
iexplorer.exe eats my bandwidth! multiple instances open


  • This topic is locked
14 replies to this topic

#1 legacy9x

legacy9x

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:48 PM

Posted 11 April 2010 - 02:35 PM

My problem is that my computer has been running slow because I have multiple instances of iexplorer.exe running in the process manager for some reason.. Although I use internet explorer, even after I close it, the iexplorer.exe will stay open in process manager, and not just one instance of it, but multiple.. From 2-4.. Any help would be appreciated..

Thanks in advance..

Running windows xp LEGIT not cracked..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:35 PM, on 4/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/US/TechCon...scueControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1268096437062
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8952 bytes
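The HijackThis log above is the kind of listing a helper reads by eye. As an added example (not part of the thread, and not HijackThis's own code), the Python below parses that same layout and pulls out the three things worth checking first for this complaint: image names running more than once (the poster's several iexplore.exe processes; note that IE8 itself runs its frame and its tabs as separate iexplore.exe processes, so the count is a starting point, not a verdict), O2/O3 entries whose DLL is missing, and O4 autostart commands given as a bare file name, which Windows resolves through the search path rather than from a fixed location. The sample log is constructed from a few lines of the log in this post; the function names are the example's own.

```python
"""Triage a HijackThis v2 log (added example; not from the thread or from HijackThis).

Reads the "Running processes:" section and the R/F/N/O entries and reports:
  * image names running more than once (case-insensitive, since the log
    mixes System32 and system32),
  * O2 BHO / O3 toolbar entries whose DLL is gone ("(no file)"),
  * O4 autostart commands given as a bare file name, which Windows resolves
    through the search path rather than from a fixed location.
SAMPLE_LOG is constructed from a few lines of the log posted above.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:35 PM, on 4/11/2010

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
--
End of file - 8952 bytes
"""

ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")
NO_FILE_RE = re.compile(r"^O[23] - .* - \(no file\)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
QUOTED_RE = re.compile(r'^"([^"]*)"')


def split_sections(text):
    """Return (process_paths, entry_lines) from the text of a HijackThis log."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Running processes:"):
            in_processes = True
        elif in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False  # a blank line closes the section
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def process_counts(processes):
    """Instances per image name; the log writes the same directory in two cases."""
    return Counter(path.rsplit("\\", 1)[-1].lower() for path in processes)


def orphan_bho_toolbar(entries):
    """O2/O3 entries whose CLSID is still registered but whose DLL is missing."""
    return [e for e in entries if NO_FILE_RE.match(e)]


def pathless_autostarts(entries):
    """O4 entries whose command names the executable without any directory."""
    hits = []
    for e in entries:
        m = O4_RE.match(e)
        if not m or not m["cmd"].strip():
            continue
        cmd = m["cmd"].strip()
        # A quoted command's executable is the text inside the first quote pair.
        quoted = QUOTED_RE.match(cmd)
        exe = quoted.group(1) if quoted else cmd.split()[0]
        if "\\" not in exe and not exe.startswith("%"):
            hits.append((m["name"], exe))
    return hits


def triage(text):
    """Run all three checks and return them as one dictionary."""
    processes, entries = split_sections(text)
    counts = process_counts(processes)
    return {
        "multi_instance": {name: n for name, n in counts.items() if n > 1},
        "orphan_bho_toolbar": orphan_bho_toolbar(entries),
        "pathless_autostart": pathless_autostarts(entries),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(check)
        items = result.items() if isinstance(result, dict) else result
        for item in items:
            print("   ", item)
```

Run against the full log in this post, the same checks also surface the `RUNDLL32.EXE` and `nwiz.exe` entries as search-path-resolved commands; none of the three checks is a verdict on its own, they only order what to look at first.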



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:48 AM

Posted 14 April 2010 - 01:42 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 legacy9x

legacy9x
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:48 PM

Posted 18 April 2010 - 02:54 PM

Ok... Again, my problem is that iexplorer.exe opens up in the process manager.. But not only one instance.. but multiple.. from 3-5 which eat up all my memory and slum up my machine, making it freeze and react slowly..
I have run scans with ESET, ADWARE, and online trendmicro..

This is my DDS log


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 12:09:01.42 on Sun 04/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.464 [GMT -5:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://srch-us9.hpwis.com/
uDefault_Page_URL = hxxp://us9.hpwis.com/
uDefault_Search_URL = hxxp://srch-us9.hpwis.com/
uSearch Bar = hxxp://srch-us9.hpwis.com/
mSearch Bar = hxxp://srch-us9.hpwis.com/
uInternet Settings,ProxyOverride = localhost
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} -
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BackupNotify] c:\program files\hewlett-packard\digital imaging\bin\backupnotify.exe
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/US/TechConsole/x86/RescueControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268096437062
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [2010-3-7 902432]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-11 108792]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2010-3-7 2326920]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-9-11 735960]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-3-8 47640]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-3-7 159168]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-3-7 18544]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-04-11 20:05:40 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-04-11 20:05:39 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-04-11 19:32:07 0 d-----w- c:\program files\Trend Micro
2010-04-11 18:50:10 0 d-----w- c:\windows\pss
2010-04-10 09:22:37 110 ----a-w- c:\windows\GMouse.ini
2010-04-10 09:07:03 0 d-----w- C:\GMouse20
2010-04-10 09:06:47 283648 ----a-w- c:\windows\uninst.exe
2010-04-05 00:49:39 0 d-----w- c:\program files\common files\Blizzard Entertainment
2010-04-04 23:52:34 18598 ----a-w- c:\windows\DIIUnin.dat
2010-04-04 23:52:31 2829 ----a-w- c:\windows\DIIUnin.pif
2010-04-04 23:52:30 94208 ----a-w- c:\windows\DIIUnin.exe
2010-04-04 23:41:37 0 d-----w- c:\program files\Diablo II
2010-04-04 23:16:02 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-04 03:03:00 0 d-----w- c:\docume~1\owner\applic~1\LimeWire
2010-04-04 03:01:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-04 03:01:54 410984 ----a-w- c:\windows\system32\deploytk.dll
2010-04-04 03:00:11 0 d-----w- c:\program files\LimeWire
2010-04-03 05:20:45 692 ----a-w- c:\documents and settings\owner\.plugin141_02.trace
2010-04-03 05:20:45 0 d-----w- c:\documents and settings\owner\.jpi_cache
2010-04-03 05:20:45 0 d-----w- c:\documents and settings\owner\.java
2010-04-02 01:53:56 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-04-02 01:47:50 0 d-----w- c:\windows\SHELLNEW
2010-03-25 13:50:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Messenger Plus!
2010-03-25 13:50:25 0 d-----w- c:\program files\Messenger Plus! Live

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 22:41:24 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-03-07 22:41:20 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-03-07 06:49:50 159168 ----a-w- c:\windows\system32\drivers\afcdp.sys
2010-03-07 06:49:29 902432 ----a-w- c:\windows\system32\drivers\tdrpm251.sys
2010-03-07 06:49:25 570016 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-03-07 06:49:04 157248 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-03-07 06:37:31 4182 --sha-r- c:\windows\system32\drivers\HP_DN006A-ABA a306x_YC_Pavi_QMXM339_E34NAheBLU2_4_IMS-6577_SMICRO-STAR INTERNATIONAL CO., LTD_V020_B3.25_T030923_WXH1_L409_M1016_J38_7Intel_8Celeron_92.6_1103300F2_N10EC8139_P_Z_K_A808624C5_U808624C2_G80862562_O_DIN-KCH-.MRK
2010-03-07 06:27:12 165889 ----a-w- c:\windows\hpoins44.dat
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 14:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-01-25 16:58:06 462848 ----a-w- c:\windows\system32\ractrlkeyhook.dll
2003-12-04 05:08:08 0 --sha-w- c:\windows\sminst\HPCD.SYS

============= FINISH: 12:09:49.23 ===============

I already followed all your steps, ran all the scans and everything.. Thanks and hopefully you can help me. Thanks


#4 legacy9x

legacy9x
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:48 PM

Posted 18 April 2010 - 03:05 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-18 14:48:39
Windows 5.1.2600 Service Pack 3
Running: 0q5q91yb.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwddqfob.sys


---- System - GMER 1.0.15 ----

SSDT 859AE580 ZwAssignProcessToJobObject
SSDT 859AF100 ZwDebugActiveProcess
SSDT 859AEB30 ZwDuplicateObject
SSDT 859ADCC0 ZwOpenProcess
SSDT 859ADFC0 ZwOpenThread
SSDT 859AE9C0 ZwProtectVirtualMemory
SSDT 859AE860 ZwSetContextThread
SSDT 859AE6E0 ZwSetInformationThread
SSDT 859AB700 ZwSetSecurityObject
SSDT 859AE420 ZwSuspendProcess
SSDT 859AE2C0 ZwSuspendThread
SSDT 859ADE50 ZwTerminateProcess
SSDT 859AE150 ZwTerminateThread
SSDT 859AEF50 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 270 804E28DC 4 Bytes JMP 317AAE7B
.text ntoskrnl.exe!_abnormal_termination + 3A0 804E2A0C 4 Bytes CALL 51ACAFAB
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF7817358]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[240] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[240] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[240] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[240] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[240] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[240] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[240] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[240] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[240] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1076] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\PeerBlock\peerblock.exe[2272] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 004510E0 C:\Program Files\PeerBlock\peerblock.exe (PeerBlock/PeerBlock, LLC)
.text C:\Program Files\Internet Explorer\iexplore.exe[2340] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2340] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2340] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2340] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2340] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2340] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2340] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2340] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2340] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2340] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2340] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2340] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2340] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2340] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[2616] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[2340] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Forgot to post the GMER logs..

#5 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 18 April 2010 - 04:31 PM

Please download and run Process Explorer

If Process Explorer won't execute, rename it iexplore.exe

Under File and Save As, create a log and post here

Copy and paste the log into your next reply
m0le is a proud member of UNITE

#6 legacy9x (Topic Starter, Members, 11 posts)

Posted 18 April 2010 - 04:45 PM

Process PID CPU Private Bytes Working Set Description Company Name
System Idle Process 0 67.53 0 K 16 K
Interrupts n/a 0 K 0 K Hardware Interrupts
DPCs n/a 2.60 0 K 0 K Deferred Procedure Calls
System 4 2.60 0 K 236 K
smss.exe 1392 168 K 888 K Windows NT Session Manager Microsoft Corporation
csrss.exe 1604 1.30 1,828 K 7,256 K Client Server Runtime Process Microsoft Corporation
winlogon.exe 1632 1.30 5,920 K 18,836 K Windows NT Logon Application Microsoft Corporation
services.exe 1676 2.60 4,612 K 11,464 K Services and Controller app Microsoft Corporation
svchost.exe 1848 3,208 K 19,076 K Generic Host Process for Win32 Services Microsoft Corporation
hpqgpc01.exe 2892 2,604 K 8,160 K GPCore COM object Hewlett-Packard
hpqste08.exe 3804 5,768 K 10,600 K HP CUE Status Root Hewlett-Packard Co.
hpqbam08.exe 3076 980 K 4,340 K HP CUE Alert Popup Window Objects Hewlett-Packard Co.
wlcomm.exe 3608 14,892 K 19,396 K Windows Live Communications Platform Microsoft Corporation
hpswp_clipbook.exe 3720 2,352 K 4,184 K HP Smart Web Printing add-on for Internet Explorer Hewlett-Packard Co.
svchost.exe 1944 1,960 K 17,712 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 356 23,416 K 44,800 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 536 1,808 K 17,140 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 676 4,772 K 22,160 K Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1212 9,256 K 26,676 K Spooler SubSystem App Microsoft Corporation
svchost.exe 596 1,332 K 17,692 K Generic Host Process for Win32 Services Microsoft Corporation
schedul2.exe 632 1,000 K 15,972 K Acronis Scheduler 2 Acronis
afcdpsrv.exe 560 1,048 K 16,724 K File Level CDP Manager Service Acronis
ekrn.exe 1076 54,076 K 69,564 K ESET Service ESET
svchost.exe 1284 3,812 K 20,064 K Generic Host Process for Win32 Services Microsoft Corporation
jqs.exe 1308 2,332 K 1,396 K Java™ Quick Starter Service Sun Microsystems, Inc.
ramaint.exe 1364 1,244 K 18,720 K LogMeIn Maintenance Service LogMeIn, Inc.
LogMeIn.exe 2184 11,908 K 26,504 K LogMeIn LogMeIn, Inc.
LMIGuardian.exe 2288 800 K 16,152 K LMIGuardian LogMeIn, Inc.
svchost.exe 2328 1,000 K 16,276 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 2436 1,084 K 16,452 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 2508 2,704 K 18,016 K Generic Host Process for Win32 Services Microsoft Corporation
alg.exe 1436 1,136 K 16,608 K Application Layer Gateway Service Microsoft Corporation
svchost.exe 1736 1,492 K 17,252 K Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 1688 5,008 K 21,824 K LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1080 26,052 K 12,612 K Windows Explorer Microsoft Corporation
hpsysdrv.exe 1528 544 K 6,248 K hpsysdrv Hewlett-Packard Company
hkcmd.exe 1536 1,644 K 16,124 K hkcmd Module Intel Corporation
kbd.exe 1544 11,940 K 26,172 K KBD EXE Hewlett-Packard Company
shwicon2k.exe 1584 716 K 15,460 K Sunkist Alcor Micro, Corp.
egui.exe 1876 6,984 K 2,988 K ESET GUI ESET
TrueImageMonitor.exe 1884 7,092 K 20,124 K Acronis True Image Monitor Acronis
schedhlp.exe 1896 832 K 15,792 K Acronis Scheduler Helper Acronis
ALCXMNTR.EXE 1856 2,056 K 16,688 K Realtek Audio - Event Monitor Realtek Semiconductor Corp.
igfxtray.exe 1724 1,932 K 17,428 K igfxTray Module Intel Corporation
LogMeInSystray.exe 1996 2,484 K 18,760 K LogMeIn Desktop Application LogMeIn, Inc.
LMIGuardian.exe 2044 808 K 16,172 K LMIGuardian LogMeIn, Inc.
jusched.exe 2012 780 K 16,248 K Java™ Platform SE binary Sun Microsystems, Inc.
RocketDock.exe 324 2,844 K 20,888 K
ctfmon.exe 340 1,652 K 18,032 K CTF Loader Microsoft Corporation
iexplore.exe 240 11,120 K 1,452 K Internet Explorer Microsoft Corporation
iexplore.exe 2340 23,548 K 46,680 K Internet Explorer Microsoft Corporation
iexplore.exe 1000 21,624 K 26,612 K Internet Explorer Microsoft Corporation
iexplore.exe 2152 25,992 K 35,144 K Internet Explorer Microsoft Corporation
iexplore.exe 2260 40,676 K 48,108 K Internet Explorer Microsoft Corporation
iexplore.exe 2552 45,560 K 54,796 K Internet Explorer Microsoft Corporation
iexplore.exe 292 7,444 K 11,112 K Internet Explorer Microsoft Corporation
iexplore.exe 316 36,712 K 47,408 K Internet Explorer Microsoft Corporation
msnmsgr.exe 2932 23,268 K 19,284 K Windows Live Messenger Microsoft Corporation
msnmsgr.exe 3504 18,124 K 19,824 K Windows Live Messenger Microsoft Corporation
iexplore.exe 2848 4,880 K 12,428 K Internet Explorer Microsoft Corporation
iexplore.exe 3464 21,484 K 26,748 K Internet Explorer Microsoft Corporation
procexp.exe 4196 22.08 15,316 K 20,916 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com


Here we go, thanks!

#7 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 18 April 2010 - 04:47 PM

QUOTE
iexplore.exe 240 11,120 K 1,452 K Internet Explorer Microsoft Corporation
iexplore.exe 2340 23,548 K 46,680 K Internet Explorer Microsoft Corporation
iexplore.exe 1000 21,624 K 26,612 K Internet Explorer Microsoft Corporation
iexplore.exe 2152 25,992 K 35,144 K Internet Explorer Microsoft Corporation
iexplore.exe 2260 40,676 K 48,108 K Internet Explorer Microsoft Corporation
iexplore.exe 2552 45,560 K 54,796 K Internet Explorer Microsoft Corporation
iexplore.exe 292 7,444 K 11,112 K Internet Explorer Microsoft Corporation
iexplore.exe 316 36,712 K 47,408 K Internet Explorer Microsoft Corporation
iexplore.exe 2848 4,880 K 12,428 K Internet Explorer Microsoft Corporation
iexplore.exe 3464 21,484 K 26,748 K Internet Explorer Microsoft Corporation


How many tabs did you have open when this was run?

#8 legacy9x (Topic Starter, Members, 11 posts)

Posted 18 April 2010 - 04:54 PM

Funny part is that I only had this tab.. Look, I will close all tabs and rerun that, then repost it.. OK? Give me one minute.

#9 legacy9x (Topic Starter, Members, 11 posts)

Posted 18 April 2010 - 04:56 PM

Process PID CPU Private Bytes Working Set Description Company Name
System Idle Process 0 79.10 0 K 16 K
Interrupts n/a 0 K 0 K Hardware Interrupts
DPCs n/a 1.49 0 K 0 K Deferred Procedure Calls
System 4 0 K 236 K
smss.exe 1392 168 K 888 K Windows NT Session Manager Microsoft Corporation
csrss.exe 1604 1,836 K 7,180 K Client Server Runtime Process Microsoft Corporation
winlogon.exe 1632 5,920 K 18,836 K Windows NT Logon Application Microsoft Corporation
services.exe 1676 4.48 4,612 K 11,452 K Services and Controller app Microsoft Corporation
svchost.exe 1848 3,216 K 19,084 K Generic Host Process for Win32 Services Microsoft Corporation
hpqgpc01.exe 2892 2,604 K 8,160 K GPCore COM object Hewlett-Packard
hpqste08.exe 3804 5,768 K 10,600 K HP CUE Status Root Hewlett-Packard Co.
hpqbam08.exe 3076 980 K 4,340 K HP CUE Alert Popup Window Objects Hewlett-Packard Co.
wlcomm.exe 2240 21,212 K 30,308 K Windows Live Communications Platform Microsoft Corporation
svchost.exe 1944 2,012 K 17,740 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 356 23,436 K 44,788 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 536 1,804 K 17,140 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 676 4,772 K 22,160 K Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1212 9,176 K 26,652 K Spooler SubSystem App Microsoft Corporation
svchost.exe 596 1,308 K 17,684 K Generic Host Process for Win32 Services Microsoft Corporation
schedul2.exe 632 1,000 K 15,972 K Acronis Scheduler 2 Acronis
afcdpsrv.exe 560 1,048 K 16,724 K File Level CDP Manager Service Acronis
ekrn.exe 1076 54,188 K 69,668 K ESET Service ESET
svchost.exe 1284 3,764 K 20,048 K Generic Host Process for Win32 Services Microsoft Corporation
jqs.exe 1308 2,332 K 1,780 K Java™ Quick Starter Service Sun Microsystems, Inc.
ramaint.exe 1364 1,244 K 18,720 K LogMeIn Maintenance Service LogMeIn, Inc.
LogMeIn.exe 2184 11,908 K 26,504 K LogMeIn LogMeIn, Inc.
LMIGuardian.exe 2288 800 K 16,152 K LMIGuardian LogMeIn, Inc.
svchost.exe 2328 1,000 K 16,276 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 2436 1,084 K 16,452 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 2508 2,704 K 18,016 K Generic Host Process for Win32 Services Microsoft Corporation
alg.exe 1436 1,136 K 16,608 K Application Layer Gateway Service Microsoft Corporation
svchost.exe 1736 1,492 K 17,252 K Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 1688 5,056 K 21,824 K LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1080 26,116 K 13,156 K Windows Explorer Microsoft Corporation
hpsysdrv.exe 1528 544 K 6,248 K hpsysdrv Hewlett-Packard Company
hkcmd.exe 1536 1,644 K 16,124 K hkcmd Module Intel Corporation
kbd.exe 1544 11,940 K 26,172 K KBD EXE Hewlett-Packard Company
shwicon2k.exe 1584 716 K 15,460 K Sunkist Alcor Micro, Corp.
egui.exe 1876 6,984 K 3,004 K ESET GUI ESET
TrueImageMonitor.exe 1884 7,092 K 20,124 K Acronis True Image Monitor Acronis
schedhlp.exe 1896 832 K 15,792 K Acronis Scheduler Helper Acronis
ALCXMNTR.EXE 1856 2,056 K 16,688 K Realtek Audio - Event Monitor Realtek Semiconductor Corp.
igfxtray.exe 1724 1,932 K 17,428 K igfxTray Module Intel Corporation
LogMeInSystray.exe 1996 2,484 K 18,760 K LogMeIn Desktop Application LogMeIn, Inc.
LMIGuardian.exe 2044 808 K 16,172 K LMIGuardian LogMeIn, Inc.
jusched.exe 2012 780 K 16,248 K Java™ Platform SE binary Sun Microsystems, Inc.
RocketDock.exe 324 2,820 K 20,868 K
ctfmon.exe 340 1,652 K 18,016 K CTF Loader Microsoft Corporation
iexplore.exe 240 9,904 K 12,516 K Internet Explorer Microsoft Corporation
iexplore.exe 2340 23,548 K 46,680 K Internet Explorer Microsoft Corporation
iexplore.exe 1000 21,624 K 26,612 K Internet Explorer Microsoft Corporation
iexplore.exe 2152 25,992 K 35,152 K Internet Explorer Microsoft Corporation
iexplore.exe 3580 33,552 K 44,656 K Internet Explorer Microsoft Corporation
iexplore.exe 292 7,444 K 11,112 K Internet Explorer Microsoft Corporation
iexplore.exe 316 36,712 K 47,408 K Internet Explorer Microsoft Corporation
msnmsgr.exe 3188 39,556 K 24,804 K Windows Live Messenger Microsoft Corporation
WinRAR.exe 2144 7,680 K 9,864 K WinRAR archiver Alexander Roshal
procexp.exe 2272 14.93 13,968 K 5,924 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com
iexplore.exe 2848 4,880 K 12,428 K Internet Explorer Microsoft Corporation
iexplore.exe 3464 21,484 K 26,748 K Internet Explorer Microsoft Corporation



I had zero Internet Explorers open, that's why I came here for help! lol.. Thanks, appreciate you taking your time to help.
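A note on the listing above, as an editorial addition rather than anything posted in the thread: the process name shown is the genuine iexplore.exe (the "iexplorer.exe" in the topic title is a misspelling), and the GMER section earlier places it in the standard C:\Program Files\Internet Explorer directory. What the Process Explorer text export does not carry are the two fields that would actually answer m0le's question about tabs: each process's parent and its command line. IE8 runs one frame process per window and starts a separate tab process for each tab with a command line of the form `"...\iexplore.exe" SCODEF:<frame PID> CREDAT:<n>`, so a tab process whose frame process has already exited is exactly the kind of leftover this thread is about. The script below is an added example written for this page, not code from the thread, from Sysinternals or from Microsoft. It assumes PowerShell 2.0 or later on the affected machine, and it assumes a default 32-bit install so that the expected path can be derived from %ProgramFiles%.

```powershell
# Added triage script (not from the thread). Assumes PowerShell 2.0+ on the affected box.
# Expected location of the real binary on a default 32-bit install (assumption).
$expectedPath = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

# Win32_Process exposes ParentProcessId and CommandLine, which the Process Explorer
# text export in the thread does not carry.
$all   = @(Get-WmiObject Win32_Process)
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
$ieProcs = @($all | Where-Object { $_.Name -ieq 'iexplore.exe' })

$report = foreach ($p in $ieProcs) {
    $findings = @()

    # 1. Same name from a different directory is the classic masquerade: compare the on-disk path.
    if ($p.ExecutablePath -and ($p.ExecutablePath -ine $expectedPath)) {
        $findings += "unexpected path: $($p.ExecutablePath)"
    }

    # 2. The real binary carries a valid Microsoft Authenticode signature.
    if ($p.ExecutablePath) {
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid') {
            $findings += "signature status: $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "signed by: $($sig.SignerCertificate.Subject)"
        }
    }

    # 3. Frame or tab? IE8 starts tab processes with 'SCODEF:<framePid> CREDAT:<n>'.
    #    A tab whose frame PID no longer exists is an orphan left behind by a closed window.
    $role = 'frame'
    if ($p.CommandLine -match 'SCODEF:(\d+)') {
        $role = 'tab'
        $framePid = [int]$Matches[1]
        if (-not $byPid.ContainsKey($framePid)) {
            $findings += "orphaned tab: frame PID $framePid has exited"
        } elseif ($byPid[$framePid].Name -ine 'iexplore.exe') {
            $findings += "SCODEF points at $($byPid[$framePid].Name), not iexplore.exe"
        }
    }

    # 4. Who launched it? Tabs are started by the frame process; anything else deserves a look.
    $parentPid  = [int]$p.ParentProcessId
    $parentName = if ($byPid.ContainsKey($parentPid)) { $byPid[$parentPid].Name } else { '<exited>' }
    if ($role -eq 'tab' -and $parentName -ine 'iexplore.exe') {
        $findings += "tab started by $parentName"
    }

    New-Object PSObject -Property @{
        PID      = [int]$p.ProcessId
        Role     = $role
        Parent   = "$parentName ($parentPid)"
        Path     = $p.ExecutablePath
        Findings = ($findings -join '; ')
    }
}

$report | Sort-Object Role, PID | Format-Table PID, Role, Parent, Findings -AutoSize
```

Run it from an elevated PowerShell prompt while the stray processes are present. An empty Findings column for every row means the processes are genuine IE images started by IE itself; rows marked "orphaned tab" are the ones to kill (or to reproduce for a bug report), and any row with a path or signature finding is where a malware investigation would start instead.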

#10 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 18 April 2010 - 05:09 PM

Let's have a more detailed look at this:

Download Autoruns

http://download.sysinternals.com/Files/Autoruns.zip
  1. Extract the Autoruns Zip file contents to a folder.
  2. Double-click the "Autoruns.exe".
  3. Go to Options and click Hide Microsoft and Windows Entries
  4. Close Autoruns and reopen it
  5. Click on the Everything tab
  6. Go to File then Export and click on Save.
  7. Close Autoruns and open Autoruns.txt (this file will be in the same folder). Copy and paste the contents in this thread..


#11 legacy9x (Topic Starter, Members, 11 posts)

Posted 18 April 2010 - 05:27 PM

It has no Export option under File; I am running autoruns.exe as you said. It only has Find, Open, Save..
I clicked Save and saved it as .txt


"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "Acronis Scheduler2 Service" "Acronis Scheduler Helper" "Acronis" "c:\program files\common files\acronis\schedule2\schedhlp.exe"
+ "AlcxMonitor" "Realtek Audio - Event Monitor" "Realtek Semiconductor Corp." "c:\windows\alcxmntr.exe"
+ "egui" "ESET GUI" "ESET" "c:\program files\eset\eset smart security\egui.exe"
+ "HotKeysCmds" "hkcmd Module" "Intel Corporation" "c:\windows\system32\hkcmd.exe"
+ "hpsysdrv" "hpsysdrv" "Hewlett-Packard Company" "c:\windows\system\hpsysdrv.exe"
+ "IgfxTray" "igfxTray Module" "Intel Corporation" "c:\windows\system32\igfxtray.exe"
+ "KBD" "KBD EXE" "Hewlett-Packard Company" "c:\hp\kbd\kbd.exe"
+ "LogMeIn GUI" "LogMeIn Desktop Application" "LogMeIn, Inc." "c:\program files\logmein\x86\logmeinsystray.exe"
+ "NvCplDaemon" "NVIDIA Display Properties Extension" "NVIDIA Corporation" "c:\windows\system32\nvcpl.dll"
+ "nwiz" "NVIDIA nView Wizard, Version 44.03 " "NVIDIA Corporation" "c:\windows\system32\nwiz.exe"
+ "PS2" "PS2 EXE" "Hewlett-Packard Company" "c:\windows\system32\ps2.exe"
+ "Recguard" "Recguard MFC Application" "" "c:\windows\sminst\recguard.exe"
+ "SunJavaUpdateSched" "Java™ Platform SE binary" "Sun Microsystems, Inc." "c:\program files\java\jre6\bin\jusched.exe"
+ "Sunkist2k" "Sunkist" "Alcor Micro, Corp." "c:\program files\multimedia card reader\shwicon2k.exe"
+ "TrueImageMonitor.exe" "Acronis True Image Monitor" "Acronis" "c:\program files\acronis\trueimagehome\trueimagemonitor.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "BackupNotify" "" "" "File not found: c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe"
+ "NVIEW" "NVIDIA nView Desktop and Window Manager 44.03 " "NVIDIA Corporation" "c:\windows\system32\nview.dll"
+ "RocketDock" "" "" "c:\program files\rocketdock\rocketdock.exe"
"HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components" "" "" ""
+ "0" "" "" "File not found: About:Home"
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers" "" "" ""
+ "Acronis True Image Shell Context Menu Extension" "Acronis True Image Shell Extensions" "Acronis" "c:\program files\acronis\trueimagehome\tishell.dll"
+ "ESET Smart Security - Context Menu Shell Extension" "Shell Extension" "ESET" "c:\program files\eset\eset smart security\shellext.dll"
+ "WinRAR" "" "" "c:\program files\winrar\rarext.dll"
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers" "" "" ""
+ "WinRAR" "" "" "c:\program files\winrar\rarext.dll"
"HKLM\Software\Classes\Directory\Shellex\DragDropHandlers" "" "" ""
+ "WinRAR" "" "" "c:\program files\winrar\rarext.dll"
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers" "" "" ""
+ "Acronis True Image Shell Context Menu Extension" "Acronis True Image Shell Extensions" "Acronis" "c:\program files\acronis\trueimagehome\tishell.dll"
+ "ESET Smart Security - Context Menu Shell Extension" "Shell Extension" "ESET" "c:\program files\eset\eset smart security\shellext.dll"
+ "WinRAR" "" "" "c:\program files\winrar\rarext.dll"
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers" "" "" ""
+ "igfxcui" "igfxpph Module" "Intel Corporation" "c:\windows\system32\igfxpph.dll"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" "" "" ""
+ "Acronis True Image Shell Context Menu Extension" "Acronis True Image Shell Extensions" "Acronis" "c:\program files\acronis\trueimagehome\tishell.dll"
+ "Acronis True Image Shell Extension" "Acronis True Image Shell Extensions" "Acronis" "c:\program files\acronis\trueimagehome\tishell.dll"
+ "Desktop Explorer" "NVIDIA Desktop Explorer, Version 44.03 " "NVIDIA Corporation" "c:\windows\system32\nvshell.dll"
+ "Desktop Explorer Menu" "NVIDIA Desktop Explorer, Version 44.03 " "NVIDIA Corporation" "c:\windows\system32\nvshell.dll"
+ "Display Panning CPL Extension" "" "" "File not found: deskpan.dll"
+ "ESET Smart Security - Context Menu Shell Extension" "Shell Extension" "ESET" "c:\program files\eset\eset smart security\shellext.dll"
+ "HyperTerminal Icon Ext" "HyperTerminal Applet Library" "Hilgraeve, Inc." "c:\windows\system32\hticons.dll"
+ "SampleView" "ShellvRTF" "XSS" "c:\windows\system32\shellvrtf.dll"
+ "WinRAR shell extension" "" "" "c:\program files\winrar\rarext.dll"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" "" "" ""
+ "AcroIEHlprObj Class" "Adobe Acrobat IE Helper Version 6.0 for ActivieX" "Adobe Systems Incorporated" "c:\program files\adobe\acrobat 6.0\reader\activex\acroiehelper.dll"
+ "HP Print Enhancer" "HP Smart Web Printing add-on for Internet Explorer" "Hewlett-Packard Co." "c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll"
+ "HP Smart BHO Class" "HP Smart Web Printing add-on for Internet Explorer" "Hewlett-Packard Co." "c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll"
+ "Java™ Plug-In 2 SSV Helper" "Java™ Platform SE binary" "Sun Microsystems, Inc." "c:\program files\java\jre6\bin\jp2ssv.dll"
+ "Java™ Plug-In SSV Helper" "Java™ Platform SE binary" "Sun Microsystems, Inc." "c:\program files\java\jre6\bin\ssv.dll"
+ "JQSIEStartDetectorImpl Class" "Java™ Quick Starter binary" "Sun Microsystems, Inc." "c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "AcrSch2Svc" "Task scheduling for Acronis applications." "Acronis" "c:\program files\common files\acronis\schedule2\schedul2.exe"
+ "afcdpsrv" "Provides nonstop backup for partitions of the computer" "Acronis" "c:\program files\common files\acronis\cdp\afcdpsrv.exe"
+ "AppMgmt" "Provides software installation services such as Assign, Publish, and Remove." "" "File not found: C:\WINDOWS\System32\appmgmts.dll"
+ "EhttpSrv" "ESET HTTP Server" "ESET" "c:\program files\eset\eset smart security\ehttpsrv.exe"
+ "ekrn" "ESET Service" "ESET" "c:\program files\eset\eset smart security\ekrn.exe"
+ "hpqcxs08" "HP CUE Context Manager Objects" "Hewlett-Packard Co." "c:\program files\hp\digital imaging\bin\hpqcxs08.dll"
+ "hpqddsvc" "This service detects and monitors CUE devices on the system." "Hewlett-Packard Co." "c:\program files\hp\digital imaging\bin\hpqddsvc.dll"
+ "JavaQuickStarterService" "Prefetches JRE files for faster startup of Java applets and applications" "Sun Microsystems, Inc." "c:\program files\java\jre6\bin\jqs.exe"
+ "LMIMaint" "LogMeIn Maintenance Service" "LogMeIn, Inc." "c:\program files\logmein\x86\ramaint.exe"
+ "LogMeIn" "LogMeIn" "LogMeIn, Inc." "c:\program files\logmein\x86\logmein.exe"
+ "Net Driver HPZ12" "Dot4Net Module" "Hewlett-Packard" "c:\windows\system32\hpzinw12.dll"
+ "NVSvc" "NVIDIA Driver Helper Service, Version 44.03" "NVIDIA Corporation" "c:\windows\system32\nvsvc32.exe"
+ "Pml Driver HPZ12" "PmlDrv Module" "Hewlett-Packard" "c:\windows\system32\hpzipm12.dll"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "afcdp" "Acronis File Level CDP Helper" "Acronis" "c:\windows\system32\drivers\afcdp.sys"
+ "AFS2K" "Audio File System" "Oak Technology Inc." "c:\windows\system32\drivers\afs2k.sys"
+ "ALCXWDM" "Realtek AC'97 Audio Driver (WDM)" "Realtek Semiconductor Corp." "c:\windows\system32\drivers\alcxwdm.sys"
+ "Changer" "" "" "File not found: C:\WINDOWS\System32\Drivers\Changer.sys"
+ "eamon" "Eset file on-access scanner" "ESET" "c:\windows\system32\drivers\eamon.sys"
+ "ehdrv" "Eset Helper driver" "ESET" "c:\windows\system32\drivers\ehdrv.sys"
+ "epfw" "EPFW Filter Driver" "ESET" "c:\windows\system32\drivers\epfw.sys"
+ "Epfwndis" "ESET Personal Firewall NDIS filter" "ESET" "c:\windows\system32\drivers\epfwndis.sys"
+ "epfwtdi" "EPFW Filter Driver" "ESET" "c:\windows\system32\drivers\epfwtdi.sys"
+ "FETNDISB" "NDIS 5.0 miniport driver" "VIA Technologies, Inc. " "c:\windows\system32\drivers\fetnd5b.sys"
+ "HPZid412" "IEEE-1284.4-1999 Driver (Windows 2000)" "HP" "c:\windows\system32\drivers\hpzid412.sys"
+ "HPZipr12" "IEEE-1284.4-1999 Print Class Driver" "HP" "c:\windows\system32\drivers\hpzipr12.sys"
+ "HPZius12" "1284.4<->Usb Datalink Driver (Windows 2000)" "HP" "c:\windows\system32\drivers\hpzius12.sys"
+ "i2omgmt" "" "" "File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys"
+ "ialm" "Intel Graphics Miniport Driver" "Intel Corporation" "c:\windows\system32\drivers\ialmnt5.sys"
+ "lbrtfdc" "" "" "File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys"
+ "LMIInfo" "RemotelyAnywhere Kernel Information Provider" "LogMeIn, Inc." "c:\program files\logmein\x86\rainfo.sys"
+ "lmimirr" "LogMeIn Mirror Miniport Driver" "LogMeIn, Inc." "c:\windows\system32\drivers\lmimirr.sys"
+ "LMIRfsDriver" "LogMeIn Rfs Drivemap Driver" "LogMeIn, Inc." "c:\windows\system32\drivers\lmirfsdriver.sys"
+ "nv" "NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 " "NVIDIA Corporation" "c:\windows\system32\drivers\nv4_mini.sys"
+ "nv_agp" "NVIDIA nForce AGP Filter" "NVIDIA Corporation" "c:\windows\system32\drivers\nv_agp.sys"
+ "PCIDump" "" "" "File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys"
+ "PDCOMP" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys"
+ "PDFRAME" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys"
+ "PDRELI" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys"
+ "PDRFRAME" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys"
+ "pfc" "Padus® ASPI Shell" "Padus, Inc." "c:\windows\system32\drivers\pfc.sys"
+ "Ps2" "PS2 SYS" "Hewlett-Packard Company" "c:\windows\system32\drivers\ps2.sys"
+ "Ptilink" "Direct Parallel Link Driver" "Parallel Technologies, Inc." "c:\windows\system32\drivers\ptilink.sys"
+ "pwddqfob" "" "" "File not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwddqfob.sys"
+ "PxHelp20" "Px Engine Device Driver for Windows 2000/XP" "Sonic Solutions" "c:\windows\system32\drivers\pxhelp20.sys"
+ "RTL8023xp" "Realtek 10/100/1000 NDIS 5.1 Driver " "Realtek Semiconductor Corporation " "c:\windows\system32\drivers\rtnicxp.sys"
+ "rtl8139" "Realtek RTL8139/810x Family NDIS 5.1 Drv" "Realtek Semiconductor Corporation " "c:\windows\system32\drivers\r8139n51.sys"
+ "S3Psddr" "S3 ProSavage(DDR) & Twister Miniport Driver" "S3 Graphics, Inc." "c:\windows\system32\drivers\s3gnbm.sys"
+ "Secdrv" "SafeDisc driver" "Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K." "c:\windows\system32\drivers\secdrv.sys"
+ "SiS315" "SiS Compatible Super VGA Driver" "Silicon Integrated Systems Corporation" "c:\windows\system32\drivers\sisgrp.sys"
+ "SISAGP" "SiS AGPv3.5 Filter" "Silicon Integrated Systems Corporation" "c:\windows\system32\drivers\sisagpx.sys"
+ "SiSkp" "SiS VGA Driver Manager" "Silicon Integrated Systems Corporation" "c:\windows\system32\drivers\srvkp.sys"
+ "snapman" "Acronis Snapshot API" "Acronis" "c:\windows\system32\drivers\snapman.sys"
+ "SunkFilt" "SunkFilt" "Alcor Micro Corp." "c:\windows\system32\drivers\sunkfilt.sys"
+ "Sunkfiltp" "" "" "File not found: C:\WINDOWS\System32\Drivers\sunkfiltp.sys"
+ "tdrpman251" "Acronis Try&Decide Volume Filter Driver" "Acronis" "c:\windows\system32\drivers\tdrpm251.sys"
+ "timounter" "Acronis Backup Archive Explorer" "Acronis" "c:\windows\system32\drivers\timntr.sys"
+ "viaagp1" "VIA NT AGP Filter" "VIA Technologies, Inc." "c:\windows\system32\drivers\viaagp1.sys"
+ "WDICA" "" "" "File not found: C:\WINDOWS\System32\Drivers\WDICA.sys"
+ "{6080A529-897E-4629-A488-ABA0C29B635E}" "Intel Graphics Platform (SoftBIOS) Driver for Windows 2000® & Windows XP™" "Intel Corporation" "c:\windows\system32\drivers\ialmsbw.sys"
+ "{D31A0762-0CEB-444e-ACFF-B049A1F6FE91}" "Intel Graphics Chipset (KCH) Driver for Windows 2000® & Windows XP™" "Intel Corporation" "c:\windows\system32\drivers\ialmkchw.sys"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" ""
+ "msacm.iac2" "Indeo® audio software" "Intel Corporation" "c:\windows\system32\iac25_32.ax"
+ "msacm.l3acm" "MPEG Layer-3 Audio Codec for MSACM" "Fraunhofer Institut Integrierte Schaltungen IIS" "c:\windows\system32\l3codeca.acm"
+ "msacm.sl_anet" "Audio codec for MS ACM" "Sipro Lab Telecom Inc." "c:\windows\system32\sl_anet.acm"
+ "msacm.trspch" "DSP Group TrueSpeech™ Audio Codec for MSACM V3.50" "DSP GROUP, INC." "c:\windows\system32\tssoft32.acm"
+ "vidc.cvid" "Cinepak® Codec" "Radius Inc." "c:\windows\system32\iccvid.dll"
+ "vidc.DIVX" "DivX" "DivX, Inc." "c:\windows\system32\divx.dll"
+ "vidc.iv31" "" "" "c:\windows\system32\ir32_32.dll"
+ "vidc.iv32" "" "" "c:\windows\system32\ir32_32.dll"
+ "vidc.iv41" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax"
+ "vidc.iv50" "Intel Indeo® video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll"
+ "vidc.yv12" "DivX" "DivX, Inc." "c:\windows\system32\divx.dll"
"HKLM\Software\Classes\Filter" "" "" ""
+ "Indeo® video 4.4 Compression Filter" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax"
+ "Indeo® video 4.4 Decompression Filter" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax"
"HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" ""
+ "ACELP.net Audio Decoder" "ACELP.net Audio Decoder" "Sipro Lab Telecom Inc." "c:\windows\system32\acelpdec.ax"
+ "Arcsoft LPCM Decoder" "" "" "File not found: C:\PROGRA~1\ArcSoft\SHOWBI~1\lpcm2pcm.ax"
+ "Arcsoft Mpeg Mplex Filter" "" "" "File not found: C:\PROGRA~1\ArcSoft\SHOWBI~1\MplexFilter.ax"
+ "ArcSoft Mpeg Writer" "" "" "File not found: C:\PROGRA~1\ArcSoft\SHOWBI~1\MPEGWriter.ax"
+ "DivX Decoder Filter" "DivX Decoder Filter" "DivX, Inc." "c:\program files\divx\divx codec\divxdec.ax"
+ "DivX Demux" "DivX® Media Filter" "DivXNetworks" "c:\program files\divx\divx codec\divxmedia.ax"
+ "DivX Subtitle Decoder" "DivX® Media Filter" "DivXNetworks" "c:\program files\divx\divx codec\divxmedia.ax"
+ "File Dump" "" "" "File not found: C:\PROGRA~1\ArcSoft\SHOWBI~1\filedump.ax"
+ "Indeo Video ® 5.1 Progressive Download Source" "Intel Indeo® video IVF Source Filter 5.10" "Intel Corporation" "c:\windows\system32\ivfsrc.ax"
+ "Indeo® audio software" "Indeo® audio software" "Intel Corporation" "c:\windows\system32\iac25_32.ax"
+ "Indeo® video 5.10 Compression Filter" "Intel Indeo® video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll"
+ "Indeo® video 5.10 Decompression Filter" "Intel Indeo® video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll"
+ "Ligos Audio Decoder Filter" "" "" "File not found: C:\WINDOWS\System32\lmpgad.ax"
+ "Ligos DV Intercept (Version 2.0)" "" "" "File not found: C:\PROGRA~1\ArcSoft\SHOWBI~1\DvIntcpt.ax"
+ "Ligos GoMotion Capture Encoder Filter (ArcSoft)" "" "" "File not found: C:\PROGRA~1\ArcSoft\SHOWBI~1\GoMotionCaptureEncoder.ax"
+ "Ligos GoMotion DV to MPEG Filter (Version 2.0)" "" "" "File not found: C:\PROGRA~1\ArcSoft\SHOWBI~1\GoMotionDVtoMPEG.ax"
+ "Ligos MPEG Splitter" "" "" "File not found: C:\WINDOWS\System32\lmpgspl.ax"
+ "Ligos MPEG Video Decoder" "" "" "File not found: C:\WINDOWS\System32\lmpgvd.ax"
+ "Ligos Virtual Source (Version 2.0)" "" "" "File not found: C:\PROGRA~1\ArcSoft\SHOWBI~1\VirtSrc.ax"
+ "LogMeIn Video Decoder" "LogMeIn Video Codec" "LogMeIn, Inc." "c:\program files\logmein\x86\racodec.ax"
+ "LogMeIn Video Encoder" "LogMeIn Video Codec" "LogMeIn, Inc." "c:\program files\logmein\x86\racodec.ax"
+ "MPEG Layer-3 Decoder" "MPEG Layer-3 Audio Decoder" "Fraunhofer Institut Integrierte Schaltungen IIS" "c:\windows\system32\l3codecx.ax"
+ "WIA Stream Snapshot Filter" "WIA Stream Snapshot Filter" "MyCompanyName" "c:\windows\system32\wiasf.ax"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "" "" ""
+ "igfxcui" "igfxsrvc Module" "Intel Corporation" "c:\windows\system32\igfxsrvc.dll"
+ "LMIinit" "LogMeIn Remote Control Helper" "LogMeIn, Inc." "c:\windows\system32\lmiinit.dll"
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" "" "" ""
+ "hpf3l70v.dll" "LanguageMonitor" "Hewlett-Packard Company" "c:\windows\system32\hpf3l70v.dll"
+ "LogMeIn Printer Port Monitor" "RemotelyAnywhere Printer Port Monitor" "LogMeIn, Inc." "c:\windows\system32\lmiport.dll"
"HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" "" "" ""
+ "LMIRfsClientNP" "LogMeIn Virtual Disk Network" "LogMeIn, Inc." "c:\windows\system32\lmirfsclientnp.dll"

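Two things in the export above are worth checking rather than eyeballing, and the script that follows is an added example for this page, not code from the thread or from Sysinternals. First, every entry marked "File not found:" is a registry reference to an image that is no longer on disk; most of those here are stale driver entries, but the "pwddqfob" service points at a randomly named .sys under the user's Temp folder. GMER, which the poster ran earlier in the thread, registers its scan driver under a random name in exactly that location, so this is most likely its leftover; the same location and naming pattern is also used by malware, which is why a check should surface it rather than assume. Second, Autoruns can verify signatures, but the text export does not record the result. The script reproduces the Run-key and Services sections of the export with built-in cmdlets and flags missing files, images under Temp or user-profile directories, invalid signatures and random-looking names. It assumes PowerShell 2.0 or later running as an administrator so that every service key is readable; the list of "suspect" directories is an assumption chosen for XP and later.

```powershell
# Added autostart checker (not from the thread). Assumes PowerShell 2.0+ run as administrator.
# Directories where a legitimate autostart image is rarely found (assumption).
$suspectDirs = @($env:TEMP, $env:USERPROFILE,
                 (Join-Path $env:SystemDrive 'Documents and Settings'),
                 (Join-Path $env:SystemDrive 'Users')) | Where-Object { $_ }

function Resolve-ImagePath([string]$raw) {
    # Turn a raw registry value into an on-disk path: expand %SystemRoot% and friends,
    # strip the \??\ and \SystemRoot\ prefixes, take the quoted or first .exe/.sys/.dll
    # token, and resolve relative paths against %SystemRoot% and system32.
    if (-not $raw) { return $null }
    $s = [Environment]::ExpandEnvironmentVariables($raw.Trim())
    $s = $s -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
    if ($s -match '^"([^"]+)"') { $s = $Matches[1] }
    elseif ($s -match '^(.+?\.(exe|sys|dll))(\s|$)') { $s = $Matches[1] }
    else { $s = ($s -split '\s+')[0] }
    if ($s -match '^[A-Za-z]:\\') { return $s }
    foreach ($base in @($env:SystemRoot, (Join-Path $env:SystemRoot 'system32'))) {
        $candidate = Join-Path $base $s
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return Join-Path $env:SystemRoot $s
}

function Test-Entry($location, $name, $raw) {
    $path = Resolve-ImagePath $raw
    if (-not $path) { return }
    $findings = @()
    if (-not (Test-Path -LiteralPath $path)) {
        $findings += 'file not found'          # the "File not found:" rows in the Autoruns export
    } else {
        foreach ($d in $suspectDirs) {
            if ($path -like "$d\*") { $findings += "lives under $d"; break }
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $findings += "signature: $($sig.Status)" }
    }
    # Eight random lowercase letters: GMER's scan driver and several rootkit droppers alike.
    if ($name -cmatch '^[a-z]{8}$') { $findings += 'random-looking name' }
    if ($findings.Count -gt 0) {
        New-Object PSObject -Property @{
            Location = $location; Name = $name; Path = $path; Findings = ($findings -join '; ')
        }
    }
}

# Properties Get-ItemProperty adds that are not registry values.
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$results = & {
    # Run keys: the first two sections of the Autoruns export.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty $key
        $names = $props | Get-Member -MemberType NoteProperty |
                 Where-Object { $psNoise -notcontains $_.Name } | ForEach-Object { $_.Name }
        foreach ($n in $names) { Test-Entry $key $n $props.$n }
    }
    # Services and drivers: the two Services sections of the export.
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $image = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($image) { Test-Entry 'Services' $svc.PSChildName $image }
    }
}

$results | Format-Table Location, Name, Findings -AutoSize
```

Entries launched through rundll32 are reported against rundll32.exe itself, since that is the image the value names; the DLL argument is visible in the raw value if a row needs a closer look. A long list of "signature: NotSigned" rows on an XP system is normal for OEM and third-party drivers, so weight the combination of findings (missing file plus Temp location plus random name) rather than any one of them.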

#12 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 18 April 2010 - 06:47 PM

Okay, I have checked this out with a colleague, Budapest, this is what they say:

QUOTE
Multiple iexplore.exe processes running is normal if the user has multiple tabs open. It is not normal if the user has only one tab open.

However, one thing I have noticed is that if you open multiple tabs in IE multiple iexplore.exe processes will be created. If you then close all the tabs except one the multiple iexplore.exe processes will continue running until you completely close IE.

You could also try this: http://support.microsoft.com/kb/318378


That sounds like the answer then, IE8 is flawed - who'da thunk it?

The Autoruns scan was normal so that confirms it.

#13 legacy9x (Topic Starter, Members, 11 posts)

Posted 18 April 2010 - 07:02 PM

Well, the iexplorer.exe stays open multiple times even after I close IE8.. I have another laptop, with IE8 as well, and that doesn't happen on that computer..

#14 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 19 April 2010 - 03:41 PM

No, but sometimes it does. The link above shows you how to reinstall IE8 which, in this case, is the way to go. It is a known bug and is certainly not malware.



#15 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 23 April 2010 - 07:55 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



