
csrss.exe/Found 3 files with this name/probably infected


  • This topic is locked
12 replies to this topic

#1 snkpc

snkpc

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:33 PM

Posted 24 November 2009 - 01:04 AM

Hello everyone, I've recently noticed this process csrss.exe while doing my regular look-up in my Task Manager. I had really never seen it before, so I Googled it; a lot of results said it was a virus or spyware, and some others said it's a legit Windows system file. So I checked my Task Manager and found that indeed I couldn't end this process, that being a good thing since it is a critical Windows file. But when I did a search for it on my PC I found 3 of them: one in Windows\System32, one in Windows\ServicePackFiles\i386 and the other one in Windows\SoftwareDistribution\Download\9866fb..... (and the numbers and letters go on). All of these files have different dates on them and they all have a 6KB file size. I use Windows XP with Service Pack 2 and have some apps installed for viruses and spyware, and a firewall (Comodo).
Here is the HijackThis log and start-up.
If there is a need to create another log, please let me know and I will upload it ASAP.

Thank you in advance.
If there are any other problems I should be fixing, please let me know.

I was unable to run the DDS log. The RSIT log is attached.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:02 PM, on 11/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\WTClient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - FBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - F99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] "AGRSMMSG.exe"
O4 - HKLM\..\Run: [SoundMan] "SOUNDMAN.EXE"
O4 - HKLM\..\Run: [AlcWzrd] "ALCWZRD.EXE"
O4 - HKLM\..\Run: [Alcmtr] "ALCMTR.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WTClient] WTClient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...k.cab102118.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 6828 bytes
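The question in this post, whether three copies of csrss.exe are normal, is one a practitioner answers with evidence rather than a search result. The script below is an added example and is not something posted in this thread. It assumes a modern Windows PowerShell (3.0 or later for Get-CimInstance, 4.0 or later for Get-FileHash) run from an elevated prompt, which the poster's XP SP2 machine would not have had. It lists every file named csrss.exe under the Windows directory with its size, SHA-256 hash and Authenticode signer, then checks that each running csrss.exe is the System32 copy and reports its parent process (smss.exe on a healthy system). The three locations named in the post are the expected homes for the installed binary (System32), the service-pack original (ServicePackFiles\i386) and the Windows Update download cache (SoftwareDistribution\Download), so multiple copies there are not by themselves a sign of infection; a copy anywhere else, a copy with a non-Microsoft signer, or a running instance loaded from outside System32 would be.

```powershell
# Added example for this thread, not code from the original post.
# Requires Windows PowerShell 3.0+ (Get-CimInstance) and 4.0+ (Get-FileHash);
# run from an elevated prompt so csrss.exe process paths are readable.

function Get-CsrssCopies {
    # Every file literally named csrss.exe under the Windows directory.
    # On XP, System32, ServicePackFiles\i386 and SoftwareDistribution\Download
    # are the expected locations; anything else deserves a closer look.
    $root = $env:SystemRoot
    Get-ChildItem -Path $root -Filter 'csrss.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Modified  = $_.LastWriteTime
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                # Catalog-signed OS binaries can report NotSigned on older
                # Windows/PowerShell versions; treat that as "verify with
                # sigcheck or sfc", not as proof of tampering. A signer that
                # is not Microsoft is the real red flag.
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        }
}

function Get-RunningCsrss {
    # Running instances: the image must be %SystemRoot%\System32\csrss.exe and
    # the parent is smss.exe. On Vista and later the per-session smss.exe exits
    # after spawning csrss, so an unresolvable parent PID is normal there; on XP
    # the single smss.exe stays alive and should resolve.
    $expected = Join-Path $env:SystemRoot 'System32\csrss.exe'
    Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            Pid         = $_.ProcessId
            Path        = $_.ExecutablePath
            PathIsValid = [bool]($_.ExecutablePath -and ($_.ExecutablePath -ieq $expected))
            ParentPid   = $_.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '(exited)' }
        }
    }
}

$disk    = Get-CsrssCopies
$running = Get-RunningCsrss

'== csrss.exe copies on disk =='
$disk | Format-Table -AutoSize | Out-Host

'== running csrss.exe instances =='
$running | Format-Table -AutoSize | Out-Host

# Anything flagged here is what a helper would ask about next.
$disk | Where-Object { $_.Signer -notmatch 'Microsoft' } |
    ForEach-Object { "REVIEW: $($_.Path) signer=$($_.Signer) status=$($_.SigStatus)" }
$running | Where-Object { -not $_.PathIsValid } |
    ForEach-Object { "REVIEW: PID $($_.Pid) running from '$($_.Path)'" }
```

Identical hashes across the copies mean they are the same build; differing hashes between System32 and the update cache are expected when an update has replaced the binary, which is why the signer, not the hash, is the deciding check. A csrss.exe that cannot be ended from Task Manager is normal, so that observation on its own says nothing either way.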


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,200 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:33 AM

Posted 29 November 2009 - 08:46 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks, and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 snkpc

snkpc
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:33 PM

Posted 29 November 2009 - 11:39 PM

Hello Elise, thanks for the welcome and your help. Basically it's the same issue about csrss.exe as you can read in my first post. I managed to get the DDS logs and GMER logs and also did a HijackThis log again, since I installed SP3 on my PC and had a couple of updates right after I posted my first thread. The logs are in the following order:

- DDS (let me know if you need the Attach log as well)

- HijackThis

- GMER (I'm attaching this log since it's too big and I get an error when I post it)


I hope I'm virus, spyware, malware, grayware and hacker free. Thanks for your help, I will be waiting for your answer.

Please let me know if you need any other information. Thanks.


DDS (Ver_09-11-29.01) - NTFSx86
Run by one at 14:37:01.76 on Sun 11/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1561 [GMT -8:00]

AV: avast! antivirus 4.8.1356 [VPS 091129-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\WTClient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\one\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AGRSMMSG] "AGRSMMSG.exe"
mRun: [SoundMan] "SOUNDMAN.EXE"
mRun: [AlcWzrd] "ALCWZRD.EXE"
mRun: [Alcmtr] "ALCMTR.EXE"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [WTClient] WTClient.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\one\applic~1\mozilla\firefox\profiles\htvn7hrv.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://mx.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_mx&p=
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-14 114768]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-6-4 133064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-6-4 25160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-14 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-10-14 138680]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-6-4 723632]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-3-9 65536]
R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\drivers\PTSimBus.sys [2009-11-20 23208]
R3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\drivers\PTSimHid.sys [2009-11-20 14504]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-10-14 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-10-14 352920]

=============== Created Last 30 ================

2009-11-25 18:22:24 0 d--h--w- c:\windows\PIF
2009-11-25 18:21:29 0 d-----w- c:\docume~1\one\applic~1\Windows Search
2009-11-25 17:31:08 0 d-----w- C:\4cbd70e93f81a9519154a9cc15
2009-11-25 08:31:05 0 d-----w- c:\program files\LSI SoftModem
2009-11-25 08:28:23 0 d-----w- c:\docume~1\one\applic~1\Windows Desktop Search
2009-11-25 08:27:52 0 d-----w- c:\program files\Windows Desktop Search
2009-11-25 08:27:51 0 d-----w- c:\windows\system32\GroupPolicy
2009-11-25 08:27:08 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-11-25 08:27:08 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-11-25 08:27:08 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-11-25 08:25:12 0 d-----w- c:\windows\system32\URTTEMP
2009-11-25 07:57:01 0 d-----w- C:\c6aec361861e19beb1124d90c16492
2009-11-25 03:30:53 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-11-25 03:29:47 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-11-25 03:29:47 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-11-25 03:29:47 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-11-25 03:29:47 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-11-25 03:29:47 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-11-25 03:29:47 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-11-25 03:29:46 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-11-25 03:27:45 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-11-25 03:27:33 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-25 03:27:17 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-11-25 03:26:42 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-11-25 03:24:10 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-11-25 03:23:50 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-11-25 03:23:49 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-11-25 02:37:27 0 d-----w- c:\windows\system32\scripting
2009-11-25 02:37:25 0 d-----w- c:\windows\l2schemas
2009-11-25 02:37:24 0 d-----w- c:\windows\system32\en
2009-11-25 02:31:16 0 d-----w- c:\windows\network diagnostic
2009-11-25 02:20:58 5971 -c----w- c:\windows\system32\dllcache\events.js
2009-11-24 04:46:29 0 d-----w- c:\program files\Trend Micro
2009-11-24 04:31:50 12800 ----a-w- c:\windows\system32\bootdelete.exe
2009-11-24 04:24:20 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-11-24 04:24:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2009-11-24 04:24:02 0 d-----w- c:\program files\Hitman Pro 3.5
2009-11-23 05:17:54 0 d-----w- c:\docume~1\one\applic~1\OpenOffice.org
2009-11-23 04:45:49 0 d-----w- c:\program files\JRE
2009-11-23 04:45:41 0 d-----w- c:\program files\OpenOffice.org 3
2009-11-23 04:45:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-23 04:42:31 0 d-----w- c:\program files\OppenOffice
2009-11-21 08:02:07 240 ----a-w- c:\windows\Tablet5500x4000M.ini
2009-11-21 07:21:26 0 d-----w- c:\program files\PEN TABLET
2009-11-20 19:03:04 0 d-----w- C:\bc3adab9fc0fb7143b390e3569
2009-11-20 18:37:07 0 d-----w- c:\program files\Windows Installer Clean Up
2009-11-20 18:36:14 0 d-----w- c:\program files\MSECACHE
2009-11-15 08:52:04 14 ----a-w- c:\windows\system32\systeminfo.dll
2009-11-15 08:51:35 56832 ----a-w- c:\windows\system32\msdvbnp.ax
2009-11-15 08:51:35 363520 ----a-w- c:\windows\system32\psisdecd.dll
2009-11-15 08:51:35 33280 ----a-w- c:\windows\system32\psisrndr.ax
2009-11-15 08:51:35 1645320 ----a-w- c:\windows\system32\gdiplus.dll

==================== Find3M ====================

2009-11-26 03:41:33 171552 ----a-w- c:\windows\system32\guard32.dll
2009-11-26 03:41:26 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-11-25 08:29:39 110592 ----a-w- c:\windows\system32\services.exe
2009-11-18 00:56:04 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-10-27 06:46:02 125029 ----a-w- c:\windows\HPHins12.dat
2009-10-15 17:31:16 90112 ----a-w- c:\windows\DUMP4b03.tmp
2009-10-15 17:18:31 90112 ----a-w- c:\windows\DUMP4af3.tmp
2009-10-15 17:17:49 90112 ----a-w- c:\windows\DUMP4f29.tmp
2009-10-15 17:17:06 90112 ----a-w- c:\windows\DUMP4bb0.tmp
2009-10-15 17:16:23 90112 ----a-w- c:\windows\DUMP4b80.tmp
2009-10-15 17:15:40 90112 ----a-w- c:\windows\DUMP4b60.tmp
2009-10-15 17:05:09 90112 ----a-w- c:\windows\DUMP4baf.tmp
2009-10-15 17:04:26 90112 ----a-w- c:\windows\DUMP4c4b.tmp
2009-10-15 17:03:44 90112 ----a-w- c:\windows\DUMP4c2c.tmp
2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 22:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 22:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 22:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-26 06:07:02 462848 ----a-w- c:\windows\system32\tabcfg.exe
2009-09-25 05:56:32 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-24 04:12:30 56320 ----a-w- c:\windows\system32\UCMfg.exe
2009-09-24 01:57:48 30996 ----a-w- c:\windows\fonts\Harabara.ttf
2009-09-14 21:02:14 107188 ----a-w- c:\windows\fonts\tes_bold-¬.ttf
2009-09-12 02:10:04 200704 ----a-w- c:\windows\system32\WinTab32.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 21:07:00 50724 ----a-w- c:\windows\fonts\ficus.ttf
2009-09-05 19:59:56 60184 ----a-w- c:\windows\fonts\Musa.ttf
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll

============= FINISH: 14:37:33.45 ===============



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:15 PM, on 11/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\WTClient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - FBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - F99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] "AGRSMMSG.exe"
O4 - HKLM\..\Run: [SoundMan] "SOUNDMAN.EXE"
O4 - HKLM\..\Run: [AlcWzrd] "ALCWZRD.EXE"
O4 - HKLM\..\Run: [Alcmtr] "ALCMTR.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WTClient] WTClient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...k.cab102118.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 7148 bytes

Attached Files

  • Attached File  gmer.log   446.4KB   1 downloads


#4 Elise

Posted 30 November 2009 - 04:20 AM

Hello snkpc,

To be honest I don't see malware on your computer. Can you please tell me if your computer has any problems that make you think you have malware (redirects, strange errors, pop-ups)?

About the csrss.exe file: it's normal that there are 3 or 4 spare copies on your computer. This is done by Windows to ensure a bad copy of the file (if detected by the System File Checker) can be replaced by a legit copy. Usually those copies are found in (for example) c:\windows\system32\dllcache or in c:\windows\system32\i386. It's not uncommon to have a copy in software distribution subfolders or the like as well.

In your next reply, please include the following:
  • attach.txt (will be created when you run DDS).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
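One way to sanity-check the spare copies Elise describes, as an added example that is not from this thread or from BleepingComputer: the script treats the SFC dllcache, the service pack source and the Windows Update download folder as expected staging locations, hashes every copy against the one in System32, and flags any copy found elsewhere for Authenticode verification. It runs against a constructed directory tree; the file contents, the user folder and the PLACEHOLDER_HASH subfolder are all made up for the demo.

```python
# Added example (not from the thread): audit every copy of a protected system
# binary, here csrss.exe, below a drive root. Copies under the directories where
# Windows stages spare files are expected; any copy elsewhere is flagged for
# Authenticode verification. Runs offline against a constructed directory tree.
import hashlib
import tempfile
from pathlib import Path

BINARY = "csrss.exe"

# Locations, relative to the drive root, where Windows keeps spare copies of
# protected files: the three places the poster found csrss.exe plus the SFC
# cache. Lower-case, forward-slash form so matching ignores case and separator.
EXPECTED_STAGING = (
    "windows/system32",
    "windows/system32/dllcache",
    "windows/servicepackfiles/i386",
    "windows/softwaredistribution/download",
)

def sha256_of(path):
    """SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_expected_location(rel_dir):
    """True when rel_dir is a known staging directory or sits below one."""
    rel = rel_dir.replace("\\", "/").lower()
    return any(rel == d or rel.startswith(d + "/") for d in EXPECTED_STAGING)

def audit_copies(root, name=BINARY):
    """Describe every file called name below root, compared against the copy in
    WINDOWS\\system32, which is the image the live csrss.exe process runs from."""
    root = Path(root)
    reference = root / "WINDOWS" / "system32" / name
    ref_hash = sha256_of(reference) if reference.is_file() else None
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.name.lower() != name.lower():
            continue
        rel_dir = path.parent.relative_to(root).as_posix()
        digest = sha256_of(path)
        expected = is_expected_location(rel_dir)
        findings.append({
            "relative_dir": rel_dir,
            "size": path.stat().st_size,
            "sha256": digest,
            "expected_location": expected,
            "identical_to_system32": digest == ref_hash,
            # Staged copies may legitimately differ from System32 (an older
            # service pack build, say), so location alone drives the verdict;
            # hash equality is reported as supporting evidence only.
            "needs_verification": not expected,
        })
    return sorted(findings, key=lambda f: f["relative_dir"])

def build_fixture(root):
    """Constructed sample tree, not a real system: the four copies a Windows XP
    box typically holds plus one stray copy in a user temp folder."""
    root = Path(root)
    current = b"MZ constructed bytes standing in for the current csrss build"
    older = b"MZ constructed bytes standing in for the previous SP build"
    stray = b"MZ constructed bytes of a file that merely borrows the name"
    layout = {
        "WINDOWS/system32": current,
        "WINDOWS/system32/dllcache": current,
        "WINDOWS/ServicePackFiles/i386": older,
        "WINDOWS/SoftwareDistribution/Download/PLACEHOLDER_HASH": current,
        "Documents and Settings/user/Local Settings/Temp": stray,
    }
    for rel_dir, content in layout.items():
        target = root / rel_dir
        target.mkdir(parents=True, exist_ok=True)
        (target / BINARY).write_bytes(content)
    return root

def run_demo():
    """Build the fixture in a fresh temporary directory and audit it."""
    return audit_copies(build_fixture(tempfile.mkdtemp(prefix="csrss_audit_")))

if __name__ == "__main__":
    for f in run_demo():
        verdict = "VERIFY SIGNATURE" if f["needs_verification"] else "expected staging"
        print(f"{f['relative_dir']:<58} {f['size']:>3} B  "
              f"same-as-system32={str(f['identical_to_system32']):<5} {verdict}")
```

On a real machine, point audit_copies at the drive root and follow up each flagged path with a signature check; the four staged copies are the normal outcome Elise describes.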


#5 snkpc

Posted 30 November 2009 - 01:08 PM

hi Elise

Well, the only thing I see is this message every time I boot: "Cannot install this hardware: HID Non-User Input Data Filter, Fatal error during installation". This has to do with Windows Update; every time I try to reinstall I get the error. I'm wondering if that's due to some corrupted files in my system (malware). Other than that I think it's working fine... probably just paranoid :( Here is the attach log from DDS.

thanks :(


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-11-29.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 6/3/2009 4:39:49 PM
System Uptime: 11/29/2009 2:31:50 PM (0 hours ago)

Motherboard: Intel Corporation | | D915GRO
Processor: Intel® Pentium® 4 CPU 3.00GHz | J2E1 | 3000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 186 GiB total, 133.8 GiB free.
D: is CDROM (UDF)
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\1BE2DA132000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\1BE2DA132000
Service: NIC1394

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Serial
Device ID: ROOT\LEGACY_SERIAL\0000
Manufacturer:
Name: Serial
PNP Device ID: ROOT\LEGACY_SERIAL\0000
Service: Serial

==== System Restore Points ===================

RP225: 8/30/2009 5:52:43 PM - System Checkpoint
RP226: 8/31/2009 8:19:30 PM - System Checkpoint
RP227: 9/2/2009 2:26:08 PM - System Checkpoint
RP228: 9/2/2009 2:30:42 PM - Software Distribution Service 3.0
RP229: 9/3/2009 4:01:54 PM - System Checkpoint
RP230: 9/5/2009 2:10:09 AM - System Checkpoint
RP231: 9/6/2009 9:20:53 PM - System Checkpoint
RP232: 9/8/2009 2:29:31 PM - System Checkpoint
RP233: 9/9/2009 5:04:29 PM - System Checkpoint
RP234: 9/10/2009 9:47:31 PM - Unsigned driver install
RP235: 9/10/2009 10:59:48 PM - Software Distribution Service 3.0
RP236: 9/12/2009 5:02:02 PM - System Checkpoint
RP237: 9/13/2009 8:16:21 PM - System Checkpoint
RP238: 9/14/2009 8:35:50 PM - System Checkpoint
RP239: 9/14/2009 9:11:33 PM - Removed SPORE™
RP240: 9/16/2009 2:46:21 PM - System Checkpoint
RP241: 9/17/2009 3:14:10 PM - System Checkpoint
RP242: 9/19/2009 12:42:41 AM - System Checkpoint
RP243: 9/20/2009 1:24:13 AM - System Checkpoint
RP244: 9/21/2009 1:29:40 PM - System Checkpoint
RP245: 9/21/2009 7:38:07 PM - Installed SUPERAntiSpyware Free Edition
RP246: 9/22/2009 8:37:31 PM - System Checkpoint
RP247: 9/24/2009 3:42:47 AM - System Checkpoint
RP248: 9/25/2009 3:43:50 AM - System Checkpoint
RP249: 9/26/2009 5:09:51 AM - System Checkpoint
RP250: 9/27/2009 4:43:16 PM - System Checkpoint
RP251: 9/28/2009 6:06:12 PM - System Checkpoint
RP252: 9/29/2009 7:30:46 PM - System Checkpoint
RP253: 10/1/2009 12:45:24 PM - System Checkpoint
RP254: 10/2/2009 4:30:12 PM - System Checkpoint
RP255: 10/3/2009 5:05:11 PM - System Checkpoint
RP256: 10/3/2009 7:02:17 PM - Software Distribution Service 3.0
RP257: 10/4/2009 10:47:54 PM - System Checkpoint
RP258: 10/6/2009 10:53:14 AM - Avg8 Update
RP259: 10/7/2009 11:26:59 AM - Avg8 Update
RP260: 10/8/2009 11:48:43 AM - Avg8 Update
RP261: 10/9/2009 12:17:06 PM - System Checkpoint
RP262: 10/10/2009 12:17:13 PM - System Checkpoint
RP263: 10/11/2009 4:18:22 PM - System Checkpoint
RP264: 10/12/2009 4:38:28 PM - System Checkpoint
RP265: 10/13/2009 8:11:53 PM - Software Distribution Service 3.0
RP266: 10/14/2009 9:20:43 PM - System Checkpoint
RP267: 10/14/2009 10:07:00 PM - Removed AVG Free 8.5
RP268: 10/14/2009 10:12:15 PM - Removed AVG Free 8.5
RP269: 10/14/2009 10:13:56 PM - Installed AVG Free 8.5
RP270: 10/15/2009 9:55:06 AM - Software Distribution Service 3.0
RP271: 10/16/2009 12:45:35 AM - Software Distribution Service 3.0
RP272: 10/17/2009 3:54:44 PM - System Checkpoint
RP273: 10/18/2009 7:49:20 PM - System Checkpoint
RP274: 10/18/2009 9:35:33 PM - Software Distribution Service 3.0
RP275: 10/19/2009 10:31:13 PM - System Checkpoint
RP276: 10/20/2009 7:21:25 PM - Unsigned driver install
RP277: 10/21/2009 4:38:57 PM - Removed Microsoft ActiveSync
RP278: 10/22/2009 7:07:21 PM - System Checkpoint
RP279: 10/23/2009 10:49:53 PM - System Checkpoint
RP280: 10/26/2009 8:40:55 AM - System Checkpoint
RP281: 10/27/2009 6:08:25 PM - System Checkpoint
RP282: 10/28/2009 6:58:03 PM - System Checkpoint
RP283: 10/29/2009 7:03:40 PM - System Checkpoint
RP284: 10/30/2009 7:28:32 PM - System Checkpoint
RP285: 11/1/2009 12:33:11 PM - System Checkpoint
RP286: 11/2/2009 2:08:39 PM - System Checkpoint
RP287: 11/3/2009 2:25:12 PM - System Checkpoint
RP288: 11/4/2009 3:38:05 PM - System Checkpoint
RP289: 11/5/2009 9:16:20 PM - System Checkpoint
RP290: 11/7/2009 7:17:53 PM - System Checkpoint
RP291: 11/8/2009 8:09:20 PM - System Checkpoint
RP292: 11/9/2009 11:46:23 PM - System Checkpoint
RP293: 11/11/2009 12:06:55 PM - System Checkpoint
RP294: 11/11/2009 2:59:32 PM - Software Distribution Service 3.0
RP295: 11/12/2009 6:31:01 PM - System Checkpoint
RP296: 11/14/2009 12:17:31 PM - System Checkpoint
RP297: 11/15/2009 3:43:31 PM - System Checkpoint
RP298: 11/16/2009 10:08:53 PM - System Checkpoint
RP299: 11/18/2009 11:17:09 AM - System Checkpoint
RP300: 11/19/2009 12:07:32 PM - System Checkpoint
RP301: 11/20/2009 10:37:05 AM - Installed Windows Installer Clean Up
RP302: 11/21/2009 11:37:32 AM - System Checkpoint
RP303: 11/22/2009 8:44:00 PM - Removed Java™ 6 Update 11
RP304: 11/22/2009 8:45:00 PM - Installed Java™ 6 Update 16
RP305: 11/22/2009 8:45:35 PM - Installed OpenOffice.org 3.1
RP306: 11/23/2009 7:10:46 PM - Software Distribution Service 3.0
RP307: 11/24/2009 1:29:44 PM - Software Distribution Service 3.0
RP308: 11/24/2009 5:17:10 PM - Removed Microsoft IntelliPoint 6.2
RP309: 11/24/2009 6:22:44 PM - Software Distribution Service 3.0
RP310: 11/24/2009 7:56:33 PM - Software Distribution Service 3.0
RP311: 11/25/2009 12:24:37 AM - Software Distribution Service 3.0
RP312: 11/25/2009 1:09:44 AM - Software Distribution Service 3.0
RP313: 11/25/2009 9:51:46 AM - Software Distribution Service 3.0
RP314: 11/25/2009 1:18:54 PM - Software Distribution Service 3.0
RP315: 11/25/2009 7:43:16 PM - Software Distribution Service 3.0
RP316: 11/26/2009 12:10:53 AM - Software Distribution Service 3.0
RP317: 11/26/2009 10:20:39 AM - Software Distribution Service 3.0
RP318: 11/26/2009 12:02:47 PM - Software Distribution Service 3.0
RP319: 11/27/2009 10:32:28 AM - Software Distribution Service 3.0
RP320: 11/28/2009 4:40:07 PM - Software Distribution Service 3.0
RP321: 11/28/2009 11:05:21 PM - Installed Java™ 6 Update 17
RP322: 11/29/2009 1:39:49 PM - Software Distribution Service 3.0

==== Installed Programs ======================

µTorrent
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe After Effects CS3 Template Projects & Footage
Adobe After Effects CS3 Third Party Content
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Download Manager
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader 9.1.2
Adobe Setup
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Agere Systems PCI Soft Modem
AHV content for Acrobat and Flash
Apple Software Update
Autodesk 3ds Max 2009 32-bit
Autodesk Backburner 2008.1
avast! Antivirus
BufferChm
CCleaner
Choice Guard
COMODO Internet Security
DeviceManagementQFolder
FBX Plugin 2009.0 for Max 2009
FinalBurner Free v2.12.0.160
Full Tilt Poker
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
hph_software_req
Intel® Network Connections Drivers
Java™ 6 Update 17
LSI PCI Soft Modem
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office Home and Student 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.5)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6 Service Pack 2 (KB973686)
NVIDIA Drivers
OpenOffice.org 3.1
PDF Settings
QuickTime
Realtek High Definition Audio Driver
Requiem
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
SUPERAntiSpyware Free Edition
Toolbox
Trapcode 3DStroke
Trapcode Form
Trapcode Shine
Trapcode Starglow
Unlocker 1.8.5
Unreal Tournament 2004
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
V-Ray for 3dsmax 2009 for x86
VLC media player 1.0.0
WebFldrs XP
Winamp
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Media Format Runtime
Windows Presentation Foundation
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
XAMPP 1.6.5
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

11/23/2009 9:42:37 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
11/23/2009 9:41:58 PM, error: Service Control Manager [7034] - The mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit service terminated unexpectedly. It has done this 1 time(s).
11/23/2009 9:41:56 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
11/23/2009 8:06:40 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/23/2009 7:58:37 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024200d: Windows XP Service Pack 3 (KB936929).

==== End Of File ===========================

#6 Elise

Posted 30 November 2009 - 01:25 PM

Hello snkpc,

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


POKER WARNING
--------------------

Your logs show that you have been visiting online poker sites with applets installed on your computer. I know that you may use these programs on a regular basis, but I think it's important to note that often these kinds of programs are installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install these programs yourself on purpose.
There are so many online poker games out there these days that it is close to impossible to keep track of whether a program is infected or not. Should you have installed this online poker game on purpose and wish to continue using this, you may ignore this. Should you decide to uninstall the program, then you can do so by following the below steps:
  • Go to Start > Control Panel > Add or Remove Programs.
  • Remove the following poker programs (if they are present):
    Full Tilt Poker
If you are unsure of how to use Add or Remove Programs, then please see this tutorial.


Before we get to that hardware installer problem, I would like to know how you got SP3 for XP to install. I saw in your logs it caused some problems.
Can you also post me the error code you get when the hardware fails to install?

regards, Elise



#7 snkpc


Posted 01 December 2009 - 02:18 AM

Hello Elise. Done, I will uninstall uTorrent & Full Tilt Poker to avoid problems. Question..

It is pretty much certain that if you continue to use P2P programs, you will get infected again.

If you wish to keep it, please do not use it until your computer is cleaned.


So I am infected? What infection is it?

Please let me know what precautions I should take so I can have a completely cleaned PC.


Before we get to that hardware installer problem, I would like to know how you got SP3 for XP to install. I saw in your logs it caused some problems.
Can you also post me the error code you get when the hardware fails to install?


The first time I installed SP3 (probably some weeks after it was released) I did have a lot of problems: I couldn't connect to the internet, and well, that was the only problem visible at the moment, so I uninstalled it and was stuck with SP2. A couple of days ago I went to Windows Update on the Start menu and reinstalled; I had an error on the first attempt, and the second time it let me install and everything went well. The only visible changes are that now every time I boot Windows the welcome log-in screen appears and I have the indexing search icon in my system tray.

What kind of problems did SP3 cause?


As for the error, I really don't know what this could be. I have plugged in: mouse, speakers, and that's it; sometimes I do plug in a printer and a pen tablet.

HID Class
Cannot Install this hardware

There was a problem during the installation of this hardware

HID Non-User Input Data Filter

Fatal error during installation

Error Code: 0x80070643

thanks :(

#8 Elise

Posted 01 December 2009 - 03:04 AM

Hello snkpc,

So I am infected? What infection is it?

No, I don't see any sign of infection. The p2p warning contains that text as standard.

The error code you provided indicates there is a problem with Windows Installer. Let's try to fix it.
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program. Note - you might see an error message regarding Internet Explorer. Just ignore this and continue.
  • Place a checkmark in front of Repair Windows Installer.
  • Click on Go.
  • Exit/Close Dial-A-Fix.
On the next reboot, see if the hardware installs correctly.

Edited by elise025, 01 December 2009 - 03:05 AM.

regards, Elise



#9 snkpc

Posted 01 December 2009 - 02:45 PM

Hello Elise

Good to know there are no signs of infection.

As for the hardware problem, I did everything as instructed; sadly this hasn't changed anything, the same message appears. Should I also fix Windows Update? I haven't done it because I don't know if this can give me problems if I don't need to, but let me know.

thanks :(

#10 Elise

Posted 01 December 2009 - 03:11 PM

Yes, you can try to do that as well.

regards, Elise



#11 snkpc

Posted 01 December 2009 - 06:03 PM

Elise hi :)

Dial-a-fix didn't work for me, sadly to say, but I finally found out what the problem was: it was a file causing problems with my installation. In C:/windows/sys32/drivers/ the file name is wdf01000. I just deleted that file and reinstalled the HID class and it worked just fine, and I don't get that message anymore at boot up. Just in case you ever run into that problem on the forums.

thanks for all your help :) :(

if there isn't any other issue i should be taking care of you can close this thread :(

#12 Elise

Posted 02 December 2009 - 05:49 AM

Glad you found the problem, but you deleted a legit Microsoft file. You might encounter problems now with your .NET Framework-based application. If somehow you get an error, try uninstalling and re-downloading the application.

Although you were not infected, please consider the following information (just a heads up)...

Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise



#13 Elise

Posted 06 December 2009 - 08:07 AM

This topic is now closed.

If you are the original topic starter and you need this topic to be re-opened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise





