Slow Computer and Svchost using 100% resources


This topic is locked. 3 replies to this topic.

#1 cosmo899

  • Members
  • 2 posts

Posted 02 May 2011 - 08:54 AM

I'm running XP with SP3. I have some malware issues still remaining after working for the past few days. The problem started where about 6 to 8 minutes after startup my computer begins to run very slow. Looking at the Task Manager I see that one of the versions of svchost.exe is increasing its memory use. All the rest of the processes are steady, and the CPU soon maxes out at 100 percent. The only way to continue is to kill that process – this works for a while until about 10-15 minutes later another svchost.exe begins to act the same, and eventually killing that one or the following one disables much of the controls or disables the computer.

I found a strange dll in System32 "Spoolsv5.dll", but could not remove it.

Windows restore had no restore points available.

I ran Hitman Pro which identified a version of Alureon rootkit and a few other things, which it tried to remove. It reported success, but after running again the rootkit was identified, or indicated. The svchost problem was not cured. However Spoolsv5.dll was eliminated.

I ran Superantispyware which found more malware, but didn't resolve the problem.

I ran Malwarebytes a couple of times and eliminated more malware. But without a cure for the svchost issue.

My browser has been hijacked as it will not visit the site where my hijackthis log can be interpreted automatically, and it is redirected most of the time to sites that are not those indicated by Google - I used another computer to get the hijack log evaluated and I eliminated the few more obvious issues that were found using hijackthis.

Running some of the above malware removal programs in safe mode didn't resolve the problem.
Then I found ComboFix, which I ran first in safe mode last night. It identified the rootkit issue and restarted itself - it identified that System Restore is missing and reinstalled that. Then it went to work to clean the system. It finished and it appears now to have almost cured the system. However, after restart and about 1/2 hour of operation the svchost again was at 100 percent. I killed that about an hour ago, and so far it hasn't returned.

Still the browser is redirected.

The tutorial on ComboFix suggested that I post the log that it printed, which you will see below:

Any help would be greatly appreciated.

ComboFix 11-05-01.01 - Lloyd 05/01/2011 23:20:30.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1631 [GMT -4:00]
Running from: c:\documents and settings\Lloyd\Desktop\desktopstuff\malware combofix\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Lloyd\Application Data\FFSJ
c:\documents and settings\Lloyd\Application Data\FFSJ\FFSJ.cfg
c:\documents and settings\Lloyd\Application Data\MiniDm
c:\documents and settings\Lloyd\Application Data\MiniDm\conf.ini
c:\documents and settings\Lloyd\Application Data\MiniDm\history.dat
c:\documents and settings\Lloyd\Application Data\Yahoo!
c:\documents and settings\Lloyd\Application Data\Yahoo!\Companion\Buttons\bookmarks.yahoo.com.ico
c:\documents and settings\Lloyd\Application Data\Yahoo!\Companion\Buttons\news.yahoo.com.ico
c:\documents and settings\Lloyd\Application Data\Yahoo!\Companion\Buttons\online.wsj.com.ico
c:\documents and settings\Lloyd\Application Data\Yahoo!\Companion\Buttons\www.bbc.co.uk.ico
c:\documents and settings\Lloyd\Application Data\Yahoo!\Companion\Buttons\www.ebay.com.ico
c:\documents and settings\Lloyd\Application Data\Yahoo!\Companion\Buttons\www.expressnews.com.ico
c:\documents and settings\Lloyd\Application Data\Yahoo!\Companion\Buttons\www.huffingtonpost.com.ico
c:\documents and settings\Lloyd\Application Data\Yahoo!\Companion\Buttons\www.news-press.com.ico
c:\documents and settings\Lloyd\Application Data\Yahoo!\Companion\Buttons\www.nytimes.com.ico
c:\documents and settings\Lloyd\Application Data\Yahoo!\Companion\Buttons\www.soapcentral.com.ico
c:\documents and settings\Lloyd\Application Data\Yahoo!\Companion\Buttons\www.tvguide.com.ico
c:\documents and settings\Lloyd\SendTo\RemoveOnReboot.exe
c:\documents and settings\Lloyd\System
c:\documents and settings\Lloyd\System\win_qs8.jqx
c:\documents and settings\Lloyd\WINDOWS
c:\program files\INSTALL.LOG
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\drivers\etc\host5
c:\windows\system32\office.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MKDRV
-------\Legacy_TDSSSERV
.
.
((((((((((((((((((((((((( Files Created from 2011-04-02 to 2011-05-02 )))))))))))))))))))))))))))))))
.
.
2011-05-02 01:57 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-02 01:57 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 00:54 . 2011-05-02 00:54 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
2011-05-02 00:53 . 2011-05-02 00:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-01 17:14 . 2011-05-01 17:12 72192 ----a-w- C:\tasklist.exe
2011-05-01 15:56 . 2011-03-04 20:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-05-01 15:56 . 2011-03-04 18:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-01 15:56 . 2010-06-17 18:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-05-01 15:56 . 2010-06-17 18:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-05-01 15:56 . 2011-05-01 15:56 -------- d-----w- c:\program files\Avira
2011-05-01 15:56 . 2011-05-01 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-05-01 02:13 . 2011-05-01 02:13 -------- d-----w- c:\documents and settings\Lloyd\Application Data\SUPERAntiSpyware.com
2011-05-01 02:13 . 2011-05-01 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-01 02:13 . 2011-05-01 02:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-30 23:23 . 2011-04-30 23:23 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-04-30 23:23 . 2011-04-30 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2011-04-30 21:57 . 2008-04-14 04:15 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2011-04-30 21:57 . 2008-04-14 04:15 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2011-04-30 21:30 . 2011-05-02 03:14 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-04-30 21:16 . 2011-05-02 02:33 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-30 21:16 . 2011-04-30 21:16 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-30 21:15 . 2011-04-30 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-29 08:44 . 2011-04-29 08:44 388096 ----a-r- c:\documents and settings\Lloyd\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-29 08:44 . 2011-04-29 08:44 -------- d-----w- C:\Trend Micro
2011-04-28 01:29 . 2011-04-28 01:29 -------- d-----w- C:\!KillBox
2011-04-27 10:46 . 2011-04-27 10:46 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-04-27 10:17 . 2006-12-29 04:31 19569 ----a-w- c:\windows\000001_.tmp
2011-04-27 09:16 . 2011-04-30 22:01 -------- d-----w- c:\program files\WhatsRunning
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-28 03:07 . 2011-04-28 03:07 22 ----a-w- C:\spoolsv5.zip
2011-03-07 05:33 . 2007-07-13 12:37 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2003-07-16 20:49 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2003-07-16 20:51 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00 . 2003-07-16 20:51 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00 . 2007-03-14 10:10 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2003-07-16 20:30 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
2011-02-17 13:18 . 2003-07-16 20:34 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2003-07-16 20:46 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-02-02 03:05 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2007-03-14 10:10 389120 ----a-w- c:\windows\system32\html.iec
2011-02-15 12:56 . 2003-07-16 20:24 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2007-07-13 12:36 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2003-07-16 20:43 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2003-07-16 20:27 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2003-07-16 20:33 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2003-07-16 20:33 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2007-07-13 12:36 2067456 ----a-w- c:\windows\system32\mstscax.dll
1998-02-10 23:34 . 2004-11-14 15:34 128000 ----a-w- c:\program files\UNWISE.EXE
2005-04-14 04:11 . 2007-06-23 17:31 53283 ----a-w- c:\program files\mozilla firefox\plugins\NCScnet.dll
2005-04-14 04:33 . 2007-06-23 17:31 1044514 ----a-w- c:\program files\mozilla firefox\plugins\NCSEcw.dll
2005-04-14 04:11 . 2007-06-23 17:31 98339 ----a-w- c:\program files\mozilla firefox\plugins\NCSUtil.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-20 2423752]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Camio Viewer.lnk - c:\program files\PhotoWise\quicklnk.exe [2004-2-17 59904]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-3-20 113664]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^forteManager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\forteManager.lnk
backup=c:\windows\pss\forteManager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2011-03-04 18:36 281768 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 08:59 122880 ----a-w- c:\windows\BCMSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 18:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 05:04 114741 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2009-04-07 13:13 673616 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON NX510 Series (Copy 1)]
2009-11-04 12:07 199680 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIFIA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\flockbox]
2007-12-14 21:59 1071472 ----a-w- c:\program files\My Lockbox\flockbox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2011-02-25 14:49 6449984 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 02:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP10_EnsureFileVer]
2008-04-14 00:12 208896 ----a-w- c:\windows\inf\unregmp2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MXOBG]
2005-12-03 14:02 94208 ----a-w- c:\windows\MXOALDR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-04-24 21:58 4616192 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-05 03:32 53248 ----a-w- c:\program files\REGSHAVE\Regshave.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-05 21:16 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
2004-12-30 16:12 1156096 ----a-w- c:\program files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-05-07 12:36 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TomTomHOMEService"=2 (0x2)
"TivoBeacon2"=2 (0x2)
"spkrmon"=2 (0x2)
"osppsvc"=3 (0x3)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"Microsoft SharePoint Workspace Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate1c9d1891f4c334"=2 (0x2)
"FlipShare Service"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\launch4j-tmp\\JDownloader.exe"=
"c:\\Program Files\\New Opera\\opera.exe"=
"c:\\Program Files\\LG Soft India\\forteManager\\bin\\Monitor.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\OSA.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\RealRhapsody\\rhapsody.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1200:TCP"= 1200:TCP:dc++ TCP
"1201:TCP"= 1201:TCP:DC++ UDP
.
R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [3/16/2008 12:37 PM 17264]
R1 myWIFIzone;myWIFIzone Driver;c:\windows\system32\drivers\myWIFIzone.sys [2/21/2005 8:16 PM 19712]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/1/2011 11:56 AM 135336]
S1 ATMhelpr;ATMhelpr; [x]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [4/19/2008 5:14 PM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [4/19/2008 5:14 PM 13312]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [6/12/2008 7:30 AM 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [6/12/2008 7:30 AM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [6/12/2008 7:30 AM 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/12/2008 7:30 AM 23680]
S4 gupdate1c9d1891f4c334;Google Update Service (gupdate1c9d1891f4c334);c:\program files\Google\Update\GoogleUpdate.exe [5/10/2009 12:04 PM 133104]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/10/2009 12:04 PM 133104]
S4 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]
S4 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S4 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [12/30/2004 12:11 PM 853504]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [5/7/2010 8:36 AM 92008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-03 21:44]
.
2011-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 16:04]
.
2011-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 16:04]
.
2011-05-02 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-08-17 17:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Search Using Copernic Agent - c:\program files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
IE: Translate - file://c:\program files\ALTAVISTA Toolbar\Cache\SelectedContextTranslation.htm
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - hxxp://aerial.leepa.org/ecwplugins/NCS.cab
FF - ProfilePath - c:\documents and settings\Lloyd\Application Data\Mozilla\Firefox\Profiles\typ56516.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&AF=14542&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\ConverterUninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - c:\program files\DivX\DivXPlayerUninstall.exe
AddRemove-{B13A7C41581B411290FBC0395694E2A9} - c:\program files\DivX\ConverterUninstall.exe
AddRemove-{B7050CBDB2504B34BC2A9CA0A692CC29} - c:\program files\DivX\DivXWebPlayerUninstall.exe
AddRemove-{D050D7362D214723AD585B541FFB6C11} - c:\program files\DivX\DivXContentUploaderUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-01 23:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-75CAA0 rev.16.06V16 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A78833B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3532)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\corel\Graphics8\programs\CMFFld80.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Google\Update\1.3.21.53\GoogleCrashHandler.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-05-01 23:54:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-02 03:53
.
Pre-Run: 8,288,468,992 bytes free
Post-Run: 9,004,204,032 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - E9846DF2C400D124EFAFD2D35379708F

Edited by Orange Blossom, 02 May 2011 - 09:02 AM.
Moved to log forum. ~ OB
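The log above is what the forum's helpers read by hand. As an added example (not part of the original post, and not ComboFix's or BleepingComputer's code), the Python script below pulls out the indicators a malware-removal helper would stop on in a ComboFix-style log: services ComboFix stripped from the Legacy device tree (TDSSSERV is the service name the TDSS/Alureon family registers), an unexpected file beside the hosts file (host5), a non-default svchost service group (getPlusHelper), a Firefox keyword.URL that points somewhere other than the selected search engine (the babylon.com redirect), and the atapi DriverStartIo hook the MBR detector reported. The sample log is a constructed excerpt of lines copied from the posted log; the lists of default drivers\etc files and default svchost groups are assumptions written into the script, not something the log states.

```python
"""Flag rootkit/hijack indicators in a ComboFix-style log (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the ComboFix log posted above, so the
# script runs offline. It is not the full log.
SAMPLE_LOG = """\
-------\\Legacy_MKDRV
-------\\Legacy_TDSSSERV
c:\\windows\\system32\\drivers\\etc\\host5
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&AF=14542&q=
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x8A78833B
user & kernel MBR OK
"""

# Substrings of service names used by the TDSS/Alureon rootkit family.
ROOTKIT_SERVICE_MARKERS = ("TDSS",)

# Files expected in %SystemRoot%\system32\drivers\etc on XP (assumed list).
ETC_DEFAULTS = {"hosts", "lmhosts.sam", "networks", "protocol", "services", "quotes"}

# svchost service groups that ship with XP (assumed list). Anything else gets
# an "info" finding for manual review, since many add-on groups are legitimate.
DEFAULT_SVCHOST_GROUPS = {
    "netsvcs", "rpcss", "dcomlaunch", "localservice", "networkservice",
    "imgsvc", "termsvcs", "httpfilter", "wudfservicegroup",
}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str
    evidence: str


def triage(log_text: str) -> list[Finding]:
    """Scan ComboFix log text line by line and return the indicators found."""
    findings: list[Finding] = []
    ff_engine = None
    ff_keyword_url = None
    in_hooks = False
    in_svchost_key = False

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Lines under the svchost registry key: "<group> REG_MULTI_SZ <services>".
        if in_svchost_key:
            m = re.match(r"(\S+)\s+REG_MULTI_SZ\b", line)
            if m:
                if m.group(1).lower() not in DEFAULT_SVCHOST_GROUPS:
                    findings.append(Finding("info", "non-default-svchost-group", m.group(1)))
                continue
            in_svchost_key = False  # key ended; fall through to the other checks

        # Lines after "detected hooks:": "\Driver\<drv> <routine> -> <addr>".
        if in_hooks:
            m = re.match(r"\\Driver\\(\w+)\s+(\w+)\s+->\s+(0x[0-9A-Fa-f]+)", line)
            if m:
                findings.append(Finding("high", "kernel-driver-hook",
                                        f"{m.group(1)}.{m.group(2)} @ {m.group(3)}"))
                continue
            in_hooks = False

        # Services ComboFix removed from the Legacy device tree.
        m = re.match(r"-+\\Legacy_(\S+)", line)
        if m:
            name = m.group(1)
            sev = "high" if any(k in name.upper() for k in ROOTKIT_SERVICE_MARKERS) else "medium"
            findings.append(Finding(sev, "removed-legacy-service", name))
            continue

        # An unexpected file beside the hosts file (hosts hijack or decoy copy).
        m = re.search(r"\\drivers\\etc\\([^\\\s]+)$", line, re.IGNORECASE)
        if m and m.group(1).lower() not in ETC_DEFAULTS:
            findings.append(Finding("high", "unexpected-drivers-etc-file", m.group(1)))
            continue

        if line.lower() == "[hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\svchost]":
            in_svchost_key = True
            continue
        if line == "detected hooks:":
            in_hooks = True
            continue

        m = re.match(r"FF - prefs\.js: browser\.search\.selectedEngine - (.+)", line)
        if m:
            ff_engine = m.group(1).strip()
            continue
        m = re.match(r"FF - prefs\.js: keyword\.URL - (\S+)", line)
        if m:
            ff_keyword_url = m.group(1)

    # Firefox address-bar search hijack: keyword.URL should match the chosen engine.
    if ff_keyword_url:
        host = re.sub(r"^hxxps?://", "", ff_keyword_url, flags=re.IGNORECASE).split("/")[0]
        if ff_engine and ff_engine.lower() not in host.lower():
            findings.append(Finding("high", "firefox-keyword-url-mismatch",
                                    f"selectedEngine={ff_engine}, keyword.URL host={host}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.evidence}")
```

To use it on a saved log, read the file into `triage()` in place of `SAMPLE_LOG`. A "high" finding is a pointer, not proof of a live infection: in the posted log ComboFix had already deleted the Legacy_TDSSSERV key and the MBR read back clean, and a hooked atapi DriverStartIo can also come from legitimate disk filter software, so each hit still needs checking. What makes this log worth reading closely is the combination: a TDSS service, a stray file next to hosts, a kernel hook on the disk driver and a Firefox keyword.URL pointing at babylon.com line up with the rootkit detection and search redirects the original poster describes.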



#2 Orange Blossom

  • OBleepin Investigator
  • Moderator
  • 36,853 posts
  • Location:Bloomington, IN

Posted 10 May 2011 - 01:43 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 cosmo899

  • Topic Starter
  • Members
  • 2 posts

Posted 15 May 2011 - 12:11 PM

Hello and thank you for your response to my message. Fortunately, I have already resolved my problem.
Cheers -

#4 Orange Blossom

  • OBleepin Investigator
  • Moderator
  • 36,853 posts
  • Location:Bloomington, IN

Posted 15 May 2011 - 02:57 PM

Hello

Thank you for posting back. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :cherry: