
SVCHOST.EXE 99% cpu usage, 36mb ram


1 reply to this topic

#1 keelay

  • Members
  • 1 posts

Posted 13 July 2009 - 03:48 PM

Can't tell if I am infected with anything. I've scanned my computer with Ad-Aware, Spybot, Malwarebytes Anti-Malware, and ComboFix. Still have 8 svchost.exe's running, 1 using 99% CPU usage and 36 MB RAM. I have the ComboFix log and DDS log, and will post both below. The computer runs fairly quickly, although it has hang-ups every 10 minutes or so.

Logs below:

DDS


DDS (Ver_09-06-26.01) - NTFSx86
Run by Compaq_Administrator at 16:44:27.75 on 07/13/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.203 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\Compaq_Administrator.TORREY\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [cdloader] "c:\documents and settings\compaq_administrator.torrey\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RTHDCPL] RTHDCPL.EXE
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} - hxxps://video.manheim.com/lib/LiveSound.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]

=============== Created Last 30 ================

2009-07-13 15:52 <DIR> --d----- c:\docume~1\compaq~1.tor\applic~1\Malwarebytes
2009-07-13 15:52 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 15:52 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-13 15:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 15:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-13 15:42 <DIR> --ds---- C:\ComboFix
2009-07-13 15:28 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-13 15:13 219,648 a------- c:\windows\PEV.exe
2009-07-13 15:13 161,792 a------- c:\windows\SWREG.exe
2009-07-13 15:13 98,816 a------- c:\windows\sed.exe
2009-07-13 14:34 <DIR> --dsh--- c:\documents and settings\compaq_administrator.torrey\IECompatCache
2009-07-13 14:33 <DIR> --dsh--- c:\documents and settings\compaq_administrator.torrey\PrivacIE
2009-07-13 13:35 <DIR> --dsh--- c:\documents and settings\compaq_administrator.torrey\IETldCache
2009-07-13 12:59 <DIR> -cd-h--- c:\windows\ie8
2009-07-13 12:43 94 a------- c:\windows\family.ini
2009-07-10 13:04 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-10 11:50 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-10 11:49 <DIR> --d----- c:\program files\Lavasoft
2009-07-07 12:57 <DIR> --d----- c:\docume~1\compaq~1.tor\applic~1\HPQ
2009-06-30 13:04 <DIR> --d----- c:\docume~1\compaq~1.tor\applic~1\mjusbsp
2009-06-30 13:04 60,032 a------- c:\windows\system32\drivers\USBAUDIO.sys
2009-06-30 13:04 60,032 a------- c:\windows\system32\dllcache\usbaudio.sys
2009-06-29 11:41 31,504 a---h--- c:\windows\system32\mlfcache.dat
2009-06-24 12:13 <DIR> --d----- c:\program files\Bonjour
2009-06-16 10:30 129,520 -------- c:\windows\system32\pxafs.dll

==================== Find3M ====================

2009-06-15 16:50 530 a------- c:\docume~1\compaq~1.tor\applic~1\wklnhst.dat
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-09 01:14 1,418,120 a------- c:\windows\system32\wdfcoinstaller01005.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:55 133,120 -------- c:\windows\system32\dllcache\extmgr.dll
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-21 15:17 22,328 a------- c:\docume~1\compaq~1.tor\applic~1\PnkBstrK.sys
2009-04-17 16:13 92,947 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-17 16:12 208,896 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
2009-04-17 16:12 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-04-17 16:12 341,048 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection3.dll
2009-04-17 16:12 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2009-04-17 16:12 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2009-04-17 16:12 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-04-17 16:12 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2009-04-17 16:12 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2009-04-17 16:12 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-04-15 10:34 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 16:45:04.59 ===============


ComboFix


ComboFix 09-07-13.01 - Compaq_Administrator 07/13/2009 15:42.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.532 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Administrator.TORREY\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.

