Google redirects/Svchost issues


8 replies to this topic

#1 brokenslug

  • Members
  • 4 posts

Posted 27 July 2010 - 04:06 PM

So all the issues with my PC started after watching 3 minutes of Metalocalypse on tvlinks.cc. Anyways, I have a Dell Latitude that is semi-old, running Windows XP with Kaspersky Security. When I click on links in Google Chrome that are supposed to go to certain websites [even this one occasionally], they redirect to some nondescript website that is always different and shouldn't be where I am going.
I also have an issue with my CPU use in Task Manager. It jumps from 6% committed charge to anywhere in the double digits, and the three programs with the most memory usage are System Idle Process, svchost.exe and avp.exe.
I did some heavy reading on the forums here and at another forum site and ran, in order:
CleanUp
Malwarebytes [which showed nothing detected]
TDSS after following the malware advice here.
ComboFix [this was probably not the best choice since I had an issue with stopping my security first]

It was probably stupid to do so b/c I didn't read the correct set of instructions for the logs site. Then I would have known to only run ComboFix as needed. Back at square one, I did the backup and ran DDS and GMER for their logs.

GMER failed to produce a log and all I got was this error:

sys error:
BCCode : f4 BCP1 : 00000003 BCP2 : 8A57C928 BCP3 : 8A57CA9C
BCP4 : 805C86F8 OSVer : 5_1_2600 SP : 3_0 Product : 256_1

The following files will be included in the error report.
C:\DOCUME~1\ADMINI~1.FLV\LOCALS~1\Temp\WER1d44.dir00\Mini072610-01.dmp
C:\DOCUME~1\ADMINI~1.FLV\LOCALS~1\Temp\WER1d44.dir00\sysdata.xml

I then ran GMER in safe mode, and the only programs in the field view were as follows:
\system32\svchost.exe[568]ntdll.dll!NtProtectVirtualMemory Value:7C90D6EE 5 Bytes JMP 0094000A
\system32\svchost.exe[568]ntdll.dll!NtWriteVirtualMemory Value:7C90DFAE 5 Bytes JMP0095000A
\system32\svchost.exe[568]ntdll.dll!KiUserException Value:7C90E47C 5 Bytes JMP0093000C
\system32\svchost.exe[568]ole32.dll!CoCreateInstance Value:774FFAC3 5 Bytes JMP 00E7000A
\windows\explorer.exe[920]ntdll.dll!NtProtextVirtualMemory Value:7C90D6EE 5 Bytes JMP 0097000A
\windows\explorer.exe[920]ntdll.dll!NtWriteVirtualMemory Value:7C90DFAE 5 Bytes JMP 00C1000A
\windows\explorer.exe[920]ntdll.dll!UserExceptionDispatcher Value:7C90E47C 5 Bytes JMP 0096000C

Here is the DDS log


DDS (Ver_10-03-17.01) - NTFSx86
Run by administrator at 16:00:23.48 on Mon 07/26/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1480 [GMT -7:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\administrator.FLVE036XP\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.att.net
mStart Page = hxxp://www.att.net
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Track-It! Workstation Manager Service Monitor] c:\windows\tiremote\TIServiceMonitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
mRun: [avp] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} - hxxp://vs.mcafeeasap.com/MC/ENU/VS40/bin/myCioAgt.20060504175614.cab
DPF: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} - hxxp://www.blackberry.com/DST2007/patch/desktop/DSTUpdateLoaderUSB.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://cdcnews.webex.com/client/T23L/webex/ieatgpc.cab
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\kloehk.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.flv\applic~1\mozilla\firefox\profiles\omf6my60.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - component: c:\documents and settings\all users\application data\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\documents and settings\all users\application data\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\documents and settings\all users\application data\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-2-1 315408]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-8-8 201320]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340456]
R2 klnagent;Kaspersky Network Agent;c:\program files\kaspersky lab\networkagent\klnagent.exe [2008-9-22 94544]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-2-1 47640]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\tiremote\TIRemoteService.exe [2008-6-19 214016]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S2 gupdate1ca6fbc56eae590;Google Update Service (gupdate1ca6fbc56eae590);c:\program files\google\update\GoogleUpdate.exe [2009-11-27 133104]
S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2006-8-8 35240]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2008-2-9 33832]
S3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [2006-3-8 77952]
S3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [2006-3-8 77952]
S3 PRSUSB;Sony Reader;c:\windows\system32\drivers\PRSUSB.sys [2007-9-10 18944]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 EngineServer;EngineServer;"c:\program files\mcafee\managed virusscan\vscan\engineserver.exe" --> c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-07-24 21:32:48 0 d-sha-r- C:\cmdcons
2010-07-24 21:27:58 77312 ----a-w- c:\windows\MBR.exe
2010-07-24 21:27:57 98816 ----a-w- c:\windows\sed.exe
2010-07-24 21:27:57 256512 ----a-w- c:\windows\PEV.exe
2010-07-24 21:27:57 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-06-04 19:52:48 604 ---ha-w- c:\program files\STLL Notifier

============= FINISH: 16:03:59.48 ===============

and ComboFix

ComboFix 10-07-24.01 - administrator 07/26/2010 12:27:09.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1695 [GMT -7:00]
Running from: c:\documents and settings\administrator.FLVE036XP\My Documents\Downloads\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\administrator.FLVE036XP\Application Data\F6995D7846673B498CC7CA93D78654B2
c:\documents and settings\administrator.FLVE036XP\Application Data\F6995D7846673B498CC7CA93D78654B2\enemies-names.txt
c:\documents and settings\administrator.FLVE036XP\Application Data\F6995D7846673B498CC7CA93D78654B2\local.ini
c:\documents and settings\administrator.FLVE036XP\Application Data\F6995D7846673B498CC7CA93D78654B2\lsrslt.ini
c:\documents and settings\blackb\g2mdlhlpx.exe
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\uninstall.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.

2010-07-21 19:02 . 2010-07-23 12:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-20 22:18 . 2010-07-20 22:18 -------- d-sh--w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 18:48 . 2008-03-25 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-07-24 19:41 . 2010-06-11 18:31 -------- d-----w- c:\documents and settings\administrator.FLVE036XP\Application Data\Dropbox
2010-07-24 19:27 . 2010-02-01 22:01 -------- d-----w- c:\program files\LogMeIn
2010-07-20 18:06 . 2008-12-03 20:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-03 01:17 . 2010-06-04 04:15 -------- d-----w- c:\documents and settings\administrator.FLVE036XP\Application Data\uTorrent
2010-06-27 22:23 . 2009-09-28 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Mozilla Firefox
2010-06-15 18:02 . 2010-06-15 18:02 133648 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-15 18:02 . 2010-06-15 18:02 133720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-11 18:32 . 2010-06-11 18:32 89831 ----a-w- c:\documents and settings\administrator.FLVE036XP\Application Data\Dropbox\bin\Uninstall.exe
2010-06-08 23:44 . 2010-06-08 23:44 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 19:56 . 2009-09-28 01:51 48120 ----a-w- c:\documents and settings\administrator.FLVE036XP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-04 19:55 . 2010-06-04 19:51 -------- d-----w- c:\documents and settings\administrator.FLVE036XP\Application Data\Sibelius Software
2010-06-04 19:52 . 2010-06-04 19:52 604 ---ha-w- c:\program files\STLL Notifier
2010-06-04 19:52 . 2010-06-04 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Sibelius Software
2010-06-04 19:43 . 2010-06-04 19:43 -------- d-----w- c:\program files\Sibelius Software
2010-06-04 04:19 . 2010-06-04 04:19 -------- d-----w- c:\program files\uTorrent
2010-05-27 21:50 . 2010-05-27 21:50 503808 ----a-w- c:\documents and settings\administrator.FLVE036XP\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-75bdfdab-n\msvcp71.dll
2010-05-27 21:50 . 2010-05-27 21:50 348160 ----a-w- c:\documents and settings\administrator.FLVE036XP\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-75bdfdab-n\msvcr71.dll
2010-05-27 21:50 . 2010-05-27 21:50 499712 ----a-w- c:\documents and settings\administrator.FLVE036XP\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-75bdfdab-n\jmc.dll
2010-05-27 21:50 . 2010-05-27 21:50 61440 ----a-w- c:\documents and settings\administrator.FLVE036XP\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4ee271ba-n\decora-sse.dll
2010-05-27 21:50 . 2010-05-27 21:50 12800 ----a-w- c:\documents and settings\administrator.FLVE036XP\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4ee271ba-n\decora-d3d.dll
2010-05-05 07:13 . 2010-02-01 22:56 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-05-05 07:13 . 2010-02-01 22:56 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-29 22:39 . 2008-12-03 20:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2008-12-03 20:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\administrator.FLVE036XP\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\administrator.FLVE036XP\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\administrator.FLVE036XP\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Track-It! Workstation Manager Service Monitor"="c:\windows\TIREMOTE\TIServiceMonitor.exe" [2008-11-13 166912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2008-03-24 78848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 03:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-505972108-3705391025-456409159-1117\Scripts\Logon\0\0]
"Script"=Data Share Drive Mapper.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-505972108-3705391025-456409159-1196\Scripts\Logon\0\0]
"Script"=Data Share Drive Mapper.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-505972108-3705391025-456409159-1196\Scripts\Logon\0\1]
"Script"=\\Flveinfrp01\NETLOGON\profile.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^administrator.FLVE036XP^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\administrator.FLVE036XP\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LapNetWizard.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LapNetWizard.exe
backup=c:\windows\pss\LapNetWizard.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-10-01 16:57 111936 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]
2006-03-09 16:26 98304 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 00:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-12-13 21:41 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-12-13 21:45 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-12-13 21:44 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 20:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2006-10-31 06:03 284184 ----a-w- c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2006-11-16 02:58 746520 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-08-11 20:41 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2006-11-16 03:01 244512 ----a-w- c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-24 21:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
2002-12-16 20:51 36864 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
2003-03-31 23:28 155648 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-06-04 04:19 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Sony SCSI Helper Service"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"EngineServer"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\administrator.FLVE036XP\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 10:18 PM 36880]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 5:00 AM 26624]
R2 klnagent;Kaspersky Network Agent;c:\program files\Kaspersky Lab\NetworkAgent\klnagent.exe [9/22/2008 4:12 PM 94544]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 1:41 PM 12856]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [6/19/2008 8:05 AM 214016]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 5:00 AM 3712]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 3:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 8:39 PM 19472]
S2 gupdate1ca6fbc56eae590;Google Update Service (gupdate1ca6fbc56eae590);c:\program files\Google\Update\GoogleUpdate.exe [11/27/2009 4:50 PM 133104]
S3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [3/8/2006 5:53 PM 77952]
S3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [3/8/2006 5:53 PM 77952]
S3 PRSUSB;Sony Reader;c:\windows\system32\drivers\PRSUSB.sys [9/10/2007 10:55 AM 18944]
S4 EngineServer;EngineServer;"c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe" --> c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-23 c:\windows\Tasks\BBLACK_BACKUP.job
- c:\windows\system32\ntbackup.exe [2009-10-22 12:00]

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-27 23:49]

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-27 23:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
mStart Page = hxxp://www.att.net
DPF: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} - hxxp://www.blackberry.com/DST2007/patch/desktop/DSTUpdateLoaderUSB.cab
FF - ProfilePath - c:\documents and settings\administrator.FLVE036XP\Application Data\Mozilla\Firefox\Profiles\omf6my60.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - component: c:\documents and settings\All Users\Application Data\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-McAfee Managed Services Tray - c:\program files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\UninstFl.exe
AddRemove-SLABCOMM - c:\windows\system32\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-26 12:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A44EB4C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cfc3
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba7197b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578c34
ParseProcedure -> ntkrnlpa.exe @ 0x80577896
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578c34
ParseProcedure -> ntkrnlpa.exe @ 0x80577896
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\WININET.dll
c:\windows\system32\CSGina.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(976)
c:\windows\system32\WININET.dll
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(4664)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\documents and settings\administrator.FLVE036XP\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\windows\system32\DWRCS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2010-07-26 13:00:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-26 20:00

Pre-Run: 26,480,951,296 bytes free
Post-Run: 27,003,068,416 bytes free

- - End Of File - - 4F6AF114A66DCB1B30D0384979C64A76


Thanks in advance to whomever helps me fix this.
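The GMER lines in the post are inline-hook records: "Value:7C90D6EE 5 Bytes JMP 0094000A" means the first 5 bytes of ntdll.dll!NtProtectVirtualMemory (at 7C90D6EE) have been overwritten with a JMP to 0094000A. What an analyst wants from such a list is, per process, which API was patched and whether the jump lands inside a loaded module image or in unbacked memory (an injected trampoline, which is how both security products such as the Kaspersky suite on this machine and rootkits install themselves, so it has to be resolved against the live process's module list before drawing a conclusion). The Python below is an added example, not code from the post or from GMER: it parses lines in the format shown (tolerating the missing space in "JMP0095000A"), counts hooks per process and checks each target against a set of module address ranges. The sample lines are constructed from the post, and the module ranges are assumed values for a 32-bit XP SP3 box, not data from the poster's machine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input, modelled on the GMER lines quoted in the post above
# (same format; process names, PIDs and addresses follow that post). The last
# line is deliberately not a hook record and must be skipped by the parser.
SAMPLE_GMER_LINES = r"""
\system32\svchost.exe[568]ntdll.dll!NtProtectVirtualMemory Value:7C90D6EE 5 Bytes JMP 0094000A
\system32\svchost.exe[568]ntdll.dll!NtWriteVirtualMemory Value:7C90DFAE 5 Bytes JMP0095000A
\system32\svchost.exe[568]ole32.dll!CoCreateInstance Value:774FFAC3 5 Bytes JMP 00E7000A
\windows\explorer.exe[920]ntdll.dll!NtWriteVirtualMemory Value:7C90DFAE 5 Bytes JMP 00C1000A
this line is not a hook record and must be ignored
"""

# Assumed (hypothetical) module ranges for a 32-bit XP SP3 process. A real triage
# reads these from the process's own module list, not from a table like this.
ASSUMED_MODULE_RANGES: Dict[str, Tuple[int, int]] = {
    "ntdll.dll": (0x7C900000, 0x7C9AF000),
    "ole32.dll": (0x774E0000, 0x7761D000),
}

HOOK_RE = re.compile(
    r"^(?P<image>\S+?)\[(?P<pid>\d+)\]"          # \system32\svchost.exe[568]
    r"(?P<module>[^!\s]+)!(?P<function>\S+)"      # ntdll.dll!NtProtectVirtualMemory
    r"\s+Value:(?P<original>[0-9A-Fa-f]{8})"      # Value:7C90D6EE (address of the patched code)
    r"\s+(?P<size>\d+)\s+Bytes\s+JMP\s*"          # 5 Bytes JMP (space optional, as in the post)
    r"(?P<target>[0-9A-Fa-f]{8})\s*$"             # 0094000A (where the JMP lands)
)


@dataclass(frozen=True)
class InlineHook:
    image: str
    pid: int
    module: str
    function: str
    original: int   # address of the patched code inside the named module
    size: int       # number of bytes overwritten
    target: int     # destination of the injected JMP


def parse_gmer_hooks(text: str) -> List[InlineHook]:
    """Parse GMER 'N Bytes JMP' inline-hook lines; non-matching lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append(InlineHook(
            image=m["image"], pid=int(m["pid"]), module=m["module"],
            function=m["function"], original=int(m["original"], 16),
            size=int(m["size"]), target=int(m["target"], 16),
        ))
    return hooks


def hooks_per_process(hooks: List[InlineHook]) -> Dict[Tuple[str, int], int]:
    """Count hooks per (image, pid) so the analyst sees which processes were patched."""
    return dict(Counter((h.image, h.pid) for h in hooks))


def target_in_known_module(hook: InlineHook, ranges: Dict[str, Tuple[int, int]]) -> bool:
    """True when the JMP lands inside a listed module image; False when it lands in
    memory no listed module covers, i.e. a trampoline that must be attributed by
    inspecting the live process (security software and rootkits both hook this way)."""
    return any(lo <= hook.target < hi for lo, hi in ranges.values())


def patched_in_named_module(hook: InlineHook, ranges: Dict[str, Tuple[int, int]]) -> bool:
    """Sanity check: the patched address should lie inside the module GMER names."""
    lo, hi = ranges.get(hook.module, (0, 0))
    return lo <= hook.original < hi


def triage(text: str, ranges: Dict[str, Tuple[int, int]]) -> List[Dict[str, object]]:
    """One finding per hook: which process and API were patched, where the JMP goes,
    and whether that target is backed by a known module."""
    return [
        {
            "process": f"{h.image}[{h.pid}]",
            "hooked": f"{h.module}!{h.function}",
            "target": f"{h.target:08X}",
            "target_in_known_module": target_in_known_module(h, ranges),
            "patch_inside_named_module": patched_in_named_module(h, ranges),
        }
        for h in parse_gmer_hooks(text)
    ]


if __name__ == "__main__":
    print(hooks_per_process(parse_gmer_hooks(SAMPLE_GMER_LINES)))
    for finding in triage(SAMPLE_GMER_LINES, ASSUMED_MODULE_RANGES):
        print(finding)
```

On the sample lines every patch sits inside the module GMER names, and every JMP target (0094000A, 0095000A, 00E7000A, 00C1000A) lies outside the listed images, so each one is a trampoline that the analyst still has to attribute; the parser only tells you where to look, not who put it there.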


#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 August 2010 - 08:50 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
m0le is a proud member of UNITE

#3 brokenslug

brokenslug
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 06 August 2010 - 01:50 PM

Hi M0le,
I ended up taking this POS into a computer contractor for a complete system wipe since my work tends to be time sensitive. However, it still seems that I've got some issues. svchost is memory hogging but not slowing my computer. When I shut down, two programs whose names I can't read close. My google redirects are gone though so that's good.

I'm not sure what the hell is going on (if anything) but I will post this log anyway. Sorry to change it up on you but any info on what happened (so I can prevent it again) and what may still be going wrong is thoroughly appreciated.

Relevant New DDS log


DDS (Ver_10-03-17.01) - NTFSx86
Run by Tim Black at 13:46:31.84 on Fri 08/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1340 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Tim Black\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tim Black\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tim Black\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Works\wksss.exe
C:\PROGRA~1\MICROS~3\WkDStore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tim Black\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tim Black\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tim Black\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tim Black\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tim Black\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tim Black\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\tim black\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\timbla~1\applic~1\mozilla\firefox\profiles\ripklydw.default\
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 TDOEM;TDOEM;c:\windows\system32\drivers\TDOEM.SYS [2010-8-3 3996]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-3 136176]

=============== Created Last 30 ================

2010-08-06 16:53:55 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-08-06 16:53:55 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-08-05 18:53:31 780 ----a-w- c:\docume~1\timbla~1\applic~1\wklnhst.dat
2010-08-04 00:36:49 0 d-----w- c:\docume~1\timbla~1\applic~1\Malwarebytes
2010-08-04 00:36:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-04 00:36:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-04 00:36:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-04 00:36:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-03 22:48:23 0 d-----w- c:\windows\system32\appmgmt
2010-08-03 22:39:26 0 d-----w- c:\windows\pss
2010-08-03 22:35:45 0 d-----w- c:\program files\Windows Media Connect 2
2010-08-03 22:30:51 0 d-sh--w- c:\documents and settings\tim black\IETldCache
2010-08-03 22:29:17 61440 ----a-w- c:\windows\system32\KPower.dll
2010-08-03 22:29:17 307200 ----a-w- c:\windows\system32\BMAPI.dll
2010-08-03 22:29:17 172032 ----a-w- c:\windows\system32\NicConfigSvc.cpl
2010-08-03 22:29:16 0 d-----w- c:\program files\Dell
2010-08-03 22:29:09 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-08-03 22:28:53 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS
2010-08-03 22:27:19 0 d-sh--w- c:\documents and settings\tim black\IECompatCache
2010-08-03 22:27:05 0 d-sh--w- c:\documents and settings\tim black\PrivacIE
2010-08-03 22:22:11 95511 ----a-r- c:\windows\system32\Vxdif.dll
2010-08-03 22:22:11 113847 ----a-r- c:\windows\system32\drivers\Apfiltr.sys
2010-08-03 22:22:11 0 d-----w- c:\program files\Apoint
2010-08-03 22:21:29 0 d-----w- c:\program files\CONEXANT
2010-08-03 22:17:38 936960 ----a-w- c:\windows\system32\drivers\HSX_DPV.sys
2010-08-03 22:17:38 669696 ----a-w- c:\windows\system32\drivers\HSX_CNXT.sys
2010-08-03 22:17:38 192512 ----a-w- c:\windows\system32\drivers\HSXHWAZL.sys
2010-08-03 22:17:38 141497 ----a-w- c:\windows\system32\drivers\del1028.cty
2010-08-03 22:17:38 114688 ----a-w- c:\windows\system32\Uci32103.dll
2010-08-03 22:16:59 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-03 22:04:56 3996 ----a-w- c:\windows\system32\drivers\TDOEM.SYS
2010-08-03 22:04:56 0 d-----w- c:\program files\ThinkPad
2010-08-03 22:04:50 306688 ----a-w- c:\windows\IsUninst.exe
2010-08-03 21:41:59 7552 -c--a-w- c:\windows\system32\dllcache\mskssrv.sys
2010-08-03 21:41:33 0 d-----w- c:\program files\SigmaTel
2010-08-03 21:26:56 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-08-03 19:51:26 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-08-03 19:49:22 4444 ----a-w- c:\windows\system32\pid.PNF
2010-08-03 19:45:00 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2010-08-03 19:45:00 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-08-03 19:44:59 53376 ----a-w- c:\windows\system32\drivers\1394bus.sys
2010-08-03 19:41:52 6656 ----a-w- c:\windows\system32\c_is2022.dll

==================== Find3M ====================


============= FINISH: 13:46:51.10 ===============

Advice is appreciated on what caused the problem (first log) and any other issues you notice from this newer log.

Again...Thank You!!

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:49 PM

Posted 06 August 2010 - 02:29 PM

Sounds like the reinstall/reformat has taken care of the issue so let's first check that that is the case.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.


Then let's see if the svchost hog can be tracked down.

Please download Process Explorer

Please open Process Explorer.

Select the Svchost process that is using the high CPU.

Right click it and select Properties, then the Services tab.

Under Services Registered in Process, you will find the Service and Display name.

Please take note of what these are and include it in your next reply.

Edited by m0le, 06 August 2010 - 02:31 PM.

m0le is a proud member of UNITE
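The Process Explorer step above (find the busy svchost.exe, then read its Services tab) can also be done from a shell. The script below is an added example, not part of this thread or of any tool it mentions; it assumes Windows PowerShell 3.0 or later (Get-CimInstance), i.e. a newer Windows than the poster's XP box.

```powershell
# Added example: map one svchost.exe instance to the services it hosts,
# the same information Process Explorer shows under "Services Registered
# in Process". Assumes Windows PowerShell 3.0+ (Get-CimInstance).
param(
    [int]$TargetPid = 0   # 0 = pick the svchost.exe with the most CPU time used
)

if ($TargetPid -eq 0) {
    $TargetPid = (Get-Process -Name svchost |
                  Sort-Object CPU -Descending |
                  Select-Object -First 1).Id
}

$proc = Get-CimInstance Win32_Process -Filter "ProcessId = $TargetPid"
"Process $TargetPid : $($proc.ExecutablePath)"
"Command line : $($proc.CommandLine)"

# Every service whose ProcessId equals the target is hosted in this instance.
$hosted = Get-CimInstance Win32_Service -Filter "ProcessId = $TargetPid" |
          Select-Object Name, DisplayName, State, StartMode, PathName

$hosted | Format-Table -AutoSize

# Two checks a responder makes before calling such a list "legit":
# 1. the host binary must be the genuine svchost.exe under System32
$expectedHost = Join-Path $env:SystemRoot 'System32\svchost.exe'
if ($proc.ExecutablePath -ne $expectedHost) {
    Write-Warning "Host binary is not $expectedHost"
}
# 2. each hosted service must itself be registered to run inside svchost
#    (PathName like "...\svchost.exe -k netsvcs"), not as a stand-alone
#    executable that merely reports the same PID
foreach ($svc in $hosted) {
    if ($svc.PathName -notmatch 'svchost\.exe') {
        Write-Warning "$($svc.Name) has a non-svchost path: $($svc.PathName)"
    }
}
```

On Windows XP itself, `tasklist /svc /fi "PID eq <pid>"` gives the same service-to-PID mapping without PowerShell, though without the display names or the path checks.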

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:49 PM

Posted 08 August 2010 - 06:57 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#6 brokenslug

brokenslug
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 09 August 2010 - 10:31 AM

Apologies,
I will run that first step tonight and post results. I'm flying across country.

Thanks again.

#7 brokenslug

brokenslug
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 10 August 2010 - 01:08 PM

Hey Mole,
Here is the MBR Log


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 133):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBADA8000 \WINDOWS\system32\KDCOM.DLL
0xBACB8000 \WINDOWS\system32\BOOTVID.dll
0xBA779000 ACPI.sys
0xBADAA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xBA768000 pci.sys
0xBA8A8000 isapnp.sys
0xBACBC000 compbatt.sys
0xBACC0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBAE70000 pciide.sys
0xBAB28000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xBADAC000 intelide.sys
0xBA74A000 pcmcia.sys
0xBA8B8000 MountMgr.sys
0xBA72B000 ftdisk.sys
0xBAB30000 PartMgr.sys
0xBA8C8000 VolSnap.sys
0xBA713000 atapi.sys
0xBAB38000 cercsr6.sys
0xBA6FB000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xBA8D8000 disk.sys
0xBA8E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xBA6DB000 fltmgr.sys
0xBA6C9000 sr.sys
0xBA6B2000 KSecDD.sys
0xBA625000 Ntfs.sys
0xBA5F8000 NDIS.sys
0xBA8F8000 ohci1394.sys
0xBA908000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA5DE000 Mup.sys
0xBA978000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBAA48000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBAD64000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBAD68000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xBA3EC000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xBA3D8000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA3B0000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA20E000 \SystemRoot\system32\DRIVERS\NETw3x32.sys
0xBABD0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xBA1EA000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBABD8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA1D6000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xBAA58000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA1BB000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xBABE0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBABE8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBAA68000 \SystemRoot\system32\DRIVERS\serial.sys
0xBAD70000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA1A7000 \SystemRoot\system32\DRIVERS\parport.sys
0xBAFC4000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBAA78000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBAD74000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xBA190000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBAA88000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBAA98000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBABF0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xBA157000 \SystemRoot\system32\DRIVERS\psched.sys
0xBAAA8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBAC00000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBAC08000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA127000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBAAB8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBADC6000 \SystemRoot\system32\DRIVERS\swenum.sys
0xBA104000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA0A6000 \SystemRoot\system32\DRIVERS\update.sys
0xBAD90000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBAAC8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA9EAE000 \SystemRoot\system32\drivers\sthda.sys
0xA9E8A000 \SystemRoot\system32\drivers\portcls.sys
0xBAAE8000 \SystemRoot\system32\drivers\drmk.sys
0xA9E50000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0xA9D59000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0xA9CA3000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xBAC10000 \SystemRoot\System32\Drivers\Modem.SYS
0xBAB18000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBADCA000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBADF0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBAF91000 \SystemRoot\System32\Drivers\Null.SYS
0xBADF2000 \SystemRoot\System32\Drivers\Beep.SYS
0xBAC50000 \SystemRoot\System32\drivers\vga.sys
0xBADF4000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBADF6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBAC58000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBAC60000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA170000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA9BA8000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA9B4F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA9B27000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA9B05000 \SystemRoot\System32\drivers\afd.sys
0xBA9A8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBAC68000 \SystemRoot\System32\drivers\TDOEM.SYS
0xA9ADA000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA9A6A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA9D8000 \SystemRoot\System32\Drivers\Fips.SYS
0xA9A44000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA9E8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA08A000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xBA9F8000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xBAC98000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xBAA18000 \SystemRoot\system32\DRIVERS\usbccid.sys
0xBAD5C000 \SystemRoot\system32\DRIVERS\SMCLIB.SYS
0xBAA28000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBAA38000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xA9C93000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBACA8000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xA9A04000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBAE16000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA9BD7000 \SystemRoot\System32\drivers\Dxapi.sys
0xBAB58000 \SystemRoot\System32\watchdog.sys
0xBF9C3000 \SystemRoot\System32\drivers\dxg.sys
0xBAFC0000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9E3000 \SystemRoot\System32\ialmdnt5.dll
0xBF9D5000 \SystemRoot\System32\ialmrnt5.dll
0xBFA05000 \SystemRoot\System32\ialmdev5.DLL
0xBFA3A000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA9904000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA95B7000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9764000 \SystemRoot\system32\drivers\sysaudio.sys
0xA91C4000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA91C0000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA9309000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA905A000 \SystemRoot\system32\DRIVERS\srv.sys
0xA8C81000 \SystemRoot\System32\Drivers\HTTP.sys
0xBAB40000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xA8C2D000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA9614000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBAB60000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xA8C29000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA8936000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 46):
0 System Idle Process
4 System
588 C:\WINDOWS\system32\smss.exe
656 csrss.exe
684 C:\WINDOWS\system32\winlogon.exe
728 C:\WINDOWS\system32\services.exe
740 C:\WINDOWS\system32\lsass.exe
892 C:\WINDOWS\system32\svchost.exe
968 svchost.exe
1004 C:\WINDOWS\system32\svchost.exe
1052 svchost.exe
1160 svchost.exe
1428 C:\WINDOWS\explorer.exe
1528 C:\WINDOWS\system32\spoolsv.exe
1576 scardsvr.exe
1772 C:\Program Files\iTunes\iTunesHelper.exe
1892 C:\WINDOWS\system32\hkcmd.exe
1908 C:\WINDOWS\system32\igfxpers.exe
1916 C:\WINDOWS\stsystra.exe
1924 C:\Program Files\Apoint\Apoint.exe
1932 C:\Program Files\Dell\QuickSet\quickset.exe
1940 C:\WINDOWS\system32\rundll32.exe
1948 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1956 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
128 C:\WINDOWS\system32\igfxsrvc.exe
448 C:\Program Files\Apoint\hidfind.exe
456 C:\Program Files\Apoint\ApntEx.exe
616 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
652 C:\Program Files\Bonjour\mDNSResponder.exe
664 svchost.exe
1100 C:\Program Files\Java\jre6\bin\jqs.exe
1216 C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
1268 C:\Program Files\CyberLink\Shared files\RichVideo.exe
2092 C:\Program Files\iPod\bin\iPodService.exe
2280 C:\WINDOWS\system32\wscntfy.exe
2308 wmiprvse.exe
2432 alg.exe
3080 C:\WINDOWS\system32\wuauclt.exe
3884 C:\WINDOWS\system32\wuauclt.exe
148 C:\WINDOWS\system32\svchost.exe
1460 C:\Documents and Settings\Tim Black\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2644 C:\Documents and Settings\Tim Black\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2840 C:\Documents and Settings\Tim Black\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3036 C:\Documents and Settings\Tim Black\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3148 C:\Documents and Settings\Tim Black\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2752 C:\Documents and Settings\Tim Black\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK6008GAH, Rev: BU011A

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

And I ran the process explorer.
The main svchost that takes up so much memory is running all of the following processes:
AudioSrv
BITS
Browser
CryptSvc
Dhcp
ERSsrvc
EventSystem
FastUserSwitchingCompatibility
helpsvc
lanmanserver
lanmanworkstation
netman
Nla
RasMan
Schedule
seclogon
SENS
Sharedaccess
ShellHWDetection
srservice
TapiSrv
Themes
TrkWks
W32time
winmgmt
wcssvc
wuauserv
WZCSVC

Let me know if you need me to look up any other information.

Thanks

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:49 PM

Posted 10 August 2010 - 04:56 PM

The MBRCheck was fine and the processes on svchost were also legit.


Please run Combofix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

m0le is a proud member of UNITE

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:49 PM

Posted 14 August 2010 - 06:43 PM

Are you still there, brokenslug?
m0le is a proud member of UNITE