
three or more ieplore.exe running at the same time


  • This topic is locked
14 replies to this topic

#1 moosifer

moosifer

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:34 PM

Posted 15 October 2009 - 11:16 AM

My task manager says three iexplore.exe are running. I try to close them all, but it won't let me. The process runs when IE is not open. Sometimes after I close an IE window the audio will continue to play forever, it seems.

DDS (Ver_09-10-13.01) - NTFSx86
Run by User at 23:11:20.23 on Wed 10/14/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1604 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\lxbccoms.exe
C:\Program Files\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\GM SPO\eSI\Apache Group\Tomcat 4.1\bin\tomcat.exe
C:\Program Files\GM SPO\eSI\Transbase\tbmux32.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\GM SPO\eSI\Transbase\tbkern32.exe
C:\Program Files\GM SPO\eSI\Transbase\tbkern32.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\User\Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.0.0.136\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [<NO NAME>]
mRun: [OpenDNS Update] "c:\program files\OpenDNS U
mRun: [StartupDelayer] "c:\program files\r2 studios\startup delayer\Startup Launcher.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: iptorrents.com\www
DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} - hxxp://secure2.comned.com/signuptemplates/securelogin-devel.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\4gm1qucb.default\
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-10-14 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-10-14 27656]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1100000.088\SymDS.sys [2009-10-14 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1100000.088\SymEFA.sys [2009-10-14 169008]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20090921.001\BHDrvx86.sys [2009-9-21 507440]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1100000.088\ccHPx86.sys [2009-10-14 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20090911.001\IDSvix86.sys [2009-10-14 342576]
R1 NDISAH;NDISAH;c:\windows\system32\drivers\ndisah.sys [2008-12-26 19584]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1100000.088\Ironx86.sys [2009-10-14 114736]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1100000.088\symtdiv.sys [2009-10-14 338480]
R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-15 182576]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-10-14 4368952]
R2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe -service --> c:\windows\system32\lxbccoms.exe -service [?]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.0.0.136\ccSvcHst.exe [2009-10-14 126392]
R2 SITomcat;SI Tomcat;c:\program files\gm spo\esi\apache group\tomcat 4.1\bin\tomcat.exe [2003-10-27 65536]
R2 SITransbase;SI Transbase;c:\program files\gm spo\esi\transbase\tbmux32.exe [2001-11-20 165376]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-4-27 93960]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-8 24652]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-14 102448]

=============== Created Last 30 ================

2009-10-14 22:49 <DIR> --d----- c:\program files\Trend Micro
2009-10-14 22:01 27,656 a------- c:\windows\system32\drivers\pxsec.sys
2009-10-14 22:01 22,024 a------- c:\windows\system32\drivers\pxscan.sys
2009-10-14 22:01 <DIR> --d----- c:\program files\Prevx
2009-10-14 22:00 <DIR> --d----- c:\programdata\PrevxCSI
2009-10-14 22:00 <DIR> --d----- c:\progra~2\PrevxCSI
2009-10-14 22:00 65 a------- c:\windows\wininit.ini
2009-10-14 19:48 124,976 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-14 19:48 7,443 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-14 19:48 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-14 19:47 <DIR> --d----- c:\program files\Symantec
2009-10-14 19:47 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-10-14 19:47 <DIR> --d----- c:\program files\Norton AntiVirus
2009-10-07 22:14 <DIR> --d----- c:\program files\DVD Decrypter
2009-10-07 21:48 <DIR> --d----- c:\users\user\appdata\roaming\HandBrake
2009-10-07 21:42 <DIR> --d----- c:\program files\HandBrake
2009-10-05 14:55 <DIR> --d----- c:\users\user\Office Genuine Advantage
2009-10-05 11:32 <DIR> --d----- c:\programdata\Office Genuine Advantage
2009-10-03 15:23 2,421,760 a------- c:\windows\system32\wucltux.dll
2009-10-03 15:23 87,552 a------- c:\windows\system32\wudriver.dll
2009-10-03 15:23 171,608 a------- c:\windows\system32\wuwebv.dll
2009-10-03 15:23 33,792 a------- c:\windows\system32\wuapp.exe
2009-10-02 18:07 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-09-25 16:49 <DIR> --d----- c:\program files\iPod
2009-09-25 16:49 <DIR> --d----- c:\program files\iTunes
2009-09-25 10:15 <DIR> --d----- c:\programdata\Norton
2009-09-25 10:15 <DIR> --d----- c:\progra~2\Norton
2009-09-25 10:15 <DIR> --d----- c:\programdata\NortonInstaller
2009-09-25 10:15 <DIR> --d----- c:\program files\NortonInstaller
2009-09-25 10:15 <DIR> --d----- c:\progra~2\NortonInstaller
2009-09-25 09:44 <DIR> --d----- c:\windows\system32\Adobe
2009-09-18 11:04 <DIR> --d----- c:\windows\system32\eu-ES
2009-09-18 11:04 <DIR> --d----- c:\windows\system32\ca-ES
2009-09-18 11:04 <DIR> --d----- c:\windows\system32\vi-VN
2009-09-18 10:42 <DIR> --d----- c:\windows\system32\EventProviders
2009-09-16 19:30 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-16 19:29 185,856 a------- c:\windows\system32\SLLUA.exe

==================== Find3M ====================

2009-10-01 12:19 51,200 a------- c:\windows\inf\infpub.dat
2009-10-01 12:19 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-18 11:11 86,016 a------- c:\windows\inf\infstor.dat
2009-09-18 11:04 665,600 a------- c:\windows\inf\drvindex.dat
2009-09-14 23:04 169,456 a---h--- c:\windows\system32\mlfcache.dat
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-14 08:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 06:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 06:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 06:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 06:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 06:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 06:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 06:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 06:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-21 14:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 14:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 14:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 13:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 06:54 71,680 a------- c:\windows\system32\atl.dll
2009-03-21 07:28 34 a------- c:\users\user\jagex_runescape_preferences.dat
2009-01-16 13:44 48 a---h--- c:\programdata\ezsidmv.dat
2009-01-16 13:44 48 a---h--- c:\progra~2\ezsidmv.dat
2008-09-12 16:49 22,328 a------- c:\users\user\appdata\roaming\PnkBstrK.sys
2008-08-13 22:03 857,488 a------- c:\program files\lotrosetup.exe
2008-01-20 19:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 23:11:54.46 ===============

#2 moosifer

moosifer
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:34 PM

Posted 20 October 2009 - 03:53 PM

Can anyone help me with this problem?

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is that doing so would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not post multiple times here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 23 October 2009 - 08:52 PM.


#3 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • ONLINE
  • Gender:Male
  • Location:God's Country
  • Local time:07:34 PM

Posted 28 October 2009 - 07:11 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.


If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#4 moosifer

moosifer
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:34 PM

Posted 29 October 2009 - 11:33 AM

Thank you for the help.

DDS (Ver_09-10-26.01) - NTFSx86
Run by Dave at 9:27:02.88 on Thu 10/29/2009
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3070.2112 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUHQI75V\dds[1].scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.0.0.136\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\dave\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1100000.088\SymDS.sys [2009-10-27 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1100000.088\SymEFA.sys [2009-10-27 169008]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20091013.001\BHDrvx86.sys [2009-10-9 508976]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1100000.088\ccHPx86.sys [2009-10-27 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20091021.001\IDSvix86.sys [2009-10-27 342576]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1100000.088\Ironx86.sys [2009-10-27 114736]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1100000.088\symtdiv.sys [2009-10-27 338480]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.0.0.136\ccSvcHst.exe [2009-10-27 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-28 102448]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

=============== Created Last 30 ================

2009-10-28 22:19:02 0 d-----w- c:\programdata\Adobe
2009-10-28 22:17:10 0 d-----w- c:\programdata\NOS
2009-10-28 21:59:19 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-28 16:18:26 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-10-28 16:18:23 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-10-28 16:18:23 71168 ----a-w- c:\windows\system32\fontsub.dll
2009-10-28 16:18:23 507568 ----a-w- c:\windows\system32\winload.exe
2009-10-28 16:18:23 442920 ----a-w- c:\windows\system32\winresume.exe
2009-10-28 16:18:23 293888 ----a-w- c:\windows\system32\atmfd.dll
2009-10-28 16:18:23 2613248 ----a-w- c:\windows\explorer.exe
2009-10-28 16:18:23 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-10-28 16:18:23 108544 ----a-w- c:\windows\system32\t2embed.dll
2009-10-28 16:18:22 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-27 20:16:23 0 d-----w- c:\program files\CRS
2009-10-27 18:26:52 32656 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-27 18:24:52 0 d-----w- c:\windows\PCHEALTH
2009-10-27 18:23:05 0 d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-27 18:22:05 0 d-----w- c:\programdata\Microsoft Help
2009-10-27 18:13:13 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-27 18:13:13 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-27 18:13:13 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-27 18:13:13 0 d-----w- c:\program files\Symantec
2009-10-27 18:13:13 0 d-----w- c:\program files\common files\Symantec Shared
2009-10-27 18:12:46 0 d-----w- c:\windows\system32\drivers\NAV
2009-10-27 18:12:43 0 d-----w- c:\program files\Norton AntiVirus
2009-10-27 18:12:42 0 d-----w- c:\programdata\Norton
2009-10-27 18:11:47 0 d-----w- c:\programdata\NortonInstaller
2009-10-27 18:11:47 0 d-----w- c:\program files\NortonInstaller
2009-10-27 18:00:05 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-27 18:00:05 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-27 17:59:49 0 d-----w- c:\program files\iPod
2009-10-27 17:59:48 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-27 17:59:48 0 d-----w- c:\program files\iTunes
2009-10-27 17:59:19 0 d-----w- c:\program files\Bonjour
2009-10-27 17:59:03 0 d-----w- c:\programdata\Apple Computer
2009-10-27 17:57:51 0 d-----w- c:\programdata\Apple
2009-10-27 17:57:28 0 d-sh--w- c:\windows\Installer
2009-10-27 17:54:25 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-10-27 17:36:10 0 d--h--w- c:\programdata\CanonBJ
2009-10-27 17:35:51 223744 ----a-w- c:\windows\system32\CNMLM98.DLL
2009-10-27 17:11:53 0 d-----w- c:\windows\Panther
2009-10-27 17:05:26 0 d-----w- C:\Windows.old
2009-10-27 16:48:01 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-27 16:34:59 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2009-10-27 16:34:38 0 d-----w- c:\windows\system32\wbem\Performance
2009-10-27 16:33:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-10-27 16:31:50 0 d-sh--w- C:\Recovery
2009-10-27 16:15:36 0 ----a-w- c:\windows\ativpsrm.bin
2009-10-27 16:14:59 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf

==================== Find3M ====================

2009-08-29 02:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-18 09:37:02 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-08-18 09:36:36 348160 ----a-w- c:\windows\system32\atieclxx.exe
2009-08-18 09:36:08 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2009-08-18 09:35:02 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2009-08-18 09:34:46 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2009-08-18 09:34:32 274432 ----a-w- c:\windows\system32\Oemdspif.dll
2009-08-18 09:34:22 11776 ----a-w- c:\windows\system32\atimuixx.dll
2009-08-18 09:34:16 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-08-18 09:31:32 2469888 ----a-w- c:\windows\system32\atidxx32.dll
2009-08-18 09:20:38 3105280 ----a-w- c:\windows\system32\atiumdag.dll
2009-08-18 09:11:52 11650560 ----a-w- c:\windows\system32\atioglxx.dll
2009-08-18 09:05:32 2868736 ----a-w- c:\windows\system32\atiumdva.dll
2009-08-18 08:52:44 51712 ----a-w- c:\windows\system32\atimpc32.dll
2009-08-18 08:52:44 51712 ----a-w- c:\windows\system32\amdpcom32.dll
2009-08-18 08:52:08 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2009-08-18 08:49:44 53248 ----a-w- c:\windows\system32\aticalrt.dll
2009-08-18 08:49:32 53248 ----a-w- c:\windows\system32\aticalcl.dll
2009-08-18 08:48:28 3264512 ----a-w- c:\windows\system32\aticaldd.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 9:27:56.61 ===============


#5 m0le

m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:34 AM

Posted 29 October 2009 - 07:55 PM

It is not unusual to see more than one iexplore.exe process open: one opens for each tab you open, and the ones showing in the DDS log are all running from the correct folder below.

C:\Program Files\Internet Explorer\iexplore.exe

IE8 tabs don't always close straight after the process is stopped. See this article

Are there any other symptoms?
m0le is a proud member of UNITE
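One way to perform the check described in the reply above on the affected machine, as an added example that is not part of m0le's post or of any BleepingComputer tool: it lists every iexplore.exe through WMI (which, unlike Task Manager on Vista/7, exposes the full image path, the command line and the parent process), compares the image path with the expected one, checks the file's Authenticode signature, and looks at how each process was started. It assumes 32-bit Windows (the DDS header above says NTFSx86, so the only legitimate image is under %ProgramFiles%), PowerShell 2.0 or later, and IE8's one-process-per-tab convention where the frame process starts each tab with SCODEF:<frame pid> CREDAT:<n> on the command line; the thread itself states none of that.

```powershell
# Added example, not from the thread: verify every running iexplore.exe.
# Assumptions: 32-bit Windows (DDS log says NTFSx86), PowerShell 2.0+,
# IE8 tab processes carry "SCODEF:<frame pid> CREDAT:<n>" on the command line.
$expectedPath = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

# Win32_Process exposes ExecutablePath, CommandLine and ParentProcessId.
# ExecutablePath can be empty for processes of another user unless elevated.
$ieProcs = @(Get-WmiObject Win32_Process -Filter "Name = 'iexplore.exe'")

$report = foreach ($p in $ieProcs) {
    $findings = @()
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    # 1. Image path: anything outside the IE folder is not Internet Explorer,
    #    whatever the file is called (Task Manager shows only the file name).
    if ($p.ExecutablePath -ne $expectedPath) {
        $findings += "image path '$($p.ExecutablePath)'"
    }

    # 2. Authenticode signature of the image on disk. Caveat: on Vista/7 many
    #    OS binaries are signed only through the system catalog, which this
    #    cmdlet does not consult before PowerShell 5.1, so 'NotSigned' on a
    #    file in the correct folder means "verify another way (e.g. Sysinternals
    #    sigcheck)", not "malicious".
    $sig = if ($p.ExecutablePath) { Get-AuthenticodeSignature -FilePath $p.ExecutablePath }
    if (-not $sig -or $sig.Status -ne 'Valid') {
        $status = if ($sig) { $sig.Status } else { 'n/a' }
        $findings += "signature status '$status'"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings += "signer '$($sig.SignerCertificate.Subject)'"
    }

    # 3. How it was started. A tab process whose SCODEF pid is not its parent,
    #    or a frame process whose parent is neither explorer.exe nor another
    #    iexplore.exe, was launched by something other than IE or the shell.
    #    (A parent that has already exited shows up as an empty name; pids are
    #    reused, so run this while the processes are still alive.)
    $isTab = $p.CommandLine -match 'SCODEF:(\d+)'
    if ($isTab) {
        if ([int]$Matches[1] -ne $p.ParentProcessId) {
            $findings += "tab claims frame pid $($Matches[1]) but parent is $($p.ParentProcessId)"
        }
    } elseif (@('explorer.exe', 'iexplore.exe') -notcontains $parent.Name) {
        $findings += "parent is '$($parent.Name)' (pid $($p.ParentProcessId))"
    }

    New-Object PSObject -Property @{
        PID       = $p.ProcessId
        ParentPID = $p.ParentProcessId
        Parent    = $parent.Name
        Path      = $p.ExecutablePath
        Findings  = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

$report | Format-Table PID, ParentPID, Parent, Findings -AutoSize
$flagged = @($report | Where-Object { $_.Findings -ne 'ok' }).Count
"$($ieProcs.Count) iexplore.exe process(es), $flagged with findings"
```

Run it from an elevated PowerShell prompt while the stray processes are present; a process that reports "ok" on all three checks is a genuine IE frame or tab, and the remaining question is only what page or add-on is keeping it alive.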

#6 moosifer

moosifer
  • Topic Starter

  • Members
  • 7 posts
  • Local time:04:34 PM

Posted 30 October 2009 - 12:59 AM

My PC will freeze at random times as the computer is thinking, sometimes not unfreezing until I press Control, Alt, Delete, then it wakes up. When I try to close some of the iexplore.exe processes I will get a message telling me that it is not a valid process. The iexplore.exe processes never go away. They are always there.

#7 m0le

Posted 30 October 2009 - 07:31 AM

Okay, let's have a look around then :(

Please download Process Explorer

If Process Explorer won't execute, rename it Iexplore.exe

Next time the installer starts, please run the program.

Under File and Save As, create a log and post here

Copy and paste the log into your next reply



Next

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Thanks :(

#8 moosifer

Posted 30 October 2009 - 12:04 PM

RootRepeal crashed when I tried to use it twice. The crash reports are attached.

Process PID CPU Description Company Name
System Idle Process 0 98.46
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4 0.77
smss.exe 272
csrss.exe 372
wininit.exe 444
services.exe 504
svchost.exe 664
rundll32.exe 2388 Windows host process (Rundll32) Microsoft Corporation
FlashUtil10c.exe 3912 Adobe Flash Player Helper 10.0 r32 Adobe Systems, Inc.
svchost.exe 740
atiesrxx.exe 844
atieclxx.exe 1336
svchost.exe 876
audiodg.exe 5272
svchost.exe 908
WUDFHost.exe 680
dwm.exe 2236 0.77 Desktop Window Manager Microsoft Corporation
svchost.exe 940
svchost.exe 1084
svchost.exe 1196
spoolsv.exe 1368
svchost.exe 1412
AppleMobileDeviceService.exe 1508
mDNSResponder.exe 1536
svchost.exe 1572
ccSvcHst.exe 1620
ccSvcHst.exe 2584
svchost.exe 1728
taskhost.exe 2184 Host Process for Windows Tasks Microsoft Corporation
iPodService.exe 3584
wmpnetwk.exe 3728
taskhost.exe 3928
SearchIndexer.exe 3572
lsass.exe 528
lsm.exe 556
csrss.exe 452
winlogon.exe 536
explorer.exe 2284 Windows Explorer Microsoft Corporation
iTunesHelper.exe 3124 iTunesHelper Module Apple Inc.
GrooveMonitor.exe 3140 GrooveMonitor Utility Microsoft Corporation
ONENOTEM.EXE 3224 Microsoft Office OneNote Quick Launcher Microsoft Corporation
iexplore.exe 6040 Internet Explorer Microsoft Corporation
iexplore.exe 5896 Internet Explorer Microsoft Corporation
procexp.exe 4608 Sysinternals Process Explorer Sysinternals - www.sysinternals.com


#9 m0le

Posted 30 October 2009 - 05:24 PM

Please try Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

#10 moosifer

Posted 01 November 2009 - 08:37 PM

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-01 17:35:04
Windows 6.1.7600
Running: bv2eqkjr.exe; Driver: C:\Users\Dave\AppData\Local\Temp\kwlyipow.sys


---- System - GMER 1.0.15 ----

SSDT 86E10C90 ZwAlertResumeThread
SSDT 86E0E510 ZwAlertThread
SSDT 86F34A90 ZwAllocateVirtualMemory
SSDT 861F4740 ZwAlpcConnectPort
SSDT 86E57048 ZwAssignProcessToJobObject
SSDT 86F34090 ZwCreateMutant
SSDT 86F34328 ZwCreateSymbolicLinkObject
SSDT 86F34EA0 ZwCreateThread
SSDT 86F77B28 ZwCreateThreadEx
SSDT 86E49048 ZwDebugActiveProcess
SSDT 86F34BE8 ZwDuplicateObject
SSDT 86F348F0 ZwFreeVirtualMemory
SSDT 86E25048 ZwImpersonateAnonymousToken
SSDT 86E11F50 ZwImpersonateThread
SSDT 861F42F8 ZwLoadDriver
SSDT 86F34810 ZwMapViewOfSection
SSDT 86E37048 ZwOpenEvent
SSDT 86F34D88 ZwOpenProcess
SSDT 86D851D8 ZwOpenProcessToken
SSDT 86E41E90 ZwOpenSection
SSDT 86F34CB8 ZwOpenThread
SSDT 86F77C08 ZwProtectVirtualMemory
SSDT 86E1EDD0 ZwResumeThread
SSDT 86DCC810 ZwSetContextThread
SSDT 86F346B8 ZwSetInformationProcess
SSDT 86E45048 ZwSetSystemInformation
SSDT 86E3A048 ZwSuspendProcess
SSDT 86DCF750 ZwSuspendThread
SSDT 86E0B4F0 ZwTerminateProcess
SSDT 86DCEF90 ZwTerminateThread
SSDT 86E0CD50 ZwUnmapViewOfSection
SSDT 86F349C0 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E48AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E48104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E483F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E30634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E30898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E481DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E48958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E486F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E48F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E491A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A61579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A85F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 82A8D724 8 Bytes [90, 0C, E1, 86, 10, E5, E0, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82A8D73C 4 Bytes [90, 4A, F3, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 82A8D748 4 Bytes [40, 47, 1F, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 82A8D79C 4 Bytes [48, 70, E5, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 82A8D818 4 Bytes [90, 40, F3, 86]
.text ...
.text peauth.sys 9A224C9D 28 Bytes [D5, 2B, 30, 7E, F7, FB, 53, ...]
.text peauth.sys 9A224CC1 28 Bytes [D5, 2B, 30, 7E, F7, FB, 53, ...]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\System32\rundll32.exe[2388] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75925D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2388] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75925D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2388] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75925D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2388] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75925D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----
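The GMER output above lists 32 SSDT entries by address only, which is how GMER prints a hook it could not map to a loaded module. The added example below (my code, not GMER's and not part of moosifer's post) parses a log in this format into structured records and summarises what a responder looks at first: unattributed SSDT hooks, inline kernel code modifications, and attached devices belonging to non-Microsoft drivers. The trimmed sample log is a constructed copy of the format above; the example.sys line is constructed to show the attributed form GMER uses when it can name the driver, and its exact shape is assumed. Security products hook many of these same process- and thread-control functions for self-protection, so an unattributed hook is a lead to reconcile against the installed software, not by itself proof of a rootkit.

```python
"""Parse a GMER rootkit-scan text log and summarise its findings.

Added example: not GMER's own code and not part of the thread. SAMPLE_LOG is
a constructed, trimmed copy of the format pasted above; the example.sys SSDT
line is constructed to show the attributed form (shape assumed).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = r"""GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-01 17:35:04
Windows 6.1.7600

---- System - GMER 1.0.15 ----

SSDT 86E10C90 ZwAlertResumeThread
SSDT 86F34D88 ZwOpenProcess
SSDT 86E0B4F0 ZwTerminateProcess
SSDT \SystemRoot\system32\drivers\example.sys (Example Driver/Example Vendor) ZwCreateKey [0x9A21A3B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A61579 1 Byte [06]
.text peauth.sys 9A224C9D 28 Bytes [D5, 2B, 30, 7E, F7, FB, 53, ...]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r'^---- (.+?) - GMER [\d.]+ ----$')
# "SSDT <addr> <ZwFunc>": GMER could not attribute the hook to a module.
SSDT_BARE_RE = re.compile(r'^SSDT\s+([0-9A-F]{8})\s+(Zw\w+)\s*$')
# "SSDT <module path> (<desc>/<company>) <ZwFunc> [0x<addr>]": attributed hook.
SSDT_MOD_RE = re.compile(r'^SSDT\s+(\S+)\s+\((.*)\)\s+(Zw\w+)\s+\[0x([0-9A-F]+)\]\s*$')
# ".text <location> <addr> <n> Byte(s) [<bytes>]": inline code modification.
TEXT_RE = re.compile(r'^\.text\s+(.+?)\s+([0-9A-F]{8})\s+(\d+) Bytes?\s+\[(.*?)\]')
# "AttachedDevice <driver> <device> <module> (<desc>/<company>)".
DEVICE_RE = re.compile(r'^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')

MICROSOFT = "Microsoft Corporation"


@dataclass
class SsdtHook:
    function: str
    address: str
    module: Optional[str]  # None when GMER printed only an address


@dataclass
class CodePatch:
    location: str  # e.g. 'ntkrnlpa.exe!ZwSaveKeyEx + 13AD'
    address: str
    length: int
    patched_bytes: str


@dataclass
class AttachedDevice:
    driver: str
    device: str
    module: str
    description: str
    company: str


def parse_gmer(text: str) -> Dict[str, list]:
    """Return the log's sections plus SSDT hooks, code patches and devices."""
    result: Dict[str, list] = {"sections": [], "ssdt": [], "code": [], "devices": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            result["sections"].append(m.group(1))
        elif (m := SSDT_BARE_RE.match(line)):
            result["ssdt"].append(SsdtHook(m.group(2), m.group(1), None))
        elif (m := SSDT_MOD_RE.match(line)):
            result["ssdt"].append(SsdtHook(m.group(3), m.group(4), m.group(1)))
        elif (m := TEXT_RE.match(line)):
            result["code"].append(CodePatch(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
        elif (m := DEVICE_RE.match(line)):
            # The description may itself contain '/', so split on the last one.
            desc, _, company = m.group(4).rpartition("/")
            result["devices"].append(AttachedDevice(m.group(1), m.group(2), m.group(3), desc, company))
    return result


def summarize(parsed: Dict[str, list]) -> Dict[str, object]:
    """Triage view: what needs reconciling against installed software."""
    unattributed: List[SsdtHook] = [h for h in parsed["ssdt"] if h.module is None]
    return {
        "ssdt_total": len(parsed["ssdt"]),
        "ssdt_unattributed": len(unattributed),
        "unattributed_functions": sorted(h.function for h in unattributed),
        "code_patches": len(parsed["code"]),
        "third_party_devices": [
            (d.device, d.module, d.company) for d in parsed["devices"] if d.company != MICROSOFT
        ],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_gmer(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full log pasted above, the summary reports 32 SSDT hooks, all unattributed, 9 inline code modifications and three SYMTDIV.SYS devices on the TCP, UDP and RawIp stacks; the next step is to match those hooks and filters to the drivers of the software installed on 2009-10-27 in the DDS log rather than to treat them as an infection on their own.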

#11 m0le

Posted 02 November 2009 - 06:21 AM

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a prompt asking whether to continue.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(

#12 moosifer

Posted 03 November 2009 - 12:07 PM

The install told me not to run the program on a live machine so I was not comfortable installing the program, sorry.

#13 m0le

Posted 03 November 2009 - 03:18 PM

Hi moosifer,

I'm a bit confused. You say you are a bit unsure about installing the program because it would have to be on a live computer? Is that right?

If so, that is the only way it could be done. Any programs which remove malware will need to be run on the live PC.

Let me know if I've read that right.

Thanks :(

#14 m0le

Posted 06 November 2009 - 06:34 AM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open.

If you like you can PM me.

Thanks,


m0le

#15 m0le

Posted 07 November 2009 - 06:42 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