2009-07-13 18:47 . 2009-07-13 18:47 -------- d-----w- c:\documents and settings\Compaq_Administrator.TORREY\Local Settings\Application Data\Mozilla
2009-07-13 18:34 . 2009-07-13 18:34 -------- d-sh--w- c:\documents and settings\Compaq_Administrator.TORREY\IECompatCache
2009-07-13 18:33 . 2009-07-13 18:33 -------- d-sh--w- c:\documents and settings\Compaq_Administrator.TORREY\PrivacIE
2009-07-13 17:59 . 2009-07-13 17:59 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-13 17:35 . 2009-07-13 17:35 -------- d-sh--w- c:\documents and settings\Compaq_Administrator.TORREY\IETldCache
2009-07-13 16:59 . 2009-07-13 17:01 -------- dc-h--w- c:\windows\ie8
2009-07-13 16:43 . 2009-07-13 16:43 -------- d-----w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\HotSync
2009-07-10 17:04 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-10 15:50 . 2009-07-10 15:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-10 15:50 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-10 15:49 . 2009-07-10 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-10 15:49 . 2009-07-10 15:49 -------- d-----w- c:\program files\Lavasoft
2009-07-07 16:57 . 2009-07-07 16:57 -------- d-----w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\HPQ
2009-07-02 18:49 . 2009-07-02 18:49 -------- d-----w- c:\documents and settings\Compaq_Administrator.TORREY\Local Settings\Application Data\tjnet
2009-06-30 17:35 . 2009-04-10 13:58 6327408 ---ha-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\mjusbsp\in00000\setup.exe
2009-06-30 17:35 . 2009-04-10 13:55 725296 ---ha-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\mjusbsp\ar00000\install.exe
2009-06-30 17:04 . 2009-04-10 13:58 6327408 ---ha-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\mjusbsp\Upgrade\setup1.exe
2009-06-30 17:04 . 2009-04-10 13:55 725296 ---ha-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\mjusbsp\Upgrade\install1.exe
2009-06-30 17:04 . 2009-06-30 17:35 -------- d-----w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\mjusbsp
2009-06-30 17:04 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-06-30 17:04 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-06-29 15:41 . 2009-06-29 15:41 31504 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-24 16:13 . 2009-06-24 16:13 -------- d-----w- c:\program files\Bonjour
2009-06-20 15:21 . 2006-10-12 16:29 83504 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\TEMP\ProgUpd.dll
2009-06-16 14:30 . 2008-08-20 17:58 129520 ------w- c:\windows\system32\pxafs.dll
2009-06-14 16:52 . 2009-05-19 05:36 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-06-14 16:52 . 2009-05-19 05:36 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-06-14 16:52 . 2009-05-19 05:36 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-06-14 16:52 . 2009-05-19 05:35 376568 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unagi3.exe
2009-06-14 16:51 . 2009-05-19 05:36 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-06-14 16:51 . 2009-05-19 05:35 383128 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\tbsetup.exe
2009-06-14 16:51 . 2009-05-19 05:35 11568 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\tbinst.dll
2009-06-14 16:50 . 2009-05-19 05:35 172840 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\setup.exe
2009-06-14 16:50 . 2009-05-19 05:36 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-06-14 16:50 . 2009-05-19 05:35 83752 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\ProgUpd.dll
2009-06-14 16:49 . 2009-05-19 05:35 36704 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\postproc.exe
2009-06-14 16:48 . 2009-05-19 05:35 4480040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\ocpinst.exe
2009-06-14 16:48 . 2009-05-19 05:35 15144 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\ocpchk.dll
2009-06-14 16:48 . 2009-05-19 05:35 1225352 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\msvc9rt.exe
2009-06-14 16:47 . 2009-05-19 05:35 231216 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\migrator.exe
2009-06-14 16:47 . 2009-05-19 05:35 74536 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\instSup.dll
2009-06-14 16:47 . 2009-05-19 05:35 10544 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\imappver.dll
2009-06-14 16:46 . 2009-05-19 05:35 1025328 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\gui.dll
2009-06-14 16:45 . 2009-05-19 05:36 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-06-14 16:44 . 2007-08-17 13:34 107872 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\aolsetup.exe
2009-06-14 16:44 . 2009-05-19 05:36 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-06-14 16:44 . 2009-05-19 05:35 95792 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLFirewallMgr.dll
2009-06-14 16:44 . 2009-05-19 05:35 120368 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\aoldlmgr.exe
2009-06-14 16:44 . 2009-05-19 05:35 69104 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\amos.exe
2009-06-14 16:44 . 2009-05-19 05:35 37888 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\amoinst.exe
2009-06-14 16:44 . 2009-05-19 05:36 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-06-14 16:44 . 2009-05-19 05:35 550024 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AIMLang.exe
