
sisytj32.exe svchost 50% at all times


  • This topic is locked
7 replies to this topic

#1 quax69

quax69

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:18 AM

Posted 13 June 2010 - 08:01 PM

Dear all,

I kindly ask for your assistance on that new headache called sisytj32.exe, which keeps appearing in the startup programs for the last three days. My PC's getting quite slow - CPU approaching 100% and svchost eating at least 50% of this at any given time. A scan with Prevx did not detect the sisytj32.exe and TDSSKiller did not find anything either. The Sophos anti-rootkit tool detected the exe, but it suggested that I should not delete it. Combo's results are the following:


ComboFix 10-06-11.01 - xpuser 12/06/2010 20:07:07.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1253.30.1032.18.1014.543 [GMT 3:00]
Running from: c:\documents and settings\xpuser\Επιφάνεια εργασίας\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\xpuser\Application Data\avdrn.dat
c:\windows\system32\1384889740.dat
c:\windows\system32\aaaamonv.exe
c:\windows\system32\acctresg.exe
c:\windows\system32\adsnwm.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EVENTSYSTEMCOMSYSAPP
-------\Legacy_SPOOLERRPCLOCATOR
-------\Service_EventSystemCOMSysApp
-------\Service_SpoolerRpcLocator
-------\Legacy_EventSystemCOMSysAppLVPrcSrv
-------\Service_EventSystemCOMSysAppLVPrcSrv


((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))
.

2010-06-11 16:30 . 2010-06-11 16:30 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-06-11 16:30 . 2010-06-11 16:30 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-06-11 16:30 . 2010-06-11 16:30 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-06-11 16:30 . 2010-06-11 16:30 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-06-11 16:30 . 2010-06-11 16:30 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-06-11 16:28 . 2010-06-11 16:28 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-06-11 16:28 . 2010-06-11 16:28 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-06-11 16:06 . 2010-06-11 16:28 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-06-11 16:06 . 2010-06-11 16:28 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-06-11 16:04 . 2010-06-12 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-06-11 16:04 . 2010-06-11 16:04 -------- d-----w- c:\program files\Kaspersky Lab
2010-06-11 15:55 . 2010-06-11 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-06-06 18:48 . 2010-06-06 18:48 -------- d-----w- c:\program files\Philips
2010-06-06 18:47 . 2010-06-06 18:48 -------- d-----w- C:\temp
2010-06-05 15:46 . 2010-06-05 15:46 -------- d-----w- c:\documents and settings\xpuser\Application Data\Arkadium
2010-06-05 15:44 . 2010-06-05 16:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-05 15:44 . 2010-06-05 15:44 -------- d-----w- c:\program files\Common Files\Oberon Media
2010-06-05 15:43 . 2010-06-05 15:43 -------- d-----w- c:\program files\Oberon Media
2010-06-05 15:43 . 2010-06-05 16:50 -------- d-----w- c:\program files\Yahoo! Games
2010-05-26 19:52 . 2010-05-26 19:52 503808 ----a-w- c:\documents and settings\xpuser\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4b4010bc-n\msvcp71.dll
2010-05-26 19:52 . 2010-05-26 19:52 499712 ----a-w- c:\documents and settings\xpuser\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4b4010bc-n\jmc.dll
2010-05-26 19:52 . 2010-05-26 19:52 61440 ----a-w- c:\documents and settings\xpuser\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1c09a3a0-n\decora-sse.dll
2010-05-26 19:52 . 2010-05-26 19:52 348160 ----a-w- c:\documents and settings\xpuser\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4b4010bc-n\msvcr71.dll
2010-05-26 19:52 . 2010-05-26 19:52 12800 ----a-w- c:\documents and settings\xpuser\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1c09a3a0-n\decora-d3d.dll
2010-05-14 18:08 . 2010-05-14 18:08 -------- d-----w- c:\documents and settings\xpuser\Application Data\Playrix Entertainment
2010-05-14 18:04 . 2010-05-14 18:04 -------- d-----w- c:\program files\Fishdom
2010-05-14 18:04 . 2010-05-14 18:04 -------- d-----w- c:\windows\Fishdom

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 16:36 . 2010-03-14 20:22 -------- d-----w- c:\program files\ScanSpyware v3.8.0.4
2010-06-11 17:03 . 2008-01-16 16:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-11 16:32 . 2010-06-11 16:32 4 ----a-w- c:\documents and settings\LocalService\Application Data\dhxiuw.dat
2010-06-11 16:00 . 2008-01-16 16:54 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-11 16:00 . 2008-01-16 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-11 05:58 . 2010-06-11 05:58 4 ----a-w- c:\documents and settings\xpuser\Application Data\dhxiuw.dat
2010-06-10 10:13 . 2010-06-10 10:13 4 ----a-w- c:\documents and settings\NetworkService\Application Data\dhxiuw.dat
2010-06-06 18:48 . 2008-01-16 16:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-02 19:59 . 2010-04-23 21:09 -------- d-----w- c:\program files\LeeGTs Games
2010-06-02 19:59 . 2010-03-19 20:41 -------- d-----w- c:\program files\Mystery Case Files Ravenhearst
2010-05-08 09:34 . 2010-05-08 09:34 -------- d-----w- c:\documents and settings\xpuser\Application Data\Apple Computer
2010-05-02 16:07 . 2008-01-16 17:43 -------- d-----w- c:\program files\Java
2010-04-12 14:29 . 2010-05-02 16:07 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-11 12:13 . 2010-04-11 12:13 503808 ----a-w- c:\documents and settings\xpuser\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-68488337-n\msvcp71.dll
2010-04-11 12:13 . 2010-04-11 12:13 499712 ----a-w- c:\documents and settings\xpuser\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-68488337-n\jmc.dll
2010-04-11 12:13 . 2010-04-11 12:13 348160 ----a-w- c:\documents and settings\xpuser\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-68488337-n\msvcr71.dll
2010-04-11 12:13 . 2010-04-11 12:13 61440 ----a-w- c:\documents and settings\xpuser\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-47179828-n\decora-sse.dll
2010-04-11 12:13 . 2010-04-11 12:13 12800 ----a-w- c:\documents and settings\xpuser\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-47179828-n\decora-d3d.dll
2010-03-28 09:01 . 2001-11-27 12:00 55854 ----a-w- c:\windows\system32\perfc008.dat
2010-03-28 09:01 . 2001-11-27 12:00 395372 ----a-w- c:\windows\system32\perfh008.dat
2010-03-27 10:09 . 2008-01-14 18:31 24024 ----a-w- c:\documents and settings\xpuser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-22 20:02 . 2010-03-22 20:02 10134 ----a-r- c:\documents and settings\xpuser\Application Data\Microsoft\Installer\{BEF726DD-4037-4214-8C6A-E625C02D2870}\ARPPRODUCTICON.exe
2010-03-22 20:02 . 2010-03-22 20:02 10134 ----a-r- c:\documents and settings\xpuser\Application Data\Microsoft\Installer\{35725FBC-A136-4A46-9F29-091759D9BB93}\ARPPRODUCTICON.exe
2010-03-22 20:01 . 2010-03-22 20:01 10134 ----a-r- c:\documents and settings\xpuser\Application Data\Microsoft\Installer\{EA516024-D84D-41F1-814F-83175A6188F2}\ARPPRODUCTICON.exe
2010-03-18 16:38 . 2010-03-18 16:37 3828846 ----a-w- c:\documents and settings\xpuser\Application Data\OpenCandy\maximus_install.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-26 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-26 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-26 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]
"NDSTray.exe"="NDSTray.exe" [BU]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2006-04-12 638976]
"TPSMain"="TPSMain.exe" [2005-08-11 266240]
"TCtryIOHook"="TCtrlIOHook.exe" [2007-06-30 28672]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2007-06-01 53248]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 143360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-04 15360]

c:\documents and settings\xpuser\Start Menu\Προγράμματα\Εκκίνηση\
sisytj32.exe [2004-9-4 34304]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Bluetooth Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Bluetooth Monitor.lnk
backup=c:\windows\pss\Bluetooth Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Philips GoGear SA018 Device Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Philips GoGear SA018 Device Manager.lnk
backup=c:\windows\pss\Philips GoGear SA018 Device Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^xpuser^Start Menu^Προγράμματα^Εκκίνηση^sisytj32.exe]
path=c:\documents and settings\xpuser\Start Menu\Προγράμματα\Εκκίνηση\sisytj32.exe
backup=c:\windows\pss\sisytj32.exeStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-02-07 23:12 488984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-02-07 23:13 774168 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-09-04 04:53 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-02 18:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-02 20:07 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming]
2005-06-06 07:58 24576 ----a-w- c:\windows\system32\ZoomingHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 8:18 μμ 36880]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/9/2009 1:42 μμ 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2/10/2009 6:39 μμ 19472]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/1/2010 3:49 μμ 227232]
.
Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1614895754-920026266-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 20:09]

2010-06-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1614895754-920026266-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 20:09]
.
.
------- Supplementary Scan -------
.
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Ε&ξαγωγή στο Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\xpuser\Application Data\Mozilla\Firefox\Profiles\mv95bkm9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
MSConfigStartUp-nonep - c:\windows\TEMP\63.tmp
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\VPTray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-12 20:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(7552)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\msi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\TCtrlIOHook.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-06-12 20:17:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-12 17:17

Pre-Run: 10 Κατάλογοι 37.636.730.880 διαθέσιμα byte
Post-Run: 11 Κατάλογοι 38.037.164.032 διαθέσιμα byte

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1EA69C6EBE4096D00D03FA5F7F715539




GMER froze the PC twice, whereas DDS provided the following:





DDS (Ver_10-03-17.01) - NTFSx86
Run by xpuser at 23:12:34,67 on Κυρ 13/06/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1253.30.1032.18.1014.415 [GMT 3:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\xpuser\Επιφάνεια εργασίας\dds(2).scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Βοηθός εισόδου του Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TCtryIOHook] TCtrlIOHook.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\xpuser\start menu\προγράμματα\εκκίνηση\sisytj32.exe
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: Ε&ξαγωγή στο Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\kloehk.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\xpuser\applic~1\mozilla\firefox\profiles\mv95bkm9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys --> c:\windows\system32\drivers\pxscan.sys [?]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-6-11 315408]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-6-13 93320]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys --> c:\windows\system32\drivers\pxrts.sys [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1ab.tmp --> c:\windows\system32\1AB.tmp [?]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys --> c:\windows\system32\drivers\pxkbf.sys [?]
S2 0243971276458422mcinstcleanup;McAfee Application Installer Cleanup (0243971276458422);c:\docume~1\xpuser\locals~1\temp\024397~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\xpuser\locals~1\temp\024397~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

=============== Created Last 30 ================

2010-06-13 20:10:18 0 ----a-w- c:\documents and settings\xpuser\defogger_reenable
2010-06-13 19:47:02 0 d-----w- c:\program files\common files\McAfee
2010-06-13 19:46:52 0 d-----w- c:\program files\McAfee
2010-06-13 18:51:41 0 d-----w- c:\program files\Sophos
2010-06-13 18:35:50 61952 ----a-w- c:\windows\system32\PxSecure.dll-13575312
2010-06-13 18:29:15 49 ----a-w- c:\windows\wininit.ini
2010-06-12 17:04:44 98816 ----a-w- c:\windows\sed.exe
2010-06-12 17:04:44 77312 ----a-w- c:\windows\MBR.exe
2010-06-12 17:04:44 256512 ----a-w- c:\windows\PEV.exe
2010-06-12 17:04:44 161792 ----a-w- c:\windows\SWREG.exe
2010-06-11 16:06:05 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-06-11 16:06:05 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-06-11 16:04:51 0 d-----w- c:\program files\Kaspersky Lab
2010-06-11 16:04:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-06-11 15:55:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-06-11 05:58:36 4 ----a-w- c:\docume~1\xpuser\applic~1\dhxiuw.dat
2010-06-06 18:48:13 0 d-----w- c:\program files\Philips
2010-06-06 18:47:46 0 d-----w- C:\temp
2010-06-05 15:46:12 0 d-----w- c:\docume~1\xpuser\applic~1\Arkadium
2010-06-05 15:44:34 0 d-----w- c:\program files\common files\Oberon Media
2010-06-05 15:43:50 0 d-----w- c:\program files\Oberon Media
2010-06-05 15:43:49 0 d-----w- c:\program files\Yahoo! Games
2010-06-02 19:59:47 0 d-----w- c:\windows\system32\appmgmt
2010-05-29 10:43:27 0 d-----w- c:\windows\pss

==================== Find3M ====================

2010-04-12 14:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-28 09:01:10 55854 ----a-w- c:\windows\system32\perfc008.dat
2010-03-28 09:01:10 395372 ----a-w- c:\windows\system32\perfh008.dat
2010-03-25 20:06:27 24024 ----a-w- c:\docume~1\xpuser\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 23:13:18,81 ===============



Thank you very much for your time and attention

#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:18 PM

Posted 19 June 2010 - 03:05 AM

Hi quax69,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved please update me on the current condition of your computer.

#3 quax69

quax69
  • Topic Starter

  • Members
  • 4 posts
  • Local time:11:18 AM

Posted 21 June 2010 - 05:25 PM

Hi Farbar,

Thank you for your reply. Since Friday the sisytj32.exe has disappeared from the start up, svchost.exe eats the normal percentage of CPU and the PC is back to normal. On Thursday my wife had scanned with ScanSpyware and deleted kukudro.c. I don't know whether it did the trick.

A scan with the Sophos anti-rootkit tool revealed nothing.

Below is the DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by xpuser at 0:21:28,57 on 20/06/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1253.30.1032.18.1014.508 [GMT 3:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\xpuser\Τα έγγραφά μου\Ληφθέντα αρχεία\Defogger(2).exe
C:\Documents and Settings\xpuser\Τα έγγραφά μου\Ληφθέντα αρχεία\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Βοηθός εισόδου του Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TCtryIOHook] TCtrlIOHook.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: Ε&ξαγωγή στο Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\kloehk.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\xpuser\applic~1\mozilla\firefox\profiles\mv95bkm9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-6-11 315408]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-6-13 93320]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1ab.tmp --> c:\windows\system32\1AB.tmp [?]

=============== Created Last 30 ================

2010-06-19 21:21:08 0 ----a-w- c:\documents and settings\xpuser\defogger_reenable
2010-06-16 01:17:10 0 ----a-w- c:\windows\TPTray.INI
2010-06-13 19:47:02 0 d-----w- c:\program files\common files\McAfee
2010-06-13 19:46:52 0 d-----w- c:\program files\McAfee
2010-06-13 18:51:41 0 d-----w- c:\program files\Sophos
2010-06-13 18:29:15 49 ----a-w- c:\windows\wininit.ini
2010-06-12 17:04:44 98816 ----a-w- c:\windows\sed.exe
2010-06-12 17:04:44 77312 ----a-w- c:\windows\MBR.exe
2010-06-12 17:04:44 256512 ----a-w- c:\windows\PEV.exe
2010-06-12 17:04:44 161792 ----a-w- c:\windows\SWREG.exe
2010-06-11 16:06:05 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-06-11 16:06:05 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-06-11 16:04:51 0 d-----w- c:\program files\Kaspersky Lab
2010-06-11 16:04:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-06-11 15:55:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-06-11 05:58:36 4 ----a-w- c:\docume~1\xpuser\applic~1\dhxiuw.dat
2010-06-06 18:48:13 0 d-----w- c:\program files\Philips
2010-06-06 18:47:46 0 d-----w- C:\temp
2010-06-05 15:46:12 0 d-----w- c:\docume~1\xpuser\applic~1\Arkadium
2010-06-05 15:44:34 0 d-----w- c:\program files\common files\Oberon Media
2010-06-05 15:43:50 0 d-----w- c:\program files\Oberon Media
2010-06-05 15:43:49 0 d-----w- c:\program files\Yahoo! Games
2010-06-02 19:59:47 0 d-----w- c:\windows\system32\appmgmt
2010-05-29 10:43:27 0 d-----w- c:\windows\pss

==================== Find3M ====================

2010-04-12 14:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-28 09:01:10 55854 ----a-w- c:\windows\system32\perfc008.dat
2010-03-28 09:01:10 395372 ----a-w- c:\windows\system32\perfh008.dat
2010-03-25 20:06:27 24024 ----a-w- c:\docume~1\xpuser\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 0:21:58,64 ===============


Thank you again


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:18 PM

Posted 21 June 2010 - 05:57 PM

Yes, the log looks clean. But there are security vulnerabilities. Let's take a look at this log:

Please go to start => Run => Copy and paste the bold line in the run-box and click OK:

"C:\Qoobox\Add-Remove Programs.txt"

A text file opens up, copy and paste the content to your reply.

#5 quax69

quax69
  • Topic Starter

  • Members
  • 4 posts
  • Local time:11:18 AM

Posted 22 June 2010 - 12:24 PM

Here's the log:

Βοηθός εισόδου του Windows Live
Βοηθητικό πρόγραμμα TOSHIBA HotKey
Βοηθητικό πρόγραμμα TouchPad On/Off
Εργαλείο αποστολής του Windows Live
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0 - Greek
Adobe Stock Photos 1.0
Apple Application Support
Apple Software Update
Atheros Driver Installation Program
Bluetooth Monitor 3
Camera Assistant Software for Toshiba
CD/DVD Drive Acoustic Silencer
CloneDVD2
Combined Community Codec Pack 2009-09-09
Compatibility Pack for the 2007 Office system
Compel Adaptec WinASPI
Fishdom
Fishdom 2 Premium Edition
GoGear SA018 Device Manager
High Definition Audio Driver Package - KB888111
Intel® Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 1
Java Auto Updater
Java™ 6 Update 20
JellyFish Light 3.5
K-Lite Codec Pack 2.36 Standard
Kaspersky Internet Security 2010
Logitech Audio Echo Cancellation Component
Logitech QuickCam
Logitech Video Enumerator
Logitech® Camera Driver
McAfee Security Scan Plus
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office XP Professional με FrontPage
Monopoly by Parker Brothers
Mozilla Firefox (3.6.3)
MSVCRT
MVision
Nero 6
PowerDVD
QuickTime
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
RealUpgrade 1.0
ScanSpyware v3.8.0.4
Segoe UI
TOSHIBA Accessibility
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls Driver
TOSHIBA Hardware Setup
TOSHIBA Hotkey Utility
TOSHIBA HW Setup
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA Power Saver Driver
TOSHIBA Software Modem
TOSHIBA Zooming Hook
TOSHIBA Zooming Utility
TouchPad On/Off Utility
Utility Common Driver
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
WinRAR 3.50 – Εφαρμογή Διαχείρισης Συμπιεσμένων Αρχείων



cheers man

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:18 PM

Posted 22 June 2010 - 02:04 PM

It looks good.
  1. You have the latest version of Java (Java 6 Update 20) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Please uninstall the following:

    J2SE Runtime Environment 5.0 Update 1

  2. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  3. You may delete any tool or log we used from your computer.

Happy Surfing quax69.
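The check Farbar makes above (one current JRE plus a leftover older one that should be uninstalled) can be automated. This is an added example, not part of the thread: it parses an Add/Remove Programs listing like the one posted in #5 and reports every JRE entry older than the newest one present. The sample listing is constructed from lines in that post.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: entries copied from the Add/Remove Programs listing
# posted earlier in this thread (not the full list).
SAMPLE_LISTING = """\
J2SE Runtime Environment 5.0 Update 1
Java Auto Updater
Java™ 6 Update 20
Kaspersky Internet Security 2010
Mozilla Firefox (3.6.3)
"""

# Two naming conventions Sun used for the JRE in Add/Remove Programs:
#   "J2SE Runtime Environment 5.0 Update 1"        (Java 5 era)
#   "Java(TM) 6 Update 20" / "Java™ 6 Update 20"   (Java 6 era)
_J2SE = re.compile(r"^J2SE Runtime Environment (\d+)\.(\d+)(?: Update (\d+))?$")
_JAVA = re.compile(r"^Java(?:\(TM\)|™)? (\d+)(?: Update (\d+))?$")


def parse_java_entry(name: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a JRE entry, or None if the line is not one.

    "Java Auto Updater" and similar helper packages are deliberately not
    matched: only runtime entries carry a version worth comparing.
    """
    text = name.strip()
    m = _J2SE.match(text)
    if m:
        # "5.0" -> major 5; a missing "Update N" means update 0
        return int(m.group(1)), int(m.group(3) or 0)
    m = _JAVA.match(text)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    return None


def find_stale_java(listing: str) -> List[str]:
    """Return the names of JRE entries older than the newest JRE in the listing.

    Versions compare as (major, update) tuples, so Java 5 Update 1 ranks
    below Java 6 Update 20 regardless of the update number.
    """
    found: List[Tuple[Tuple[int, int], str]] = []
    for line in listing.splitlines():
        ver = parse_java_entry(line)
        if ver is not None:
            found.append((ver, line.strip()))
    if not found:
        return []
    newest = max(ver for ver, _ in found)
    return [name for ver, name in found if ver < newest]


if __name__ == "__main__":
    for entry in find_stale_java(SAMPLE_LISTING):
        print("outdated JRE still installed:", entry)
```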

#7 quax69

quax69
  • Topic Starter

  • Members
  • 4 posts
  • Local time:11:18 AM

Posted 27 June 2010 - 08:53 AM

Thanks a lot for your time.



#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:18 PM

Posted 27 June 2010 - 10:32 AM

You are welcome.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



