Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Suspicious process - PING.EXE and other detections


  • Please log in to reply
3 replies to this topic

#1 contortfx

contortfx

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:50 PM

Posted 03 August 2011 - 11:43 AM

Hello, firstly I'd like to apologize for making my first post on these forums a plead for your help.

Basically a couple of days ago I was browsing a website or something on my music production computer (shamefully no noscript or anything on this as I hardly touch the browser/use it for anything apart from music) and had a strange detection in Avira (I can't remember the name, have since switched to Microsoft Security Essentials based on a friends recommendation foolishly without saving logs) then a BSOD. Obviously I was very suspicious after this, ran a complete scan with Avira and found a few things which were supposedly easily cleaned up by the program and deleted. However, I noticed that PING.EXE (in Windows\SysWOW64\) was continuously running after this and kept popping back up after I ended it in process manager. Still worried and suspicious, I switched to MSE2 and ran a full deep scan in normal mode and in safe mode, the first initial scan with MSE2 found 11 items and seemingly cleaned these up with no problems (silly things I had downloaded like http://www.filehippo.com/download_unlocker/ or whatever) but the PING.EXE remained to my confusion! So next up I ran MalwareBytes and supposedly found 4-5 infections, again supposedly cleaned up with no problems but again, the PING.EXE is still there scaring me.

I've searched through your forums with little luck, as far as I know or can find out, PING.EXE by itself isn't a particularly threatening process but I have no idea what it's doing or why and obviously would like it to stop (I have a DJ set on the 20th and need to use this computer to finish songs but I'm too scared to with this problem), so I am here humbly requesting your help upon recommendation by a friend of mine.

I've seen in your stickies that I should post a DDS log and recommended by a friend to also post a HijackThis log (I'm running Windows Vista 64 Bit so I can't use GMER) so here goes:

DDS

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 7.0.6002.18005
Run by Hen at 17:20:35 on 2011-08-03
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.4060.2682 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Syswow64\ping.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\System32\notepad.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
dRun: [8DDYX0ZBPZ] C:\Windows\TEMP\Rmk.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{3877C57D-BE5B-4BF3-8B36-79B9F7C3B4FA} : DhcpNameServer = 10.0.0.1 10.0.0.2 10.0.0.5
TCP: Interfaces\{733F01F9-1A85-403C-83EE-E7E5AAA65125} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Hen\AppData\Roaming\Mozilla\Firefox\Profiles\vkqt12er.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe --> C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe [?]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw5v64.sys --> C:\Windows\system32\DRIVERS\NETw5v64.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;C:\Windows\system32\DRIVERS\OA008Ufd.sys --> C:\Windows\system32\DRIVERS\OA008Ufd.sys [?]
R3 OA008Vid;Creative Camera OA008 Function Driver;C:\Windows\system32\DRIVERS\OA008Vid.sys --> C:\Windows\system32\DRIVERS\OA008Vid.sys [?]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-10 89920]
S3 MADFUAP;Service for M-Audio Audiophile DFU;C:\Windows\system32\DRIVERS\madfuap.sys --> C:\Windows\system32\DRIVERS\madfuap.sys [?]
S3 MAUSBAP;Service for M-Audio Audiophile;C:\Windows\system32\DRIVERS\mausbap.sys --> C:\Windows\system32\DRIVERS\mausbap.sys [?]
S3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;C:\Windows\system32\DRIVERS\MAudioFastTrackPro.sys --> C:\Windows\system32\DRIVERS\MAudioFastTrackPro.sys [?]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-21 19968]
.
=============== Created Last 30 ================
.
2011-08-02 21:58:00 -------- d-----w- C:\Users\Hen\AppData\Roaming\Malwarebytes
2011-08-02 21:57:15 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-08-02 21:57:14 -------- d-----w- C:\ProgramData\Malwarebytes
2011-08-02 21:57:11 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-08-02 21:57:11 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-08-02 17:55:15 89048 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libEGL.dll
2011-08-02 17:55:15 781272 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-08-02 17:55:15 465880 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libGLESv2.dll
2011-08-02 17:55:15 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-08-02 17:55:15 1998168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-08-02 17:55:15 1850328 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2011-08-02 17:55:15 15832 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozalloc.dll
2011-08-02 17:55:15 142296 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-08-02 17:49:33 601424 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4E9BF9B8-EAC9-4C5D-95BC-8B64D834F48F}\gapaengine.dll
2011-08-02 17:49:27 8578896 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{688CAB55-5372-40FB-8BE2-DC3BFEDE27A1}\mpengine.dll
2011-08-02 17:42:56 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-08-02 17:42:37 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-08-02 17:42:21 345984 ----a-w- C:\Windows\System32\drivers\netio.sys
2011-08-02 17:41:31 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3B091F3E-741C-4256-8A8C-F2B16481B775}\mpengine.dll
2011-08-01 22:08:27 -------- d-----w- C:\Users\Hen\AppData\Roaming\Unkyut
2011-08-01 22:08:27 -------- d-----w- C:\Users\Hen\AppData\Roaming\Ehqyec
2011-08-01 19:39:07 112004 ----a-w- C:\Windows\SysWow64\0.8259526675073882.exe
2011-08-01 17:50:44 -------- d-----w- C:\ballantinex
2011-07-18 07:50:52 233472 ----a-w- C:\Windows\SysWow64\REX Shared Library.dll
2011-07-18 05:30:59 310272 ----a-w- C:\Windows\System32\WsmWmiPl.dll
2011-07-18 05:30:59 252416 ----a-w- C:\Windows\SysWow64\WSManMigrationPlugin.dll
2011-07-18 05:30:59 246272 ----a-w- C:\Windows\SysWow64\WSManHTTPConfig.exe
2011-07-18 05:30:59 241152 ----a-w- C:\Windows\SysWow64\winrscmd.dll
2011-07-18 05:30:59 214016 ----a-w- C:\Windows\SysWow64\WsmWmiPl.dll
2011-07-18 05:30:59 180736 ----a-w- C:\Windows\System32\WsmAuto.dll
2011-07-18 05:30:59 145408 ----a-w- C:\Windows\SysWow64\WsmAuto.dll
2011-07-18 05:30:58 370688 ----a-w- C:\Windows\System32\winrscmd.dll
2011-07-18 05:30:58 352768 ----a-w- C:\Windows\System32\WSManMigrationPlugin.dll
2011-07-18 05:30:58 348672 ----a-w- C:\Windows\System32\WSManHTTPConfig.exe
2011-07-18 05:30:58 2050048 ----a-w- C:\Windows\System32\WsmSvc.dll
2011-07-18 05:30:58 1181696 ----a-w- C:\Windows\SysWow64\WsmSvc.dll
2011-07-18 05:28:59 2002944 ----a-w- C:\Windows\System32\d3d10warp.dll
2011-07-18 05:27:59 1555968 ----a-w- C:\Windows\System32\DWrite.dll
2011-07-16 05:06:29 2764288 ----a-w- C:\Windows\System32\win32k.sys
2011-07-16 05:06:18 85504 ----a-w- C:\Windows\System32\csrsrv.dll
2011-07-16 05:06:18 451072 ----a-w- C:\Windows\System32\winsrv.dll
.
==================== Find3M ====================
.
2011-06-18 02:56:12 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
.
============= FINISH: 17:21:15.68 ===============