2009-06-14 16:43 . 2009-05-19 05:35 2402104 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AIMinst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 16:47 . 2009-02-19 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-13 16:43 . 2009-04-13 20:13 -------- d-----w- c:\program files\Palm
2009-07-13 16:41 . 2007-12-10 16:48 -------- d-----w- c:\program files\Winamp
2009-07-08 16:57 . 2009-01-06 20:02 -------- d-----w- c:\program files\iTunes
2009-07-08 16:57 . 2009-01-06 20:02 -------- d-----w- c:\program files\iPod
2009-07-08 16:27 . 2009-01-06 20:00 -------- d-----w- c:\program files\Apple Software Update
2009-07-07 19:51 . 2009-05-08 14:31 -------- d-----w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\Apple Computer
2009-06-24 16:13 . 2009-01-06 20:01 -------- d-----w- c:\program files\QuickTime
2009-06-24 16:11 . 2008-05-14 13:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-05-18 17:49 . 2009-05-18 17:49 -------- d-----w- c:\program files\GetData
2009-05-09 05:14 . 2007-08-31 23:01 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2009-05-09 05:14 . 2007-08-31 22:58 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2009-05-07 15:32 . 2004-08-10 04:00 345600 ------w- c:\windows\system32\localspl.dll
2009-04-21 19:48 . 2009-04-21 19:47 334912 ----a-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2009-04-21 19:48 . 2009-04-21 19:47 171072 ----a-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2009-04-21 19:47 . 2009-04-21 19:47 874660 ----a-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\id Software\quakelive\home\pb\pbcls.dll
2009-04-21 19:47 . 2009-04-21 19:47 57344 ----a-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\id Software\quakelive\home\pb\pbags.dll
2009-04-21 19:47 . 2009-04-21 19:47 874660 ----a-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\id Software\quakelive\home\pb\pbcl.dll
2009-04-21 19:47 . 2009-04-21 19:47 57344 ----a-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\id Software\quakelive\home\pb\pbag.dll
2009-04-21 19:47 . 2009-04-21 19:47 479232 ----a-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\id Software\quakelive\home\pb\pbsv.dll
2009-04-21 19:47 . 2009-04-21 19:47 2669632 ----a-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2009-04-21 19:17 . 2009-04-21 19:17 22328 ----a-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\PnkBstrK.sys
2009-04-21 19:17 . 2009-04-21 19:17 22328 ----a-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\PnkBstrK.sys
2009-04-20 15:27 . 2006-08-07 23:31 39752 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 20:13 . 2005-08-31 04:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-17 20:12 . 2009-04-17 20:12 208896 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
2009-04-17 20:12 . 2009-04-17 20:12 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-04-17 20:12 . 2009-04-17 20:12 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-04-17 20:12 . 2009-04-17 20:12 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-04-17 20:12 . 2009-04-17 20:12 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-04-17 20:12 . 2009-04-17 20:12 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2009-04-17 20:12 . 2009-04-17 20:12 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-04-17 20:12 . 2009-04-17 20:12 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-04-17 20:12 . 2009-04-17 20:12 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2009-04-17 12:26 . 2004-08-10 04:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 04:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-15 14:34 . 2009-04-15 14:34 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-15 14:33 . 2009-04-15 14:33 152576 ----a-w- c:\documents and settings\Compaq_Administrator.TORREY\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2008-09-24 21:39 . 2008-01-03 14:42 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-09-24 21:39 . 2008-01-03 14:42 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-09-24 21:39 . 2008-01-03 14:42 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-09-24 21:39 . 2008-01-03 14:42 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-09-24 21:39 . 2008-01-03 14:42 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"cdloader"="c:\documents and settings\Compaq_Administrator.TORREY\Application Data\mjusbsp\cdloader2.exe" [2009-04-10 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-15 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Compaq_Administrator.TORREY\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [07/03/2009 10:49 AM 1029456]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 15:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3140)
c:\windows\system32\ieframe.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
.
Completion time: 2009-07-13 15:47
ComboFix-quarantined-files.txt 2009-07-13 19:47
ComboFix2.txt 2009-07-13 19:29

Pre-Run: 67,951,788,032 bytes free
Post-Run: 67,945,861,120 bytes free

187 --- E O F --- 2009-07-13 17:02


DDS log is also attached to the post (Attach.txt, 8.84KB).

Any help is appreciated. Also, as I am typing this, the computer is going EXTREMELY slow.

#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 24 July 2009 - 04:46 PM

Hello keelay

Welcome to BleepingComputer :thumbup2:
=====================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



