Infected XP - svchost.exe using 50% of CPU


44 replies to this topic

#1 gjbnc


Posted 08 September 2010 - 07:08 PM

After running for a few minutes, CPU usage starts to be consumed by various services. It can bounce from service to service.

Cannot connect to update.microsoft.com or post to bleepingcomputer.com; a "The connection was reset" message is displayed.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Jerry at 19:46:04.00 on Tue 09/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1385 [GMT -4:00]

AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe
C:\WINDOWS\system32\RAMAsst.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Jerry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - c:\program files\microsoft visual studio 10.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Web Test Recorder 10.0: {5802d092-1784-4908-8cdb-99b6842d353d} - mscoree.dll
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT .exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\common files\panasonic\photofunstudio autostart\AutoStartupService.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMAsst.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {070DC617-E3B7-468B-A29C-D4E84FAE938C} - hxxp://utilities.pcpitstop.com/pctuneup2/controls/pctuneup.cab
DPF: {115B1886-2AE0-4259-9FE4-E32A5DEE5451} - hxxp://www.wowweesupport.com/download/rovio/WebSee_4.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280660640796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://camera.thruhere.net:1024/activex/AxisCamControl.ocx
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://datafirstcorp.webex.com/client/T27L/webex/ieatgpc.cab
DPF: {F5131C24-E56D-11CF-B78A-444553540000} - hxxps://wc.wachovia.com/common/cab/ikcntrls.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {756A596A-A32E-4493-BB4F-B69B287A4BC4} = 24.25.5.150,24.25.5.149
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LMIinit - LMIinit.dll
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: derahoru.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\progra~1\dvdidl~1\DVDShell.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Notification Packages = scecli hefewewu.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jerry\applic~1\mozilla\firefox\profiles\6efy31hm.default\
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11221&client_id=fed5eb387af8c8968451bb14&camp_id=602&install_time=2010-02-03T00:31:56Z&tb_version=2.4.0000%28F%29&pr=auto&q=
FF - plugin: c:\documents and settings\jerry\application data\mozilla\firefox\profiles\6efy31hm.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 psecbdr;psecbdr;c:\windows\system32\drivers\psecbdr.sys [2008-12-5 16896]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2009-1-27 7040]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-8-25 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-13 98392]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-8-23 212568]
R2 CVPNDRV;Cisco Systems IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [2007-3-9 263751]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-6-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-3 47640]
R2 SBAMSvc;VIPRE Antivirus;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-8-20 2763080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-8-25 69976]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-8-20 181584]
R3 usbkey;USB Dongle;c:\windows\system32\drivers\USBkey.sys [2008-3-22 30168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9d98562c3f23a;Google Update Service (gupdate1c9d98562c3f23a);c:\program files\google\update\GoogleUpdate.exe [2009-5-20 133104]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2009-1-27 17792]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-3-9 141752]
S3 VSPerfDrv;Performance Tools Driver;c:\program files\microsoft visual studio 8\team tools\performance tools\VSPerfDrv.sys [2006-12-2 48128]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\microsoft visual studio 10.0\team tools\performance tools\VSPerfDrv100.sys [2009-12-8 48128]
S3 vusbser;Rovio ARM-Based MCU driver;c:\windows\system32\drivers\vusbser.sys [2009-1-26 30208]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 24365]
S4 DFSV;DFSV;c:\fl\bin\DFSV.exe [2007-3-16 1482824]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2010-09-07 23:04:30 0 ----a-w- c:\documents and settings\jerry\defogger_reenable
2010-09-07 21:14:21 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-09-07 19:35:13 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-09-06 04:06:42 10493952 ----a-w- c:\windows\sectest.db
2010-08-27 14:27:49 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-26 00:42:03 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-08-26 00:41:59 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-08-23 14:38:29 0 d-----w- c:\docume~1\jerry\applic~1\Sunbelt
2010-08-23 14:38:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt
2010-08-23 14:36:49 212568 ----a-w- c:\windows\system32\drivers\sbtis.sys
2010-08-22 00:00:36 48 ----a-w- c:\windows\wininit.ini
2010-08-21 09:51:41 112 ----a-w- c:\docume~1\alluse~1\applic~1\4uOMvSoo.dat
2010-08-20 13:18:40 27984 ----a-w- c:\windows\system32\sbbd.exe

==================== Find3M ====================

2010-09-07 23:43:34 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-09-07 23:43:32 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-08-01 19:46:16 3350 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-08-01 19:46:00 8 --sh--r- c:\docume~1\alluse~1\applic~1\28E446047D.sys
2010-08-01 18:28:40 107 ----a-w- c:\docume~1\jerry\applic~1\netstat.bat
2010-07-28 20:03:53 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-07-28 20:03:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-06-30 10:26:43 286720 ------w- c:\windows\Setup1.exe
2009-04-06 13:37:27 0 ----a-w- c:\program files\common files\PrevConfig.ini
2008-03-22 21:23:56 2636 ----a-w- c:\windows\inf\Usb_inf.zip
2008-03-22 12:22:20 30924 ----a-w- c:\windows\inf\USBkey.sys
2007-05-21 02:20:20 965 ----a-w- c:\program files\INSTALL.LOG

============= FINISH: 19:47:26.75 ===============

Searching on the Internet has identified my problem as the Go.Google.com virus.

I found a recommended product, StopZilla, but it did not cure the problem.


I have now added the ComboFix log.

ComboFix 10-09-11.02 - Jerry 09/11/2010 20:02:28.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1535 [GMT -4:00]
Running from: c:\documents and settings\Jerry\Desktop\ComboFix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jerry\g2mdlhlpx.exe
c:\program files\INSTALL.LOG
C:\Thumbs.db
c:\windows\jestertb.dll
c:\windows\system\VI30AUT.DLL
c:\windows\system32\3649561.exe
c:\windows\system32\Cache
c:\windows\system32\Install.txt

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-08-12 to 2010-09-12 )))))))))))))))))))))))))))))))
.

2010-09-11 23:57 . 2010-09-12 00:02 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-09-11 15:56 . 2010-09-11 15:56 16384 ---ha-w- C:\SZKGFS.dat
2010-09-11 15:54 . 2010-09-11 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-09-11 15:53 . 2010-09-11 15:53 -------- d-----w- c:\program files\STOPzilla!
2010-09-11 15:53 . 2010-09-11 15:53 -------- d-----w- c:\program files\Common Files\iS3
2010-09-11 15:53 . 2010-09-12 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-09-09 20:42 . 2009-07-27 23:17 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2010-09-09 20:30 . 2010-09-09 20:30 -------- d-----r- c:\program files\Skype
2010-09-09 20:29 . 2010-09-09 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-09-09 20:28 . 2010-09-09 20:29 -------- d-----w- c:\program files\WinZip14
2010-09-07 21:16 . 2010-09-07 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-07 21:14 . 2010-09-07 21:15 80770088 ----a-w- c:\documents and settings\All Users\Application Data\PC Tools\DownloadManager\Spyware Doctor with AntiVirus8.0\sdasetup_dl.exe
2010-09-07 21:14 . 2010-09-07 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-09-07 19:36 . 2009-02-09 12:10 714752 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\_enviewlist.dll
2010-09-07 19:36 . 2009-02-09 12:10 617472 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\_entreelist.dll
2010-09-01 14:37 . 2010-01-25 15:58 462848 ----a-w- c:\documents and settings\Jerry\Application Data\Mozilla\Firefox\Profiles\6efy31hm.default\extensions\LogMeInClient@logmein.com\plugins\ractrlkeyhook.dll
2010-09-01 14:37 . 2010-01-15 18:25 864256 ----a-w- c:\documents and settings\Jerry\Application Data\Mozilla\Firefox\Profiles\6efy31hm.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianDll.dll
2010-09-01 14:37 . 2010-01-15 18:25 315392 ----a-w- c:\documents and settings\Jerry\Application Data\Mozilla\Firefox\Profiles\6efy31hm.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianEvt.dll
2010-09-01 14:37 . 2010-01-15 18:25 372736 ----a-w- c:\documents and settings\Jerry\Application Data\Mozilla\Firefox\Profiles\6efy31hm.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardian.exe
2010-09-01 14:37 . 2010-06-01 15:44 3907584 ----a-w- c:\documents and settings\Jerry\Application Data\Mozilla\Firefox\Profiles\6efy31hm.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
2010-09-01 14:37 . 2010-01-15 18:26 70984 ----a-w- c:\documents and settings\Jerry\Application Data\Mozilla\Firefox\Profiles\6efy31hm.default\extensions\LogMeInClient@logmein.com\plugins\LMIProxyHelper.exe
2010-08-29 00:20 . 2010-08-29 13:44 -------- d-----w- c:\documents and settings\Jerry\Application Data\vlc
2010-08-27 14:27 . 2010-08-27 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-26 00:42 . 2010-06-14 18:54 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-08-26 00:41 . 2010-06-14 18:54 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-08-23 14:38 . 2010-08-23 14:38 -------- d-----w- c:\documents and settings\Jerry\Application Data\Sunbelt
2010-08-23 14:38 . 2010-08-23 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-08-23 14:36 . 2010-07-27 08:48 212568 ----a-w- c:\windows\system32\drivers\sbtis.sys
2010-08-21 11:12 . 2010-08-22 13:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-21 09:49 . 2010-08-21 09:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\LogMeIn
2010-08-20 21:57 . 2010-08-20 21:57 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-20 21:44 . 2010-08-20 21:44 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-20 13:18 . 2010-08-20 13:18 27984 ----a-w- c:\windows\system32\sbbd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-12 00:16 . 2010-09-12 00:16 288 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-09-12 00:12 . 2009-06-28 21:22 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-09-12 00:12 . 2009-06-28 21:21 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-09-11 22:49 . 2010-04-29 12:41 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-11 20:33 . 2007-12-16 19:57 -------- d-----w- c:\program files\AVIConverter
2010-09-11 15:59 . 2009-06-28 21:36 -------- d-----w- c:\documents and settings\Jerry\Application Data\Skype
2010-09-11 14:44 . 2006-12-30 21:22 -------- d-----w- c:\program files\LogMeIn
2010-09-09 20:30 . 2009-06-28 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-09-07 20:52 . 2010-04-24 13:12 5805508 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1757981266-1085031214-839522115-1003-0.dat
2010-09-07 20:52 . 2010-04-24 13:12 374638 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2010-09-07 20:47 . 2010-09-07 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-09-07 13:59 . 2006-12-27 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-06 15:06 . 2006-12-27 14:53 143280 ----a-w- c:\documents and settings\Jerry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-29 13:23 . 2009-05-23 03:17 -------- d-----w- c:\documents and settings\Jerry\Application Data\dvdcss
2010-08-29 08:06 . 2010-04-13 15:35 -------- d-----w- c:\program files\PDFCreator
2010-08-29 01:03 . 2009-05-23 04:10 -------- d-----w- c:\program files\Xilisoft
2010-08-27 15:47 . 2010-05-14 21:52 -------- d-----w- c:\program files\QuickTime
2010-08-24 13:08 . 2008-12-03 23:27 -------- d-----w- c:\documents and settings\Jerry\Application Data\Uniblue
2010-08-22 23:04 . 2010-01-21 22:34 -------- d-----w- c:\program files\CA
2010-08-22 23:04 . 2010-01-21 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2010-08-22 22:25 . 2009-08-29 16:04 -------- d-----w- c:\program files\Vuze
2010-08-22 12:46 . 2010-07-28 19:57 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-08-22 12:46 . 2010-07-28 19:56 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2010-08-22 12:46 . 2009-01-27 17:05 -------- d-----w- c:\program files\TurboHddUsb
2010-08-21 23:15 . 2010-08-21 09:51 112 ----a-w- c:\documents and settings\All Users\Application Data\4uOMvSoo.dat
2010-08-20 20:00 . 2009-06-28 21:38 -------- d-----w- c:\documents and settings\Jerry\Application Data\skypePM
2010-08-01 19:47 . 2010-08-01 19:09 -------- d-----w- c:\documents and settings\Jerry\Application Data\Ulead Systems
2010-08-01 19:46 . 2010-08-01 19:46 -------- d-----w- c:\documents and settings\Jerry\Application Data\Corel
2010-08-01 19:46 . 2010-08-01 19:45 3350 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-08-01 19:46 . 2010-08-01 19:45 3350 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-08-01 19:46 . 2010-08-01 19:46 8 --sh--r- c:\documents and settings\All Users\Application Data\28E446047D.sys
2010-08-01 19:46 . 2010-08-01 19:46 8 --sh--r- c:\documents and settings\All Users\Application Data\28E446047D.sys
2010-08-01 19:07 . 2010-08-01 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2010-08-01 19:07 . 2006-12-27 15:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-01 19:07 . 2010-08-01 19:06 -------- d-----w- c:\program files\SmartSound Software
2010-08-01 19:01 . 2010-08-01 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\InterVideo
2010-08-01 19:00 . 2010-08-01 19:00 -------- d-----w- c:\program files\Corel
2010-08-01 19:00 . 2010-08-01 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-08-01 18:59 . 2010-08-01 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-08-01 18:47 . 2010-08-01 18:47 -------- d-----w- c:\program files\Common Files\Protexis
2010-08-01 18:47 . 2010-08-01 18:47 -------- d-----w- c:\program files\Common Files\Corel
2010-08-01 18:44 . 2010-08-01 18:44 -------- d-----w- c:\program files\Windows Media Components
2010-08-01 18:44 . 2010-08-01 18:44 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-08-01 18:28 . 2010-08-01 18:28 107 ----a-w- c:\documents and settings\Jerry\Application Data\netstat.bat
2010-08-01 18:28 . 2010-08-01 18:28 107 ----a-w- c:\documents and settings\Jerry\Application Data\netstat.bat
2010-08-01 16:36 . 2010-08-01 16:36 -------- d-----w- c:\program files\Sunbelt Software
2010-08-01 14:55 . 2009-11-13 18:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-01 14:55 . 2010-08-01 14:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-01 11:42 . 2010-04-25 22:28 -------- d-----w- c:\program files\Windows Desktop Search
2010-08-01 11:21 . 2010-08-01 11:21 -------- d-----w- c:\program files\MSXML 4.0
2010-07-30 17:50 . 2010-07-30 17:50 -------- d-----w- c:\documents and settings\Jerry\Application Data\Windows Search
2010-07-28 20:03 . 2010-07-28 20:03 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-07-28 20:03 . 2010-07-28 20:03 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-07-20 23:48 . 2009-09-27 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-14 06:16 . 2010-06-28 16:10 -------- d-----w- c:\program files\DotNet Documentation Tool
2010-06-30 10:26 . 2007-01-06 17:51 286720 ------w- c:\windows\Setup1.exe
2010-06-29 14:22 . 2010-04-24 05:42 2471424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2010-06-25 17:18 . 2010-06-25 17:18 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-06-22 21:58 . 2010-06-22 21:58 2812928 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191916-191106.dll
2010-06-22 21:57 . 2010-01-18 22:27 243032 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2010-06-14 14:31 . 2006-12-27 02:49 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2009-04-06 13:37 . 2009-04-06 13:37 0 ----a-w- c:\program files\Common Files\PrevConfig.ini
2008-02-28 18:30 . 2006-12-30 21:11 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2008-02-28 18:33 . 2006-12-30 21:11 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.
CODE
<pre>
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT                                                                                                                                                                                                   .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Ahead\Lib\NeroCheck .exe
c:\program files\Common Files\Corel\Standby\Standby .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Logitech\Logitech WebCam Software\LWS .exe
c:\program files\LogMeIn\x86\LogMeInSystray .exe
c:\program files\Microsoft IntelliPoint\ipoint .exe
c:\program files\Microsoft IntelliType Pro\itype .exe
c:\program files\Microsoft Office\Office14\BCSSync .exe
c:\program files\Nero\Nero 7\InCD\InCD .exe
c:\program files\Nero\Nero 7\InCD\NBHGui .exe
c:\program files\QuickTime\qttask                                                                                                                                                                                                                    .exe
c:\program files\Sunbelt Software\VIPRE\SBAMTray .exe
c:\program files\TurboHddUsb\TurboHddUsb .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT .exe" [2007-05-21 124512]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-08-20 1348944]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PHOTOfunSTUDIO 5.1 HD Edition.lnk - c:\program files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe [2010-5-14 172544]
RAMASST.lnk - c:\windows\system32\RAMAsst.exe [2008-12-5 167936]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDIDL~1\DVDShell.dll" [2004-10-09 49152]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-09 17:20 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-05-29 16:00 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\_Sites\\Swedish\\DFSpooler.exe"=
"c:\\Program Files\\xerox\\NetworkScan\\NSCSysUI_XEROX.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"d:\\DFNet\\Products\\DFAutoRoute\\DFDS\\bin\\Debug\\DFAutoRoute.exe"=
"d:\\DFNet\\Migration\\QRSpoolers\\QRMigration\\QR_ReadSpooler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WowWee\\Rovio\\Rovio finder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Western Digital\\WD Discovery Software\\WD Discovery.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\HermeTech\\UltraPort Router\\UltraHL7_RouterConfig.exe"=
"c:\\Program Files\\HermeTech\\UltraPort Listener\\UltraHL7_ListenerConfig.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\WowWee\\Rovio2\\Rovio Finder.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Visual Studio\\VB98\\VB6.EXE"=
"d:\\DFNet\\Products\\DFAutoRoute\\DFDS\\bin\\Debug\\DFAutoRoute.vshost.exe"=
"d:\\DF2008\\Tools\\HL7Router\\ExampleVB.Net.Applications\\Listener Proxy Toolkit\\TestListenerProxy\\bin\\Release\\TestListenerProxy.vshost.exe"=
"d:\\DFNet\\Migration\\QRSpoolers\\QRMigration\\QR_ReadSpooler.vshost.exe"=
"d:\\DF2010\\Products\\DFDS20SqlServer\\DFDS\\bin\\Debug\\DFDS.vshost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"4500:UDP"= 4500:UDP:IPsec (IKE NAT-T)
"500:UDP"= 500:UDP:IPsec (IKE)
"135:TCP"= 135:TCP:RPC Endpoint Mapper and DCOM infrastructure
"15716:TCP"= 15716:TCP:*:Disabled:spport
"13226:TCP"= 13226:TCP:*:Disabled:spport
"16534:TCP"= 16534:TCP:*:Disabled:spport
"24058:TCP"= 24058:TCP:*:Disabled:spport
"20871:TCP"= 20871:TCP:*:Disabled:spport
"11809:TCP"= 11809:TCP:*:Disabled:spport

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2/24/2010 3:06 PM 173328]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [1/27/2009 1:05 PM 7040]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [8/25/2010 8:41 PM 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/13/2010 7:56 AM 98392]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [8/23/2010 10:36 AM 212568]
R2 CVPNDRV;Cisco Systems IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [3/9/2007 7:46 PM 263751]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [6/3/2007 5:46 PM 12856]
R2 SBAMSvc;VIPRE Antivirus;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [8/20/2010 9:16 AM 2763080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [8/25/2010 8:42 PM 69976]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [8/20/2010 9:15 AM 181584]
R3 usbkey;USB Dongle;c:\windows\system32\drivers\USBkey.sys [3/22/2008 5:20 PM 30168]
S0 dekevh;dekevh;c:\windows\system32\drivers\cfxriy.sys --> c:\windows\system32\drivers\cfxriy.sys [?]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
S0 psecbdr;psecbdr;c:\windows\system32\drivers\psecbdr.sys [12/5/2008 11:27 AM 16896]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9d98562c3f23a;Google Update Service (gupdate1c9d98562c3f23a);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2009 3:58 PM 133104]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [1/27/2009 1:05 PM 17792]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 VSPerfDrv;Performance Tools Driver;c:\program files\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys [12/2/2006 3:10 AM 48128]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [12/8/2009 9:24 PM 48128]
S3 vusbser;Rovio ARM-Based MCU driver;c:\windows\system32\drivers\vusbser.sys [1/26/2009 9:34 PM 30208]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 DFSV;DFSV;c:\fl\Bin\DFSV.exe [3/16/2007 8:38 PM 1482824]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 21:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-10 c:\windows\Tasks\AutoBack.job
- d:\autoback\AutoBack.exe [2010-01-15 15:01]

2010-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-20 19:58]

2010-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-20 19:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: {756A596A-A32E-4493-BB4F-B69B287A4BC4} = 24.25.5.150,24.25.5.149
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
DPF: {070DC617-E3B7-468B-A29C-D4E84FAE938C} - hxxp://utilities.pcpitstop.com/pctuneup2/controls/pctuneup.cab
DPF: {115B1886-2AE0-4259-9FE4-E32A5DEE5451} - hxxp://www.wowweesupport.com/download/rovio/WebSee_4.0.cab
FF - ProfilePath - c:\documents and settings\Jerry\Application Data\Mozilla\Firefox\Profiles\6efy31hm.default\
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11221&client_id=fed5eb387af8c8968451bb14&camp_id=602&install_time=2010-02-03T00:31Z&tb_version=2.4.0000%28F%29&pr=auto&q=
FF - plugin: c:\documents and settings\Jerry\Application Data\Mozilla\Firefox\Profiles\6efy31hm.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\progra~1\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-TPSvc - TPSvc.dll
SafeBoot-ounwqcy32



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-11 20:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(7248)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\System32\DVDRAMSV.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\SearchProtocolHost.exe
c:\program files\STOPzilla!\STOPzilla.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-09-11 20:21:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-12 00:21

Pre-Run: 11,981,733,888 bytes free
Post-Run: 15,127,744,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - CCCC75DCBF8E564ECF9CCC18C2AE133F

EDIT: Posts merged ~BP

Edited by Budapest, 12 September 2010 - 05:53 PM.



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:59 AM

Posted 15 September 2010 - 07:36 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 gjbnc

gjbnc
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:59 AM

Posted 17 September 2010 - 06:28 AM

m0le,

Your reputation precedes you and thanks for your assistance with my problem.

I have successfully removed the Alureon.H virus from my computer after struggling with its effects for over 2 months. Here is the link to the blog that put me on the right path to removing this terrible virus.

http://social.answers.microsoft.com/Forums...5b-afa6007c3b43

This works very well but I highly recommend regular scans of your system thereafter.

Sincerely,
gjbnc


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:59 AM

Posted 17 September 2010 - 04:01 PM

QUOTE
Your reputation precedes you


Does it really? I hope it's a good reputation...


Does this mean that you are happy for the topic to be closed? Sorry, it's not clear if the Alureon issue was/is the only thing going on.
m0le is a proud member of UNITE

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:59 AM

Posted 20 September 2010 - 10:41 AM

Last chance, gjbnc
m0le is a proud member of UNITE

#6 gjbnc

gjbnc
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:59 AM

Posted 20 September 2010 - 02:17 PM

m0le,

Thanks for reviewing my posted documents.

If you feel there may be other issues then I am anxious to have any assistance you would be able to offer.

I am all ears and ready to proceed as per your direction.

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:59 AM

Posted 20 September 2010 - 03:11 PM

Please run Combofix and post the log. The log posted shows a file infector was active, let's see if it's still there.
m0le is a proud member of UNITE

#8 gjbnc

gjbnc
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:59 AM

Posted 20 September 2010 - 03:31 PM

m0le,

OK, I am on it.

#9 gjbnc

gjbnc
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:59 AM

Posted 20 September 2010 - 04:23 PM

m0le,

I use VIPRE and StopZilla in real time and periodically Malwarebytes. They do identify and resolve several REG key issues, popups and bad files. I wonder if I still have some issues or it is common to have these tools always finding things. My office system is equipped with Symantec and I rarely see an issue there.

I attached the ComboFix log, which was run in SAFE mode, because it is 31k in size.


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:59 AM

Posted 20 September 2010 - 04:50 PM

Let's deal with the file infector first.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

CODE
RenV::
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT                                                                                                                                                                                                   .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Ahead\Lib\NeroCheck .exe
c:\program files\Common Files\Corel\Standby\Standby .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Logitech\Logitech WebCam Software\LWS .exe
c:\program files\LogMeIn\x86\LogMeInSystray .exe
c:\program files\Microsoft IntelliPoint\ipoint .exe
c:\program files\Microsoft IntelliType Pro\itype .exe
c:\program files\Microsoft Office\Office14\BCSSync .exe
c:\program files\Nero\Nero 7\InCD\InCD .exe
c:\program files\Nero\Nero 7\InCD\NBHGui .exe
c:\program files\QuickTime\qttask                                                                                                                                                                                                                    .exe
c:\program files\Sunbelt Software\VIPRE\SBAMTray .exe
c:\program files\TurboHddUsb\TurboHddUsb .exe


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
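The RenV:: list in the post above covers executables that the ComboFix log shows under a "name .exe" spelling (whitespace between the base name and the extension), and the first log's "S0 dekevh" entry points at a driver image that no longer exists on disk ("[?]"). The Python below is an added example, not code from this thread, from ComboFix or from its author: it applies both checks to constructed input and emits the RenV:: section in the form m0le posted. The sample paths are copied from the list above; the service lines are constructed to match the log's R0/S0 line format; the regular expressions are this example's own approximation of those formats, not ComboFix's parser, and may need adjusting for other logs.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: paths copied from the RenV:: list in this thread,
# plus two clean paths so the check has something to leave alone.
SAMPLE_PATHS = [
    r"c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe",
    r"c:\program files\QuickTime\qttask                .exe",
    r"c:\program files\Sunbelt Software\VIPRE\SBAMTray .exe",
    r"c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe",
    r"c:\windows\system32\calc.exe",
]

# Constructed sample input in the ComboFix service-line format seen in the log
# (R/S = running/stopped, digit = start type, then name;display;path [date size]).
SAMPLE_SERVICES = r"""
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
S0 dekevh;dekevh;c:\windows\system32\drivers\cfxriy.sys --> c:\windows\system32\drivers\cfxriy.sys [?]
R2 SBAMSvc;VIPRE Antivirus;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [8/20/2010 9:16 AM 2763080]
"""

# A file name whose stem ends in whitespace right before the extension.
COMPANION_RE = re.compile(r"^(?P<stem>.*\S)\s+(?P<ext>\.[A-Za-z0-9]{1,4})$")

# Assumed approximation of the ComboFix service line; "[?]" marks a missing file.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?:\s+-->\s+(?P<target>.+?))?\s+\[(?P<info>[^\]]*)\]$"
)


def find_companion_renames(paths):
    """Map each 'name .exe' path to the spelling without the padding,
    which is the rename that a RenV:: section asks ComboFix to perform."""
    renamed = {}
    for p in paths:
        win = PureWindowsPath(p)
        m = COMPANION_RE.match(win.name)
        if m:
            renamed[p] = str(win.with_name(m["stem"] + m["ext"]))
    return renamed


def build_renv_script(renamed):
    """Emit a CFScript RenV:: section listing the padded paths, one per line."""
    return "RenV::\n" + "\n".join(sorted(renamed)) + "\n"


def parse_services(text):
    """Parse R?/S? service lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["missing_file"] = row["info"].strip() == "?"
            row["boot_start"] = row["start"] == "0"
            rows.append(row)
    return rows


def suspicious_drivers(rows):
    """Names of boot-start (type 0) entries whose image file is absent,
    the pattern the 'dekevh' line in the log shows."""
    return [r["name"] for r in rows if r["boot_start"] and r["missing_file"]]


if __name__ == "__main__":
    found = find_companion_renames(SAMPLE_PATHS)
    for padded, clean in found.items():
        print(f"padded name: {padded!r} -> {clean!r}")
    print(build_renv_script(found))
    print("boot drivers with no image file:",
          suspicious_drivers(parse_services(SAMPLE_SERVICES)))
```

The stem regex requires the whitespace to sit immediately before the extension, so an ordinary "foo bar.exe" is not reported; only a missing image file combined with start type 0 is flagged, since a stopped third-party service with a present file is routine in these logs.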

#11 gjbnc

gjbnc
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:59 AM

Posted 20 September 2010 - 05:25 PM

m0le,

Here is the ComboFix log file.


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:59 AM

Posted 20 September 2010 - 06:16 PM

The file infector has been removed and the log is clean now.


Please run MBAM next, don't expect to find anything much.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Finally let's find the original cause via ESET's online scanner
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#13 gjbnc

gjbnc
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:59 AM

Posted 20 September 2010 - 06:29 PM

m0le,

Excellent. I am on it.


#14 gjbnc

gjbnc
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:59 AM

Posted 21 September 2010 - 12:18 AM

m0le,

The Malwarebytes log is posted below.

I could not execute the ESET Online Scanner because every time I clicked the START button:

It would think for about 15 seconds and then return to the page with the START button for me to click.
After a couple of attempts the window simply disappears. Hmmm..


There were other artifacts such as slow running computer after turning on the VIPRE, StopZilla and Windows Firewall.
And the SYSTEM service is using 6-24% of the CPU cycles as shown in Task Manager.
And Task Manager is now behind any foreground window. That has NEVER happened before.
This might be part of a recent Windows Update but I would doubt that.

These all went away after a reboot.



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4660

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/20/2010 11:58:55 PM
mbam-log-2010-09-20 (23-58-55).txt

Scan type: Full scan (C:\|D:\|E:\|W:\|X:\|)
Objects scanned: 1000676
Time elapsed: 4 hour(s), 26 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by gjbnc, 21 September 2010 - 12:34 AM.


#15 gjbnc

gjbnc
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:59 AM

Posted 21 September 2010 - 07:42 AM

m0le,

When I ran the StopZilla Intelligent scan it found these items this morning:

1. 2-Gen Malware Detection.NN
2. 2-Cognac
3. 2-GASF
4. 1-Winexec32
5. 1-lpv4mous
6. 7-Non-restorable cookies

I removed them all. Without reboot, I ran again and there were NO issues. Then rebooted.

I guess they are spreading when I shut off the system protection to run other tools.