HijackThis log in next post:

BC AdBot (Login to Remove)

 


#2 contortfx

contortfx
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:50 PM

Posted 03 August 2011 - 11:45 AM

HijackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:29:38, on 03/08/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
C:\Users\Hen\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USCON/2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/USCON/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [8DDYX0ZBPZ] C:\Windows\TEMP\Rmk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [8DDYX0ZBPZ] C:\Windows\TEMP\Rmk.exe (User 'Default user')
O4 - .DEFAULT User Startup: ercee.exe (User 'Default user')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7011 bytes

Thank you again for your time in reading my posts and I hope somebody can help me on this matter.

#3 contortfx

contortfx
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:50 PM

Posted 03 August 2011 - 01:41 PM

Sorry to bump again so quickly but been told it might be helpful to post my netstat -an as this is something related to PING.EXE (hopefully there won't be any risky info in it) so here goes:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
TCP 192.168.1.136:139 0.0.0.0:0 LISTENING
TCP 192.168.1.136:49166 92.123.153.35:80 ESTABLISHED
TCP 192.168.1.136:49168 212.36.9.52:443 TIME_WAIT
TCP 192.168.1.136:49169 212.36.9.52:443 ESTABLISHED
TCP 192.168.1.136:49170 212.36.9.52:443 TIME_WAIT
TCP 192.168.1.136:49171 212.36.9.52:443 ESTABLISHED
TCP 192.168.1.136:49172 65.55.185.26:443 ESTABLISHED
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:5357 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49154 [::]:0 LISTENING
TCP [::]:49155 [::]:0 LISTENING
TCP [::]:49156 [::]:0 LISTENING
UDP 0.0.0.0:123 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5355 *:*
UDP 0.0.0.0:63651 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:52929 *:*
UDP 127.0.0.1:58685 *:*
UDP 192.168.1.136:137 *:*
UDP 192.168.1.136:138 *:*
UDP 192.168.1.136:1900 *:*
UDP 192.168.1.136:58684 *:*
UDP [::]:123 *:*
UDP [::]:500 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:5355 *:*
UDP [::]:63652 *:*
UDP [::1]:1900 *:*
UDP [::1]:58682 *:*
UDP [fe80::1c7f:2128:8cc4:1681%12]:1900 *:*
UDP [fe80::1c7f:2128:8cc4:1681%12]:58680 *:*
UDP [fe80::1ce8:3ec2:3f57:fe77%10]:1900 *:*
UDP [fe80::1ce8:3ec2:3f57:fe77%10]:58683 *:*
UDP [fe80::b176:f3af:41f1:28cc%11]:1900 *:*
UDP [fe80::b176:f3af:41f1:28cc%11]:58681 *:*

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,404 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:50 AM

Posted 10 August 2011 - 04:24 AM

Hello ,
And :welcome: to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users