Winlogon running high CPU cycles and page faults


  • This topic is locked
26 replies to this topic

#1 jnlvngstn

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:45 PM

Posted 09 August 2011 - 04:24 AM

PC was slowing down. Looked at Task Manager; running processes showed winlogon bouncing between 0 and 70+% of CPU. CPU usually running at 100%.
I've run Ad-Aware, Spybot, Eusing Registry Cleaner, and always have McAfee running. I also notice the priority for winlogon has been set to High, and it is the only process I can find that is set at that level. The others are set to Normal. Winlogon also has a quickly mounting number of page faults; I've seen it as high as 56,000,000K. Also, I've noticed I'm losing free space on my hard drive. What was at 6GB this morning was down to almost 3GB this evening. Two nights ago and last night, while running GMER, Windows crashed from a serious error. The first time, the error indicated a driver problem; the second time it indicated a kernel stacking error.
Thanks in advance.



.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by PATRICK WALSH at 5:09:26 on 2011-08-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.601 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\usrbridg.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Kitco\Kcast\Kcast.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dellnet.com
uWindow Title = Microsoft Internet Explorer provided by Verizon Online
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - McAfee Phishing Filter
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110728191754.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [KITCO] c:\program files\kitco\kcast\Kcast
uRun: [LDM] \Program\BackWeb-8876480.exe
mRun: [DellTouch] c:\windows\DELLMMKB.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [SiteAdvisor] c:\program files\siteadvisor\6253\SiteAdv.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/hsi/vzTCPConfig.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - hxxp://www.pcpitstop.com/internet/pcpConnCheck.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://coupons.smartsource.com/download/cscmv5X.cab
DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} - hxxp://amiuptodate.mcafee.com/vsc/bin/2,0,0,0/McUpdatePortal.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.brightstreet.com/cif/download/bin/actxcab.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{3B615332-C10E-4F92-99C5-E047B0F4A93E} : DhcpNameServer = 192.168.1.1 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: ckpNotify - ckpNotify.dll
AppInit_DLLs: NVDESK32.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\patrick walsh\application data\mozilla\firefox\profiles\z58h0k0v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\patrick walsh\application data\mozilla\firefox\profiles\z58h0k0v.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\patrick walsh\application data\mozilla\firefox\profiles\z58h0k0v.default\extensions\2020player@2020technologies.com\plugins\NP2020Player.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-19 459728]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-19 89368]
R2 agentcd;DriverAgent Class Driver;c:\windows\system32\AgentCD.sys [2001-12-12 196096]
R2 Mojave;Dazzle Mojave Device;c:\windows\system32\drivers\Mojave.sys [2001-12-12 119276]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2009-4-24 17424]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2009-4-24 670128]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-19 57432]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2009-4-24 2041744]
R3 IRCOMM;IRCOMM;c:\windows\system32\drivers\Ircomm.sys [2004-3-4 54132]
R3 KRNBRIDG;IrBridge Kernel-Level Interface;c:\windows\system32\drivers\krnbridg.sys [2004-3-4 14436]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-19 179248]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-19 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-19 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-19 83688]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2000-10-3 6942]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [1980-1-1 142336]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [1980-1-1 524288]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-8-22 11520]
S3 DSCVc;Video Capture;c:\windows\system32\drivers\CoachVc.sys [2006-3-30 44256]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-11-28 16968]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-19 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-19 85984]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2009-4-24 14924]
S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2001-12-12 19232]
S4 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15232]
S4 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-13 64288]
S4 motdcb;Motorola Deluxe Charger Base;c:\windows\system32\drivers\irmotdcb.sys [2004-3-4 13936]
.
=============== Created Last 30 ================
.
2011-08-07 18:54:25 7168 ----a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2011-08-07 18:54:11 12288 ----a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2011-08-07 18:52:24 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2011-08-07 18:52:13 57856 ----a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2011-08-07 18:50:46 23040 ----a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe
2011-08-07 18:47:20 38912 ----a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2011-08-07 18:43:42 65536 ----a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2011-08-07 18:39:33 141056 ----a-w- c:\windows\system32\dllcache\icam3.sys
2011-08-07 18:39:30 38528 ----a-w- c:\windows\system32\dllcache\ibmvcap.sys
2011-08-07 18:39:28 109085 ----a-w- c:\windows\system32\dllcache\ibmtrp.sys
2011-08-07 18:39:27 100936 ----a-w- c:\windows\system32\dllcache\ibmtok.sys
2011-08-07 18:39:25 9216 ----a-w- c:\windows\system32\dllcache\ibmsgnet.dll
2011-08-07 18:39:23 28700 ----a-w- c:\windows\system32\dllcache\ibmexmp.sys
2011-08-07 18:39:18 161020 ----a-w- c:\windows\system32\dllcache\i81xnt5.sys
2011-08-07 18:39:16 702845 ----a-w- c:\windows\system32\dllcache\i81xdnt5.dll
2011-08-07 18:39:14 58592 ----a-w- c:\windows\system32\dllcache\i740nt5.sys
2011-08-07 18:39:13 353184 ----a-w- c:\windows\system32\dllcache\i740dnt5.dll
2011-08-07 18:39:09 10129408 ----a-w- c:\windows\system32\dllcache\hwxkor.dll
2011-08-07 18:39:02 10096640 ----a-w- c:\windows\system32\dllcache\hwxcht.dll
2011-08-07 18:37:56 28288 ----a-w- c:\windows\system32\dllcache\grserial.sys
2011-08-07 18:36:56 442240 ----a-w- c:\windows\system32\dllcache\fpnpbase.sys
2011-08-07 18:35:59 34816 ----a-w- c:\windows\system32\dllcache\esuimg.dll
2011-08-07 18:34:59 77386 ----a-w- c:\windows\system32\dllcache\el656nd5.sys
2011-08-07 18:33:46 8320 ----a-w- c:\windows\system32\dllcache\dlttape.sys
2011-08-07 18:32:55 419357 ----a-w- c:\windows\system32\dllcache\dgconfig.dll
2011-08-07 18:31:59 93952 ----a-w- c:\windows\system32\dllcache\cwcwdm.sys
2011-08-07 18:30:56 248064 ----a-w- c:\windows\system32\dllcache\cl546xm.sys
2011-08-07 18:29:59 37916 ----a-w- c:\windows\system32\dllcache\cb102.sys
2011-08-07 18:29:55 32256 ----a-w- c:\windows\system32\dllcache\diapi2NT.dll
2011-08-07 18:29:53 164923 ----a-w- c:\windows\system32\dllcache\diapi2.sys
2011-08-07 18:29:52 54528 ----a-w- c:\windows\system32\dllcache\cap7146.sys
2011-08-07 18:29:50 121856 ----a-w- c:\windows\system32\dllcache\camext30.dll
2011-08-07 18:29:46 236032 ----a-w- c:\windows\system32\dllcache\camext20.dll
2011-08-07 18:29:41 74240 ----a-w- c:\windows\system32\dllcache\camexo20.dll
2011-08-07 18:29:38 171264 ----a-w- c:\windows\system32\dllcache\camdrv30.sys
2011-08-07 18:29:37 223232 ----a-w- c:\windows\system32\dllcache\camdrv21.sys
2011-08-07 18:29:35 314752 ----a-w- c:\windows\system32\dllcache\camdro21.sys
2011-08-07 18:29:32 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2011-08-07 18:29:30 6656 ----a-w- c:\windows\system32\dllcache\c_is2022.dll
2011-08-07 18:26:57 37568 ----a-w- c:\windows\system32\dllcache\avmwan.sys
2011-08-07 18:25:53 77568 ----a-w- c:\windows\system32\dllcache\ati.sys
2011-08-07 18:25:51 96128 ----a-w- c:\windows\system32\dllcache\ati.dll
2011-08-07 18:25:49 97354 ----a-w- c:\windows\system32\dllcache\aspndis3.sys
2011-08-07 18:25:44 45056 ----a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2011-08-07 18:25:41 6272 ----a-w- c:\windows\system32\dllcache\apmbatt.sys
2011-08-07 18:25:39 36224 ----a-w- c:\windows\system32\dllcache\an983.sys
2011-08-07 18:25:35 16969 ----a-w- c:\windows\system32\dllcache\amb8002.sys
2011-08-07 18:25:33 26624 ----a-w- c:\windows\system32\dllcache\alifir.sys
2011-08-07 18:25:31 27678 ----a-w- c:\windows\system32\dllcache\ali5261.sys
2011-08-07 18:25:07 5632 ----a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2011-08-07 18:25:04 46112 ----a-w- c:\windows\system32\dllcache\adptsf50.sys
2011-08-07 18:25:02 10880 ----a-w- c:\windows\system32\dllcache\admjoy.sys
2011-08-07 18:25:00 747392 ----a-w- c:\windows\system32\dllcache\adm8830.sys
2011-08-07 16:07:33 388096 ----a-r- c:\documents and settings\patrick walsh\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-07 16:07:27 -------- d-----w- c:\program files\Trend Micro
2011-08-07 00:43:56 -------- dc----w- C:\!KillBox
2011-08-04 00:50:03 183027 ----a-w- c:\documents and settings\patrick walsh\0.5757376977861715.exe
2011-07-31 00:10:54 -------- d-----w- c:\program files\OpenXML-ODF Translator
2011-07-28 23:17:55 24376 ----a-w- c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
.
==================== Find3M ====================
.
2011-07-02 03:34:30 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-02 14:02:05 1858944 ------w- c:\windows\system32\win32k.sys
2011-05-29 15:04:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2004-01-17 13:14:10 638544 ----a-w- c:\program files\PowerCalcPowertoySetup.exe
2003-11-02 13:45:41 2470883 ----a-w- c:\program files\4301xdat.exe
2003-10-27 21:38:20 5701438 ----a-w- c:\program files\sdat4299.exe
2003-10-05 13:30:59 532616 ----a-w- c:\program files\ImageResizerPowertoySetup.exe
2003-10-04 14:07:16 5655738 ----a-w- c:\program files\sdat4296.exe
2003-07-10 06:57:43 562160 ----a-w- c:\program files\QuickTimeInstaller.exe
2003-05-11 02:31:18 8839120 ----a-w- c:\program files\AcroReader51_ENU.exe
2001-06-13 15:13:58 147521 ----a-w- c:\program files\PWSource.dll
2001-03-16 16:04:10 180224 ----a-w- c:\program files\tsenginewrapper.dll
2001-03-14 15:57:32 40960 ----a-w- c:\program files\OLTS98.EXT
2001-03-14 15:57:30 483328 ----a-w- c:\program files\OL98Source.dll
2001-03-12 17:14:12 86090 ----a-w- c:\program files\TSRecordEngine.dll
2001-03-12 17:02:20 90112 ----a-w- c:\program files\TimeZoneType.dll
2001-03-12 17:02:02 110592 ----a-w- c:\program files\ContactType.dll
2001-03-12 17:01:56 761856 ----a-w- c:\program files\TSControl.dll
2001-03-12 17:01:40 86016 ----a-w- c:\program files\TodoType.dll
2001-03-12 17:01:32 77824 ----a-w- c:\program files\MemoType.dll
2001-03-12 17:01:28 147456 ----a-w- c:\program files\CalendarType.dll
2001-03-12 16:51:26 712762 ----a-w- c:\program files\TSCore.dll
2001-01-24 15:45:00 352256 ----a-w- c:\program files\SKSource.dll
2001-01-24 15:44:14 24576 ----a-w- c:\program files\TimHook.dll
2001-01-16 14:01:12 36864 ------w- c:\program files\ISDll.dll
2000-12-04 17:31:58 49216 ----a-w- c:\program files\Truesync.exe
1999-08-30 14:47:58 34304 ------w- c:\program files\tstool.exe
.
============= FINISH: 5:21:01.10 ===============

Edited by jnlvngstn, 09 August 2011 - 04:30 AM.
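The "Pseudo HJT Report" section of the DDS log above lists every autostart hook the tool found, but DDS leaves the reading to the analyst. The script below is an added example written for this thread; it is not part of DDS, of BleepingComputer's tooling, or of the poster's logs. It parses lines in that format, extracts the file each entry actually launches or loads (handling the unquoted paths with spaces and the rundll32 command lines DDS prints as-is), and flags entries a responder would want to check by hand: orphaned "No File" components, entries that name a bare or relative filename instead of an absolute path (so which file runs depends on the search path at logon), anything under the legacy RunServices key or AppInit_DLLs, and anything started from a user-writable directory. The sample lines are copied from the first log above except the last, which is constructed to exercise the user-writable check. The heuristics are the editor's assumptions and a flag is a prompt for review, not a verdict: several vendor entries in this same log are registered as bare filenames too.

```python
"""Triage the autostart lines of a DDS "Pseudo HJT Report" section.

Added example for this thread, not part of DDS or of BleepingComputer's
tooling. The heuristics below are the editor's assumptions: a flag marks an
entry for manual review, it is not a malware verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DDS prefixes for Run-style keys: "u" = current-user hive, "m" = machine hive.
RUN_KINDS = {"uRun", "mRun", "uRunOnce", "mRunOnce", "uRunServices", "mRunServices"}
# DDS prefixes for loaded components, printed as "<description> - <file>".
COMPONENT_KINDS = {"BHO", "TB", "EB", "StartupFolder", "Notify"}
# Directories a standard user can write to (lower-case fragments of an XP path).
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\", "\\downloads\\")

ABSOLUTE_PATH = re.compile(r"^(?:[a-z]:\\|%[^%]+%\\)")  # c:\... or %windir%\...
# First program or library on an unquoted command line: DDS does not quote paths
# with spaces, so cut at the first recognised extension instead of the first space.
EXE_RE = re.compile(r"(.+?\.(?:exe|dll|scr|com|cpl|bat|cmd))(?=\s|,|$)", re.I)


@dataclass
class Entry:
    kind: str    # DDS prefix, e.g. "mRunServices"
    name: str    # value name, component description or .lnk path
    target: str  # file the entry runs or loads ("" when the line names none)


def launched_file(command: str) -> str:
    """Return the file a Run-key command line actually executes.

    A quoted command yields the quoted path. A rundll32 command is resolved to the
    DLL it loads, because rundll32.exe itself is always the same system binary.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    if not m:
        return command  # no recognisable extension: keep the whole command
    program = m.group(1)
    if program.lower() == "rundll32.exe":
        rest = command[m.end():].strip()
        dll = EXE_RE.match(rest)
        return dll.group(1) if dll else rest
    return program


def parse_line(line: str) -> Optional[Entry]:
    """Parse one DDS line; return None for lines that are not autostart entries."""
    kind, sep, rest = line.partition(": ")
    if not sep:
        return None
    if kind in RUN_KINDS:
        m = re.match(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)", rest)
        return Entry(kind, m.group("name"), launched_file(m.group("cmd"))) if m else None
    if kind == "AppInit_DLLs":
        return Entry(kind, kind, rest.strip())
    if kind in COMPONENT_KINDS:
        head, dash, target = rest.rpartition(" - ")
        return Entry(kind, head.strip(), target.strip()) if dash else Entry(kind, rest.strip(), "")
    return None


def review_flags(entry: Entry) -> List[str]:
    """Review prompts for one entry (editor's heuristics, not DDS logic)."""
    if entry.target == "No File":
        return ["orphaned: the registered component's file is missing"]
    flags = []
    target = entry.target.lower()
    if entry.kind == "AppInit_DLLs":
        flags.append("AppInit_DLLs: loaded into every process that uses user32.dll; confirm the publisher")
    if entry.kind.endswith("RunServices"):
        flags.append("RunServices: Windows 9x-era autostart key, rarely populated on XP")
    if not ABSOLUTE_PATH.match(target):
        flags.append("not an absolute path: which file runs depends on the search path at logon; locate it on disk")
    if any(fragment in target for fragment in USER_WRITABLE):
        flags.append("starts from a user-writable directory")
    return flags


def triage(lines) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, flags) for every autostart line that raised at least one flag."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            flags = review_flags(entry)
            if flags:
                findings.append((entry, flags))
    return findings


# Sample input: lines copied from the DDS log above, plus one constructed line
# (the "Updater" entry, not from the log) that exercises the user-writable check.
SAMPLE_LINES = [
    "uStart Page = about:blank",
    r'uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background',
    r"uRun: [LDM] \Program\BackWeb-8876480.exe",
    r"mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup",
    r"mRun: [nwiz] nwiz.exe /install",
    r"mRunServices: [Microsoft Windows DLL Services Configuration] windir32.exe",
    r"BHO: AutorunsDisabled - No File",
    r"BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll",
    r"TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File",
    r"StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe",
    r"Notify: ckpNotify - ckpNotify.dll",
    r"AppInit_DLLs: NVDESK32.DLL",
    r"DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab",
    r"uRun: [Updater] c:\documents and settings\exampleuser\application data\updater.exe",  # constructed
]

if __name__ == "__main__":
    for entry, flags in triage(SAMPLE_LINES):
        print(f"{entry.kind}: {entry.name} -> {entry.target or '(none)'}")
        for flag in flags:
            print(f"    - {flag}")
```

Run against the sample lines it reports eight entries for review and stays silent on the quoted msmsgs.exe entry, the rundll32 line (resolved to NvCpl.dll under system32), the Java BHO and the APC startup shortcut. Paste a whole DDS log into `triage()` and it ignores every line that is not an autostart entry, so the output is a short checklist of paths to locate on disk and publishers to confirm rather than a rewrite of the log.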



#2 HelpBot (Bleepin' Binary Bot)

  • Bots
  • 12,603 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:45 PM

Posted 15 August 2011 - 04:25 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/413547 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 jnlvngstn (Topic Starter)

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:45 PM

Posted 20 August 2011 - 07:09 PM

Still experiencing the same issues as reported in the first post.
I have posted the DDS and attached the Attach file.
It takes a couple of hours to run GMER, which I will do overnight tonight and post in about 12 hours.
Thanks

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by PATRICK WALSH at 18:19:24 on 2011-08-20
.
============== Running Processes ===============
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\usrbridg.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\McAfee\VirusScan\mcods.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Kitco\Kcast\Kcast.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\PATRICK WALSH\My Documents\Downloads\dds(3).scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dellnet.com
uWindow Title = Microsoft Internet Explorer provided by Verizon Online
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - McAfee Phishing Filter
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110728191754.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [KITCO] c:\program files\kitco\kcast\Kcast
uRun: [LDM] \Program\BackWeb-8876480.exe
mRun: [DellTouch] c:\windows\DELLMMKB.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [SiteAdvisor] c:\program files\siteadvisor\6253\SiteAdv.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/hsi/vzTCPConfig.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - hxxp://www.pcpitstop.com/internet/pcpConnCheck.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://coupons.smartsource.com/download/cscmv5X.cab
DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} - hxxp://amiuptodate.mcafee.com/vsc/bin/2,0,0,0/McUpdatePortal.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.brightstreet.com/cif/download/bin/actxcab.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{3B615332-C10E-4F92-99C5-E047B0F4A93E} : DhcpNameServer = 192.168.1.1 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: ckpNotify - ckpNotify.dll
AppInit_DLLs: NVDESK32.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\patrick walsh\application data\mozilla\firefox\profiles\z58h0k0v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\patrick walsh\application data\mozilla\firefox\profiles\z58h0k0v.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\patrick walsh\application data\mozilla\firefox\profiles\z58h0k0v.default\extensions\2020player@2020technologies.com\plugins\NP2020Player.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? DSCVc;Video Capture
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? hitmanpro35;Hitman Pro 3.5 Support Driver
R? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
R? Lavasoft Kernexplorer;Lavasoft helper driver
R? Lbd;Lbd
R? mfendisk;McAfee Core NDIS Intermediate Filter
R? motdcb;Motorola Deluxe Charger Base
R? NAUpdate;@c:\program files\nero\update\NASvc.exe,-200
R? OMVA;VPN-1 SecureClient Adapter
R? vtdg46xx;vtdg46xx
R? WinRM;Windows Remote Management (WS-Management)
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? agentcd;DriverAgent Class Driver
S? cfwids;McAfee Inc. cfwids
S? FW1;SecuRemote Miniport
S? IRCOMM;IRCOMM
S? KRNBRIDG;IrBridge Kernel-Level Interface
S? McMPFSvc;McAfee Personal Firewall Service
S? McNaiAnn;McAfee VirusScan Announcer
S? McProxy;McAfee Proxy Service
S? McShield;McAfee McShield
S? mfeavfk;McAfee Inc. mfeavfk
S? mfebopk;McAfee Inc. mfebopk
S? mfefire;McAfee Firewall Core Service
S? mfefirek;McAfee Inc. mfefirek
S? mfehidk;McAfee Inc. mfehidk
S? mfendiskmp;mfendiskmp
S? mferkdet;McAfee Inc. mferkdet
S? mfetdi2k;McAfee Inc. mfetdi2k
S? mfevtp;McAfee Validation Trust Protection Service
S? Mojave;Dazzle Mojave Device
S? Msikbd2k;DellTouch
S? MSSQL$SOSHOME309;SQL Server (SOSHOME309)
S? Nhksrv;Netropa NHK Server
S? Scap;SecureClient Application Policy Module
S? tbcspud;Santa Cruz Driver
S? tbcwdm;Santa Cruz WDM Driver
S? VPN-1;VPN-1 Module
S? WDC_SAM;WD SCSI Pass Thru driver
S? WDDMService;WD SmartWare Drive Manager
S? WDSmartWareBackgroundService;WD SmartWare Background Service
.
=============== Created Last 30 ================
.
2011-08-07 18:54:25 7168 ----a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2011-08-07 18:54:11 12288 ----a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2011-08-07 18:52:24 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2011-08-07 18:52:13 57856 ----a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2011-08-07 18:50:46 23040 ----a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe
2011-08-07 18:47:20 38912 ----a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2011-08-07 18:43:42 65536 ----a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2011-08-07 18:35:59 34816 ----a-w- c:\windows\system32\dllcache\esuimg.dll
2011-08-07 18:34:59 77386 ----a-w- c:\windows\system32\dllcache\el656nd5.sys
2011-08-07 18:33:46 8320 ----a-w- c:\windows\system32\dllcache\dlttape.sys
2011-08-07 18:32:55 419357 ----a-w- c:\windows\system32\dllcache\dgconfig.dll
2011-08-07 18:31:59 93952 ----a-w- c:\windows\system32\dllcache\cwcwdm.sys
2011-08-07 18:30:56 248064 ----a-w- c:\windows\system32\dllcache\cl546xm.sys
2011-08-07 18:29:59 37916 ----a-w- c:\windows\system32\dllcache\cb102.sys
2011-08-07 18:29:55 32256 ----a-w- c:\windows\system32\dllcache\diapi2NT.dll
2011-08-07 18:29:53 164923 ----a-w- c:\windows\system32\dllcache\diapi2.sys
2011-08-07 18:29:52 54528 ----a-w- c:\windows\system32\dllcache\cap7146.sys
2011-08-07 18:29:50 121856 ----a-w- c:\windows\system32\dllcache\camext30.dll
2011-08-07 18:29:46 236032 ----a-w- c:\windows\system32\dllcache\camext20.dll
2011-08-07 18:29:41 74240 ----a-w- c:\windows\system32\dllcache\camexo20.dll
2011-08-07 18:29:38 171264 ----a-w- c:\windows\system32\dllcache\camdrv30.sys
2011-08-07 18:29:37 223232 ----a-w- c:\windows\system32\dllcache\camdrv21.sys
2011-08-07 18:29:35 314752 ----a-w- c:\windows\system32\dllcache\camdro21.sys
2011-08-07 18:29:32 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2011-08-07 18:29:30 6656 ----a-w- c:\windows\system32\dllcache\c_is2022.dll
2011-08-07 18:26:57 37568 ----a-w- c:\windows\system32\dllcache\avmwan.sys
2011-08-07 18:25:53 77568 ----a-w- c:\windows\system32\dllcache\ati.sys
2011-08-07 18:25:51 96128 ----a-w- c:\windows\system32\dllcache\ati.dll
2011-08-07 18:25:49 97354 ----a-w- c:\windows\system32\dllcache\aspndis3.sys
2011-08-07 18:25:44 45056 ----a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2011-08-07 18:25:41 6272 ----a-w- c:\windows\system32\dllcache\apmbatt.sys
2011-08-07 18:25:39 36224 ----a-w- c:\windows\system32\dllcache\an983.sys
2011-08-07 18:25:35 16969 ----a-w- c:\windows\system32\dllcache\amb8002.sys
2011-08-07 18:25:33 26624 ----a-w- c:\windows\system32\dllcache\alifir.sys
2011-08-07 18:25:31 27678 ----a-w- c:\windows\system32\dllcache\ali5261.sys
2011-08-07 18:25:07 5632 ----a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2011-08-07 18:25:04 46112 ----a-w- c:\windows\system32\dllcache\adptsf50.sys
2011-08-07 18:25:02 10880 ----a-w- c:\windows\system32\dllcache\admjoy.sys
2011-08-07 18:25:00 747392 ----a-w- c:\windows\system32\dllcache\adm8830.sys
2011-08-07 16:07:33 388096 ----a-r- c:\documents and settings\patrick walsh\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-07 16:07:27 -------- d-----w- c:\program files\Trend Micro
2011-08-07 00:43:56 -------- dc----w- C:\!KillBox
2011-08-04 00:50:03 183027 ----a-w- c:\documents and settings\patrick walsh\0.5757376977861715.exe
2011-07-31 00:10:54 -------- d-----w- c:\program files\OpenXML-ODF Translator
2011-07-28 23:17:55 24376 ----a-w- c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
.
==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-02 03:34:30 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ------w- c:\windows\system32\win32k.sys
2011-05-29 15:04:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2004-01-17 13:14:10 638544 ----a-w- c:\program files\PowerCalcPowertoySetup.exe
2003-11-02 13:45:41 2470883 ----a-w- c:\program files\4301xdat.exe
2003-10-27 21:38:20 5701438 ----a-w- c:\program files\sdat4299.exe
2003-10-05 13:30:59 532616 ----a-w- c:\program files\ImageResizerPowertoySetup.exe
2003-10-04 14:07:16 5655738 ----a-w- c:\program files\sdat4296.exe
2003-07-10 06:57:43 562160 ----a-w- c:\program files\QuickTimeInstaller.exe
2003-05-11 02:31:18 8839120 ----a-w- c:\program files\AcroReader51_ENU.exe
2001-06-13 15:13:58 147521 ----a-w- c:\program files\PWSource.dll
2001-03-16 16:04:10 180224 ----a-w- c:\program files\tsenginewrapper.dll
2001-03-14 15:57:32 40960 ----a-w- c:\program files\OLTS98.EXT
2001-03-14 15:57:30 483328 ----a-w- c:\program files\OL98Source.dll
2001-03-12 17:14:12 86090 ----a-w- c:\program files\TSRecordEngine.dll
2001-03-12 17:02:20 90112 ----a-w- c:\program files\TimeZoneType.dll
2001-03-12 17:02:02 110592 ----a-w- c:\program files\ContactType.dll
2001-03-12 17:01:56 761856 ----a-w- c:\program files\TSControl.dll
2001-03-12 17:01:40 86016 ----a-w- c:\program files\TodoType.dll
2001-03-12 17:01:32 77824 ----a-w- c:\program files\MemoType.dll
2001-03-12 17:01:28 147456 ----a-w- c:\program files\CalendarType.dll
2001-03-12 16:51:26 712762 ----a-w- c:\program files\TSCore.dll
2001-01-24 15:45:00 352256 ----a-w- c:\program files\SKSource.dll
2001-01-24 15:44:14 24576 ----a-w- c:\program files\TimHook.dll
2001-01-16 14:01:12 36864 ------w- c:\program files\ISDll.dll
2000-12-04 17:31:58 49216 ----a-w- c:\program files\Truesync.exe
1999-08-30 14:47:58 34304 ------w- c:\program files\tstool.exe
.
============= FINISH: 18:32:43.59 ===============

Attached Files
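Reading the Pseudo HJT section of a DDS log by hand is the slow part of a thread like this. The script below is an added triage aid, not a DDS or BleepingComputer tool: it parses Run-key entries in that format and flags the ones whose target is a bare file name, a relative path, or sits in the legacy RunServices key, so those get verified first. The sample lines are constructed to match entries in the log above; a flag means "check this", not "this is malware".

```python
"""Triage autostart entries from a DDS 'Pseudo HJT Report' section.
Added example, not a DDS tool: a flag means 'verify this first', not 'malware'."""
import re
from dataclasses import dataclass, field

# Constructed sample in the DDS format, modelled on entries in the log above.
SAMPLE = r"""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [KITCO] c:\program files\kitco\kcast\Kcast
uRun: [LDM] \Program\BackWeb-8876480.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
"""

ENTRY_RE = re.compile(r'^(?P<hive>[um]Run(?:Services|Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$')
ABS_PATH_RE = re.compile(r'^[a-z]:\\', re.I)
# Unquoted path that may contain spaces, cut at a known executable extension.
UNQUOTED_EXE_RE = re.compile(r'^[a-z]:\\.*?\.(?:exe|dll|scr|com|cpl|bat)\b', re.I)


@dataclass
class Entry:
    hive: str     # uRun = per-user Run key, mRun = machine-wide Run key
    name: str     # registry value name
    target: str   # executable (or module) that actually runs
    reasons: list = field(default_factory=list)


def split_target(cmd: str) -> tuple:
    """Return (executable, remaining arguments) from a Run value's data."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, args follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = UNQUOTED_EXE_RE.match(cmd)
    if m:                                        # unquoted path with an extension
        return m.group(0), cmd[m.end():].strip()
    if ABS_PATH_RE.match(cmd):                   # absolute path, no extension, no args
        return cmd, ''
    exe, _, rest = cmd.partition(' ')            # bare or relative name
    return exe, rest.strip()


def parse_entry(line: str):
    """Parse one report line into an Entry, or None if it is not a Run entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    exe, args = split_target(m.group('cmd'))
    # rundll32 is only a launcher: the module it loads is the real target.
    if exe.lower().rsplit('\\', 1)[-1] == 'rundll32.exe' and args:
        exe = args.split(',', 1)[0].strip('" ')
    entry = Entry(m.group('hive'), m.group('name'), exe)
    if '\\' not in exe:
        entry.reasons.append('bare file name: resolved by search path, not pinned to a directory')
    elif not ABS_PATH_RE.match(exe):
        entry.reasons.append('relative path: depends on the current drive and directory')
    if entry.hive == 'mRunServices':
        entry.reasons.append('RunServices is a legacy autostart key; confirm what put it there')
    return entry


def suspicious_entries(report: str) -> list:
    """Entries in a report that carry at least one reason to verify them."""
    return [e for e in (parse_entry(line) for line in report.splitlines()) if e and e.reasons]


if __name__ == '__main__':
    for e in suspicious_entries(SAMPLE):
        print(f"{e.hive:13} [{e.name}] -> {e.target}")
        for r in e.reasons:
            print(f"{'':15}- {r}")
```

Run against the full Pseudo HJT section of a DDS log by piping the text into `suspicious_entries`; entries that come back clean still deserve a signature check, the script only orders the work.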



#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:45 PM

Posted 21 August 2011 - 04:17 AM

Hello, my name is Elise and I'll assist you with this issue.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 jnlvngstn

jnlvngstn
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:45 PM

Posted 21 August 2011 - 10:58 AM

I was running GMERS when I saw your post. I stopped GMERS, as it had another x hours to run. I've attached it.
I will not follow the instructions in your latest post.

thank you for taking the time to assist.

Attached Files

  • Attached File  ark.txt   91.13KB   2 downloads


#6 jnlvngstn

jnlvngstn
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:45 PM

Posted 21 August 2011 - 12:39 PM

Here's the combofix.txt log from today.
Last night, McAfee tried to update. It was not able to. I started the PC in safemode and it was successful in allowing the update. While in safemode, I caused McAfee to scan, it found nothing. I noticed the winlogon was not running away while running in safemode.
I restarted the PC as normal before running combofix.

thanks

Attached Files


Edited by jnlvngstn, 21 August 2011 - 02:03 PM.


#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:45 PM

Posted 21 August 2011 - 03:20 PM

Hi, how are things running at this point? It looks like combofix removed some legit Newsoft applications. Please let me know if you can reinstall this, or if the files need to be restored.

regards, Elise




#8 jnlvngstn

jnlvngstn
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:45 PM

Posted 21 August 2011 - 04:05 PM

The Newsoft software was from an Epson scanner. I have the original install disks, so I can reinstall it later.
Winlogon is still running from 0 to 50+ percent of CPU cycles causing the cpu to run at close to 100%.

#9 jnlvngstn

jnlvngstn
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:45 PM

Posted 21 August 2011 - 08:49 PM

I could attach a screen shot of the Windows Task Manager showing the CPU Performance History. The only cause of the high usage is the bounding winlogon process. System Idle Process and some McAfee process are using some cycles but they are the only other processes showing any activity. Problem is the file is 240kb which exceeds my upload quota. I would need to increase the global upload quota to be able to send the doc.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:45 PM

Posted 22 August 2011 - 03:46 AM

Please reboot your computer in safe mode, does the same thing happen there?

regards, Elise




#11 jnlvngstn

jnlvngstn
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:45 PM

Posted 22 August 2011 - 03:52 AM

It does not happen in safe mode.
Thanks for your time and efforts.

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:45 PM

Posted 22 August 2011 - 09:10 AM

Please do a clean boot, does it still happen? If not, re-enable programs one at a time until you pinpoint the culprit.

regards, Elise




#13 jnlvngstn

jnlvngstn
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:45 PM

Posted 22 August 2011 - 06:42 PM

I performed the clean boot.
First time, under the normal administrative account, I received a message - System Configuration, An access denied error was returned while attempting to change a service. You may need to log on using an administrative account to make the specified changes.

I then went to the control panel and created a new profile with administrative privileges. I tried to clean boot again and received the same message.

Then I started under safe mode, used the 'Administrator' profile (that is only available under safe mode) and tried clean boot again. And again I received the same message.

After making the allowable changes in system configuration utility (per clean boot instructions) and restarting the PC, the problem remains. I still have the process winlogon bounding cpu usage between 0 and 50+ causing cpu to bounce between <40 to 100%.

Thanks to you for your help with this matter.

Edited by jnlvngstn, 23 August 2011 - 03:01 AM.


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:45 PM

Posted 23 August 2011 - 05:35 AM

Hi again, did it mention what service this concerned?

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

regards, Elise




#15 jnlvngstn

jnlvngstn
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:45 PM

Posted 23 August 2011 - 08:11 PM

It did not mention which service it concerned. When under safe mode it stopped every one of the services listed.
I will run the program offered as directed.
Thank you



