Computer running 100cpu


36 replies to this topic

#1 velho_fin

Posted 29 October 2009 - 04:01 AM

Hello BleepingComputer!

My laptop started to run at 100% CPU and acts slower than before. Task Manager shows that explorer.exe and svchost.exe are using the CPU the most. Explorer.exe runs at around 40-60%, which is much more than a week earlier, when the problem showed up. I wish I could have help from people who know a lot about HJT logs, viruses etc. Thanks in advance!

Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:20, on 29.10.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Norman\Npm\Bin\scheduler.exe
C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
C:\Program Files\Norman\nse\bin\NSESVC.EXE
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Norman\Npm\Bin\Zlh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Norman\Nvc\Bin\Nip.exe
C:\Program Files\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\WisLMSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mobile Partner\Mobile Partner.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [Wbutton] C:\Program Files\Launch Manager\WButton.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [recinfo] c:\recinfo\recinfo.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Paikallinen palvelu')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Paikallinen palvelu')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Verkkopalvelu')
O4 - HKUS\S-1-5-18\..\Run: [fsc-reg] C:\ProgramData\fsc-reg\fscreg.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [fsc-reg] C:\ProgramData\fsc-reg\fscreg.exe (User 'Default user')
O8 - Extra context menu item: V&ie Microsoft Exceliin - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Lähetä OneNoteen - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Läh&etä OneNoteen - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA645DFA-6741-4B52-BE8A-2D99164A2D31}: NameServer = 62.241.198.245 62.241.198.246
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Program Files\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Program Files\Norman\Npm\bin\NVCSCHED.EXE (file missing)
O23 - Service: Norman Resource Provider (NVOY) - Norman ASA - C:\Program Files\Norman\npm\bin\nvoy.exe
O23 - Service: Norman Scheduler Service (Scheduler) - Norman ASA - C:\Program Files\Norman\Npm\Bin\scheduler.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe

--
End of file - 8538 bytes
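A small triage helper for entries in the HijackThis log format posted above, added here as an example and not part of the thread or of the HijackThis tool itself. The sample lines are constructed from entries quoted in the post, and the "expected launch location" prefixes are an assumption a reviewer would tune; the script only surfaces entries worth a second look, it does not declare anything malicious.

```python
import re

# Constructed sample in HijackThis v2 log format, modelled on entries
# quoted in the post above (not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [recinfo] c:\recinfo\recinfo.exe
O4 - HKUS\S-1-5-18\..\Run: [fsc-reg] C:\ProgramData\fsc-reg\fscreg.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA645DFA-6741-4B52-BE8A-2D99164A2D31}: NameServer = 62.241.198.245 62.241.198.246
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Program Files\Norman\npm\bin\NVCSCHED.EXE (file missing)
"""

# Every HJT entry line starts with a section code (R0, R1, O2, O4, O23, ...).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 body: <hive>\..\Run: [<name>] <command>
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# O23 body: Service: <display name> - <company> - <path>
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")

# Assumed "expected" launch locations for autorun entries; tune per environment.
EXPECTED_PREFIXES = ("c:\\program files", "%programfiles%", "c:\\windows")


def parse_hjt(text):
    """Return (section, body) pairs for the entry lines, skipping the header,
    the 'Running processes' path list and blank lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def parse_o4(body):
    """Split an O4 autorun body into (hive, name, command); None if malformed."""
    m = O4_RE.match(body)
    return (m.group("hive"), m.group("name"), m.group("cmd")) if m else None


def parse_o23(body):
    """Split an O23 service body into (display name, company, path); None if malformed."""
    m = O23_RE.match(body)
    return (m.group("name"), m.group("company"), m.group("path")) if m else None


def triage(text):
    """Return (finding, entry) pairs a reviewer would inspect first.
    Conservative heuristics: orphaned BHOs, autoruns launched from unusual
    locations, per-adapter DNS overrides, and services whose binary is gone."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O2" and body.endswith("(no file)"):
            findings.append(("orphaned BHO", body))
        elif section == "O4":
            parsed = parse_o4(body)
            if parsed is None:
                findings.append(("unparseable O4 entry", body))
            elif not parsed[2].lower().startswith(EXPECTED_PREFIXES):
                findings.append(("autorun outside Program Files/Windows", body))
        elif section == "O17":
            findings.append(("per-adapter DNS servers, verify against ISP", body))
        elif section == "O23":
            parsed = parse_o23(body)
            if parsed and parsed[2].endswith("(file missing)"):
                findings.append(("service whose binary is missing", body))
            elif parsed and parsed[1] == "Unknown owner":
                findings.append(("service without a publisher", body))
    return findings


if __name__ == "__main__":
    for finding, entry in triage(SAMPLE_LOG):
        print(f"[{finding}] {entry}")
```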



#2 m0le (Malware Response Team)

Posted 04 November 2009 - 06:52 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#3 velho_fin (Topic Starter)

Posted 04 November 2009 - 04:00 PM

Hello and thank you for your answer!

I'm already getting some help from a friend of mine, and he told me not to download any programs and to do only the things he says. So is it okay with you guys if I post again later, if I can't resolve the problem with my friend?

Thanks again for your reply and thanks for your time.

-V

#4 m0le (Malware Response Team)

Posted 04 November 2009 - 05:47 PM

I will close the topic. PM me if you need help.

---------------------------------------------

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

#5 m0le (Malware Response Team)

Posted 09 November 2009 - 02:40 PM

Reopened at user's request

---------------------------------------------------

Okay, velho_fin, please follow the instructions for posting the DDS and RootRepeal logs above.

Thanks

#6 velho_fin (Topic Starter)

Posted 09 November 2009 - 04:20 PM

Hello again and thanks for reopening my topic!

Okay, so I tried to run RootRepeal; first it jammed at one spot and then it crashed. The next time I tried to run it, it said "Could not initialize driver, contact an author" when I was about to run the scan, just as told in your first post. But I'm going to try running it again after school tomorrow and will tell you more then.

But I ran DDS and here's the log; hopefully it tells something about what's going on with my laptop:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Samppa at 21:44:45,34 on ma 09.11.2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.358.1035.18.3062.1823 [GMT 2:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Norman\Npm\Bin\Zlh.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Norman\Npm\Bin\scheduler.exe
C:\Program Files\Norman\Npm\bin\NJEEVES.EXE
C:\Program Files\Norman\nse\bin\NSESVC.EXE
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\Norman\Nvc\Bin\Nip.exe
C:\Program Files\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\Mobile Partner\Mobile Partner.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Samppa\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader -linkkiavustaja: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Liven kirjautumisapuohjelma: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Norman ZANDA] "c:\program files\norman\npm\bin\ZLH.EXE" /LOAD /SPLASH
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: V&ie Microsoft Exceliin - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: {AA645DFA-6741-4B52-BE8A-2D99164A2D31} = 62.241.198.245 62.241.198.246
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\samppa\appdata\roaming\mozilla\firefox\profiles\fy46w90i.default\
FF - prefs.js: browser.startup.homepage - www.google.fi
FF - plugin: c:\users\samppa\appdata\roaming\mozilla\firefox\profiles\fy46w90i.default\extensions\npfax@microgaming.co.uk\platform\winnt_x86-msvc\plugins\npfax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R1 Hotkey;Hotkey;c:\windows\system32\drivers\HOTKEY.sys [2008-5-30 9867]
R1 NGS;Norman General Security Driver;c:\program files\norman\ngs\bin\ngs.sys [2009-2-27 25032]
R1 NPROSEC;Norman Security driver;c:\program files\norman\ngs\bin\nprosec.sys [2009-5-12 56136]
R2 Ndiskio;Ndiskio;c:\program files\norman\nse\bin\Ndiskio.sys [2009-10-16 24168]
R2 NPROSECSVC;Norman Security service;c:\program files\norman\ngs\bin\nprosec.exe [2009-5-12 124232]
R2 NVOY;Norman Resource Provider;c:\program files\norman\npm\bin\nvoy.exe [2008-8-16 128328]
R3 nsesvc;Norman Scanner Engine Service;c:\program files\norman\nse\bin\Nsesvc.exe [2009-10-16 320840]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcv32mf.sys [2009-2-19 23392]
R3 nvcoas;Norman Virus Control on-access component;c:\program files\norman\nvc\bin\Nvcoas.exe [2009-2-19 197960]
R3 Scheduler;Norman Scheduler Service;c:\program files\norman\npm\bin\scheduler.exe [2009-5-12 132424]
S3 NVCScheduler;Norman Virus Control Scheduler;"c:\program files\norman\npm\bin\nvcsched.exe" --> c:\program files\norman\npm\bin\NVCSCHED.EXE [?]
S3 WisLMSvc;WisLMSvc;c:\program files\launch manager\WisLMSvc.exe [2008-5-30 118784]

=============== Created Last 30 ================

2009-11-09 15:09:52 0 d-----w- c:\program files\Microsoft
2009-11-09 15:08:24 0 d-----w- c:\program files\Windows Live SkyDrive
2009-11-05 17:52:08 0 d-----w- C:\RegSeeker
2009-11-05 14:56:40 0 d-----w- C:\_OTM
2009-11-04 14:30:46 98816 ----a-w- c:\windows\sed.exe
2009-11-04 14:30:46 77312 ----a-w- c:\windows\MBR.exe
2009-11-04 14:30:46 236544 ----a-w- c:\windows\PEV.exe
2009-11-04 14:30:46 161792 ----a-w- c:\windows\SWREG.exe
2009-11-02 19:58:10 0 d-----w- c:\users\samppa\appdata\roaming\Malwarebytes
2009-11-02 19:58:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 19:58:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 19:58:01 0 d-----w- c:\programdata\Malwarebytes
2009-11-02 19:58:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 12:50:41 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-29 12:50:21 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-29 12:50:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-29 12:50:12 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-28 19:39:17 0 d-----w- c:\program files\CCleaner
2009-10-28 13:28:49 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 13:28:48 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-28 13:01:49 0 d-----w- c:\program files\Trend Micro
2009-10-20 18:56:32 0 d-----w- c:\program files\Full Tilt Poker
2009-10-16 20:09:02 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-16 20:03:36 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-16 20:00:14 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-16 20:00:14 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-16 19:54:30 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-10-16 19:54:29 217088 ----a-w- c:\windows\system32\psisrndr.ax
2009-10-16 19:54:28 80896 ----a-w- c:\windows\system32\MSNP.ax
2009-10-16 19:54:28 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-10-16 19:54:28 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2009-10-16 19:45:22 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-10-16 19:45:19 144896 ----a-w- c:\windows\system32\drivers\srv2.sys

==================== Find3M ====================

2009-11-09 10:29:22 80720 ----a-w- c:\windows\system32\perfc00B.dat
2009-11-09 10:29:22 435626 ----a-w- c:\windows\system32\perfh00B.dat
2009-11-06 13:32:16 38 ----a-w- c:\users\samppa\jagex_runescape_preferences.dat
2009-11-06 13:29:52 63 ----a-w- c:\users\samppa\jagex_runescape_preferences2.dat
2009-11-02 18:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-20 18:13:45 758 ----a-w- c:\users\samppa\appdata\roaming\wklnhst.dat
2009-10-09 11:06:44 23392 ----a-w- c:\windows\system32\drivers\nvcv32mf.sys
2009-10-07 12:07:04 214344 ----a-w- c:\windows\system32\nscrnsav.scr
2009-09-25 14:02:24 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-28 12:39:07 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32:41 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58:58 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-17 20:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 16:29:41 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 16:29:41 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 14:16:55 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16:55 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16:52 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16:51 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16:50 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16:49 10240 ----a-w- c:\windows\system32\finger.exe
2008-11-07 14:25:16 86016 ----a-w- c:\windows\inf\infstrng.dat
2008-11-07 14:25:16 51200 ----a-w- c:\windows\inf\infpub.dat
2008-11-07 14:25:13 86016 ----a-w- c:\windows\inf\infstor.dat
2008-08-17 09:21:11 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-04-10 07:55:16 36790 ----a-w- c:\windows\inf\perflib\040b\perfd.dat
2008-04-10 07:55:16 36790 ----a-w- c:\windows\inf\perflib\040b\perfc.dat
2008-04-10 07:55:16 274158 ----a-w- c:\windows\inf\perflib\040b\perfi.dat
2008-04-10 07:55:16 274158 ----a-w- c:\windows\inf\perflib\040b\perfh.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-08-16 07:45:12 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008081620080817\index.dat

============= FINISH: 21:47:47,56 ===============


I'm glad to have help from you guys, I appreciate it!

#7 m0le (Malware Response Team)

Posted 09 November 2009 - 06:02 PM

If RootRepeal is a problem, then run GMER.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Thanks

#8 velho_fin (Topic Starter)

Posted 10 November 2009 - 07:39 AM

Okay, here's the GMER log:

Rootkit scan 2009-11-10 14:37:11
Windows 6.0.6001 Service Pack 1
Running: c35umknv.exe; Driver: C:\Users\Samppa\AppData\Local\Temp\uwryqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwCreateProcess [0x8EA040D4]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwCreateProcessEx [0x8EA04104]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwCreateThread [0x8EA036FC]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwTerminateProcess [0x8EA04488]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwWriteVirtualMemory [0x8EA04134]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwCreateThreadEx [0x8EA0399E]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwCreateUserProcess [0x8EA03EFE]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 43C 820C5A00 8 Bytes [D4, 40, A0, 8E, 04, 41, A0, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 454 820C5A18 4 Bytes [FC, 36, A0, 8E]
.text ntkrnlpa.exe!KeSetTimerEx + 854 820C5E18 4 Bytes [88, 44, A0, 8E] {MOV [EAX-0x72], AL}
.text ntkrnlpa.exe!KeSetTimerEx + 8B4 820C5E78 4 Bytes [34, 41, A0, 8E]
.text ntkrnlpa.exe!KeSetTimerEx + 914 820C5ED8 8 Bytes [9E, 39, A0, 8E, FE, 3E, A0, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Users\Samppa\Desktop\c35umknv.exe[2304] kernel32.dll!LoadLibraryExW 76AE30C3 6 Bytes JMP 5F070F5A
.text C:\Users\Samppa\Desktop\c35umknv.exe[2304] WS2_32.dll!htons 769C3010 6 Bytes JMP 5F040F5A
.text C:\Users\Samppa\Desktop\c35umknv.exe[2304] WS2_32.dll!WSAGetLastError + 2 769C3037 4 Bytes [1E, 00, 0B, 5F] {PUSH DS; ADD [EBX], CL; POP EDI}
.text C:\Users\Samppa\Desktop\c35umknv.exe[2304] WS2_32.dll!closesocket 769C330C 6 Bytes JMP 5F0D0F5A
.text C:\Users\Samppa\Desktop\c35umknv.exe[2304] WS2_32.dll!connect 769C40D9 6 Bytes JMP 5F130F5A
.text C:\Users\Samppa\Desktop\c35umknv.exe[2304] WS2_32.dll!WSAEventSelect 769C5BFA 6 Bytes JMP 5F1F0F5A
.text C:\Users\Samppa\Desktop\c35umknv.exe[2304] WS2_32.dll!WSAConnect 769CD7B0 6 Bytes JMP 5F190F5A
.text C:\Users\Samppa\Desktop\c35umknv.exe[2304] WS2_32.dll!WSAAsyncSelect 769DA17C 6 Bytes JMP 5F1C0F5A
.text C:\Users\Samppa\Desktop\c35umknv.exe[2304] WS2_32.dll!WSAAccept 769DBB56 6 Bytes JMP 5F160F5A
.text C:\Users\Samppa\Desktop\c35umknv.exe[2304] WS2_32.dll!accept 769DBDF6 6 Bytes JMP 5F100F5A
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] kernel32.dll!LoadLibraryExW 76AE30C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] USER32.dll!GetScrollPos 7642C090 5 Bytes JMP 00351FD0 C:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] USER32.dll!GetScrollRange 7642C33B 5 Bytes JMP 00352000 C:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] USER32.dll!SetScrollRange 7642E173 5 Bytes JMP 003520C0 C:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] USER32.dll!GetSysColorBrush 7642EECC 5 Bytes JMP 003521B0 C:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] USER32.dll!GetScrollInfo 76430804 7 Bytes JMP 00351F90 C:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] USER32.dll!ShowScrollBar 76430E7C 2 Bytes JMP 00352110 C:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] USER32.dll!ShowScrollBar + 3 76430E7F 2 Bytes [F2, 89]
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] USER32.dll!SetScrollInfo 76438663 7 Bytes JMP 00352040 C:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] USER32.dll!GetSysColor 76439D02 5 Bytes JMP 00352150 C:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] USER32.dll!EnableScrollBar 7644B11E 7 Bytes JMP 00351F50 C:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] USER32.dll!SetScrollPos 76453A1E 5 Bytes JMP 00352080 C:\Program Files\Mobile Partner\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] WS2_32.dll!htons 769C3010 6 Bytes JMP 5F040F5A
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] WS2_32.dll!WSAGetLastError + 2 769C3037 4 Bytes [1E, 00, 0B, 5F] {PUSH DS; ADD [EBX], CL; POP EDI}
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] WS2_32.dll!closesocket 769C330C 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] WS2_32.dll!connect 769C40D9 6 Bytes JMP 5F130F5A
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] WS2_32.dll!WSAEventSelect 769C5BFA 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] WS2_32.dll!WSAConnect 769CD7B0 6 Bytes JMP 5F190F5A
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] WS2_32.dll!WSAAsyncSelect 769DA17C 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] WS2_32.dll!WSAAccept 769DBB56 6 Bytes JMP 5F160F5A
.text C:\Program Files\Mobile Partner\Mobile Partner.exe[2864] WS2_32.dll!accept 769DBDF6 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\taskeng.exe[3000] kernel32.dll!LoadLibraryExW 76AE30C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\taskeng.exe[3000] WS2_32.dll!htons 769C3010 6 Bytes JMP 5F040F5A
.text C:\Windows\system32\taskeng.exe[3000] WS2_32.dll!WSAGetLastError + 2 769C3037 4 Bytes [1E, 00, 0B, 5F] {PUSH DS; ADD [EBX], CL; POP EDI}
.text C:\Windows\system32\taskeng.exe[3000] WS2_32.dll!closesocket 769C330C 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\taskeng.exe[3000] WS2_32.dll!connect 769C40D9 6 Bytes JMP 5F130F5A
.text C:\Windows\system32\taskeng.exe[3000] WS2_32.dll!WSAEventSelect 769C5BFA 6 Bytes JMP 5F1F0F5A
.text C:\Windows\system32\taskeng.exe[3000] WS2_32.dll!WSAConnect 769CD7B0 6 Bytes JMP 5F190F5A
.text C:\Windows\system32\taskeng.exe[3000] WS2_32.dll!WSAAsyncSelect 769DA17C 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\taskeng.exe[3000] WS2_32.dll!WSAAccept 769DBB56 6 Bytes JMP 5F160F5A
.text C:\Windows\system32\taskeng.exe[3000] WS2_32.dll!accept 769DBDF6 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\Dwm.exe[3120] kernel32.dll!LoadLibraryExW 76AE30C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\Dwm.exe[3120] WS2_32.dll!htons 769C3010 6 Bytes JMP 5F040F5A
.text C:\Windows\system32\Dwm.exe[3120] WS2_32.dll!WSAGetLastError + 2 769C3037 4 Bytes [1E, 00, 0B, 5F] {PUSH DS; ADD [EBX], CL; POP EDI}
.text C:\Windows\system32\Dwm.exe[3120] WS2_32.dll!closesocket 769C330C 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\Dwm.exe[3120] WS2_32.dll!connect 769C40D9 6 Bytes JMP 5F130F5A
.text C:\Windows\system32\Dwm.exe[3120] WS2_32.dll!WSAEventSelect 769C5BFA 6 Bytes JMP 5F1F0F5A
.text C:\Windows\system32\Dwm.exe[3120] WS2_32.dll!WSAConnect 769CD7B0 6 Bytes JMP 5F190F5A
.text C:\Windows\system32\Dwm.exe[3120] WS2_32.dll!WSAAsyncSelect 769DA17C 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\Dwm.exe[3120] WS2_32.dll!WSAAccept 769DBB56 6 Bytes JMP 5F160F5A
.text C:\Windows\system32\Dwm.exe[3120] WS2_32.dll!accept 769DBDF6 6 Bytes JMP 5F100F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[3564] kernel32.dll!LoadLibraryExW 76AE30C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[3564] WS2_32.dll!htons 769C3010 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[3564] WS2_32.dll!WSAGetLastError + 2 769C3037 4 Bytes [1E, 00, 0B, 5F] {PUSH DS; ADD [EBX], CL; POP EDI}
.text C:\Program Files\Windows Defender\MSASCui.exe[3564] WS2_32.dll!closesocket 769C330C 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[3564] WS2_32.dll!connect 769C40D9 6 Bytes JMP 5F130F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[3564] WS2_32.dll!WSAEventSelect 769C5BFA 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[3564] WS2_32.dll!WSAConnect 769CD7B0 6 Bytes JMP 5F190F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[3564] WS2_32.dll!WSAAsyncSelect 769DA17C 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[3564] WS2_32.dll!WSAAccept 769DBB56 6 Bytes JMP 5F160F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[3564] WS2_32.dll!accept 769DBDF6 6 Bytes JMP 5F100F5A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3628] kernel32.dll!LoadLibraryExW 76AE30C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3628] WS2_32.dll!htons 769C3010 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3628] WS2_32.dll!WSAGetLastError + 2 769C3037 4 Bytes [1E, 00, 0B, 5F] {PUSH DS; ADD [EBX], CL; POP EDI}
.text C:\Program Files\Windows Sidebar\sidebar.exe[3628] WS2_32.dll!closesocket 769C330C 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3628] WS2_32.dll!connect 769C40D9 6 Bytes JMP 5F130F5A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3628] WS2_32.dll!WSAEventSelect 769C5BFA 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3628] WS2_32.dll!WSAConnect 769CD7B0 6 Bytes JMP 5F190F5A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3628] WS2_32.dll!WSAAsyncSelect 769DA17C 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3628] WS2_32.dll!WSAAccept 769DBB56 6 Bytes JMP 5F160F5A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3628] WS2_32.dll!accept 769DBDF6 6 Bytes JMP 5F100F5A
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3644] kernel32.dll!LoadLibraryExW 76AE30C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3644] WS2_32.dll!htons 769C3010 6 Bytes JMP 5F040F5A
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3644] WS2_32.dll!WSAGetLastError + 2 769C3037 4 Bytes [1E, 00, 0B, 5F] {PUSH DS; ADD [EBX], CL; POP EDI}
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3644] WS2_32.dll!closesocket 769C330C 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3644] WS2_32.dll!connect 769C40D9 6 Bytes JMP 5F130F5A
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3644] WS2_32.dll!WSAEventSelect 769C5BFA 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3644] WS2_32.dll!WSAConnect 769CD7B0 6 Bytes JMP 5F190F5A
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3644] WS2_32.dll!WSAAsyncSelect 769DA17C 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3644] WS2_32.dll!WSAAccept 769DBB56 6 Bytes JMP 5F160F5A
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3644] WS2_32.dll!accept 769DBDF6 6 Bytes JMP 5F100F5A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:20 AM

Posted 10 November 2009 - 04:58 PM

Nothing there on GMER, and I think that RootRepeal probably struggled with the high CPU.

I'm not seeing any malware, but there are a large number of possible reasons. Before we look at those, let's see if we can pin down the cause.


Please download and run Process Explorer

If Process explorer won't execute rename it Iexplore.exe


1. Please open Process Explorer.

2. Select the Svchost process that is using the high CPU.

3. Right click it and select Properties, then the Services tab.

4. Under Services Registered in Process, you will find the Service and Display name.

5. Please take note of what these are and include it in your next reply.


Thanks :(
m0le is a proud member of UNITE
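The same lookup that the Process Explorer "Services" tab gives you (which services live inside a given svchost.exe, and how much CPU that host has used) can be done from a console. This is an added example, not part of the thread or of Process Explorer; it assumes Windows PowerShell 3.0 or later (Get-CimInstance), which is newer than the Vista machine discussed here, and an elevated prompt so every service's ProcessId is visible.

```powershell
# Added example (not from the thread): map each svchost.exe PID to the
# services it hosts, with the process's accumulated CPU time.
# Assumes Windows PowerShell 3.0+ (Get-CimInstance) and an elevated prompt.

function Get-SvchostServiceMap {
    param(
        # Only report hosts whose total CPU time is at least this many seconds.
        [double]$MinCpuSeconds = 0
    )

    # Every service together with the PID currently hosting it (0 = not running).
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 }

    foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        # TotalProcessorTime can be unreadable for protected processes when
        # not elevated; report it as unknown instead of failing.
        $cpu = $null
        try { $cpu = $proc.TotalProcessorTime.TotalSeconds } catch { }
        if ($null -ne $cpu -and $cpu -lt $MinCpuSeconds) { continue }

        $hosted = $services | Where-Object { $_.ProcessId -eq $proc.Id }

        [pscustomobject]@{
            PID          = $proc.Id
            CpuSeconds   = if ($null -ne $cpu) { [math]::Round($cpu, 1) } else { 'n/a' }
            # Short service names, e.g. "BITS, Schedule, wuauserv".
            Services     = ($hosted.Name | Sort-Object) -join ', '
            # Display names as shown in the Services tab (localized on non-English Windows).
            DisplayNames = ($hosted.DisplayName | Sort-Object) -join '; '
        }
    }
}

# Busiest host first: the instance you would pick in Process Explorer.
Get-SvchostServiceMap |
    Sort-Object { if ($_.CpuSeconds -is [double]) { $_.CpuSeconds } else { -1 } } -Descending |
    Format-Table -AutoSize -Wrap
```

The short names in the Services column are what the reply below lists (AeLookupSvc, BITS, wuauserv and so on), which is why the localized display names are not needed to identify a host.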

#10 velho_fin

velho_fin
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:11:20 AM

Posted 11 November 2009 - 08:04 AM

Okay, I take explorer.exe as the main problem, but here are those svchost Service names:

AeLookupSvc
Appinfo
BITS
EapHost
gpsvc
IKEEXT
iphlpsvc
LanmanServer
MMCSS
ProfSvc
RasMan
Schedule
seclogon
SENS
ShellHWDetection
Themes
Winmgmt
wuauserv

The Display names were in Finnish, so I didn't find it important to put those on the list.

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:20 AM

Posted 11 November 2009 - 05:20 PM

Nothing malicious there.

Let's take a look at all the processes.

Run Process Explorer.

Under File and Save As, create a log and post it here.

Copy and paste the log into your next reply.
m0le is a proud member of UNITE

#12 velho_fin

velho_fin
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:11:20 AM

Posted 12 November 2009 - 03:20 AM

Okay, here we go =)

Process PID CPU Description Company Name
System Idle Process 0
Interrupts n/a Hardware Interrupts
DPCs n/a 1.18 Deferred Procedure Calls
System 4 0.79
smss.exe 504 Windows Session Manager Microsoft Corporation
csrss.exe 600 Suorituksenaikainen asiakas-palvelin-prosessi Microsoft Corporation
csrss.exe 644 Suorituksenaikainen asiakas-palvelin-prosessi Microsoft Corporation
wininit.exe 652 Windowsin käynnistyssovellus Microsoft Corporation
services.exe 688 Palvelu- ja ohjainohjelma Microsoft Corporation
svchost.exe 900 1.18 Windows-palveluiden isäntäprosessi Microsoft Corporation
elogsvc.exe 944 Norman eLogger service Norman ASA
nprosec.exe 956 Norman Security service Norman ASA
svchost.exe 992 Windows-palveluiden isäntäprosessi Microsoft Corporation
svchost.exe 1028 Windows-palveluiden isäntäprosessi Microsoft Corporation
svchost.exe 1120 Windows-palveluiden isäntäprosessi Microsoft Corporation
audiodg.exe 1272 Windows Audio Device Graph Isolation Microsoft Corporation
svchost.exe 1144 1.18 Windows-palveluiden isäntäprosessi Microsoft Corporation
dwm.exe 2732 3.54 Desktop Window Manager Microsoft Corporation
svchost.exe 1160 4.33 Windows-palveluiden isäntäprosessi Microsoft Corporation
taskeng.exe 2760 0.39 Tehtävien ajoitus -moduuli Microsoft Corporation
wuauclt.exe 3708 0.39 Windows Update Microsoft Corporation
SLsvc.exe 1312 Microsoftin ohjelmien käyttöoikeuspalvelu Microsoft Corporation
svchost.exe 1368 Windows-palveluiden isäntäprosessi Microsoft Corporation
Zanda.exe 1544 Norman Zanda service Norman ASA
nvoy.exe 1556 Nvoy Norman ASA
svchost.exe 1604 Windows-palveluiden isäntäprosessi Microsoft Corporation
spoolsv.exe 1780 Spooler SubSystem App Microsoft Corporation
svchost.exe 1812 Windows-palveluiden isäntäprosessi Microsoft Corporation
svchost.exe 560 Windows-palveluiden isäntäprosessi Microsoft Corporation
svchost.exe 1172 Windows-palveluiden isäntäprosessi Microsoft Corporation
svchost.exe 1576 Windows-palveluiden isäntäprosessi Microsoft Corporation
SearchIndexer.exe 1508 0.39 Microsoft Windows Search -indeksointi Microsoft Corporation
scheduler.exe 2352 Norman Scheduler Service (x86) Norman ASA
Njeeves.exe 2364 NJeeves Norman ASA
Nsesvc.exe 2468 1.18 Norman Scanner Engine Service Norman ASA
Nvcoas.exe 3432 NVC OnAccess virus scanner Norman ASA
lsass.exe 700 Local Security Authority Process Microsoft Corporation
lsm.exe 716 Local Session Manager Service Microsoft Corporation
winlogon.exe 788 Windowsin kirjautumissovellus Microsoft Corporation
explorer.exe 2788 6.30 Resurssienhallinta Microsoft Corporation
MSASCui.exe 3044 Windows Defender User Interface Microsoft Corporation
Zlh.exe 3060 Norman ZLH Norman ASA
Nip.exe 2680 NVC Internet Protection Norman ASA
sidebar.exe 3068 Windowsin sivupalkki Microsoft Corporation
TSVNCache.exe 3268 TortoiseSVN status cache http://tortoisesvn.net
Mobile Partner.exe 1448 10.63
firefox.exe 1036 Firefox Mozilla Corporation
procexp.exe 3544 61.81 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
TSVNCache.exe 2804 3.54 TortoiseSVN status cache http://tortoisesvn.net
CClaw.exe 1216 CClaw Norman ASA

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:20 AM

Posted 12 November 2009 - 06:23 PM

There isn't anything strange there either. There was only one explorer.exe process running when you ran Process Explorer.

When the CPU is at its highest run the program again and post the log.

In the meantime, please look at this article and see if any of these may be the reason.
m0le is a proud member of UNITE

#14 velho_fin

velho_fin
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:11:20 AM

Posted 13 November 2009 - 06:38 AM

Hello again.

I read that article and none of them seemed to fit my situation. Could it be possible that there is something broken/wounded inside my laptop?

Here's the new Process Explorer log:

Process PID CPU Description Company Name
System Idle Process 0
Interrupts n/a Hardware Interrupts
DPCs n/a 0.76 Deferred Procedure Calls
System 4 0.76
smss.exe 440 Windows Session Manager Microsoft Corporation
csrss.exe 592 Suorituksenaikainen asiakas-palvelin-prosessi Microsoft Corporation
csrss.exe 644 0.76 Suorituksenaikainen asiakas-palvelin-prosessi Microsoft Corporation
wininit.exe 652 Windowsin käynnistyssovellus Microsoft Corporation
services.exe 688 Palvelu- ja ohjainohjelma Microsoft Corporation
svchost.exe 900 3.81 Windows-palveluiden isäntäprosessi Microsoft Corporation
dllhost.exe 3880 COM Surrogate Microsoft Corporation
elogsvc.exe 944 Norman eLogger service Norman ASA
nprosec.exe 956 Norman Security service Norman ASA
svchost.exe 992 Windows-palveluiden isäntäprosessi Microsoft Corporation
svchost.exe 1028 Windows-palveluiden isäntäprosessi Microsoft Corporation
svchost.exe 1124 Windows-palveluiden isäntäprosessi Microsoft Corporation
audiodg.exe 1288 Windows Audio Device Graph Isolation Microsoft Corporation
svchost.exe 1176 3.81 Windows-palveluiden isäntäprosessi Microsoft Corporation
dwm.exe 2952 9.14 Desktop Window Manager Microsoft Corporation
svchost.exe 1200 27.42 Windows-palveluiden isäntäprosessi Microsoft Corporation
taskeng.exe 1840 Tehtävien ajoitus -moduuli Microsoft Corporation
taskeng.exe 2876 Tehtävien ajoitus -moduuli Microsoft Corporation
wuauclt.exe 2904 Windows Update Microsoft Corporation
taskeng.exe 4000 Tehtävien ajoitus -moduuli Microsoft Corporation
wuauclt.exe 2828 Windows Update Microsoft Corporation
SLsvc.exe 1316 Microsoftin ohjelmien käyttöoikeuspalvelu Microsoft Corporation
svchost.exe 1360 Windows-palveluiden isäntäprosessi Microsoft Corporation
Zanda.exe 1488 Norman Zanda service Norman ASA
nvoy.exe 1512 Nvoy Norman ASA
svchost.exe 1608 Windows-palveluiden isäntäprosessi Microsoft Corporation
spoolsv.exe 1848 Spooler SubSystem App Microsoft Corporation
svchost.exe 1880 Windows-palveluiden isäntäprosessi Microsoft Corporation
svchost.exe 468 Windows-palveluiden isäntäprosessi Microsoft Corporation
svchost.exe 580 Windows-palveluiden isäntäprosessi Microsoft Corporation
svchost.exe 1276 Windows-palveluiden isäntäprosessi Microsoft Corporation
scheduler.exe 2348 Norman Scheduler Service (x86) Norman ASA
Njeeves.exe 2364 NJeeves Norman ASA
TrustedInstaller.exe 2396 Windowsin moduulien asennusohjelma Microsoft Corporation
Nsesvc.exe 2480 Norman Scanner Engine Service Norman ASA
Nvcoas.exe 2656 NVC OnAccess virus scanner Norman ASA
msiexec.exe 3320 5.33 Windows® installer Microsoft Corporation
msiexec.exe 720 0.76 Windows® installer Microsoft Corporation
lsass.exe 704 Local Security Authority Process Microsoft Corporation
lsm.exe 712 Local Session Manager Service Microsoft Corporation
winlogon.exe 804 Windowsin kirjautumissovellus Microsoft Corporation
explorer.exe 3000 38.85 Resurssienhallinta Microsoft Corporation
MSASCui.exe 3268 Windows Defender User Interface Microsoft Corporation
Zlh.exe 3292 Norman ZLH Norman ASA
Nip.exe 3148 NVC Internet Protection Norman ASA
sidebar.exe 3324 Windowsin sivupalkki Microsoft Corporation
TSVNCache.exe 3340 TortoiseSVN status cache http://tortoisesvn.net
winamp.exe 3872 Winamp Nullsoft
Mobile Partner.exe 1736 5.33
firefox.exe 1192 0.76 Firefox Mozilla Corporation
procexp.exe 1740 3.05 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
CClaw.exe 2908 CClaw Norman ASA

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:20 AM

Posted 13 November 2009 - 10:29 PM

Could it be possible that there is something broken/wounded inside my laptop?


It's possible. There are other scans that could determine if you have any conflicts but first let's take a look at the log.


From the Process Explorer log it seems that Norman is quite a resource hog.

elogsvc.exe 944 Norman eLogger service Norman ASA
nprosec.exe 956 Norman Security service Norman ASA
Zanda.exe 1488 Norman Zanda service Norman ASA
nvoy.exe 1512 Nvoy Norman ASA
scheduler.exe 2348 Norman Scheduler Service (x86) Norman ASA
Njeeves.exe 2364 NJeeves Norman ASA
Nsesvc.exe 2480 Norman Scanner Engine Service Norman ASA
Nvcoas.exe 2656 NVC OnAccess virus scanner Norman ASA
Zlh.exe 3292 Norman ZLH Norman ASA
Nip.exe 3148 NVC Internet Protection Norman ASA
CClaw.exe 2908 CClaw Norman ASA

I would suggest that as an experiment it may be an idea to disable some of Norman's services and see if the performance improves.

I would be tempted to remove it completely and try a slightly lighter antivirus, but that's your call.

Let me know what you find out. :(
m0le is a proud member of UNITE



