Constant Intrusion Attempts


This topic is locked
23 replies to this topic

#1 Tony Cole


Posted 03 May 2011 - 09:38 AM

I'm receiving constant attacks, which result from the same area of my PC: "The attack was resulted from \device\harddiskvolume2\windows\system32\svchost.exe".

Norton shows a pop-up which says - OS Attack: MS RPCSS Attack CVE-2004-01163

Just to update:

I have run the following scans, all of which detected nothing!

Kaspersky online scan
eset online scan
BitDefender online scan
SuperAntiSpyware
Spybot S&D
Norton 360 v 5
Norton Power Eraser
Malwarebytes
Sophos Anti-Rootkit

I've received 13 attacks, which result from the same area of my PC: "The attack was resulted from \device\harddiskvolume2\windows\system32\svchost.exe".

Norton shows a pop-up which says - OS Attack: MS RPCSS Attack CVE-2004-01163 - this is a 4-day-old laptop. I took it back to PC World and the IT tech guy did a ComboFix scan and said all was okay; below are the scan results. I just wonder if someone could take a look, as the guy from PC World only looked at it for 5-10 minutes.






ComboFix 11-05-03.02 - Tony S G Cole 03/05/2011 22:57:19.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.3999.2176 [GMT 1:00]
Running from: c:\users\Tony S G Cole\Desktop\tonygcole1.exe
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-04-03 to 2011-05-03 )))))))))))))))))))))))))))))))
.
.
2011-05-03 22:11 . 2011-05-03 22:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-03 21:28 . 2011-05-03 21:28 -------- d-----w- c:\programdata\Malwarebytes
2011-05-03 21:28 . 2011-05-03 22:08 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-05-03 21:28 . 2010-12-20 17:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-03 19:38 . 2011-05-03 20:13 -------- d-----w- c:\program files (x86)\PC Tools Security
2011-05-03 19:37 . 2011-05-03 19:37 -------- d-----w- c:\programdata\XoftSpySE
2011-05-03 19:34 . 2011-05-03 20:10 -------- d-----w- c:\programdata\PC Tools
2011-05-03 16:07 . 2011-05-03 16:34 -------- d-----w- c:\programdata\STOPzilla!
2011-05-03 14:46 . 2011-05-03 14:46 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-05-03 13:29 . 2011-05-03 13:27 2048104 ----a-w- c:\windows\system32\RtPgEx64.dll
2011-05-03 13:29 . 2011-05-03 13:27 1146984 ----a-w- c:\windows\system32\RTSnMg64.cpl
2011-05-03 13:29 . 2011-05-03 13:27 332392 ----a-w- c:\windows\system32\RtlCPAPI64.dll
2011-05-03 13:29 . 2011-05-03 13:27 2494056 ----a-w- c:\windows\system32\drivers\RTKVHD64.sys
2011-05-03 13:29 . 2011-05-03 13:27 149608 ----a-w- c:\windows\system32\RtkCfg64.dll
2011-05-03 13:29 . 2011-05-03 13:27 569960 ----a-w- c:\windows\system32\RtkApi64.dll
2011-05-03 13:29 . 2011-05-03 13:27 2625640 ----a-w- c:\windows\system32\RtkAPO64.dll
2011-05-03 13:29 . 2011-05-03 13:27 1215592 ----a-w- c:\windows\system32\RTCOM64.dll
2011-05-03 13:29 . 2011-05-03 13:27 80488 ----a-w- c:\windows\system32\RCoInst64.dll
2011-05-03 13:29 . 2011-05-03 13:27 200800 ----a-w- c:\windows\system32\AERTAC64.dll
2011-05-03 10:21 . 2011-05-03 10:21 -------- d-sh--w- c:\windows\BitLockerDiscoveryVolumeContents
2011-05-03 10:21 . 2011-05-03 10:21 -------- d-----w- c:\windows\RemotePackages
2011-05-03 10:17 . 2009-05-18 12:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-05-03 10:17 . 2008-04-17 11:12 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
2011-05-03 10:17 . 2008-04-17 11:12 107368 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2011-05-03 10:16 . 2011-05-03 10:17 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2011-05-03 10:16 . 2011-05-03 10:17 -------- d-----w- c:\program files\iTunes
2011-05-03 10:16 . 2011-05-03 10:17 -------- d-----w- c:\program files (x86)\iTunes
2011-05-03 09:59 . 2011-05-03 10:00 -------- d-----w- c:\program files (x86)\QuickTime
2011-05-03 09:58 . 2011-05-03 10:16 -------- d-----w- c:\program files (x86)\Common Files\Apple
2011-05-03 09:58 . 2011-05-03 09:58 -------- d-----w- c:\programdata\Apple
2011-05-02 22:59 . 2011-05-02 22:59 -------- d-----w- c:\windows\system32\SPReview
2011-05-02 22:56 . 2010-12-22 13:26 117248 ----a-w- c:\windows\system32\drivers\ew_hwusbdev.sys
2011-05-02 22:56 . 2011-05-02 22:56 -------- d-----w- c:\program files (x86)\Huawei Modems
2011-05-02 22:56 . 2011-05-02 22:56 67156 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2011-05-02 22:56 . 2011-05-02 22:56 -------- d-----w- c:\program files (x86)\3 Mobile Broadband
2011-05-02 22:56 . 2010-01-28 12:35 10240 ----a-w- c:\windows\SysWow64\drivers\mdvrmng.sys
2011-05-02 22:52 . 2010-11-20 13:28 1731936 ----a-w- c:\windows\system32\ntdll.dll
2011-05-02 22:51 . 2010-11-20 13:25 692224 ----a-w- c:\windows\system32\cscsvc.dll
2011-05-02 22:50 . 2010-11-20 13:27 611840 ----a-w- c:\windows\system32\wpd_ci.dll
2011-05-02 22:49 . 2010-11-20 13:27 124416 ----a-w- c:\windows\system32\QSVRMGMT.DLL
2011-05-02 22:48 . 2010-11-20 12:18 323072 ----a-w- c:\windows\SysWow64\drvstore.dll
2011-05-02 22:48 . 2010-11-20 12:18 257024 ----a-w- c:\windows\SysWow64\dpx.dll
2011-05-02 22:48 . 2010-11-20 12:21 363008 ----a-w- c:\windows\SysWow64\wbemcomn.dll
2011-05-02 22:48 . 2010-11-20 12:19 606208 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll
2011-05-02 22:44 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-05-02 22:44 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2011-05-02 22:44 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2011-05-02 22:44 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
2011-05-02 22:44 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
2011-05-02 22:43 . 2011-05-02 22:43 -------- d-----w- c:\users\Public\Symantec
2011-05-02 22:43 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
2011-05-02 22:43 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
2011-05-02 22:42 . 2011-02-14 02:04 44624 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys
2011-05-02 22:41 . 2011-05-02 22:41 -------- d-----w- c:\programdata\Diskeeper Corporation
2011-05-02 22:41 . 2011-05-02 22:41 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation
2011-05-02 22:41 . 2011-05-02 22:41 -------- d-----w- c:\program files\Diskeeper Corporation
2011-05-02 22:41 . 2011-05-03 22:03 -------- d-----w- c:\users\Tony S G Cole
2011-05-02 21:53 . 2011-05-02 21:53 -------- d-----w- c:\windows\en
2011-05-02 21:52 . 2011-05-03 09:47 -------- d-----w- c:\program files\Windows Live
2011-05-02 21:50 . 2009-09-04 16:44 69464 ----a-w- c:\windows\SysWow64\XAPOFX1_3.dll
2011-05-02 21:50 . 2009-09-04 16:44 515416 ----a-w- c:\windows\SysWow64\XAudio2_5.dll
2011-05-02 21:50 . 2009-09-04 16:29 453456 ----a-w- c:\windows\SysWow64\d3dx10_42.dll
2011-05-02 21:50 . 2009-09-04 16:29 523088 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-05-02 21:50 . 2011-05-02 21:50 15712 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\e558e75f1cc091208\MeshBetaRemover.exe
2011-05-02 21:50 . 2011-05-02 21:50 94040 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\e43f5cf01cc091207\DSETUP.dll
2011-05-02 21:50 . 2011-05-02 21:50 525656 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\e43f5cf01cc091207\DXSETUP.exe
2011-05-02 21:50 . 2011-05-02 21:50 1691480 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\e43f5cf01cc091207\dsetup32.dll
2011-05-02 21:50 . 2011-05-02 21:50 94040 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\e25623661cc091206\DSETUP.dll
2011-05-02 21:50 . 2011-05-02 21:50 525656 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\e25623661cc091206\DXSETUP.exe
2011-05-02 21:50 . 2011-05-02 21:50 1691480 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\e25623661cc091206\dsetup32.dll
2011-05-02 21:35 . 2011-05-02 21:35 -------- d-----w- C:\N360_BACKUP
2011-05-02 20:08 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
2011-05-02 20:08 . 2011-02-19 12:04 1544192 ----a-w- c:\windows\system32\DWrite.dll
2011-05-02 20:08 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-05-02 20:08 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-05-02 20:08 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-05-02 19:44 . 2011-05-02 19:44 2594584 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-05-02 19:43 . 2011-05-02 19:43 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-05-02 19:42 . 2011-05-02 19:42 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-05-02 19:37 . 2011-05-02 19:37 -------- d-----w- c:\windows\system32\appmgmt
2011-05-02 19:26 . 2011-05-02 19:26 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2011-05-02 19:25 . 2011-03-12 12:08 1465344 ----a-w- c:\windows\system32\XpsPrint.dll
2011-05-02 19:25 . 2011-03-12 11:23 870912 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2011-05-02 19:25 . 2011-02-25 06:19 2871808 ----a-w- c:\windows\explorer.exe
2011-05-02 19:25 . 2011-02-25 05:30 2616320 ----a-w- c:\windows\SysWow64\explorer.exe
2011-05-02 19:25 . 2011-02-24 06:15 476160 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-05-02 19:25 . 2011-02-24 05:38 288256 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2011-05-02 19:24 . 2011-01-17 11:09 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2011-05-02 19:24 . 2011-01-17 05:47 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2011-05-02 19:24 . 2010-11-20 13:26 321024 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-05-02 19:24 . 2010-11-20 12:18 219136 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2011-05-02 19:17 . 2011-03-03 06:24 183296 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-05-02 19:17 . 2011-03-03 06:21 30208 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-05-02 19:17 . 2011-03-03 05:36 28672 ----a-w- c:\windows\SysWow64\dnscacheugc.exe
2011-05-02 19:04 . 2011-05-02 19:04 -------- d-----w- c:\windows\SysWow64\Wat
2011-05-02 19:04 . 2011-05-02 19:04 -------- d-----w- c:\windows\system32\Wat
2011-05-02 18:46 . 2010-02-23 08:16 294912 ----a-w- c:\windows\system32\browserchoice.exe
2011-05-02 18:45 . 2011-05-02 18:45 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2
2011-05-02 18:33 . 2011-02-19 12:03 46080 ----a-w- c:\windows\system32\atmlib.dll
2011-05-02 18:33 . 2011-02-19 09:00 367616 ----a-w- c:\windows\system32\atmfd.dll
2011-05-02 18:33 . 2011-02-19 06:30 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2011-05-02 18:33 . 2011-02-19 04:34 294912 ----a-w- c:\windows\SysWow64\atmfd.dll
2011-05-02 18:33 . 2010-09-30 10:41 100864 ----a-w- c:\windows\system32\fontsub.dll
2011-05-02 18:33 . 2010-09-30 06:47 70656 ----a-w- c:\windows\SysWow64\fontsub.dll
2011-05-02 18:33 . 2011-03-08 06:29 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-02 18:33 . 2011-03-08 05:28 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-05-02 18:32 . 2011-02-12 11:34 267776 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-05-02 18:32 . 2010-11-20 13:25 974336 ----a-w- c:\windows\system32\WFS.exe
2011-05-02 18:32 . 2011-02-23 04:56 158208 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-05-02 18:32 . 2011-02-23 04:55 287744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-05-02 18:32 . 2011-02-23 04:55 128000 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-05-02 18:32 . 2011-02-23 04:55 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-05-02 18:32 . 2011-03-03 03:52 3135488 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 18:32 . 2011-03-11 06:34 1359872 ----a-w- c:\windows\system32\mfc42u.dll
2011-05-02 18:32 . 2011-03-11 06:34 1395712 ----a-w- c:\windows\system32\mfc42.dll
2011-05-02 18:32 . 2011-03-11 05:33 1164288 ----a-w- c:\windows\SysWow64\mfc42u.dll
2011-05-02 18:32 . 2011-03-11 05:33 1137664 ----a-w- c:\windows\SysWow64\mfc42.dll
2011-05-02 18:31 . 2011-02-23 04:56 467456 ----a-w- c:\windows\system32\drivers\srv.sys
2011-05-02 18:31 . 2011-02-23 04:56 411648 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-05-02 18:31 . 2011-02-23 04:55 167936 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-05-02 18:31 . 2011-02-05 17:10 642944 ----a-w- c:\windows\system32\winload.efi
2011-05-02 18:31 . 2011-02-05 17:06 605552 ----a-w- c:\windows\system32\winload.exe
2011-05-02 18:31 . 2011-02-05 17:06 566208 ----a-w- c:\windows\system32\winresume.efi
2011-05-02 18:31 . 2011-02-05 17:06 518672 ----a-w- c:\windows\system32\winresume.exe
2011-05-02 18:31 . 2011-02-05 17:10 20352 ----a-w- c:\windows\system32\kdusb.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-03 13:27 . 2010-11-10 08:37 1251944 ----a-w- c:\windows\RtlExUpd.dll
2011-05-02 23:10 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-05-02 23:10 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-05-02 21:52 . 2010-06-24 10:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-04 06:19 . 2011-05-02 20:08 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2011-03-04 06:19 . 2011-05-02 20:08 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2011-02-11 18:25 . 2011-02-11 18:25 162328 ----a-w- c:\windows\system32\igfxtray.exe
2011-02-11 18:25 . 2011-02-11 18:25 509976 ----a-w- c:\windows\system32\igfxsrvc.exe
2011-02-11 18:25 . 2011-02-11 18:25 417304 ----a-w- c:\windows\system32\igfxpers.exe
2011-02-11 18:25 . 2011-02-11 18:25 223768 ----a-w- c:\windows\system32\igfxext.exe
2011-02-11 18:25 . 2011-02-11 18:25 386584 ----a-w- c:\windows\system32\hkcmd.exe
2011-02-11 18:25 . 2011-02-11 18:25 3157528 ----a-w- c:\windows\system32\GfxUI.exe
2011-02-11 18:25 . 2011-02-11 18:25 152600 ----a-w- c:\windows\system32\difx64.exe
2011-02-11 18:21 . 2011-02-11 18:21 90112 ----a-w- c:\windows\system32\igfxCoIn_v2302.dll
2011-02-11 18:16 . 2011-02-11 18:16 10628640 ----a-w- c:\windows\system32\drivers\igdkmd64.sys
2011-02-11 18:16 . 2010-11-10 08:35 6549504 ----a-w- c:\windows\system32\igdumd64.dll
2011-02-11 18:12 . 2010-11-10 08:35 4967424 ----a-w- c:\windows\SysWow64\igdumd32.dll
2011-02-11 18:09 . 2010-11-10 08:35 571904 ----a-w- c:\windows\SysWow64\igdumdx32.dll
2011-02-11 18:07 . 2010-11-10 08:35 4722176 ----a-w- c:\windows\system32\igd10umd64.dll
2011-02-11 18:04 . 2011-02-11 18:04 4411392 ----a-w- c:\windows\SysWow64\igd10umd32.dll
2011-02-11 17:59 . 2011-02-11 17:59 15035392 ----a-w- c:\windows\system32\ig4icd64.dll
2011-02-11 17:51 . 2011-02-11 17:51 11039744 ----a-w- c:\windows\SysWow64\ig4icd32.dll
2011-02-11 17:47 . 2011-02-11 17:47 88064 ----a-w- c:\windows\system32\igfxrsky.lrc
2011-02-11 17:47 . 2011-02-11 17:47 87552 ----a-w- c:\windows\system32\igfxrtrk.lrc
2011-02-11 17:47 . 2011-02-11 17:47 87552 ----a-w- c:\windows\system32\igfxrslv.lrc
2011-02-11 17:47 . 2011-02-11 17:47 88576 ----a-w- c:\windows\system32\igfxresn.lrc
2011-02-11 17:47 . 2011-02-11 17:47 88064 ----a-w- c:\windows\system32\igfxrrus.lrc
2011-02-11 17:47 . 2011-02-11 17:47 87552 ----a-w- c:\windows\system32\igfxrsve.lrc
2011-02-11 17:47 . 2011-02-11 17:47 87040 ----a-w- c:\windows\system32\igfxrtha.lrc
2011-02-11 17:47 . 2011-02-11 17:47 88064 ----a-w- c:\windows\system32\igfxrptg.lrc
2011-02-11 17:47 . 2011-02-11 17:47 88064 ----a-w- c:\windows\system32\igfxrplk.lrc
2011-02-11 17:47 . 2011-02-11 17:47 87552 ----a-w- c:\windows\system32\igfxrptb.lrc
2011-02-11 17:47 . 2011-02-11 17:47 87552 ----a-w- c:\windows\system32\igfxrnor.lrc
2011-02-11 17:46 . 2011-02-11 17:46 88064 ----a-w- c:\windows\system32\igfxrita.lrc
2011-02-11 17:46 . 2011-02-11 17:46 87552 ----a-w- c:\windows\system32\igfxrhun.lrc
2011-02-11 17:46 . 2011-02-11 17:46 86528 ----a-w- c:\windows\system32\igfxrheb.lrc
2011-02-11 17:46 . 2011-02-11 17:46 84992 ----a-w- c:\windows\system32\igfxrkor.lrc
2011-02-11 17:46 . 2011-02-11 17:46 84992 ----a-w- c:\windows\system32\igfxrjpn.lrc
2011-02-11 17:46 . 2011-02-11 17:46 88576 ----a-w- c:\windows\system32\igfxrfra.lrc
2011-02-11 17:46 . 2011-02-11 17:46 88576 ----a-w- c:\windows\system32\igfxrell.lrc
2011-02-11 17:46 . 2011-02-11 17:46 88064 ----a-w- c:\windows\system32\igfxrnld.lrc
2011-02-11 17:46 . 2011-02-11 17:46 88064 ----a-w- c:\windows\system32\igfxrdeu.lrc
2011-02-11 17:46 . 2011-02-11 17:46 87552 ----a-w- c:\windows\system32\igfxrfin.lrc
2011-02-11 17:46 . 2011-02-11 17:46 87552 ----a-w- c:\windows\system32\igfxrcsy.lrc
2011-02-11 17:46 . 2011-02-11 17:46 87040 ----a-w- c:\windows\system32\igfxrdan.lrc
2011-02-11 17:46 . 2011-02-11 17:46 86528 ----a-w- c:\windows\system32\igfxrara.lrc
2011-02-11 17:46 . 2011-02-11 17:46 83968 ----a-w- c:\windows\system32\igfxrcht.lrc
2011-02-11 17:46 . 2011-02-11 17:46 83968 ----a-w- c:\windows\system32\igfxrchs.lrc
2011-02-11 17:46 . 2011-02-11 17:46 122368 ----a-w- c:\windows\system32\igfxcpl.cpl
2011-02-11 17:46 . 2010-11-10 08:35 244224 ----a-w- c:\windows\system32\igfxpph.dll
2011-02-11 17:46 . 2011-02-11 17:46 380416 ----a-w- c:\windows\system32\igfxTMM.dll
2011-02-11 17:46 . 2011-02-11 17:46 27648 ----a-w- c:\windows\system32\igfxexps.dll
2011-02-11 17:46 . 2010-11-10 08:35 61952 ----a-w- c:\windows\system32\igfxsrvc.dll
2011-02-11 17:45 . 2010-11-10 08:35 108544 ----a-w- c:\windows\system32\hccutils.dll
2011-02-11 17:45 . 2011-02-11 17:45 119808 ----a-w- c:\windows\system32\gfxSrvc.dll
2011-02-11 17:45 . 2011-02-11 17:45 4096 ----a-w- c:\windows\system32\IGFXDEVLib.dll
2011-02-11 17:45 . 2011-02-11 17:45 272896 ----a-w- c:\windows\system32\igfxdev.dll
2011-02-11 17:45 . 2011-02-11 17:45 87552 ----a-w- c:\windows\system32\igfxrenu.lrc
2011-02-11 17:45 . 2011-02-11 17:45 142336 ----a-w- c:\windows\system32\igfxdo.dll
2011-02-11 17:45 . 2010-11-10 08:35 830464 ----a-w- c:\windows\system32\igfxress.dll
2011-02-11 17:41 . 2011-02-11 17:41 23552 ----a-w- c:\windows\SysWow64\igfxexps32.dll
2011-02-11 17:40 . 2011-02-11 17:40 228864 ----a-w- c:\windows\SysWow64\igfxdv32.dll
2011-02-11 17:35 . 2011-02-11 17:35 208896 ----a-w- c:\windows\SysWow64\iglhsip32.dll
2011-02-11 17:35 . 2011-02-11 17:35 206336 ----a-w- c:\windows\system32\iglhsip64.dll
2011-02-11 17:35 . 2011-02-11 17:35 188416 ----a-w- c:\windows\system32\iglhcp64.dll
2011-02-11 17:35 . 2011-02-11 17:35 147456 ----a-w- c:\windows\SysWow64\iglhcp32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-05-02 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
.
c:\users\Tony S G Cole\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe [2008-11-7 517384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-5-2 1207312]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\LaptopSuperHero]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-02 136176]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-02 136176]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0500000.07D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0500000.07D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110430.001\BHDrvx64.sys [2011-04-15 1127032]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110429.002\IDSvia64.sys [2011-03-14 476792]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0500000.07D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\N360x64\0500000.07D\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 BecHelperService;BecHelperService;c:\program files (x86)\3 Mobile Broadband\3Connect\BecHelperService.exe [2010-01-28 1737464]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-02-04 92216]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 LaptopSuperHero;Laptop Superhero;c:\program files\Yougetitback\Laptop Superhero\eTagService.exe [2011-02-02 306688]
S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\5.0.0.125\ccSvcHst.exe [2010-11-24 130000]
S2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [2010-06-24 315392]
S3 DKRtWrt;DKRtWrt;c:\windows\system32\DRIVERS\DKRtWrt.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-05-02 132656]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - klmd25
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-05-19 18:36 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-02 15:27]
.
2011-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-02 15:27]
.
2011-05-03 c:\windows\Tasks\HPCeeScheduleForTony S G Cole.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-05-03 6489704]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]
"eTag"="c:\program files\Yougetitback\Laptop Superhero\eTagClient.exe" [2011-02-02 427520]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-Easybits Recovery - c:\program files (x86)\EasyBits For Kids\ezRecover.exe
HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-{CF1A69F1-4335-4322-A137-235E3AE36BB0} - c:\program files (x86)\InstallShield Installation Information\{CF1A69F1-4335-4322-A137-235E3AE36BB0}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\5.0.0.125\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\5.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-03 23:36:26
ComboFix-quarantined-files.txt 2011-05-03 22:36
.
Pre-Run: 197,465,915,392 bytes free
Post-Run: 196,223,938,560 bytes free
.
- - End Of File - - 6B20025C18163167208D0ED1FE7C584A

EDIT: Topics and posts merged ~Budapest

Edited by Budapest, 04 May 2011 - 04:17 PM.



#2 myrti

Malware Study Hall Admin
Posted 12 May 2011 - 10:33 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is version, edition and whether it is a 32-bit or a 64-bit system.
If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 


#3 Tony Cole

Topic Starter
Posted 13 May 2011 - 01:32 AM

Hi Myrti


I keep getting continuous intrusion attempts from Norton 360 v5. When I looked on their forum it said that the attacks were coming from my computer and not from outside, so they said to contact you guys. I am running Windows 7 Professional with a 64-bit operating system. I have attached the scan results, one on the page and the other as an attachment, as it said it was too long.



OTL Extras logfile created on: 5/13/2011 7:07:44 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Tony Cole\Desktop
64bit- An unknown product Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 60.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 216.28 Gb Total Space | 181.83 Gb Free Space | 84.07% Space Free | Partition Type: NTFS
Drive D: | 16.31 Gb Total Space | 2.31 Gb Free Space | 14.18% Space Free | Partition Type: NTFS
Drive H: | 28.33 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: TONYCOLE-HP | User Name: Tony Cole | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{091A0130-A82F-4A6D-9C61-3BBBB3289030}" = RtVOsd
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{0E543634-7E25-4B8F-8D5B-97880E5E5088}" = Bonjour
"{18155797-EF2E-4699-9A16-FE787C4C10DB}" = iTunes
"{1A547389-6053-442D-8582-AF9C8D03C1D3}" = Laptop Superhero
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{8338783A-0968-3B85-AFC7-BAAE0A63DC50}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{8F473675-D702-45F9-8EBC-342B40C17BF5}" = Apple Mobile Device Support
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
"{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}" = Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{C03E5AA6-457D-4986-A1C1-1A91CA394C21}" = Diskeeper 2011 Pro Premier
"{D07A61E5-A59C-433C-BCBD-22025FA2287B}" = Windows Live Language Selector
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{F3F18612-7B5D-4C05-86C9-AB50F6F71727}" = KhalInstallWrapper
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"SynTPDeinstKey" = Synaptics Pointing Device Driver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{07FA4960-B038-49EB-891B-9F95930AA544}" = HP Customer Experience Enhancements
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java™ 6 Update 25
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Windows 7
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel® Rapid Storage Technology
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{40FB8D7C-6FF8-4AF2-BC8B-0B1DB32AF04B}" = HP Advisor
"{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}" = Recovery Manager
"{46BA053F-57B3-4153-BDB6-D37EEC8B12D7}" = LightScribe System Software
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B156358-CE9C-4E9F-8CAD-79AE86A68C60}" = HP Power Manager
"{51C7AD07-C3F6-4635-8E8A-231306D810FE}" = Cisco LEAP Module
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}" = Cisco EAP-FAST Module
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72D90DB3-A16A-4545-B555-868471101833}" = HP Setup
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7C36414C-DC87-4943-A525-BC1717BA17C9}" = HP Documentation
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver For Windows 7
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{901F0D4C-009D-1112-8DE4-03599E7B0C5C}" = REALTEK Wireless LAN Software
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95140000-007A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{95140000-007D-0409-0000-0000000FF1CE}" = Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit
"{97174E88-52F9-445A-A28E-704A45332D19}" = HP Software Framework
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9
"{A899DA1F-D626-401C-8651-F2921E3B4CB3}" = 3Connect
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
"{BD1A34C9-4764-4F79-AE1F-112F8C89D3D4}" = Energy Star Digital Logo
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CF1A69F1-4335-4322-A137-235E3AE36BB0}" = HP Support Assistant
"{D36DD326-7280-11D8-97C8-000129760CBE}" = PhotoNow!
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{EB58480C-0721-483C-B354-9D35A147999F}" = HP Quick Launch
"{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}" = Cisco PEAP Module
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel® Graphics Media Accelerator Driver
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F8A9085D-4C7A-41a9-8A77-C8998A96C421}" = Intel® Control Center
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"HP Photo Creations" = HP Photo Creations
"Huawei Modems" = Huawei modem
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"InstallShield_{D36DD326-7280-11D8-97C8-000129760CBE}" = PhotoNow!
"N360" = Norton 360
"Office14.SingleImage" = Microsoft Office Professional 2010
"WinLiveSuite" = Windows Live Essentials

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/11/2011 6:57:15 AM | Computer Name = TonyCole-HP | Source = Application Hang | ID = 1002
Description = The program iTunes.exe version 10.2.2.14 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: b38 Start
Time: 01cc0fc9c47ad6c7 Termination Time: 28 Application Path: C:\Program Files (x86)\iTunes\iTunes.exe

Report
Id:

Error - 5/11/2011 7:15:19 AM | Computer Name = TonyCole-HP | Source = VSS | ID = 8193
Description =

Error - 5/11/2011 8:41:55 AM | Computer Name = TonyCole-HP | Source = ESENT | ID = 215
Description = WinMail (3364) WindowsMail0: The backup has been stopped because it
was halted by the client or the connection with the client failed.

Error - 5/11/2011 8:42:05 AM | Computer Name = TonyCole-HP | Source = ESENT | ID = 215
Description = WinMail (3460) WindowsMail0: The backup has been stopped because it
was halted by the client or the connection with the client failed.

Error - 5/11/2011 9:24:12 AM | Computer Name = TonyCole-HP | Source = MsiInstaller | ID = 11316
Description =

Error - 5/11/2011 11:28:08 AM | Computer Name = TonyCole-HP | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 9.0.8112.16421 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 1180 Start
Time: 01cc0feff1cecf1e Termination Time: 0 Application Path: C:\Program Files (x86)\Internet
Explorer\iexplore.exe Report Id:

Error - 5/11/2011 1:03:59 PM | Computer Name = TonyCole-HP | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 9.0.8112.16421 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 614 Start
Time: 01cc0ff77456b83a Termination Time: 739 Application Path: C:\Program Files (x86)\Internet
Explorer\iexplore.exe Report Id:

Error - 5/11/2011 5:11:41 PM | Computer Name = TonyCole-HP | Source = Microsoft-Windows-RestartManager | ID = 10006
Description = Application or service 'Laptop Superhero' could not be shut down.

Error - 5/11/2011 5:12:24 PM | Computer Name = TonyCole-HP | Source = MsiInstaller | ID = 11921
Description =

Error - 5/11/2011 5:15:37 PM | Computer Name = TonyCole-HP | Source = Microsoft-Windows-RestartManager | ID = 10007
Description = Application or service 'Laptop Superhero' could not be restarted.

[ HP Wireless Assistant Events ]
Error - 5/10/2011 8:24:18 AM | Computer Name = TonyCole-HP | Source = HP WA Service | ID = 0
Description = System.Runtime.InteropServices.COMException The RPC server is unavailable.
(Exception from HRESULT: 0x800706BA) at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32
errorCode, IntPtr errorInfo) at System.Management.ManagementScope.InitializeGuts(Object
o) at System.Management.ManagementScope.Initialize() at System.Management.ManagementObject.Initialize(Boolean
getObject) at System.Management.ManagementBaseObject.get_Properties() at System.Management.ManagementBaseObject.GetPropertyValue(String
propertyName) at HPPA_Service.CurrentConfiguration.<ReloadRadioList>b__c()

Error - 5/10/2011 8:25:19 AM | Computer Name = TonyCole-HP | Source = HP WA Service | ID = 0
Description = System.Runtime.InteropServices.COMException The RPC server is unavailable.
(Exception from HRESULT: 0x800706BA) at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32
errorCode, IntPtr errorInfo) at System.Management.ManagementScope.InitializeGuts(Object
o) at System.Management.ManagementScope.Initialize() at System.Management.ManagementObject.Initialize(Boolean
getObject) at System.Management.ManagementBaseObject.get_Properties() at System.Management.ManagementBaseObject.GetPropertyValue(String
propertyName) at HPPA_Service.CurrentConfiguration.<ReloadRadioList>b__c()

Error - 5/10/2011 8:26:22 AM | Computer Name = TonyCole-HP | Source = HP WA Service | ID = 0
Description = System.Runtime.InteropServices.COMException The RPC server is unavailable.
(Exception from HRESULT: 0x800706BA) at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32
errorCode, IntPtr errorInfo) at System.Management.ManagementScope.InitializeGuts(Object
o) at System.Management.ManagementScope.Initialize() at System.Management.ManagementObject.Initialize(Boolean
getObject) at System.Management.ManagementBaseObject.get_Properties() at System.Management.ManagementBaseObject.GetPropertyValue(String
propertyName) at HPPA_Service.CurrentConfiguration.<ReloadRadioList>b__c()

Error - 5/11/2011 4:59:44 AM | Computer Name = TonyCole-HP | Source = HP WA Application | ID = 0
Description = HardwareAccess.UnableToConnectException Application.ApplicationStartup;
failed to create hardware layer Error in the application. at HardwareAccess.Hardware..ctor(Dispatcher
dispatcher, ServicePort port, Int32 timeout) at HardwareAccess.Hardware.Create(Dispatcher
dispatcher, ServicePort port, Int32 timeout) at HPWA_Main.App.ApplicationStartup(Object
sender, StartupEventArgs args)

Error - 5/11/2011 4:59:46 AM | Computer Name = TonyCole-HP | Source = HP WA Application | ID = 0
Description = MainWindow.ShowImpl; not initialized, closing application...

Error - 5/11/2011 5:38:12 AM | Computer Name = TonyCole-HP | Source = HP WA Application | ID = 0
Description = HardwareAccess.UnableToConnectException Application.ApplicationStartup;
failed to create hardware layer Error in the application. at HardwareAccess.Hardware..ctor(Dispatcher
dispatcher, ServicePort port, Int32 timeout) at HardwareAccess.Hardware.Create(Dispatcher
dispatcher, ServicePort port, Int32 timeout) at HPWA_Main.App.ApplicationStartup(Object
sender, StartupEventArgs args)

Error - 5/11/2011 5:38:15 AM | Computer Name = TonyCole-HP | Source = HP WA Application | ID = 0
Description = MainWindow.ShowImpl; not initialized, closing application...

Error - 5/11/2011 10:33:18 AM | Computer Name = TonyCole-HP | Source = HP WA Application | ID = 0
Description = HardwareAccess.UnableToConnectException Application.ApplicationStartup;
failed to create hardware layer Error in the application. at HardwareAccess.Hardware..ctor(Dispatcher
dispatcher, ServicePort port, Int32 timeout) at HardwareAccess.Hardware.Create(Dispatcher
dispatcher, ServicePort port, Int32 timeout) at HPWA_Main.App.ApplicationStartup(Object
sender, StartupEventArgs args)

Error - 5/11/2011 10:33:28 AM | Computer Name = TonyCole-HP | Source = HP WA Application | ID = 0
Description = MainWindow.ShowImpl; not initialized, closing application...

Error - 5/11/2011 3:11:18 PM | Computer Name = TonyCole-HP | Source = HP WA Application | ID = 0
Description = HardwareAccess.UnableToConnectException Application.ApplicationStartup;
failed to create hardware layer Error in the application. at HardwareAccess.Hardware..ctor(Dispatcher
dispatcher, ServicePort port, Int32 timeout) at HardwareAccess.Hardware.Create(Dispatcher
dispatcher, ServicePort port, Int32 timeout) at HPWA_Main.App.ApplicationStartup(Object
sender, StartupEventArgs args)

[ System Events ]
Error - 5/12/2011 3:51:44 AM | Computer Name = TonyCole-HP | Source = Service Control Manager | ID = 7000
Description = The Mobile IP Route Manager service failed to start due to the following
error: %%1275

Error - 5/12/2011 7:11:41 AM | Computer Name = TonyCole-HP | Source = Application Popup | ID = 1060
Description = \??\C:\Windows\SysWow64\drivers\mdvrmng.sys has been blocked from
loading due to incompatibility with this system. Please contact your software vendor
for a compatible version of the driver.

Error - 5/12/2011 7:11:41 AM | Computer Name = TonyCole-HP | Source = Service Control Manager | ID = 7000
Description = The Mobile IP Route Manager service failed to start due to the following
error: %%1275

Error - 5/12/2011 8:23:30 AM | Computer Name = TonyCole-HP | Source = Application Popup | ID = 1060
Description = \??\C:\Windows\SysWow64\drivers\mdvrmng.sys has been blocked from
loading due to incompatibility with this system. Please contact your software vendor
for a compatible version of the driver.

Error - 5/12/2011 8:23:30 AM | Computer Name = TonyCole-HP | Source = Service Control Manager | ID = 7000
Description = The Mobile IP Route Manager service failed to start due to the following
error: %%1275

Error - 5/12/2011 8:24:49 AM | Computer Name = TonyCole-HP | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the HPWMISVC service.

Error - 5/12/2011 9:32:22 AM | Computer Name = TonyCole-HP | Source = Application Popup | ID = 1060
Description = \??\C:\Windows\SysWow64\drivers\mdvrmng.sys has been blocked from
loading due to incompatibility with this system. Please contact your software vendor
for a compatible version of the driver.

Error - 5/12/2011 9:32:22 AM | Computer Name = TonyCole-HP | Source = Service Control Manager | ID = 7000
Description = The Mobile IP Route Manager service failed to start due to the following
error: %%1275

Error - 5/12/2011 9:56:58 AM | Computer Name = TonyCole-HP | Source = Application Popup | ID = 1060
Description = \??\C:\Windows\SysWow64\drivers\mdvrmng.sys has been blocked from
loading due to incompatibility with this system. Please contact your software vendor
for a compatible version of the driver.

Error - 5/12/2011 9:56:58 AM | Computer Name = TonyCole-HP | Source = Service Control Manager | ID = 7000
Description = The Mobile IP Route Manager service failed to start due to the following
error: %%1275


< End of report >



#4 Tony Cole

Topic Starter

Posted 13 May 2011 - 02:06 AM

Hi Myrti



Operating System - 64-bit
Version - Windows 7 Professional Service Pack 1



Many thanks for all your time, etc.!



Tony Cole.




#5 myrti

Malware Study Hall Admin
Posted 14 May 2011 - 03:08 PM

Hi,

please run aswMBR next:

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



#6 Tony Cole

Topic Starter

Posted 14 May 2011 - 03:30 PM

As requested results from aswMBR scan:



aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-14 21:27:44
-----------------------------
21:27:44.154 OS Version: Windows x64 6.1.7601 Service Pack 1
21:27:44.154 Number of processors: 2 586 0x170A
21:27:44.154 ComputerName: TONYCOLE-HP UserName: Tony Cole
21:27:45.776 Initialize success
21:27:49.708 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:27:49.708 Disk 0 Vendor: WDC_WD25 02.0 Size: 238475MB BusType: 3
21:27:49.723 Disk 0 MBR read successfully
21:27:49.723 Disk 0 MBR scan
21:27:49.723 Disk 0 unknown MBR code
21:27:49.739 Service scanning
21:27:51.002 Disk 0 trace - called modules:
21:27:51.018 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
21:27:51.034 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80049cf060]
21:27:51.034 3 CLASSPNP.SYS[fffff88001b9443f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004772050]
21:27:51.034 Scan finished successfully
21:28:32.343 Disk 0 MBR has been saved successfully to "C:\Users\Tony Cole\Documents\MBR.dat"
21:28:32.358 The log file has been saved successfully to "C:\Users\Tony Cole\Documents\aswMBR.txt"

#7 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,768 posts
  • Gender:Female
  • Location:At home

Posted 14 May 2011 - 06:09 PM

Hi,

the logs are looking rather good so far. Do you share the network with other PCs? It might be that other PCs on your network are infected and are trying to infect your new laptop too. (Or that Norton is simply hypersensitive, but let's keep all options open until we know more).

regards myrti



#8 Tony Cole
  • Topic Starter
  • Members
  • 13 posts
  • Gender:Male
  • Location:Brighton, UK

Posted 14 May 2011 - 10:20 PM

Hi Myrti,

No, it is just me on the network. I am pleased that the logs are looking good; how you read them, I do not know. People keep saying Norton is good, then you read they are terrible; I never know whom to believe. How do you make a donation?

Best wishes,

Tony


Edited by Tony Cole, 14 May 2011 - 10:22 PM.


#9 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,768 posts
  • Gender:Female
  • Location:At home

Posted 15 May 2011 - 04:16 AM

Hi,

it's a little early to say that all is clean. The messages surely are intriguing. Do you go online through a router or do you connect online directly?

Please run a scan with Malwarebytes:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.



#10 Tony Cole
  • Topic Starter
  • Members
  • 13 posts
  • Gender:Male
  • Location:Brighton, UK

Posted 15 May 2011 - 06:55 AM

Hi Myrti

Scan results from Malwarebytes' (quick scan):

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database
version: 6583

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

15/05/2011 12:52:51
mbam-log-2011-05-15 (12-52-51).txt

Scan type: Quick scan
Objects scanned: 162471
Time elapsed: 1 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



These are the results of a full system scan:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database
version: 6583

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

15/05/2011 14:43:17
mbam-log-2011-05-15 (14-43-17).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 337668
Time elapsed: 1 hour(s), 0 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Best wishes,

Tony Cole.





Edited by Tony Cole, 15 May 2011 - 08:47 AM.


#11 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,768 posts
  • Gender:Female
  • Location:At home

Posted 15 May 2011 - 09:12 AM

Hi,

thanks. It's important to know whether you go online directly or not.

Can you please give the exact message you got from Norton about the attacks. Are you continuing to receive them?

regards myrti



#12 Tony Cole
  • Topic Starter
  • Members
  • 13 posts
  • Gender:Male
  • Location:Brighton, UK

Posted 15 May 2011 - 09:40 AM

Hi Myrti,

I connect to the internet via a USB dongle, and I'm the only one who uses it, etc. Yes, I keep getting the messages. This is what Norton shows on each occasion:

OS Attack: MS RPCSS Attack CVE-2004-01163 The attack was resulted from \device\harddiskvolume2\windows\system32\svchost.exe

Best wishes

Tony Cole


Edited by Tony Cole, 15 May 2011 - 10:38 AM.


#13 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,768 posts
  • Gender:Female
  • Location:At home

Posted 15 May 2011 - 10:48 AM

Hi,

do you get those messages when you are offline too? What do you store on your D: partition? Only data or do you have programs installed there too?

regards myrti



#14 Tony Cole
  • Topic Starter
  • Members
  • 13 posts
  • Gender:Male
  • Location:Brighton, UK

Posted 16 May 2011 - 01:19 AM

Hi Myrti,

No, I only get them whilst online; however, Norton said it could be a virus trying to communicate with the outside world. On my D drive is an HP System Image/Recovery Partition.

Best wishes,

Tony Cole




#15 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,768 posts
  • Gender:Female
  • Location:At home

Posted 16 May 2011 - 04:06 AM

Hi,

the issue I'm having at the moment is that Norton is not using correct English. :whistle: The OS Attack would normally be an attack coming from the outside, probing your PC for vulnerabilities. This is something totally normal to happen if you connect to the internet directly. The fact that it is "random", or not specifically targeted at you, is supported by the fact that the attack carried out is based on a vulnerability patched in 2004 and actually only effective against an unpatched Windows XP.
So it would seem that you are seeing the firewall at work.

However, the second part (besides being grammatically incorrect) suggests that svchost.exe is attacking (or, due to the weird way it is formulated, is being attacked).

Do you have the Windows firewall enabled?

regards myrti

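The check a practitioner would run at this point in the thread (after myrti's reading of the alert above, and the earlier questions about a router versus a direct USB-dongle connection) is to find out which process actually owns the TCP/135 listener that the "MS RPCSS" signature fires on. The script below is an added example and not part of the original thread or any of the tools mentioned in it. It parses the output of `netstat -ano` and `tasklist /svc`, correlates the two on PID, and reports whether the TCP/135 listener belongs to an svchost.exe hosting RpcSs and is bound to a non-loopback address. The command output embedded here is constructed in the shape of Windows 7 output; the PIDs, addresses and service lists are made up. If the process Norton names in the alert is that listener, the alert is describing a probe aimed *at* svchost.exe, not one launched by it.

```python
"""Correlate `netstat -ano` with `tasklist /svc` to see which process owns the
RPC endpoint mapper listener (TCP/135) and whether it is reachable off-host.
Added example, not from the thread; all command output below is CONSTRUCTED."""
import re

# Constructed `netstat -ano` sample (UDP rows carry no State column).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       720
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING       848
  TCP    10.64.12.7:49210       93.184.216.34:443      ESTABLISHED     2216
  TCP    [::]:135               [::]:0                 LISTENING       720
  UDP    0.0.0.0:500            *:*                                    1040
"""

# Constructed `tasklist /svc` sample; long service lists wrap onto an indented
# continuation line, as the real tool prints them.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    720 RpcEptMapper, RpcSs
svchost.exe                    848 AudioEndpointBuilder, Netman, TrkWks,
                                   UxSms, Wlansvc
svchost.exe                   1040 IKEEXT, PolicyAgent
firefox.exe                   2216 N/A
"""

# The alert text as quoted in the thread (Python string, so backslashes are doubled).
NORTON_ALERT = ("OS Attack: MS RPCSS Attack CVE-2004-01163 The attack was resulted from "
                "\\device\\harddiskvolume2\\windows\\system32\\svchost.exe")

LOOPBACK = {"127.0.0.1", "[::1]"}
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")
TASK_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.+?)\s*$")
ALERT_PATH_RE = re.compile(r"resulted from\s*(\\\S+)", re.IGNORECASE)


def split_endpoint(endpoint):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:135' -> ('[::]', 135); '*:*' -> ('*', None)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            addr, port = split_endpoint(local)
            sockets.append({"proto": proto, "addr": addr, "port": port,
                            "remote": remote, "state": state or "", "pid": int(pid)})
    return sockets


def _services(field):
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist(text):
    """Map PID -> (image name, [services]), folding wrapped continuation lines."""
    procs, last = {}, None
    for line in text.splitlines():
        if last is not None and line[:1].isspace() and line.strip():
            procs[last][1].extend(_services(line))   # continuation of previous row
            continue
        m = TASK_RE.match(line)
        if not m:
            last = None
            continue
        image, pid, svcs = m.groups()
        last = int(pid)
        procs[last] = (image, _services(svcs))
    return procs


def endpoint_mapper_exposure(netstat_text, tasklist_text, port=135):
    """One record per LISTENING socket on `port`: owning image, hosted services,
    whether RpcSs is among them, and whether the bind address is non-loopback."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for s in parse_netstat(netstat_text):
        if s["port"] != port or s["state"] != "LISTENING":
            continue
        image, services = procs.get(s["pid"], ("<unknown>", []))
        findings.append({"binding": "%s:%d" % (s["addr"], port), "pid": s["pid"],
                         "image": image, "services": services,
                         "hosts_rpcss": "RpcSs" in services,
                         "exposed": s["addr"] not in LOOPBACK})
    return findings


def alert_process(alert_text):
    """File name of the NT device path Norton names in the alert, lower-cased."""
    m = ALERT_PATH_RE.search(alert_text)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else None


def alert_consistent_with_inbound_probe(alert_text, findings):
    """True when the process named in the alert holds an exposed TCP/135 listener
    hosting RpcSs: the signature matched traffic *to* the endpoint mapper, so the
    named svchost.exe is the probe's target, not its source."""
    name = alert_process(alert_text)
    return any(f["image"].lower() == name and f["exposed"] and f["hosts_rpcss"]
               for f in findings)
```

On a live Windows 7 host, paste the real output of `netstat -ano` and `tasklist /svc` in place of the two samples and call `endpoint_mapper_exposure(...)`, then `alert_consistent_with_inbound_probe(alert, findings)` with the text from the Norton pop-up. A host on a USB dongle typically gets an address reachable from the internet, so an exposed 0.0.0.0:135 bind is exactly what attracts the background scanning myrti describes; `netsh advfirewall show allprofiles` shows whether the Windows Firewall is on for the active profile, and an elevated `netstat -anob` prints the owning image name directly, which is a quick way to confirm the correlation the script performs.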




