox\profiles\mthl3lc1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.timesonline.co.uk/tol/news/
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: f:\mozilla plugins\npitunes.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-25 64160]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2008-7-9 20496]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-4-20 809296]
R3 EC168BDA;EC168BDA service;c:\windows\system32\drivers\EC168BDA.sys [2007-10-5 107264]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
S3 SureThing Labelflash service;SureThing Labelflash service;c:\program files\common files\surething shared\stllssvr.exe [2009-2-26 74392]

=============== Created Last 30 ================

2009-03-31 18:21 <DIR> --d----- c:\windows\pss
2009-03-25 07:57 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-25 00:00 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-24 23:59 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 23:59 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 23:59 <DIR> --d----- c:\program files\Lavasoft
2009-03-24 20:35 34,304 a------- c:\windows\system32\drivers\AmdLLD.sys
2009-03-24 20:35 <DIR> --d----- c:\program files\AMD
2009-03-23 08:59 <DIR> --d----- c:\programdata\WindowsSearch
2009-03-23 08:35 <DIR> --d----- c:\program files\Norton Security Scan
2009-03-22 14:43 <DIR> --d----- c:\program files\CDex_150
2009-03-20 08:29 <DIR> --d----- c:\program files\Trend Micro
2009-03-19 18:49 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2009-03-18 22:29 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-18 22:29 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 22:29 <DIR> --d----- c:\program files\iPod
2009-03-18 22:29 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-18 22:29 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-18 22:28 <DIR> --d----- c:\program files\Bonjour
2009-03-16 20:23 <DIR> --d----- C:\VundoFix Backups
2009-03-14 18:23 <DIR> --d----- c:\program files\Lavasoft(0)
2009-03-11 07:59 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-11 07:59 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 07:59 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 07:59 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 07:59 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 07:59 2,033,152 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-04-03 15:41 917,536 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-03 06:58 83,348 a------- c:\programdata\nvModes.dat
2009-04-03 06:58 83,348 a------- c:\progra~2\nvModes.dat
2009-04-02 19:28 5,652,000 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-02 19:28 48,380 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-02 19:28 5,236 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-02 07:35 20 ----h--- c:\programdata\PKP_DLbz.DAT
2009-04-02 07:35 20 ----h--- c:\programdata\PKP_DLbx.DAT
2009-04-02 07:35 20 ----h--- c:\programdata\PKP_DLbw.DAT
2009-04-02 07:35 20 ----h--- c:\progra~2\PKP_DLbz.DAT
2009-04-02 07:35 20 ----h--- c:\progra~2\PKP_DLbx.DAT
2009-04-02 07:35 20 ----h--- c:\progra~2\PKP_DLbw.DAT
2009-03-31 20:26 20 ----h--- c:\programdata\PKP_DLdw.DAT
2009-03-31 20:26 20 ----h--- c:\progra~2\PKP_DLdw.DAT
2009-03-24 20:35 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-24 20:35 51,200 a------- c:\windows\inf\infpub.dat
2009-03-24 20:35 86,016 a------- c:\windows\inf\infstor.dat
2009-03-20 08:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-04 20:21 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-02-03 19:36 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-02-03 19:36 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-01-15 07:11 827,392 a------- c:\windows\system32\wininet.dll
2008-11-21 21:04 53,948 a------- c:\users\nige\appdata\roaming\nvModes.dat
2008-09-27 16:48 174 a--sh--- c:\program files\desktop.ini
2008-09-27 16:35 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:45:05.00 ===============




Thanks in advance for any help!

Edited by Hoov, 23 April 2009 - 11:19 AM.
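Since the symptom disappears for a freshly created account, the per-user autostart entries are the natural first suspects when reading the log. The script below is an added example, not a tool from this thread or from the DDS author: it sorts the "Pseudo HJT Report" entries by scope using DDS's u/m prefix convention (current user vs. local machine) and flags entries that are registered but point at "No File"; the sample input is a constructed subset of lines from the log above.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

DDS prefixes registry autostarts with 'u' (current user, HKCU) or 'm'
(local machine, HKLM).  When a symptom disappears for a brand-new account,
the user-scoped bucket is the first place to look, so this script sorts the
entries by scope and also flags entries whose file no longer exists.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied verbatim from the log above.
# 'hxxp' is how DDS defangs 'http'; backslashes are literal (raw string).
SAMPLE = r"""
uStart Page = hxxp://www.timesonline.co.uk/tol/news/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=laptop
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [YouTubeDownloader_upgrade] "c:\program files\e-zsoft\youtubedownloader\YouTubeDownloader.exe" /upgrade
StartupFolder: c:\users\nige\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
Notify: klogon - c:\windows\system32\klogon.dll
"""


@dataclass
class Entry:
    kind: str    # DDS tag: 'uRun', 'mRun', 'BHO', 'TB', 'StartupFolder', ...
    scope: str   # 'user' (HKCU / user profile) or 'machine' (HKLM / all users)
    name: str    # value name, BHO/toolbar name or CLSID, or the .lnk path
    target: str  # command line, DLL path, URL, or 'No File'


RUN_RE = re.compile(r"^(?P<kind>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
COM_RE = re.compile(r"^(?P<kind>BHO|TB): (?:(?P<name>.+?): )?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
KV_RE = re.compile(r"^(?P<kind>[um][A-Za-z_ ,]+?) = (?P<target>.*)$")
PAIR_RE = re.compile(r"^(?P<kind>[A-Za-z_]+): (?P<name>.*?) - (?P<target>.*)$")


def parse_line(line: str) -> Entry | None:
    """Return an Entry for one report line, or None for headers and non-autostart lines."""
    if m := RUN_RE.match(line):
        scope = "user" if m["kind"].startswith("u") else "machine"
        return Entry(m["kind"], scope, m["name"], m["target"])
    if m := COM_RE.match(line):
        # BHOs and IE toolbars register under HKLM, so they load for every user.
        return Entry(m["kind"], "machine", m["name"] or m["clsid"], m["target"])
    if m := KV_RE.match(line):
        scope = "user" if m["kind"].startswith("u") else "machine"
        return Entry(m["kind"], scope, m["kind"], m["target"])
    if m := PAIR_RE.match(line):
        if m["kind"] == "StartupFolder":
            # A .lnk under a user profile is per-user; c:\progra~2 (ProgramData) is all-users.
            scope = "user" if m["name"].lower().startswith("c:\\users\\") else "machine"
        else:
            scope = "machine"  # Notify, Handler, DPF and IE menu entries live under HKLM
        return Entry(m["kind"], scope, m["name"], m["target"])
    return None


def parse_report(text: str) -> list[Entry]:
    """Parse every recognised entry in a DDS log or a pasted section of one."""
    return [e for line in text.splitlines() if (e := parse_line(line.strip())) is not None]


def triage(entries: list[Entry]) -> tuple[dict[str, list[Entry]], list[Entry]]:
    """Split entries by scope and collect orphans (registered, but 'No File')."""
    by_scope: dict[str, list[Entry]] = {"user": [], "machine": []}
    for e in entries:
        by_scope[e.scope].append(e)
    orphans = [e for e in entries if e.target == "No File"]
    return by_scope, orphans


if __name__ == "__main__":
    scoped, orphans = triage(parse_report(SAMPLE))
    for scope in ("user", "machine"):
        print(f"== {scope}-scoped entries ({len(scoped[scope])}) ==")
        for e in scoped[scope]:
            print(f"  {e.kind:<14} {e.name:<40.40} -> {e.target}")
    print(f"== registered but missing on disk: {len(orphans)} ==")
    for e in orphans:
        print(f"  {e.kind} {e.name}")
```

Feeding it the whole DDS log instead of the sample works the same way, since section headers and the FF/service lines simply fail every pattern and are skipped.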


#2 KoanYorel


Posted 13 April 2009 - 11:10 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 KoanYorel


Posted 18 April 2009 - 11:34 AM

Thread opened at member's request.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 lightsabre

  • Topic Starter

Posted 19 April 2009 - 07:14 AM

OK, thanks. I have re-run the DDS tool. Here are the results:
DDS (Ver_09-03-16.01) - NTFSx86
Run by Nige at 13:12:01.06 on 19/04/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1982.1077 [GMT 1:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Windows\System32\rundll32.exe
F:\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\USB DVB-T TV Tuner\DetectTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Nige\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.timesonline.co.uk/tol/news/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: E-Zsoft VideoDownloaderToolBar: {4322a444-92f8-4c3e-bd4c-013ba51e2871} - c:\program files\e-zsoft\youtubedownloader\VDTB.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: E-Zsoft VideoDownloaderToolBar: {4322a444-92f8-4c3e-bd4c-013ba51e2871} - c:\program files\e-zsoft\youtubedownloader\VDTB.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DetectTray] c:\program files\usb dvb-t tv tuner\DetectTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "F:\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [YouTubeDownloader_upgrade] "c:\program files\e-zsoft\youtubedownloader\YouTubeDownloader.exe" /upgrade
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\users\nige\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\nige\appdata\roaming\mozilla\firefox\profiles\mthl3lc1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.timesonline.co.uk/tol/news/
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: f:\mozilla plugins\npitunes.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-25 64160]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2008-7-9 20496]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-4-20 809296]
R3 EC168BDA;EC168BDA service;c:\windows\system32\drivers\EC168BDA.sys [2007-10-5 107264]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
S3 SureThing Labelflash service;SureThing Labelflash service;c:\program files\common files\surething shared\stllssvr.exe [2009-2-26 74392]

=============== Created Last 30 ================

2009-04-17 15:20 376,832 a------- c:\windows\system32\winhttp.dll
2009-03-31 18:21 <DIR> --d----- c:\windows\pss
2009-03-25 07:57 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-25 00:00 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-24 23:59 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 23:59 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 23:59 <DIR> --d----- c:\program files\Lavasoft
2009-03-24 20:35 34,304 a------- c:\windows\system32\drivers\AmdLLD.sys
2009-03-24 20:35 <DIR> --d----- c:\program files\AMD
2009-03-23 08:59 <DIR> --d----- c:\programdata\WindowsSearch
2009-03-23 08:35 <DIR> --d----- c:\program files\Norton Security Scan
2009-03-22 14:43 <DIR> --d----- c:\program files\CDex_150

==================== Find3M ====================

2009-04-18 19:40 942,112 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-18 19:40 48,968 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-18 19:40 5,348 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-18 19:40 5,726,176 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-18 13:45 20 ----h--- c:\programdata\PKP_DLbz.DAT
2009-04-18 13:45 20 ----h--- c:\programdata\PKP_DLbx.DAT
2009-04-18 13:45 20 ----h--- c:\programdata\PKP_DLbw.DAT
2009-04-18 13:45 20 ----h--- c:\progra~2\PKP_DLbz.DAT
2009-04-18 13:45 20 ----h--- c:\progra~2\PKP_DLbx.DAT
2009-04-18 13:45 20 ----h--- c:\progra~2\PKP_DLbw.DAT
2009-04-18 13:39 20 ----h--- c:\programdata\PKP_DLdw.DAT
2009-04-18 13:39 20 ----h--- c:\progra~2\PKP_DLdw.DAT
2009-04-14 11:53 83,348 a------- c:\programdata\nvModes.dat
2009-04-14 11:53 83,348 a------- c:\progra~2\nvModes.dat
2009-03-24 20:35 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-24 20:35 51,200 a------- c:\windows\inf\infpub.dat
2009-03-24 20:35 86,016 a------- c:\windows\inf\infstor.dat
2009-03-20 08:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-17 04:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-17 04:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-17 04:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-06 00:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-06 00:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-03 05:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-03 05:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-03 05:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-03 05:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-03 05:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-03 05:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 05:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-03 05:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-03 05:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-03 05:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-03 04:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 03:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-03 03:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-02-13 09:49 72,704 a------- c:\windows\system32\secur32.dll
2009-02-13 09:49 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-02-09 04:10 2,033,152 a------- c:\windows\system32\win32k.sys
2008-11-21 21:04 53,948 a------- c:\users\nige\appdata\roaming\nvModes.dat
2008-09-27 16:48 174 a--sh--- c:\program files\desktop.ini
2008-09-27 16:35 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:12:49.75 ===============

#5 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:46 PM

Posted 19 April 2009 - 07:24 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer:

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#6 lightsabre


Posted 20 April 2009 - 12:56 AM

Great - Thanks Hoov.

I will try your suggestions tonight. I have to go to work now, and will not be able to access my PC, but I will work through your suggestions tonight (UK time).

Thanks

Edited by lightsabre, 20 April 2009 - 12:57 AM.


#7 lightsabre


Posted 20 April 2009 - 03:39 PM

OK I have run the programs you have advised.

CCleaner found loads of files, and removed them

Malwarebytes did not find any infections.

explorer.exe is still running at 49% however!

I haven't tried a reboot since the scans, so I will try that now

#8 Hoov


Posted 20 April 2009 - 04:12 PM

Please download and install Process Explorer.

Configure PE as follows:

* Under View -> Show lower pane - turn ON (check)
* Under Options -> Verify Image Signatures - turn ON (check)

show DLLs must be on.

* The 5th icon from the right on the toolbar must be a gear. (show DLLs)
* Then hit View -> Refresh now on the Menu bar


Process Explorer creates a "CPU History" system tray icon which gauges CPU activity at a glance. It is a black square in which red/green colors represent process activity. When the CPU is maxed out, only green and red appear in the square and there is no black background. When that happens, you can immediately see which process is the offending one by hovering your cursor over the Process Explorer system tray icon. You will see two figures: the total % CPU consumption, and the % CPU cycles being consumed by the "greediest" process (it will identify that process by name). When your system slows down, you can immediately glance at the system tray to verify that and identify which process is a resource hog.

When it shows Explorer at max CPUs then immediately highlight the Explorer process and grab a log that shows which DLLs are being loaded into Explorer. To save the log, with Process Explorer open, click on File -> Save, once the DLLS in the lower pane are visible.

Let me know what is causing explorer.exe to run so high.

Edited by Hoov, 20 April 2009 - 04:13 PM.


#9 lightsabre


Posted 21 April 2009 - 01:25 AM

OK Thanks

I have run Process Explorer, and am still none the wiser! Here's the log:

Process PID CPU Description Company Name
System Idle Process 0 36.90
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4 0.60
smss.exe 464
csrss.exe 604
wininit.exe 656
services.exe 700
svchost.exe 912
unsecapp.exe 3324
WmiPrvSE.exe 3412
ehmsas.exe 4292 Media Center Media Status Aggregator Service Microsoft Corporation
WINWORD.EXE 5824 Microsoft Office Word Microsoft Corporation
dllhost.exe 5712 COM Surrogate Microsoft Corporation
nvvsvc.exe 956
rundll32.exe 336
svchost.exe 984
svchost.exe 1020 1.19
svchost.exe 1072
audiodg.exe 1204
svchost.exe 1104
dwm.exe 2336 Desktop Window Manager Microsoft Corporation
svchost.exe 1136
taskeng.exe 1948
taskeng.exe 2276 Task Scheduler Engine Microsoft Corporation
SLsvc.exe 1232
svchost.exe 1276
AAWService.exe 1488
spoolsv.exe 1588
svchost.exe 1620
AppleMobileDeviceService.exe 584
avp.exe 748
mDNSResponder.exe 896
svchost.exe 1092
KService.exe 1392
LSSrvc.exe 2040
svchost.exe 488
QPCapSvc.exe 580
RichVideo.exe 2724
svchost.exe 2744
svchost.exe 2780
SearchIndexer.exe 2828
SearchProtocolHost.exe 5948
SearchFilterHost.exe 2000
SearchProtocolHost.exe 520 Microsoft Windows Search Protocol Host Microsoft Corporation
XAudio.exe 2872
hpqWmiEx.exe 2900
SDWinSec.exe 2928
QPSched.exe 3284
HPHC_Service.exe 1648
wmpnetwk.exe 3264
iPodService.exe 5212
lsass.exe 716
lsm.exe 724
csrss.exe 668
winlogon.exe 852
explorer.exe 3996 49.41 Windows Explorer Microsoft Corporation
avp.exe 3632 Kaspersky Anti-Virus Kaspersky Lab
rundll32.exe 3236 Windows host process (Rundll32) Microsoft Corporation
iTunesHelper.exe 2636 iTunesHelper Module Apple Inc.
AAWTray.exe 3060 Ad-Aware Tray Application Lavasoft
WiFiMsg.exe 3132 Module to process WiFi messages. Hewlett-Packard Development Company, L.P.
SynTPStart.exe 1852 Synaptics Pointing Device starter Synaptics, Inc.
SynTPEnh.exe 4500
QPService.exe 3244 HP QuickPlay Resident Program CyberLink Corp.
HPKBDAPP.exe 2804 HP QuickTouch On Screen Display Hewlett-Packard Development Company, L.P.
HPWAMain.exe 3240 HPWAMain Module Hewlett-Packard Development Company, L.P.
BJMYPRT.EXE 3936 Canon My Printer CANON INC.
jusched.exe 3112 Java™ Platform SE binary Sun Microsystems, Inc.
sidebar.exe 1480 Windows Sidebar Microsoft Corporation
ehtray.exe 472 Media Center Tray Applet Microsoft Corporation
DetectTray.exe 2188 Detect Device Tray Application
wmpnscfg.exe 2824 Windows Media Player Network Sharing Service Configuration Application Microsoft Corporation
HOMERunner.exe 2888 System Tray application for TomTom HOME TomTom
LightScribeControlPanel.exe 2252 Hewlett-Packard Company
KHost.exe 2268 Delivery Manager Kontiki Inc.
OUTLOOK.EXE 5604 Microsoft Office Outlook Microsoft Corporation
procexp.exe 4416 11.90 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
firefox.exe 5408 Firefox Mozilla Corporation

Process: explorer.exe Pid: 3996

Type Name
Desktop \Default
Desktop \Default
Directory \KnownDlls
Directory \Sessions\1\BaseNamedObjects
Event \Sessions\1\BaseNamedObjects\HPlugEjectEvent
Event \BaseNamedObjects\C::Users:Nige:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterEvent
Event \Sessions\1\BaseNamedObjects\ShellDesktopSwitchEvent
Event \BaseNamedObjects\ShutdownMSIDLLv262144.393299536
Event \BaseNamedObjects\RestartMSIDLLv262144.393299536
Event \BaseNamedObjects\TermSrvReadyEvent
Event \Sessions\1\BaseNamedObjects\ShellReadyEvent
File C:\Windows\System32
File C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File \Device\KsecDD
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Windows\registration\R000000000009.clb
File C:\Users\Nige\AppData\Local\Microsoft\Windows\Burn
File C:\Users\Nige\AppData\Local\Microsoft\Windows\Burn
File C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.1434_none_d08b6002442c891f
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Users\Nige\Desktop
File C:\Users\Nige\Desktop
File C:\Users\Nige\AppData\Roaming\Microsoft\Windows\Network Shortcuts
File \Device\Nsi
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Users\Nige\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
File C:\Users\Nige\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
File C:\Windows\System32\en-US\imageres.dll.mui
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_30_for_KB936330~31bf3856ad364e35~x86~~6.0.1.18000.cat
File C:\Users\Nige\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.6001.18000_en-us_72e6f33f34dfabb9\comctl32.dll.mui
File C:\Users\Nige\AppData\Local\Microsoft\Portable Devices
File C:\Users\Nige\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
File \Device\WMIDataDevice
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File \Device\00000042
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Users\Nige\AppData\Local\Microsoft\Windows\GameExplorer
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Users\Nige\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Users\Nige\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Users\Nige\Desktop\ProcessExplorer
File C:\Windows\System32\en-US\prnntfy.dll.mui
File C:\Users\Nige\Links
File C:\Users\Nige\Desktop\ProcessExplorer
File C:\Users\Nige\Links
File C:\Windows\System32\en-US\imageres.dll.mui
File C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
File C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.1434_none_d08b6002442c891f
File \Device\NamedPipe\lsass
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File \Device\NamedPipe\srvsvc
File C:\Users\Nige\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
File C:\Users\Nige\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
File C:\Users\Nige\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
File C:\Users\Nige\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
File \Device\KsecDD
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.6001.18000_en-us_72e6f33f34dfabb9
File C:\Users\Nige\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
File C:\Users\Nige\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db
File C:\Users\Nige\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db
File C:\Windows\System32\en-US\imageres.dll.mui
File \Device\KsecDD
File \Device\KsecDD
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Users\Nige\AppData\Roaming\Microsoft\SystemCertificates\My
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Users\Nige\Desktop\VIDEO_RM\VIDEO_RM.DAT
File C:\Users\Nige\Desktop\VIDEO_RM\VIDEO_RM.DAT
File \Device\KsecDD
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Windows\System32\en-US\user32.dll.mui
File C:\Users\Nige\AppData\Roaming\Microsoft\Windows\Network Shortcuts
File C:\Users\Nige\Desktop\VIDEO_RM\VIDEO_RM.DAT
File C:\Users\Nige\AppData\Roaming\Microsoft\Windows\Start Menu
File C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
File C:\Users\Nige\AppData\Roaming\Microsoft\Windows\Start Menu
File C:\Users\Public\Desktop
File C:\ProgramData\Microsoft\Windows\Start Menu
File C:\Users\Public\Desktop
File C:\ProgramData\Microsoft\Windows\Start Menu
File C:\Users\Nige\AppData\Local\Microsoft\Windows\GameExplorer
Key HKLM
Key HKLM\SYSTEM\ControlSet001\Control\Session Manager
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
Key HKCU\Software\Classes
Key HKCU
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Key HKCU\Software\Classes
Key HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Key HKCR\SystemFileAssociations\.exe
Key HKCU\Software\Microsoft\SystemCertificates\SmartCardRoot
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups
Key HKCU\Software\HP Guide\Menu
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Key HKCU\Software\Microsoft\Windows\Shell
Key HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\152\Shell
Key HKCU\Software\Policies
Key HKLM\SOFTWARE\Policies
Key HKCU\Software
Key HKLM\SOFTWARE
Key HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\152\Shell
Key HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Modules\CommonPlaces
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
Key HKCU\Software
Key HKCU\Software\Microsoft\SystemCertificates\Root
Key HKCU\Software\Microsoft\Windows NT\CurrentVersion
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{fc3e07cd-061e-11dd-80aa-806e6f6e6963}
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
Key HKCU\Software\Policies
Key HKLM\SOFTWARE\Policies
Key HKLM\SOFTWARE
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key HKCU\Software\Microsoft\SystemCertificates\My
Key HKCR
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Key HKCR\.exe
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Modules\CommonPlaces
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Key HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\152\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}
Key HKLM\SYSTEM\ControlSet001\Services\crypt32
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\trust
Key HKLM\SOFTWARE
Key HKCR\*
Key HKCU\Software
Key HKU
Key HKCU\Software\Policies
Key HKLM\SOFTWARE\Policies
Key HKCU\Software\Microsoft\Internet Explorer\TypedURLs
Key HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\152\Shell
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Key HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{fc3e07ce-061e-11dd-80aa-806e6f6e6963}
Key HKCU\Software\Policies
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
Key HKCU\Software\Microsoft\SystemCertificates\TrustedPeople
Key HKCU\Software\Microsoft\SystemCertificates\Disallowed
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
Key HKCU
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f33f0e6b-8b21-11dd-a065-001e6808278a}
Key HKLM\SOFTWARE\Policies
Key HKCU\Software
Key HKLM\SOFTWARE
Key HKCR\AllFilesystemObjects
Key HKCU\Software\Microsoft\SystemCertificates\CA
Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Key HKCU
Key HKCU
Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople
Key HKCU\Software\Microsoft\SystemCertificates\trust
Key HKCU
Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust
Key HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates
Key HKCU\Software\Policies\Microsoft\SystemCertificates
Key HKCR\exefile
Key HKCU\Software\Microsoft\Internet Explorer\TypedURLs
Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
Key HKLM\SOFTWARE\Microsoft\Security Center
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Mutant \Sessions\1\BaseNamedObjects\MSCTF.Asm.MutexDefaultS-1-5-21-713493626-2567976147-258446499-1000
Mutant \Sessions\1\BaseNamedObjects\c:!users!nige!appdata!roaming!microsoft!windows!cookies!
Mutant \Sessions\1\BaseNamedObjects\ZonesCounterMutex
Mutant \Sessions\1\BaseNamedObjects\ZoneAttributeCacheCounterMutex
Mutant \Sessions\1\BaseNamedObjects\ZoneAttributeCacheCounterMutex
Mutant \Sessions\1\BaseNamedObjects\ZonesCacheCounterMutex
Mutant \Sessions\1\BaseNamedObjects\ZonesLockedCacheCounterMutex
Mutant \Sessions\1\BaseNamedObjects\WininetConnectionMutex
Mutant \Sessions\1\BaseNamedObjects\ALTTAB_RUNNING_MUTEX
Mutant \Sessions\1\BaseNamedObjects\_!MSFTHISTORY!_
Mutant \Sessions\1\BaseNamedObjects\c:!users!nige!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Mutant \Sessions\1\BaseNamedObjects\WininetStartupMutex
Mutant \BaseNamedObjects\C::Users:Nige:AppData:Local:Microsoft:Windows:Explorer:thumbcache_32.db!dfMaintainer
Mutant \Sessions\1\BaseNamedObjects\DBWinMutex
Mutant \Sessions\1\BaseNamedObjects\_SHuassist.mtx
Mutant \Sessions\1\BaseNamedObjects\c:!users!nige!appdata!local!microsoft!windows!history!history.ie5!
Mutant \BaseNamedObjects\C::Users:Nige:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterMutex
Mutant \BaseNamedObjects\C::Users:Nige:AppData:Local:Microsoft:Windows:Explorer:thumbcache_96.db!dfMaintainer
Mutant \BaseNamedObjects\C::Users:Nige:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer
Mutant \BaseNamedObjects\C::Users:Nige:AppData:Local:Microsoft:Windows:Explorer:thumbcache_sr.db!dfMaintainer
Mutant \BaseNamedObjects\C::Users:Nige:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!ThumbnailCacheInit
Mutant \BaseNamedObjects\C::Users:Nige:AppData:Local:Microsoft:Windows:Explorer:thumbcache_256.db!dfMaintainer
Mutant \Sessions\1\BaseNamedObjects\WininetProxyRegistryMutex
Mutant \Sessions\1\BaseNamedObjects\eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0
Mutant \Sessions\1\BaseNamedObjects\AMResourceMutex3
Mutant \Sessions\1\BaseNamedObjects\MBAARDYNLQEHENFDXTKKSDAHTLSVERVV
Mutant \Sessions\1\BaseNamedObjects\eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-713493626-2567976147-258446499-1000
Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
Section \BaseNamedObjects\__ComCatalogCache__
Section \BaseNamedObjects\__ComCatalogCache__
Section \BaseNamedObjects\windows_shell_global_counters
Section \Sessions\1\BaseNamedObjects\UrlZonesSM_Nige
Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
Section \Sessions\1\BaseNamedObjects\C:_Users_Nige_AppData_Local_Microsoft_Windows_Temporary Internet Files_Content.IE5_index.dat_32768
Section \Sessions\1\BaseNamedObjects\AMResourceMapping3-0000-0x000578
Section \BaseNamedObjects\mmGlobalPnpInfo
Section \Sessions\1\BaseNamedObjects\C:_Users_Nige_AppData_Roaming_Microsoft_Windows_Cookies_index.dat_32768
Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters
Section \Sessions\1\BaseNamedObjects\VIDEOMEMORY
Section \Sessions\1\BaseNamedObjects\C:_Users_Nige_AppData_Local_Microsoft_Windows_History_History.IE5_index.dat_16384
Thread explorer.exe(3996): 3440
Thread explorer.exe(3996): 5756
Thread explorer.exe(3996): 1868
Thread explorer.exe(3996): 5100
Thread explorer.exe(3996): 2800
Thread explorer.exe(3996): 2128
Thread explorer.exe(3996): 2128
Thread explorer.exe(3996): 3676
Thread explorer.exe(3996): 3516
Thread explorer.exe(3996): 4364
Thread explorer.exe(3996): 2816
Thread explorer.exe(3996): 3672
Thread explorer.exe(3996): 3724
Thread explorer.exe(3996): 3900
Thread explorer.exe(3996): 3628
Thread explorer.exe(3996): 2308
Thread explorer.exe(3996): 3900
Thread explorer.exe(3996): 3724
Thread explorer.exe(3996): 3756
Thread explorer.exe(3996): 3296
Thread explorer.exe(3996): 3952
Thread explorer.exe(3996): 3952
Thread explorer.exe(3996): 3952
Thread explorer.exe(3996): 3952
Thread explorer.exe(3996): 3140
Thread explorer.exe(3996): 3140
Thread explorer.exe(3996): 284
Thread explorer.exe(3996): 3676
Thread explorer.exe(3996): 3900
Thread explorer.exe(3996): 3944
Thread explorer.exe(3996): 3944
Thread explorer.exe(3996): 5556
Thread explorer.exe(3996): 1856
Thread explorer.exe(3996): 4100
Thread explorer.exe(3996): 2308
Thread explorer.exe(3996): 4108
Thread explorer.exe(3996): 4108
Thread explorer.exe(3996): 4120
Thread explorer.exe(3996): 4312
Thread explorer.exe(3996): 3952
Thread explorer.exe(3996): 4148
WindowStation \Sessions\1\Windows\WindowStations\WinSta0
WindowStation \Sessions\1\Windows\WindowStations\WinSta0

#10 Hoov


Posted 21 April 2009 - 02:00 PM

Try this. With Process Explorer open, double click on the entry for explorer.exe and then in the popup window click the Threads tab. Now see what is using the CPU cycles there. Tell me the average cycles used, and what the start address is.
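The same triage Hoov walks through in Process Explorer (busiest threads of explorer.exe with their start addresses, and the loaded DLLs with image signatures verified) can be scripted. The script below is an added example, not code from this thread or from Sysinternals; it assumes Windows PowerShell 3 or later on an elevated prompt, and the process name is a parameter you can change. Without symbols it resolves a start address only to module+offset, not to module!function+offset as Process Explorer does.

```powershell
# Added example (not from the thread or Sysinternals): list the threads of a
# process by CPU time and its loaded modules with Authenticode status.
# Assumptions: Windows PowerShell 3+, elevated; $ProcessName is a placeholder.
param(
    [string]$ProcessName = 'explorer',
    [int]$TopThreads = 5
)

function Resolve-ModuleForAddress {
    # Map a raw address to the loaded module whose range contains it.
    # Process Explorer shows module!function+offset; without symbols we get
    # module+offset, which is still enough to spot a foreign DLL.
    param([System.Diagnostics.Process]$Process, [IntPtr]$Address)
    $addr = $Address.ToInt64()
    foreach ($m in $Process.Modules) {
        $base = $m.BaseAddress.ToInt64()
        if ($addr -ge $base -and $addr -lt ($base + $m.ModuleMemorySize)) {
            return ('{0}+0x{1:x}' -f $m.ModuleName, ($addr - $base))
        }
    }
    return ('0x{0:x} (not in a loaded module)' -f $addr)
}

function Get-HotThreads {
    # Equivalent of the Threads tab: threads sorted by total processor time.
    param([System.Diagnostics.Process]$Process, [int]$Top)
    $Process.Threads |
        Sort-Object -Property TotalProcessorTime -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            [pscustomobject]@{
                TID          = $_.Id
                CpuSeconds   = [math]::Round($_.TotalProcessorTime.TotalSeconds, 2)
                State        = $_.ThreadState
                StartAddress = Resolve-ModuleForAddress -Process $Process -Address $_.StartAddress
            }
        }
}

function Get-ModuleReport {
    # Equivalent of the lower pane (show DLLs) with Verify Image Signatures on.
    param([System.Diagnostics.Process]$Process)
    foreach ($m in $Process.Modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        [pscustomobject]@{
            Module    = $m.ModuleName
            Path      = $m.FileName
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Company   = $m.FileVersionInfo.CompanyName
        }
    }
}

$proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1

"== Busiest threads in $($proc.ProcessName) (PID $($proc.Id)) =="
Get-HotThreads -Process $proc -Top $TopThreads | Format-Table -AutoSize

"== Modules without a valid Authenticode signature =="
# Catalog-signed OS files can report NotSigned on older Windows versions; the
# rows worth a second look are unsigned DLLs loaded from outside %SystemRoot%.
Get-ModuleReport -Process $proc |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Path |
    Format-Table Module, Signature, Company, Path -AutoSize
```

Run it while the CPU spike is happening; a hot thread whose start address resolves to a DLL in a user-writable directory is the lead to follow up, the same way Hoov asks for the start address of the top thread.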

#11 lightsabre


Posted 21 April 2009 - 02:37 PM

OK Thanks

Top entry

TID 5608 CPU 49 Cycles: 2,784,541 ntdll.dll!RtlDecodePointer+0x9b

Does that help?

#12 Hoov


Posted 21 April 2009 - 03:12 PM

* Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

#13 lightsabre


Posted 21 April 2009 - 04:16 PM

Having some problems installing the combofix.

I have Kaspersky and Ad-Aware live adblock turned off.

Combofix is downloaded to my desktop, but when I click to install it, a message says that some components are missing, to reboot my computer and try again. However, when I close the message, the pc locks up, and I cannot either shutdown, of open any programmes. The only fix is to force it to shut down.

I'll try it again, and leave it longer this time, to see whether that helps.

I have to sign off for the evening now, but I will try again in the morning, and tomorrow evening.


Really appreciate the help, by the way!

#14 lightsabre

  • Topic Starter
  • Members
  • 57 posts

Posted 21 April 2009 - 05:29 PM

OK, managed to run ComboFix (I obviously hadn't given it long enough!)

Here are the results:



ComboFix 09-04-22.02 - Nige 21/04/2009 22:57.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1982.1223 [GMT 1:00]
Running from: c:\users\Nige\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\KBL.LOG

.
((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-20 20:24 . 2009-04-20 20:24 -------- d-----w c:\users\Nige\AppData\Roaming\Malwarebytes
2009-04-20 20:24 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-20 20:24 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 20:24 . 2009-04-20 20:24 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-20 20:24 . 2009-04-20 20:24 -------- d-----w c:\programdata\Malwarebytes
2009-04-17 14:20 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll
2009-03-25 06:57 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-24 23:00 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-03-24 22:59 . 2009-03-24 22:59 -------- dc-h--w c:\users\All Users\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 22:59 . 2009-03-24 22:59 -------- dc-h--w c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 19:35 . 2007-06-29 14:47 34304 ----a-w c:\windows\system32\drivers\AmdLLD.sys
2009-03-24 19:31 . 2009-03-24 19:31 -------- d-----w c:\users\Nige2\AppData\Local\Downloaded Installations
2009-03-24 19:23 . 2009-03-24 19:23 -------- d-----w c:\users\Nige2\AppData\Roaming\NIKON
2009-03-24 19:23 . 2009-03-24 19:23 -------- d-----w c:\users\Nige2\AppData\Local\Nikon
2009-03-24 19:12 . 2009-03-24 19:12 -------- d-----w c:\users\Nige2\AppData\Local\Mozilla
2009-03-24 19:09 . 2009-03-24 19:09 -------- d-----w c:\users\Nige2\AppData\Roaming\Hewlett-Packard
2009-03-24 19:09 . 2009-03-24 19:09 -------- d-----w c:\users\Nige2\AppData\Local\Hewlett-Packard
2009-03-24 19:08 . 2009-03-24 19:08 92352 ----a-w c:\users\Nige2\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-24 19:08 . 2009-03-24 19:08 -------- d-----w c:\users\Nige2\AppData\Local\Apple Computer
2009-03-24 19:08 . 2009-03-24 21:47 -------- d-----w c:\users\Nige2\AppData\Local\QuickPlay
2009-03-24 19:08 . 2009-03-24 19:08 -------- d-----r c:\users\Nige2\Searches
2009-03-23 07:59 . 2009-03-23 07:59 -------- d-----w c:\users\All Users\WindowsSearch
2009-03-23 07:59 . 2009-03-23 07:59 -------- d-----w c:\programdata\WindowsSearch

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 22:14 . 2008-11-30 13:17 -------- d-----w c:\programdata\Kontiki
2009-04-21 21:10 . 2008-04-15 20:32 -------- d-----w c:\programdata\Kaspersky Lab
2009-04-21 21:06 . 2009-03-20 15:20 12988 ----a-w C:\aaw7boot.log
2009-04-21 18:41 . 2008-12-25 10:33 20 ---h--w c:\users\All Users\PKP_DLbw.DAT
2009-04-21 18:41 . 2008-12-25 10:33 20 ---h--w c:\programdata\PKP_DLbw.DAT
2009-04-21 18:41 . 2008-12-25 10:25 20 ---h--w c:\users\All Users\PKP_DLbx.DAT
2009-04-21 18:41 . 2008-12-25 10:25 20 ---h--w c:\programdata\PKP_DLbx.DAT
2009-04-21 18:41 . 2008-04-13 12:31 20 ---h--w c:\users\All Users\PKP_DLbz.DAT
2009-04-21 18:41 . 2008-04-13 12:31 20 ---h--w c:\programdata\PKP_DLbz.DAT
2009-04-21 06:35 . 2008-07-17 18:41 942112 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-21 06:35 . 2008-07-17 18:41 5734432 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-21 06:35 . 2008-07-17 18:41 5348 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-21 06:35 . 2008-07-17 18:41 49024 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-21 06:01 . 2009-02-16 20:13 83348 ----a-w c:\users\All Users\nvModes.dat
2009-04-21 06:01 . 2009-02-16 20:13 83348 ----a-w c:\programdata\nvModes.dat
2009-04-20 20:24 . 2009-04-20 20:24 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 18:41 . 2008-04-20 12:07 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-04-20 18:37 . 2009-04-20 18:37 -------- d-----w c:\program files\CCleaner
2009-04-20 05:29 . 2007-10-24 17:27 -------- d-----w c:\program files\Java
2009-04-19 20:55 . 2008-04-20 16:36 20 ---h--w c:\users\All Users\PKP_DLdw.DAT
2009-04-19 20:55 . 2008-04-20 16:36 20 ---h--w c:\programdata\PKP_DLdw.DAT
2009-04-03 14:00 . 2009-03-23 07:35 -------- d-----w c:\program files\Norton Security Scan
2009-03-24 22:59 . 2009-03-24 22:59 -------- d-----w c:\program files\Lavasoft
2009-03-24 22:59 . 2008-05-28 20:30 -------- d-----w c:\programdata\Lavasoft
2009-03-24 19:35 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-03-24 19:35 . 2006-11-02 10:25 143360 ----a-w c:\windows\Inf\infstrng.dat
2009-03-24 19:35 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-03-24 19:35 . 2009-03-24 19:35 -------- d-----w c:\program files\AMD
2009-03-24 19:09 . 2008-01-16 11:10 -------- d-----w c:\programdata\NVIDIA
2009-03-23 07:37 . 2007-10-24 15:28 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-22 13:43 . 2009-03-22 13:43 -------- d-----w c:\program files\CDex_150
2009-03-20 07:29 . 2009-03-20 07:29 -------- d-----w c:\program files\Trend Micro
2009-03-19 11:48 . 2009-03-13 18:11 680 ----a-w c:\users\Nige\AppData\Local\d3d9caps.dat
2009-03-18 21:29 . 2009-03-18 21:29 -------- d-----w c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-18 21:29 . 2009-03-18 21:29 -------- d-----w c:\program files\iPod
2009-03-18 21:29 . 2008-10-18 12:07 -------- d-----w c:\program files\Common Files\Apple
2009-03-18 21:28 . 2009-03-18 21:28 -------- d-----w c:\program files\Bonjour
2009-03-18 21:27 . 2009-03-18 21:27 -------- d-----w c:\program files\QuickTime
2009-03-17 03:38 . 2009-04-17 14:19 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-17 14:19 13824 ----a-w c:\windows\System32\apilogen.dll
2009-03-17 03:38 . 2009-04-17 14:19 24064 ----a-w c:\windows\System32\amxread.dll
2009-03-14 17:23 . 2009-03-14 17:23 -------- d-----w c:\program files\Lavasoft(0)
2009-03-13 19:21 . 2008-10-19 16:44 -------- d-----w c:\program files\Roni Music
2009-03-12 10:56 . 2008-04-20 12:07 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-09 04:19 . 2008-12-06 13:18 410984 ----a-w c:\windows\System32\deploytk.dll
2009-03-05 23:59 . 2009-03-05 23:59 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-05 23:59 . 2009-03-05 23:59 1900544 ----a-w c:\windows\System32\usbaaplrc.dll
2009-03-03 04:46 . 2009-04-17 14:19 3599328 ----a-w c:\windows\System32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 14:19 3547632 ----a-w c:\windows\System32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-17 14:18 827392 ----a-w c:\windows\System32\wininet.dll
2009-03-03 04:39 . 2009-04-17 14:19 183296 ----a-w c:\windows\System32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 14:19 551424 ----a-w c:\windows\System32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 14:19 26112 ----a-w c:\windows\System32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 14:18 78336 ----a-w c:\windows\System32\ieencode.dll
2009-03-03 04:37 . 2009-04-17 14:19 98304 ----a-w c:\windows\System32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 14:19 44032 ----a-w c:\windows\System32\iasdatastore.dll
2009-03-03 04:37 . 2009-04-17 14:19 54784 ----a-w c:\windows\System32\iasads.dll
2009-03-03 03:04 . 2009-04-17 14:19 666624 ----a-w c:\windows\System32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 14:19 17408 ----a-w c:\windows\System32\iashost.exe
2009-03-03 02:28 . 2009-04-17 14:18 26624 ----a-w c:\windows\System32\ieUnatt.exe
2009-03-02 09:27 . 2008-04-13 12:54 92352 ----a-w c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-02-27 17:33 . 2008-04-29 18:30 -------- d-----w c:\program files\Canon
2009-02-26 21:00 . 2009-02-26 21:00 -------- d-----w c:\program files\exPressit S.E. 2.1
2009-02-26 20:02 . 2008-04-08 18:52 92352 ----a-w c:\users\Nige\AppData\Local\GDIPFONTCACHEV1.DAT
2009-02-26 19:52 . 2009-02-26 19:51 -------- d-----w c:\program files\SureThing CD Labeler 5
2009-02-26 19:52 . 2009-02-26 19:52 -------- d-----w c:\program files\Common Files\SureThing Shared
2009-02-26 19:40 . 2009-02-26 19:40 -------- d-----w c:\program files\NCH Software
2009-02-13 08:49 . 2009-04-17 14:19 72704 ----a-w c:\windows\System32\secur32.dll
2009-02-13 08:49 . 2009-04-17 14:19 1255936 ----a-w c:\windows\System32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 06:59 2033152 ----a-w c:\windows\System32\win32k.sys
2008-11-21 20:04 . 2008-04-09 20:40 53948 ----a-w c:\users\Nige\AppData\Roaming\nvModes.dat
2008-09-27 15:48 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2008-07-14 15:24 . 2008-07-14 15:24 27335 ----a-w c:\users\Guest\AppData\Roaming\nvModes.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"DetectTray"="c:\program files\USB DVB-T TV Tuner\DetectTray.exe" [2007-09-21 131072]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-12-09 234856]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-04 206088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="F:\iTunesHelper.exe" [2009-03-12 342312]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"YouTubeDownloader_upgrade"="c:\program files\E-Zsoft\YouTubeDownloader\YouTubeDownloader.exe" [2008-11-03 361472]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\users\Nige\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd.dll c:\progra~1\KASPER~1\KASPER~1\adialhk.dll c:\progra~1\KASPER~1\KASPER~1\kloehk.dll c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5191A9EB-D83B-46A2-A81C-07F66711C7C8}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{715D1CA7-C01C-479C-9F71-DB42EE39C5C8}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5DFAF0BD-504C-495F-8BBE-5C79D95BF853}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{ED6BE426-1153-4FF8-A6EF-0A8457F137BD}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{62C835C1-8C41-437F-8D54-903E65308DC3}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"TCP Query User{BE4A4674-020B-4D07-94D8-4FE9C99D817F}c:\\programdata\\kaspersky lab setup files\\kaspersky internet security 7.0.1.325\\english\\setup.exe"= UDP:c:\programdata\kaspersky lab setup files\kaspersky internet security 7.0.1.325\english\setup.exe:Kaspersky Internet Security 7.0 Setup
"UDP Query User{42ACB035-C753-445A-89D1-46640D945233}c:\\programdata\\kaspersky lab setup files\\kaspersky internet security 7.0.1.325\\english\\setup.exe"= TCP:c:\programdata\kaspersky lab setup files\kaspersky internet security 7.0.1.325\english\setup.exe:Kaspersky Internet Security 7.0 Setup
"TCP Query User{AEAACF3B-2416-4E2A-8AA3-2024E13EC53A}c:\\programdata\\kaspersky lab setup files\\kaspersky internet security 2009\\english\\setup.exe"= UDP:c:\programdata\kaspersky lab setup files\kaspersky internet security 2009\english\setup.exe:Kaspersky Internet Security 2009 Setup
"UDP Query User{E234F6AC-D1E1-49C5-A45E-0F5A411BBC81}c:\\programdata\\kaspersky lab setup files\\kaspersky internet security 2009\\english\\setup.exe"= TCP:c:\programdata\kaspersky lab setup files\kaspersky internet security 2009\english\setup.exe:Kaspersky Internet Security 2009 Setup
"{A0E90D11-2816-4D7E-B538-FF581D7D173A}"= UDP:f:\itunes\iTunes.exe:iTunes
"{929C08EF-26C9-40F9-B5DD-1E4A1C05C2D6}"= TCP:f:\itunes\iTunes.exe:iTunes
"{1C792BB7-E874-4160-AD5B-015F00953DE1}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{3BEF1C16-4AAF-4720-A0A5-8047C2D5867C}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{D9B45952-3E5A-4986-B5DE-A9F5E960CBD5}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{A0B42A18-6A94-4D90-AFCF-C8484E7170E8}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{17DF0A2D-AC30-4B7D-9FB6-C1989F6AD30E}"= UDP:F:\iTunes.exe:iTunes
"{E1FF9D57-857C-414E-A492-C999D45CA6DA}"= TCP:F:\iTunes.exe:iTunes

R3 SureThing Labelflash service;SureThing Labelflash service;c:\program files\Common Files\SureThing Shared\stllssvr.exe [2009-01-29 74392]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-02-04 33808]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2008-07-09 20496]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-08-14 809296]
S3 EC168BDA;EC168BDA service;c:\windows\system32\DRIVERS\EC168BDA.sys [2007-10-05 107264]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-04-03 c:\windows\Tasks\Norton Security Scan for Nige.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 20:20]

2009-04-21 c:\windows\Tasks\User_Feed_Synchronization-{F08DB460-BA99-4D08-A7E4-8A4D343B2F82}.job
- c:\windows\system32\msfeedssync.exe [2008-09-24 07:33]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.timesonline.co.uk/tol/news/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Nige\AppData\Roaming\Mozilla\Firefox\Profiles\mthl3lc1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.timesonline.co.uk/tol/news/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: f:\mozilla plugins\npitunes.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 23:17
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-04-21 23:18
ComboFix-quarantined-files.txt 2009-04-21 22:18

Pre-Run: 75,381,805,056 bytes free
Post-Run: 74,820,067,328 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
243 --- E O F --- 2009-04-18 18:39

#15 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 21 April 2009 - 06:13 PM

Can you go to c:/qoobox and open ComboFix1.txt and post it?