I think I have malware, Submitting a log


  • This topic is locked
3 replies to this topic

#1 dtway
Posted 09 September 2009 - 08:33 PM

Type Status Entry Describe
Process System No Record
Process smss.exe Session Manager Subsystem
Process csrss.exe Client/Server Runtime Server Subsystem
Process wininit.exe No Record
Process csrss.exe Client/Server Runtime Server Subsystem
Process services.exe Windows Service Controller
Process lsass.exe Local Security Service
Process lsm.exe No Record
Process winlogon.exe Windows Logon Process
Process svchost.exe Service Host Process
Process svchost.exe Service Host Process
Process svchost.exe Service Host Process
Process svchost.exe Service Host Process
Process svchost.exe Service Host Process
Process audiodg.exe No Record
Process svchost.exe Service Host Process
Process SLsvc.exe No Record
Process svchost.exe Service Host Process
Process svchost.exe Service Host Process
Process AAWService.exe No Record
Process svchost.exe Service Host Process
Process svchost.exe Service Host Process
Process avgwdsvc.exe No Record
Process is360srv.exe No Record
Process lxctcoms.exe No Record
Process lxdmcoms.exe No Record
Process svchost.exe Service Host Process
Process avgrsx.exe No Record
Process RalinkRegistryWriter.exe No Record
Process RichVideo.exe No Record
Process TCPSVCS.EXE TCP/IP Services
Process snmp.exe Microsoft SNMP Agent
Process WLIDSVC.EXE No Record
Process ePowerSvc.exe No Record
Process XAudio.exe No Record
Process avgemc.exe Anti-Virus 7.0 Email Cleaner. Scans incoming and outgoing email for viruses.
Process eRecoveryService.exe No Record
Process WmiPrvSE.exe No Record
Process capuserv.exe No Record
Process avgcsrvx.exe No Record
Process unsecapp.exe No Record
Process taskeng.exe No Record
Process WLIDSVCM.EXE No Record
Process SearchIndexer.exe No Record
Process taskeng.exe No Record
Process dwm.exe No Record
Process explorer.exe Windows Explorer
Process AWC.exe Advanced WindowsCare
Process IObit SmartDefrag.exe No Record
Process avgtray.exe No Record
Process Sup_SmartRAM.exe No Record
Process rundll32.exe Windows RUNDLL32 Helper
Process RaUI.exe No Record
Process ehtray.exe No Record
Process ehmsas.exe No Record
Process RegMech.exe No Record
Process VSSVC.exe No Record
Process svchost.exe Service Host Process
Process wmpnscfg.exe No Record
Process pctsAuxs.exe No Record
Process pctsSvc.exe No Record
Process pctsTray.exe No Record
Process TFService.exe No Record
Process avgnsx.exe No Record
Services avgemc.exe Related to AVG anti-virus
Services avgwdsvc.exe No Record
Services lic98rmt.exe Computer Associates
Services ccSvcHst.exe Related to Symantec_Lic_NetConnect service. Note: Located in \%Program Files%\Common Files\Symantec Shared\
Services eDSService.exe Related to eDataSecurity from Acer. Note: Located in %ROOT%\Acer\Empowering Technology\eDataSecurity\
Services eLockServ.exe Related to eLock service from Acer Empowering Technology. Note: Located in C:\Acer\Empowering Technology\eLock\Service\
Services eNet Service.exe Related to Empowering_Technology from Acer. Note: Located in \%ROOT%\Acer\Empowering Technology\eNet\
Services eRecoveryService.exe Related to eRecoveryService Management from Acer Empowering Technology Note: Located in C:\Acer\Empowering Technology\eRecovery\
Services capuserv.exe Related to Empowering_Technology from Acer. Note: Located in \%ROOT%\Acer\Empowering Technology\eSettings\Service\
Services GoogleUpdaterService.exe Related to Google_Updater_Service Note: Located in C:\Program Files\Google\Common\Google Updater\
Services IS360srv.exe No Record
Services AAWService.exe Related to Ad-Aware_2007 anti-spyware solution. This program can find and remove spyware and malware from your computer. Note: Located in C:\Program Files\Lavasoft\
Services LEXBCES.EXE Lexmark Printer Service
Services LSSrvc.exe LightScribe related to Hewlett Packard
Services LogWatNT.exe Computer Associates
Services lxctcoms.exe Related to Lexmark_International and its printer services. Note: Located in C:\WINDOWS\SYSTEM32\
Services lxdmcoms.exe No Record
Services RalinkRegistryWriter.exe No Record
Services RichVideo.exe CyberLink RichVideo is an advanced technology designed to save precious video editing time.
Services pctsAuxs.exe No Record
Services pctsSvc.exe No Record
Services TFService.exe No Record
Services ePowerSvc.exe Related to Empowering_Technology from Acer. Note: Located in \%ROOT%\Acer\Empowering Technology\ePower\
Services wmpnetwk.exe Related to Windows_Media_Player Network Sharing Service. Note: Located in %ProgramFiles%\Windows Media Player\
Start UP m No Record
Start UP nvsvc.dll No Record
Start UP nvsvcStart No Record
Start UP S No Record
Start UP ehTray.exe Enables the user to access Windows Messenger from within Windows Media Center Edition
Start UP avgtray.exe No Record
Start UP IS360tray.exe No Record
Start UP pctsTray.exe No Record
BHO 02478D38-C3F9-4efb-9B51-7695ECA05670 Ycomp*_*_*_*.dll, Ycomp*,*,*,*.dll, yt.dll - Yahoo Companion, http://companion.yahoo.com/
BHO 3CA2F312-6F6E-4B53-A66E-4E65E497C8C0 LinkScannerIE.dll - LinkScanner, http://linkscanner.explabs.com/linkscanner/default.asp
BHO 5C255C8A-E604-49b4-9D64-90988571CECB No Record
BHO 761497BB-D6F0-462C-B6EB-D4DAF1D92D43 ssv.dll - Related to Sun_Java_software, http://java.com/en/download/index.jsp
BHO 83A2F9B1-01A2-4AA5-87D1-45B6B8505E96 ActiveToolBand.dll - If, in File Properties, file size is 292 kb and company "HiTRUST", HiTrust, http://www.hitrust.com.hk/2-2_solution.htm browser plugin - part of Acer eDataSecurity Management software
BHO 9030D464-4C02-4ABF-8ECC-5164760863C6 WindowsLiveLogin.dll - Microsoft Windows_Live, http://ideas.live.com/
Tool Bar 5CBE3B7C-1E47-477e-A7DD-396DB0476E29 eDStoolbar.dll - Acer eDataSecurity Management, //global.acer.com/products/et/eDataSecurity.htm
Button {08B0E5C0-4FCB-11CF-AAA5-00401C608501} No Database
Button {92780B25-18CC-41C8-B9BE-3C9C571A8263} No Database
ActiveX 6E32070A-766D-4EE6-879C-DC1FA91D2FC3 muweb_site.cab Microsoft Windows Update, more here
ActiveX 7530BFB8-7293-4D34-9923-61A11451AFC5 No Record
ActiveX DBA230D1-8467-4e69-987E-5FAE815A3B45 No Record
ActiveX E06E2E99-0AA1-11D4-ABA6-0060082AA75C http://www.webex.com/overview/web-conferencing-overview.html


Thanks for any help anyone can give me.

Duane


#2 dtway
Posted 10 September 2009 - 02:07 PM

My Dell Inspiron 1525 is running slow when booted normally. In safe mode it works OK. I suspect there is some malware. I've run AVG and IObit's scanners, which made some improvement, but I still suspect there are problems. The log is below:

Logfile of IObit HijackScan v1.0.0.0
Scan saved at 15:5:58, on 2009-9-10

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /H
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O8 - Extra context menu item: &Search -
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} -
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}Java Plug-in 1.6.0_15 - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}Java Plug-in 1.6.0_15 - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}Java Plug-in 1.6.0_15 - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown -
O23 - Service: Diagnostic Policy Service (DPS) - Unknown -
O23 - Service: Windows Media Center Service Launcher (ehstart) - Unknown - %windir%\system32\svchost.exe
O23 - Service: Group Policy Client (gpsvc) - Unknown -
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown - %systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
O23 - Service: Net.Tcp Port Sharing Service (NetTcpPortSharing) - Unknown - %systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
O23 - Service: Quality Windows Audio Video Experience (QWAVE) - Unknown - %windir%\system32\svchost.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Unknown - C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe
O23 - Service: RoxMediaDB9 (RoxMediaDB9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown -
O23 - Service: Security Accounts Manager (SamSs) - Unknown -
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Secondary Logon (seclogon) - Unknown - %windir%\system32\svchost.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr (stllssvr) - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: ThreatFire (ThreatFire) - Unknown - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe service
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown -
O23 - Service: Windows Modules Installer (TrustedInstaller) - Unknown -
O23 - Service: Diagnostic Service Host (WdiServiceHost) - Unknown -
O23 - Service: Diagnostic System Host (WdiSystemHost) - Unknown -
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown - C:\Windows\System32\WLTRYSVC.EXE %SystemRoot%\System32\bcmwltry.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown - %ProgramFiles%\Windows Media Player\wmpnetwk.exe
O23 - Service: XAudioService (XAudioService) - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\


Thanks in advance for your help.

Duane

Merged topics. ~ OB

Edited by Orange Blossom, 10 September 2009 - 03:18 PM.
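The O2/O3/O4/O23 lines in the log above use the HijackThis line format, and a helper reading such a log does the same thing every time: pull the image path out of each entry and decide which ones need a closer look. The script below is an added example for this thread, not part of Duane's post and not IObit's or HijackThis's own code. It parses those four line types, extracts the executable (dropping quotes and arguments), and lists entries whose image sits in a user-writable directory, outside Windows and Program Files, or belongs to a service for which the scanner recorded no vendor. Six of the sample lines are copied from the log above; the last two (the Run value "winupdate", the service "hlpsvc" and the account name "user") are constructed to exercise the heuristics and say nothing about this machine. Note that "Unknown" in an O23 line only means the scanner did not resolve a vendor, so a flag is a prompt to check the file's Authenticode signature, not a verdict.

```python
"""Triage helper for HijackThis-style scan logs (O2/O3/O4/O23 lines).

Added example for this thread; not part of the post or of IObit's HijackScan.
"""
import re
from dataclasses import dataclass, field

# Sample input. The first six lines are copied from the log posted above; the
# last two are CONSTRUCTED to exercise the heuristics and describe no real host.
SAMPLE_LOG = r"""
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /H
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown -
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Unknown - C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe
O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [winupdate] C:\Users\user\AppData\Local\Temp\winupdate.exe
O23 - Service: Helper Service (hlpsvc) - Unknown - C:\Users\Public\hlpsvc.exe
"""

# Where an autorun or service image normally lives on an XP/Vista box.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\",
                    "%windir%\\", "%systemroot%\\", "%programfiles%\\")
WINDOWS_DIR_PREFIXES = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")
# Directories a non-admin user can write to: common drop sites for malware.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "\\recycler\\", "\\documents and settings\\")

RE_BHO = re.compile(r"^O(?P<kind>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
                    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
# Accepts both the IObit form "HKLM|\Software\...\Run\: [name] cmd" and the
# HijackThis form "HKLM\..\Run: [name] cmd".
RE_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)[^:]*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_SVC = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<name>[^()]*)\) - "
                    r"(?P<vendor>.*?) - ?(?P<path>.*)$")
# First executable-looking token of a command line, quoted or not.
RE_IMAGE = re.compile(r'^"?(?P<img>[^"]*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))"?(?:\s|$)',
                      re.IGNORECASE)


@dataclass
class Entry:
    kind: str      # O2, O3, O4 or O23
    name: str      # BHO/toolbar name, Run value name, or service short name
    path: str      # image path as recorded ('' when the scanner left it blank)
    vendor: str    # O23 only; 'Unknown' means the scanner resolved no vendor
    raw: str
    flags: list = field(default_factory=list)


def image_path(cmd: str) -> str:
    """Return the executable from a command line, without quotes or arguments."""
    m = RE_IMAGE.match(cmd.strip())
    if m:
        return m.group("img")
    # The scanner sometimes records only a directory (see the IS360service line);
    # an unquoted path with spaces cannot be split safely, so keep it whole.
    return cmd.strip().strip('"')


def parse_log(text: str) -> list:
    """Parse the supported line types; unsupported lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_BHO.match(line):
            entries.append(Entry("O" + m["kind"], m["name"], m["path"].strip(), "", line))
        elif m := RE_RUN.match(line):
            entries.append(Entry("O4", m["name"], image_path(m["cmd"]), "", line))
        elif m := RE_SVC.match(line):
            entries.append(Entry("O23", m["name"], image_path(m["path"]),
                                 m["vendor"].strip(), line))
    return entries


def assess(entry: Entry) -> list:
    """Return human-readable reasons this entry deserves manual verification."""
    reasons = []
    p = entry.path.lower().replace("/", "\\")
    if not p:
        return reasons  # e.g. svchost-hosted Microsoft services: no image recorded
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        reasons.append("image in a user-writable directory")
    elif not p.startswith(TRUSTED_PREFIXES):
        reasons.append("image outside Windows and Program Files")
    if (entry.kind == "O23" and entry.vendor.lower() == "unknown"
            and not p.startswith(WINDOWS_DIR_PREFIXES)):
        reasons.append("no vendor recorded for a service outside the Windows "
                       "directory; check its Authenticode signature")
    if entry.kind in ("O2", "O3") and not p.endswith(".dll"):
        reasons.append("BHO/toolbar image is not a DLL")
    return reasons


def triage(text: str) -> dict:
    """Map entry name -> reasons, for every entry that needs a second look."""
    findings = {}
    for entry in parse_log(text):
        entry.flags = assess(entry)
        if entry.flags:
            findings[entry.name] = entry.flags
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, the two constructed entries are reported, the Ralink service is reported only because no vendor was recorded, and the AVG, Registry Mechanic, IObit and DcomLaunch entries pass. The path prefixes are deliberately limited to the defaults of an English 32-bit install; a localized or 64-bit box (Program Files (x86), a non-C: system drive) needs the tuples extended before the "outside Windows and Program Files" reason means anything.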


#3 sempai
  • Malware Response Team
Posted 24 September 2009 - 08:24 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I haven't replied within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#4 teacup61
  • Malware Response Team
Posted 30 September 2009 - 12:40 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



