cpu usage high without obvious reason


This topic is locked. 17 replies to this topic.

#1 newton77 (Members, 9 posts)

Posted 02 October 2011 - 10:54 AM

Task Manager "CPU usage" sometimes shows as high as 60 - 70% when individual task CPUs don't add up (System Idle Process CPU shows >90 at the same time). Sounds, such as Windows startup, stutter and take longer than usual to play. Scans with Avast and Malwarebytes turn up nothing. Also getting occasional blue-screen crashes.

DDS log files attached - After saving the attach.txt file, I tried to save it again with a different name. Seemed to save, but the newly saved file wasn't visible in Windows Explorer. I made a copy of attach.txt in the same folder (named Copy of attach.txt). Then I renamed attach.txt to attach2.txt - now I can't see attach.txt or attach2.txt. Do I have malware that's attacking the attach.txt file from DDS?

Please advise. Thanks!


#2 nasdaq (Malware Response Team, 40,517 posts; Montreal, QC, Canada)

Posted 07 October 2011 - 09:26 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Download aswMBR.exe (511 KB) from http://public.avast.com/~gmerek/aswMBR.exe to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the system drive (usually C:\) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

+++++++

Please post the logs.

Wait for further instructions.
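
As an added illustration of what the aswMBR step above produces (example code written for this edit; it is not part of nasdaq's instructions nor of the aswMBR or TDSSKiller tools): MBR.dat is the raw 512-byte master boot record that aswMBR saves to the desktop. The script below parses such an image, verifies the 55 AA boot signature, lists the partition-table entries and hashes the first 0x1B8 (440) bytes of boot code. That TDSSKiller's "MBR (0x1B8) (<md5>)" log line is an MD5 over exactly those 440 bytes is my assumption, not something the thread states; the sample image is constructed and is not the poster's MBR.dat.

```python
"""Parse and sanity-check a raw 512-byte MBR image such as aswMBR's MBR.dat.

Added example for this thread; not part of aswMBR or TDSSKiller.
"""
import hashlib
import struct
import sys
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 0x1B8      # 440 bytes of boot code precede the disk signature
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries start here
SIG_OFF = 0x1FE            # bytes 55 AA, read little-endian as 0xAA55
BOOT_SIGNATURE = 0xAA55


def parse_mbr(mbr: bytes) -> Dict:
    """Return signature status, boot-code MD5 and the non-empty partition entries."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError(f"MBR image is {len(mbr)} bytes, expected {SECTOR_SIZE}")
    sig = struct.unpack_from("<H", mbr, SIG_OFF)[0]
    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, off
        )
        if ptype == 0:         # partition type 0 marks an unused slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": sig == BOOT_SIGNATURE,
        # Assumption: TDSSKiller's "MBR (0x1B8)" value is an MD5 over these 440 bytes.
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, disk_sectors: int = 0) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55 AA missing: not a valid MBR or the sector is corrupt")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected exactly 1)")
    for p in info["partitions"]:
        if disk_sectors and p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past end of disk")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed image with one bootable NTFS partition at LBA 63; not the poster's MBR.dat."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOT_CODE_LEN - 7)
    disk_signature = b"\x12\x34\x56\x78" + b"\x00\x00"
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 312062562)
    empty_entries = b"\x00" * 16 * 3
    return boot_code + disk_signature + ntfs + empty_entries + b"\x55\xaa"


if __name__ == "__main__":
    # Usage: python mbr_check.py MBR.dat   (falls back to the constructed sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    details = parse_mbr(image)
    print(f"boot signature ok: {details['signature_ok']}")
    print(f"boot code MD5 (first 0x1B8 bytes): {details['boot_code_md5']}")
    for p in details["partitions"]:
        print(f"  partition {p['index']}: type 0x{p['type']:02x} bootable={p['bootable']} "
              f"start LBA {p['lba_start']} sectors {p['sectors']}")
    for finding in check_mbr(image):
        print("WARNING:", finding)
```

Run it against the unzipped MBR.dat to see the partition layout behind aswMBR's "Windows XP default MBR code" verdict; a missing boot signature, more than one bootable flag, or a partition that runs past the end of the disk are the cheap checks worth doing before handing the file to anyone.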

#3 newton77 (Topic Starter; Members, 9 posts)

Posted 07 October 2011 - 04:06 PM

MBR log:
aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-07 16:21:37
-----------------------------
16:21:37.680 OS Version: Windows 5.1.2600 Service Pack 3
16:21:37.680 Number of processors: 2 586 0xF06
16:21:37.680 ComputerName: THETOSHIBA UserName: Marc
16:22:16.789 Initialize success
16:22:19.758 AVAST engine defs: 11100700
16:22:38.695 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:22:38.695 Disk 0 Vendor: FUJITSU_MHV2160BT_PL 00000050 Size: 152627MB BusType: 3
16:22:38.758 Disk 0 MBR read successfully
16:22:38.758 Disk 0 MBR scan
16:22:38.898 Disk 0 Windows XP default MBR code
16:22:38.945 Disk 0 scanning sectors +312062625
16:22:39.476 Disk 0 scanning C:\WINDOWS\system32\drivers
16:24:47.117 Service scanning
16:24:55.258 Modules scanning
16:26:57.726 Disk 0 trace - called modules:
16:26:57.742 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
16:26:57.758 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8732dab8]
16:26:57.758 3 CLASSPNP.SYS[f779efd7] -> nt!IofCallDriver -> \Device\00000089[0x873303b8]
16:26:57.758 5 ACPI.sys[f76f5620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87364d98]
16:27:28.336 AVAST engine scan C:\WINDOWS
16:28:34.820 AVAST engine scan C:\WINDOWS\system32
16:34:27.258 AVAST engine scan C:\WINDOWS\system32\drivers
16:34:59.711 AVAST engine scan C:\Documents and Settings\Marc
16:46:44.976 AVAST engine scan C:\Documents and Settings\All Users
16:52:14.726 Scan finished successfully
16:53:46.195 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Marc\Desktop\MBR.dat"
16:53:46.211 The log file has been saved successfully to "C:\Documents and Settings\Marc\Desktop\axsxwxMxBxR.txt"


tdss report:
16:55:06.0445 2708 TDSS rootkit removing tool 2.6.6.0 Oct 7 2011 12:45:24
16:55:08.0242 2708 ============================================================
16:55:08.0242 2708 Current date / time: 2011/10/07 16:55:08.0242
16:55:08.0242 2708 SystemInfo:
16:55:08.0242 2708
16:55:08.0242 2708 OS Version: 5.1.2600 ServicePack: 3.0
16:55:08.0242 2708 Product type: Workstation
16:55:08.0242 2708 ComputerName: THETOSHIBA
16:55:08.0242 2708 UserName: Marc
16:55:08.0242 2708 Windows directory: C:\WINDOWS
16:55:08.0242 2708 System windows directory: C:\WINDOWS
16:55:08.0242 2708 Processor architecture: Intel x86
16:55:08.0242 2708 Number of processors: 2
16:55:08.0242 2708 Page size: 0x1000
16:55:08.0242 2708 Boot type: Normal boot
16:55:08.0242 2708 ============================================================
16:55:11.0508 2708 Initialize success
16:55:27.0914 2352 ============================================================
16:55:27.0914 2352 Scan started
16:55:27.0914 2352 Mode: Manual;
16:55:27.0914 2352 ============================================================
16:55:29.0930 2352 284bB7 - ok
16:55:30.0851 2352 Aavmker4 (95d1de2a6613494e853a9738d5d9acd4) C:\WINDOWS\system32\drivers\Aavmker4.sys
16:55:30.0945 2352 Aavmker4 - ok
16:55:31.0789 2352 Abiosdsk - ok
16:55:32.0539 2352 abp480n5 - ok
16:55:33.0695 2352 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:55:33.0930 2352 ACPI - ok
16:55:34.0945 2352 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
16:55:34.0961 2352 ACPIEC - ok
16:55:35.0555 2352 adpu160m - ok
16:55:36.0476 2352 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
16:55:36.0555 2352 aec - ok
16:55:37.0039 2352 AegisP (12dafd934641dcf61e446313bc261ec2) C:\WINDOWS\system32\DRIVERS\AegisP.sys
16:55:37.0055 2352 AegisP - ok
16:55:37.0680 2352 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
16:55:37.0742 2352 AFD - ok
16:55:38.0820 2352 AgereSoftModem (b3192376c7a3814b5341efc2202022f8) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
16:55:39.0414 2352 AgereSoftModem - ok
16:55:40.0008 2352 Aha154x - ok
16:55:40.0742 2352 aic78u2 - ok
16:55:41.0539 2352 aic78xx - ok
16:55:42.0445 2352 AliIde - ok
16:55:43.0726 2352 amsint - ok
16:55:44.0539 2352 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
16:55:44.0570 2352 Arp1394 - ok
16:55:45.0008 2352 asc - ok
16:55:45.0445 2352 asc3350p - ok
16:55:46.0023 2352 asc3550 - ok
16:55:46.0601 2352 aswFsBlk (c47623ffd181a1e7d63574dde2a0a711) C:\WINDOWS\system32\drivers\aswFsBlk.sys
16:55:46.0617 2352 aswFsBlk - ok
16:55:47.0117 2352 aswMon2 (fff2dbb17a3c89f87f78d5fa72ca47fd) C:\WINDOWS\system32\drivers\aswMon2.sys
16:55:47.0164 2352 aswMon2 - ok
16:55:47.0648 2352 aswRdr (36239e24470a3dd81fae37510953cc6c) C:\WINDOWS\system32\drivers\aswRdr.sys
16:55:47.0664 2352 aswRdr - ok
16:55:48.0476 2352 aswSnx (caa846e9c83836bdc3d2d700c678db65) C:\WINDOWS\system32\drivers\aswSnx.sys
16:55:48.0711 2352 aswSnx - ok
16:55:49.0336 2352 aswSP (748ae7f2d7da33adb063fe05704a9969) C:\WINDOWS\system32\drivers\aswSP.sys
16:55:49.0523 2352 aswSP - ok
16:55:50.0023 2352 aswTdi (ca9925ce1dbd07ffe1eb357752cf5577) C:\WINDOWS\system32\drivers\aswTdi.sys
16:55:50.0055 2352 aswTdi - ok
16:55:50.0617 2352 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:55:50.0633 2352 AsyncMac - ok
16:55:51.0148 2352 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
16:55:51.0164 2352 atapi - ok
16:55:51.0570 2352 Atdisk - ok
16:55:52.0039 2352 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:55:52.0070 2352 Atmarpc - ok
16:55:52.0570 2352 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:55:52.0570 2352 audstub - ok
16:55:53.0086 2352 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:55:53.0086 2352 Beep - ok
16:55:53.0273 2352 catchme - ok
16:55:53.0742 2352 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:55:53.0758 2352 cbidf2k - ok
16:55:54.0226 2352 cd20xrnt - ok
16:55:54.0726 2352 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:55:54.0726 2352 Cdaudio - ok
16:55:55.0242 2352 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
16:55:55.0273 2352 Cdfs - ok
16:55:55.0726 2352 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:55:55.0758 2352 Cdrom - ok
16:55:56.0195 2352 Changer - ok
16:55:56.0680 2352 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
16:55:56.0680 2352 CmBatt - ok
16:55:57.0164 2352 CmdIde - ok
16:55:57.0648 2352 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
16:55:57.0648 2352 Compbatt - ok
16:55:58.0070 2352 Control - ok
16:55:58.0523 2352 Cpqarray - ok
16:55:58.0664 2352 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
16:55:58.0680 2352 cpudrv - ok
16:55:59.0148 2352 dac2w2k - ok
16:55:59.0617 2352 dac960nt - ok
16:56:00.0117 2352 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
16:56:00.0133 2352 Disk - ok
16:56:00.0586 2352 DLABOIOM (ee4325becef51b8c32b4329097e4f301) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
16:56:00.0601 2352 DLABOIOM - ok
16:56:01.0023 2352 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
16:56:01.0023 2352 DLACDBHM - ok
16:56:01.0445 2352 DLADResN (1e6c6597833a04c2157be7b39ea92ce1) C:\WINDOWS\system32\DLA\DLADResN.SYS
16:56:01.0445 2352 DLADResN - ok
16:56:01.0898 2352 DLAIFS_M (752376e109a090970bfa9722f0f40b03) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
16:56:01.0945 2352 DLAIFS_M - ok
16:56:02.0398 2352 DLAOPIOM (62ee7902e74b90bf1ccc4643fc6c07a7) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
16:56:02.0414 2352 DLAOPIOM - ok
16:56:02.0789 2352 DLAPoolM (5c220124c5afeaee84a9bb89d685c17b) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
16:56:02.0789 2352 DLAPoolM - ok
16:56:03.0258 2352 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
16:56:03.0273 2352 DLARTL_N - ok
16:56:03.0805 2352 DLAUDFAM (4ebb78d9bbf072119363b35b9b3e518f) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
16:56:03.0851 2352 DLAUDFAM - ok
16:56:04.0289 2352 DLAUDF_M (333b770e52d2cea7bd86391120466e43) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
16:56:04.0336 2352 DLAUDF_M - ok
16:56:05.0211 2352 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
16:56:05.0680 2352 dmboot - ok
16:56:06.0320 2352 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
16:56:06.0398 2352 dmio - ok
16:56:06.0805 2352 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:56:06.0805 2352 dmload - ok
16:56:07.0258 2352 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
16:56:07.0289 2352 DMusic - ok
16:56:07.0695 2352 dpti2o - ok
16:56:08.0101 2352 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
16:56:08.0101 2352 drmkaud - ok
16:56:08.0555 2352 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
16:56:08.0601 2352 DRVMCDB - ok
16:56:09.0039 2352 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
16:56:09.0070 2352 DRVNDDM - ok
16:56:09.0617 2352 E100B (2646883e6dd867cd872d5b51b6036710) C:\WINDOWS\system32\DRIVERS\e100b325.sys
16:56:09.0711 2352 E100B - ok
16:56:10.0211 2352 e1express (e1fa10ed8f9f700c1be1eae05a80ef57) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
16:56:10.0305 2352 e1express - ok
16:56:10.0867 2352 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
16:56:10.0945 2352 Fastfat - ok
16:56:11.0476 2352 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
16:56:11.0492 2352 Fdc - ok
16:56:11.0961 2352 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
16:56:11.0992 2352 Fips - ok
16:56:12.0430 2352 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
16:56:12.0445 2352 Flpydisk - ok
16:56:12.0992 2352 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
16:56:13.0055 2352 FltMgr - ok
16:56:13.0476 2352 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:56:13.0476 2352 Fs_Rec - ok
16:56:14.0055 2352 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:56:14.0117 2352 Ftdisk - ok
16:56:14.0617 2352 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:56:14.0633 2352 Gpc - ok
16:56:15.0148 2352 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
16:56:15.0226 2352 HDAudBus - ok
16:56:15.0695 2352 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:56:15.0695 2352 HidUsb - ok
16:56:16.0164 2352 hpn - ok
16:56:16.0773 2352 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
16:56:16.0914 2352 HTTP - ok
16:56:17.0351 2352 i2omgmt - ok
16:56:17.0773 2352 i2omp - ok
16:56:18.0320 2352 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:56:18.0351 2352 i8042prt - ok
16:56:21.0867 2352 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
16:56:24.0820 2352 ialm - ok
16:56:25.0289 2352 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:56:25.0320 2352 Imapi - ok
16:56:25.0758 2352 ini910u - ok
16:56:28.0367 2352 IntcAzAudAddService (7c09d605fcae64e3cb11ebf90fb1e3a1) C:\WINDOWS\system32\drivers\RtkHDAud.sys
16:56:30.0539 2352 IntcAzAudAddService - ok
16:56:31.0039 2352 IntelIde - ok
16:56:31.0570 2352 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:56:31.0586 2352 intelppm - ok
16:56:31.0601 2352 IO_Memory - ok
16:56:32.0055 2352 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
16:56:32.0070 2352 Ip6Fw - ok
16:56:32.0508 2352 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:56:32.0523 2352 IpFilterDriver - ok
16:56:32.0961 2352 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:56:32.0976 2352 IpInIp - ok
16:56:33.0492 2352 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:56:33.0570 2352 IpNat - ok
16:56:34.0101 2352 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:56:34.0133 2352 IPSec - ok
16:56:34.0648 2352 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:56:34.0664 2352 IRENUM - ok
16:56:35.0133 2352 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:56:35.0164 2352 isapnp - ok
16:56:35.0617 2352 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
16:56:35.0633 2352 Iviaspi - ok
16:56:36.0117 2352 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:56:36.0133 2352 Kbdclass - ok
16:56:36.0711 2352 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
16:56:36.0789 2352 kmixer - ok
16:56:37.0336 2352 KR10N (00c1ea8decf810b8eccb5c5a8186a96e) C:\WINDOWS\system32\drivers\KR10N.sys
16:56:37.0445 2352 KR10N - ok
16:56:37.0930 2352 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
16:56:37.0976 2352 KSecDD - ok
16:56:38.0430 2352 lbrtfdc - ok
16:56:38.0898 2352 meiudf (7efac183a25b30fb5d64cc9d484b1eb6) C:\WINDOWS\system32\Drivers\meiudf.sys
16:56:38.0945 2352 meiudf - ok
16:56:39.0383 2352 MEMSWEEP2 - ok
16:56:39.0883 2352 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
16:56:39.0883 2352 MHNDRV - ok
16:56:40.0320 2352 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:56:40.0320 2352 mnmdd - ok
16:56:40.0773 2352 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
16:56:40.0789 2352 Modem - ok
16:56:41.0289 2352 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:56:41.0305 2352 Mouclass - ok
16:56:41.0805 2352 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:56:41.0820 2352 mouhid - ok
16:56:42.0305 2352 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
16:56:42.0336 2352 MountMgr - ok
16:56:42.0726 2352 mraid35x - ok
16:56:43.0226 2352 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:56:43.0305 2352 MRxDAV - ok
16:56:44.0008 2352 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:56:44.0242 2352 MRxSmb - ok
16:56:44.0758 2352 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
16:56:44.0773 2352 Msfs - ok
16:56:45.0211 2352 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:56:45.0226 2352 MSKSSRV - ok
16:56:45.0648 2352 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:56:45.0648 2352 MSPCLOCK - ok
16:56:46.0117 2352 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
16:56:46.0117 2352 MSPQM - ok
16:56:46.0555 2352 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:56:46.0570 2352 mssmbios - ok
16:56:47.0086 2352 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
16:56:47.0133 2352 Mup - ok
16:56:47.0742 2352 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
16:56:47.0820 2352 NDIS - ok
16:56:48.0320 2352 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:56:48.0336 2352 NdisTapi - ok
16:56:48.0805 2352 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:56:48.0805 2352 Ndisuio - ok
16:56:49.0273 2352 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:56:49.0320 2352 NdisWan - ok
16:56:49.0867 2352 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
16:56:49.0883 2352 NDProxy - ok
16:56:50.0430 2352 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:56:50.0445 2352 NetBIOS - ok
16:56:50.0961 2352 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
16:56:51.0055 2352 NetBT - ok
16:56:51.0523 2352 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
16:56:51.0539 2352 Netdevio - ok
16:56:52.0008 2352 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
16:56:52.0055 2352 NIC1394 - ok
16:56:52.0476 2352 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
16:56:52.0492 2352 Npfs - ok
16:56:53.0226 2352 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
16:56:53.0523 2352 Ntfs - ok
16:56:54.0055 2352 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:56:54.0070 2352 Null - ok
16:56:54.0523 2352 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:56:54.0523 2352 NwlnkFlt - ok
16:56:55.0023 2352 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:56:55.0039 2352 NwlnkFwd - ok
16:56:55.0539 2352 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
16:56:55.0586 2352 ohci1394 - ok
16:56:56.0101 2352 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
16:56:56.0133 2352 Parport - ok
16:56:56.0648 2352 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
16:56:56.0648 2352 PartMgr - ok
16:56:57.0117 2352 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:56:57.0133 2352 ParVdm - ok
16:56:57.0586 2352 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
16:56:57.0617 2352 PCI - ok
16:56:58.0039 2352 PCIDump - ok
16:56:58.0445 2352 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:56:58.0461 2352 PCIIde - ok
16:56:58.0992 2352 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
16:56:59.0039 2352 Pcmcia - ok
16:56:59.0476 2352 PDCOMP - ok
16:56:59.0930 2352 PDFRAME - ok
16:57:00.0430 2352 PDRELI - ok
16:57:00.0867 2352 PDRFRAME - ok
16:57:01.0305 2352 perc2 - ok
16:57:01.0695 2352 perc2hib - ok
16:57:02.0180 2352 Pfc (ed2e7f396b4098608c95bc3806bdf6fc) C:\WINDOWS\system32\drivers\pfc.sys
16:57:02.0195 2352 Pfc - ok
16:57:02.0695 2352 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:57:02.0726 2352 PptpMiniport - ok
16:57:03.0273 2352 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
16:57:03.0320 2352 PSched - ok
16:57:03.0742 2352 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:57:03.0758 2352 Ptilink - ok
16:57:04.0180 2352 PxHelp20 - ok
16:57:04.0601 2352 ql1080 - ok
16:57:05.0023 2352 Ql10wnt - ok
16:57:05.0476 2352 ql12160 - ok
16:57:05.0867 2352 ql1240 - ok
16:57:06.0289 2352 ql1280 - ok
16:57:06.0836 2352 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:57:06.0851 2352 RasAcd - ok
16:57:07.0351 2352 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:57:07.0383 2352 Rasl2tp - ok
16:57:07.0836 2352 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:57:07.0851 2352 RasPppoe - ok
16:57:08.0289 2352 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:57:08.0305 2352 Raspti - ok
16:57:08.0836 2352 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:57:08.0930 2352 Rdbss - ok
16:57:09.0492 2352 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:57:09.0508 2352 RDPCDD - ok
16:57:10.0055 2352 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:57:10.0180 2352 rdpdr - ok
16:57:10.0945 2352 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
16:57:11.0008 2352 RDPWD - ok
16:57:11.0695 2352 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:57:11.0726 2352 redbook - ok
16:57:12.0523 2352 s24trans (1cc074e0d48383d4e9bffc6a26c2a58a) C:\WINDOWS\system32\DRIVERS\s24trans.sys
16:57:12.0523 2352 s24trans - ok
16:57:12.0601 2352 SASKUTIL - ok
16:57:13.0148 2352 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
16:57:13.0195 2352 sdbus - ok
16:57:13.0851 2352 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:57:13.0867 2352 Secdrv - ok
16:57:14.0664 2352 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
16:57:14.0695 2352 Serial - ok
16:57:15.0195 2352 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
16:57:15.0226 2352 sffdisk - ok
16:57:15.0883 2352 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
16:57:15.0898 2352 sffp_sd - ok
16:57:16.0539 2352 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
16:57:16.0539 2352 Sfloppy - ok
16:57:17.0070 2352 Simbad - ok
16:57:17.0695 2352 Sparrow - ok
16:57:18.0195 2352 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
16:57:18.0195 2352 splitter - ok
16:57:18.0867 2352 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
16:57:18.0914 2352 sr - ok
16:57:19.0586 2352 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
16:57:19.0773 2352 Srv - ok
16:57:19.0945 2352 SVRPEDRV (18c4e959d091e42a92721b6b8987b936) C:\DOCUME~1\Linda\LOCALS~1\Temp\RarSFX0\S10VWF\PEDrv.sys
16:57:19.0961 2352 SVRPEDRV - ok
16:57:20.0539 2352 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:57:20.0539 2352 swenum - ok
16:57:21.0039 2352 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
16:57:21.0070 2352 swmidi - ok
16:57:21.0508 2352 symc810 - ok
16:57:21.0898 2352 symc8xx - ok
16:57:22.0351 2352 sym_hi - ok
16:57:22.0789 2352 sym_u3 - ok
16:57:23.0445 2352 SynTP (e295fffff3aaf9a6a40b29497901908f) C:\WINDOWS\system32\DRIVERS\SynTP.sys
16:57:23.0539 2352 SynTP - ok
16:57:24.0055 2352 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
16:57:24.0086 2352 sysaudio - ok
16:57:24.0555 2352 tbiosdrv (7147b0575bcc93a6ab7d5c90f47c0b9f) C:\WINDOWS\system32\DRIVERS\tbiosdrv.sys
16:57:24.0555 2352 tbiosdrv - ok
16:57:25.0195 2352 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:57:25.0383 2352 Tcpip - ok
16:57:25.0992 2352 TcUsb (fc6fe02f400308606a911640e72326b5) C:\WINDOWS\system32\Drivers\tcusb.sys
16:57:26.0008 2352 TcUsb - ok
16:57:26.0508 2352 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:57:26.0523 2352 TDPIPE - ok
16:57:26.0961 2352 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
16:57:26.0976 2352 TDTCP - ok
16:57:27.0430 2352 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:57:27.0445 2352 TermDD - ok
16:57:27.0976 2352 tifm21 (244cfbffdefb77f3df571a8cd108fc06) C:\WINDOWS\system32\drivers\tifm21.sys
16:57:28.0055 2352 tifm21 - ok
16:57:28.0586 2352 TosIde - ok
16:57:29.0023 2352 tosrfec (cc069342ee0eae55b32a0ae99cf6185c) C:\WINDOWS\system32\DRIVERS\tosrfec.sys
16:57:29.0039 2352 tosrfec - ok
16:57:29.0461 2352 TVALD (676db15ddf2e0ff6ec03068dea428b8b) C:\WINDOWS\system32\DRIVERS\NBSMI.sys
16:57:29.0461 2352 TVALD - ok
16:57:29.0945 2352 Tvs (cc6763889198ef975b143d49789bcfa9) C:\WINDOWS\system32\DRIVERS\Tvs.sys
16:57:29.0976 2352 Tvs - ok
16:57:30.0476 2352 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
16:57:30.0508 2352 Udfs - ok
16:57:31.0070 2352 ultra - ok
16:57:31.0742 2352 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
16:57:31.0945 2352 Update - ok
16:57:32.0398 2352 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
16:57:32.0414 2352 usbccgp - ok
16:57:32.0883 2352 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:57:32.0898 2352 usbehci - ok
16:57:33.0508 2352 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:57:33.0555 2352 usbhub - ok
16:57:34.0039 2352 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
16:57:34.0055 2352 usbprint - ok
16:57:34.0476 2352 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
16:57:34.0492 2352 usbscan - ok
16:57:34.0914 2352 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:57:34.0914 2352 USBSTOR - ok
16:57:35.0367 2352 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:57:35.0367 2352 usbuhci - ok
16:57:35.0820 2352 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
16:57:35.0836 2352 VgaSave - ok
16:57:36.0367 2352 ViaIde - ok
16:57:36.0867 2352 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
16:57:36.0898 2352 VolSnap - ok
16:57:38.0101 2352 w39n51 (b1f126e7e28877106d60e6ff3998d033) C:\WINDOWS\system32\DRIVERS\w39n51.sys
16:57:38.0836 2352 w39n51 - ok
16:57:39.0305 2352 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:57:39.0320 2352 Wanarp - ok
16:57:39.0898 2352 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
16:57:39.0914 2352 wanatw - ok
16:57:40.0336 2352 WDICA - ok
16:57:40.0898 2352 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
16:57:40.0930 2352 wdmaud - ok
16:57:41.0445 2352 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
16:57:41.0476 2352 WpdUsb - ok
16:57:42.0039 2352 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
16:57:42.0039 2352 WS2IFSL - ok
16:57:42.0617 2352 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
16:57:42.0664 2352 WudfPf - ok
16:57:43.0133 2352 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
16:57:43.0180 2352 WudfRd - ok
16:57:43.0648 2352 牉⁰듘虜에虜 - ok
16:57:43.0680 2352 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
16:57:43.0961 2352 \Device\Harddisk0\DR0 - ok
16:57:43.0961 2352 Boot (0x1200) (972e992c2dcab39b155e153ad65ea7de) \Device\Harddisk0\DR0\Partition0
16:57:43.0961 2352 \Device\Harddisk0\DR0\Partition0 - ok
16:57:43.0961 2352 ============================================================
16:57:43.0961 2352 Scan finished
16:57:43.0961 2352 ============================================================
16:57:43.0976 2660 Detected object count: 0
16:57:43.0976 2660 Actual detected object count: 0

MBR.zip attached -
thanks

Attached file: MBR.zip (499 bytes)
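
A TDSSKiller listing like the one above is several hundred lines of driver name, MD5 and image path, and the items a responder actually reads are the ones loaded from somewhere other than the system directory. The script below is an added example for this edit (not part of TDSSKiller and not nasdaq's procedure): it parses the hashed-driver lines and flags entries outside %SystemRoot%\system32, with a separate reason for anything under a user profile or Temp directory. The four sample lines are copied from the log posted above; the path heuristic is mine and marks entries for review, it does not say a driver is malicious.

```python
"""Triage a TDSSKiller driver listing by image path.

Added example for this thread; not part of TDSSKiller.  The heuristic (flag anything
outside %SystemRoot%\\system32, and anything under a user profile or Temp directory)
is an analyst's first pass, not a verdict.
"""
import re
import sys
from typing import List, NamedTuple, Tuple

# Shape of the lines TDSSKiller writes for each driver it hashed:
#   HH:MM:SS.ffff <thread> <service name> (<md5>) <image path>
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"    # timestamp and thread id
    r"(?P<name>\S+)\s+"                    # service / driver name
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"     # MD5 of the image on disk
    r"(?P<path>.+?)\s*$"                   # full image path
)

# Locations that deserve a close look regardless of anything else (heuristic).
USER_PROFILE_RE = re.compile(r"\\temp\\|\\docume~1\\|\\documents and settings\\|\\users\\")
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


class Driver(NamedTuple):
    name: str
    md5: str
    path: str


def parse_log(text: str) -> List[Driver]:
    """Extract (name, md5, path) from every hashed-driver line; '- ok' lines are skipped."""
    drivers = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            drivers.append(Driver(m["name"], m["md5"].lower(), m["path"]))
    return drivers


def triage(drivers: List[Driver]) -> List[Tuple[Driver, str]]:
    """Return (driver, reason) for each entry worth a second look, in log order."""
    findings = []
    for d in drivers:
        p = d.path.lower()
        if USER_PROFILE_RE.search(p):
            findings.append((d, "kernel driver loaded from a user profile or Temp directory"))
        elif not p.startswith(SYSTEM32_PREFIX):
            findings.append((d, "driver image outside %SystemRoot%\\system32"))
    return findings


# Five lines copied from the TDSSKiller log posted above (not constructed).
SAMPLE_LOG = """\
16:55:30.0851 2352 Aavmker4 (95d1de2a6613494e853a9738d5d9acd4) C:\\WINDOWS\\system32\\drivers\\Aavmker4.sys
16:55:30.0945 2352 Aavmker4 - ok
16:55:58.0664 2352 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\\Program Files\\SystemRequirementsLab\\cpudrv.sys
16:56:00.0586 2352 DLABOIOM (ee4325becef51b8c32b4329097e4f301) C:\\WINDOWS\\system32\\DLA\\DLABOIOM.SYS
16:57:19.0945 2352 SVRPEDRV (18c4e959d091e42a92721b6b8987b936) C:\\DOCUME~1\\Linda\\LOCALS~1\\Temp\\RarSFX0\\S10VWF\\PEDrv.sys
"""

if __name__ == "__main__":
    # Usage: python tdss_triage.py TDSSKiller.<version>_<date>_<time>_log.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    found = parse_log(text)
    print(f"{len(found)} hashed drivers parsed")
    for d, why in triage(found):
        print(f"REVIEW  {d.name:<12} {d.md5}  {d.path}\n        {why}")
```

The MD5 in each flagged line is what you would look up against a file-reputation service or the vendor's published hashes before deciding anything; the path alone only tells you where to look first.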


#4 nasdaq (Malware Response Team, 40,517 posts; Montreal, QC, Canada)

Posted 08 October 2011 - 06:12 AM

You are clear to run this program.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall
===

Third party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know if the problem persists.

#5 newton77

newton77
  • Topic Starter

  • Members
  • 9 posts

Posted 08 October 2011 - 09:39 PM

Combofix text log:

ComboFix 11-10-08.03 - Marc 10/08/2011 15:12:16.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.381 [GMT -4:00]
Running from: c:\documents and settings\Marc\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Linda\WINDOWS
c:\documents and settings\Marc\Favorites\ehthumbs.db
c:\documents and settings\Marc\g2mdlhlpx.exe
c:\documents and settings\Marc\WINDOWS
c:\documents and settings\Marc\WINDOWS\ehthumbs.db
c:\documents and settings\Marc\WINDOWS\system\ehthumbs.db
c:\documents and settings\zGuest\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\d3d9caps.dat
c:\windows\system32\marcinit.exe
c:\windows\system32\tmp.reg
c:\windows\system32\userinit.exe.exe
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-09-08 to 2011-10-08 )))))))))))))))))))))))))))))))
.
.
2011-10-08 19:11 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\userinit.exe
2011-10-02 16:22 . 2011-10-02 16:22 -------- d-----w- C:\PsTools
2011-10-02 14:30 . 2011-10-02 14:30 773080 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-10-01 17:46 . 2011-10-01 17:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-10-01 17:20 . 2011-10-01 17:20 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-10-01 17:20 . 2011-10-01 17:20 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-10-01 17:19 . 2011-10-01 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-09-29 20:42 . 2011-09-29 20:42 65536 ----a-r- c:\documents and settings\Marc\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2011-09-29 20:42 . 2011-09-29 20:42 65536 ----a-r- c:\documents and settings\Marc\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2011-09-29 20:42 . 2011-09-29 20:42 65536 ----a-r- c:\documents and settings\Marc\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\ARPPRODUCTICON.exe
2011-09-24 16:32 . 2011-09-24 17:56 -------- d-----w- c:\windows\system32\NtmsData
2011-09-24 16:12 . 2011-09-24 16:12 388096 ------r- c:\documents and settings\Marc\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-19 21:56 . 2011-09-29 20:41 -------- d-----w- c:\program files\Sophos
2011-09-15 02:21 . 2006-03-18 00:39 147456 ----a-w- c:\program files\Mozilla Firefox\NTBR_CD\BurnCDCC.exe
2011-09-13 01:25 . 2011-09-13 01:25 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2011-09-11 23:47 . 2011-09-11 23:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-09-10 15:45 . 2011-09-10 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-02 16:18 . 2011-10-02 16:18 1683473 ----a-w- C:\PsTools.zip
2011-09-10 15:45 . 2011-05-18 02:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2006-02-15 14:02 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 20:45 . 2010-07-04 15:35 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:45 . 2010-02-03 03:12 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-06 20:38 . 2011-05-14 14:22 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:37 . 2010-02-03 03:13 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-06 20:36 . 2010-02-03 03:13 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-06 20:36 . 2010-02-03 03:13 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-06 20:36 . 2010-02-03 03:13 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-09-06 20:36 . 2010-02-03 03:13 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-09-06 20:36 . 2010-02-03 03:13 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-06 20:33 . 2010-02-03 03:13 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-31 21:00 . 2010-01-24 21:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29 . 2006-02-15 14:03 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-10-02 14:31 . 2011-10-02 14:31 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 16206848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-07-23 231888]
.
c:\documents and settings\Linda\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\?°????]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 14:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2005-10-06 13:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-01-24 17:21 135664 -----tw- c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HijackThis startup scan]
2010-03-25 22:42 388096 ----a-w- c:\program files\hijackthis\Trend Micro\HiJackThis\HiJackThis.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 14:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2008-04-14 00:12 169984 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
2009-12-13 23:05 79872 ------w- c:\documents and settings\Marc\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-12-29 21:34 274608 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 00:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 14:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"IntuitUpdateService"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"EPSON_PM_RPCV4_01"=2 (0x2)
"CFSvcs"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/14/2011 10:22 AM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/2/2010 11:13 PM 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/2/2010 11:13 PM 20568]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/19/2008 05:44 PM 24652]
S1 284bB7;284bB7;\??\c:\windows\system32\drivers\284bB7.sys --> c:\windows\system32\drivers\284bB7.sys [?]
S1 Control;Control;\??\c:\windows\system32\drivers\SYSTEM\ControlSet003\Control.sys --> c:\windows\system32\drivers\SYSTEM\ControlSet003\Control.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 12:58 PM 11336]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2.tmp --> c:\windows\system32\2.tmp [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\docume~1\Linda\LOCALS~1\Temp\RarSFX0\S10VWF\PEDrv.sys --> c:\docume~1\Linda\LOCALS~1\Temp\RarSFX0\S10VWF\PEDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-190162279-3972189771-1940070945-1005Core1cc2447232c3c22.job
- c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-24 17:21]
.
2011-10-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-190162279-3972189771-1940070945-1005UA.job
- c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-24 17:21]
.
2011-10-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-10-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-190162279-3972189771-1940070945-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-10-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-10-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-190162279-3972189771-1940070945-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.myway.com/
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Marc\Application Data\Mozilla\Firefox\Profiles\m8j2vx2k.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-DW6 - (no file)
SafeBoot-284bB7
SafeBoot-Control
SafeBoot-?°????
MSConfigStartUp-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsGui.exe
MSConfigStartUp-PCTools FGuard - c:\program files\Spyware Doctor\BDT\FGuard.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-08 15:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\2.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(748)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Adobe\Reader 9.0\Reader\viewerps.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\TPSMain.exe
c:\windows\RTHDCPL.EXE
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2011-10-08 21:17:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-09 01:17
ComboFix2.txt 2010-01-11 21:29
.
Pre-Run: 116,304,453,632 bytes free
Post-Run: 116,476,424,192 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 577D6D11964F5450F0C79F5FD9DC2F3C


Checkup log:

Results of screen317's Security Check version 0.99.22
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
Antivirus out of date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 21
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Out of date Java installed!
Flash Player Out of Date!
Adobe Flash Player 10.3.183.7
Mozilla Thunderbird (6.0.2) Thunderbird Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
``````````End of Log````````````

Windows Task Manager still showing occasional spikes in CPU Usage, when there aren't any processes listed with CPU usage corresponding to the spikes. These spikes are less frequent and of much shorter duration, but they're still appearing.
Also, note: When Combofix was displaying "Preparing Log Report Do not run any programs until ComboFix has finished" I got a popup: "Registry Editor Cannot export A?0????: Error opening the file. There may be a disk or system error." I clicked OK, then got a second popup - same as the first, except referring to B?0????: Error opening the file ...

Again, thanks for your help.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,517 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 October 2011 - 07:34 AM

Open notepad and copy/paste the text in the quote box below into it:

Driver::
284bB7
Control
MEMSWEEP2
Viewpoint Manager Service

FixCSet::



Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

===


avast! Free Antivirus
Antivirus out of date!

You should take care of this immediately.

```````````

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java SE Runtime Environment 6 Update 27.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, select Windows (or Windows x64), and check the "agree" box and click "Continue".
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Then from your Desktop double-click on jre-6u27-windows-i586.exe that you have downloaded to install the newest version.

    For the x64 bit version download this (jre-6u27-windows-x64.exe). Make sure you download the correct version.

    - Note: If you are running Vista or Windows 7, you may need to right-click on the installation file and select Run as Administrator.

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 21
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7

===

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions... being exploited in the wild in active targeted attacks... update to Adobe Flash Player 10.3.183.10 ... Flash Player for Android update to Adobe Flash Player for Android 10.3.186.7

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.

Download for Internet Explorer

Download for Firefox and other browsers
<<<>>>

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Please post the logs and let me know what problem persists.
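
As an added illustration (not part of this thread, and not ComboFix's or BleepingComputer's own tooling), the script below automates the first pass a responder makes by eye over the driver/service section of a ComboFix log before writing a `Driver::` block like the one above. It runs over constructed lines modelled on the entries posted earlier in the thread (the sample text, the heuristics and every function name are assumptions of this example). Each entry is checked for an image file ComboFix could not find (`[?]`), a random-looking hex service name, an image under a Temp directory, or a `.tmp` extension, and the flagged names are rendered in the CFScript `Driver::` layout.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample lines in the layout ComboFix uses for its driver/service
# section: start type, name;display name;image path, then either
# [date time size] for a file that exists or [?] for one that was not found.
SAMPLE_SERVICES = r"""
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/14/2011 10:22 AM 442200]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/19/2008 05:44 PM 24652]
S1 284bB7;284bB7;\??\c:\windows\system32\drivers\284bB7.sys --> c:\windows\system32\drivers\284bB7.sys [?]
S1 Control;Control;\??\c:\windows\system32\drivers\SYSTEM\ControlSet003\Control.sys --> c:\windows\system32\drivers\SYSTEM\ControlSet003\Control.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2.tmp --> c:\windows\system32\2.tmp [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\docume~1\Linda\LOCALS~1\Temp\RarSFX0\S10VWF\PEDrv.sys --> c:\docume~1\Linda\LOCALS~1\Temp\RarSFX0\S10VWF\PEDrv.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 12:58 PM 11336]
"""

LINE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
TAIL_RE = re.compile(r"\s*\[(?P<tail>[^\]]*)\]\s*$")


@dataclass
class ServiceEntry:
    start: str          # R = running, S = stopped; digit = start type (1 = SYSTEM start)
    name: str
    image: str          # resolved image path (right side of "-->" when present)
    file_present: bool  # False when ComboFix printed [?] for the image
    reasons: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> ServiceEntry:
    """Split one ComboFix service line into its fields (hypothetical parser)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ComboFix service line: {line!r}")
    rest = m.group("rest")
    tail_m = TAIL_RE.search(rest)
    tail = tail_m.group("tail") if tail_m else ""
    path_part = rest[: tail_m.start()] if tail_m else rest
    # ComboFix prints "\??\raw --> resolved" for paths given in NT object syntax
    image = path_part.split("-->")[-1].strip()
    return ServiceEntry(m.group("start"), m.group("name"), image, tail.strip() != "?")


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach heuristic reasons to look closer; an empty list means nothing stood out."""
    low = entry.image.lower()
    if not entry.file_present:
        entry.reasons.append("image file not found")
    if re.fullmatch(r"[0-9a-f]{6,}", entry.name, re.IGNORECASE):
        entry.reasons.append("random-looking hex service name")
    if "\\temp\\" in low:
        entry.reasons.append("image lives in a Temp directory")
    if low.endswith(".tmp"):
        entry.reasons.append("image has a .tmp extension")
    return entry


def triage_log(text: str) -> List[ServiceEntry]:
    """Return only the entries that tripped at least one heuristic, in log order."""
    entries = [triage(parse_service_line(l)) for l in text.splitlines() if l.strip()]
    return [e for e in entries if e.reasons]


def cfscript_driver_section(entries: List[ServiceEntry]) -> str:
    """Render the flagged names in the Driver:: block layout used in the thread."""
    return "Driver::\n" + "\n".join(e.name for e in entries) + "\n"


if __name__ == "__main__":
    flagged = triage_log(SAMPLE_SERVICES)
    for e in flagged:
        print(f"{e.start} {e.name:<12} {e.image}\n    " + "; ".join(e.reasons))
    print()
    print(cfscript_driver_section(flagged))
```

A flag means "look closer", not "malicious": MEMSWEEP2 is caught only because its image is absent, and Viewpoint Manager Service, which nasdaq also listed for removal, passes every check here because its file exists and its name is ordinary; that call rests on the reputation of the program, which no path heuristic can supply.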

#7 newton77

newton77
  • Topic Starter

  • Members
  • 9 posts

Posted 09 October 2011 - 04:11 PM

Here is the Combofix log:

ComboFix 11-10-08.03 - Marc 10/09/2011 9:15.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.401 [GMT -4:00]
Running from: c:\documents and settings\Marc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marc\Desktop\cfscript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_284BB7
-------\Legacy_MEMSWEEP2
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_284bB7
-------\Service_Control
-------\Service_MEMSWEEP2
-------\Service_Viewpoint Manager Service
.
.
((((((((((((((((((((((((( Files Created from 2011-09-09 to 2011-10-09 )))))))))))))))))))))))))))))))
.
.
2011-10-08 19:11 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\userinit.exe
2011-10-02 16:22 . 2011-10-02 16:22 -------- d-----w- C:\PsTools
2011-10-02 14:30 . 2011-10-02 14:30 773080 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-10-01 17:46 . 2011-10-01 17:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-10-01 17:20 . 2011-10-01 17:20 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-10-01 17:20 . 2011-10-01 17:20 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-10-01 17:19 . 2011-10-01 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-09-29 20:42 . 2011-09-29 20:42 65536 ----a-r- c:\documents and settings\Marc\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2011-09-29 20:42 . 2011-09-29 20:42 65536 ----a-r- c:\documents and settings\Marc\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2011-09-29 20:42 . 2011-09-29 20:42 65536 ----a-r- c:\documents and settings\Marc\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\ARPPRODUCTICON.exe
2011-09-24 16:32 . 2011-09-24 17:56 -------- d-----w- c:\windows\system32\NtmsData
2011-09-24 16:12 . 2011-09-24 16:12 388096 ------r- c:\documents and settings\Marc\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-19 21:56 . 2011-09-29 20:41 -------- d-----w- c:\program files\Sophos
2011-09-15 02:21 . 2006-03-18 00:39 147456 ----a-w- c:\program files\Mozilla Firefox\NTBR_CD\BurnCDCC.exe
2011-09-13 01:25 . 2011-09-13 01:25 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2011-09-11 23:47 . 2011-09-11 23:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-09-10 15:45 . 2011-09-10 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-02 16:18 . 2011-10-02 16:18 1683473 ----a-w- C:\PsTools.zip
2011-09-10 15:45 . 2011-05-18 02:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2006-02-15 14:02 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 20:45 . 2010-07-04 15:35 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:45 . 2010-02-03 03:12 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-06 20:38 . 2011-05-14 14:22 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:37 . 2010-02-03 03:13 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-06 20:36 . 2010-02-03 03:13 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-06 20:36 . 2010-02-03 03:13 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-06 20:36 . 2010-02-03 03:13 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-09-06 20:36 . 2010-02-03 03:13 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-09-06 20:36 . 2010-02-03 03:13 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-06 20:33 . 2010-02-03 03:13 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-31 21:00 . 2010-01-24 21:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29 . 2006-02-15 14:03 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-10-02 14:31 . 2011-10-02 14:31 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 16206848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-07-23 231888]
.
c:\documents and settings\Linda\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\284bB7]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\?°????]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Control]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 14:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2005-10-06 13:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-01-24 17:21 135664 -----tw- c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HijackThis startup scan]
2010-03-25 22:42 388096 ----a-w- c:\program files\hijackthis\Trend Micro\HiJackThis\HiJackThis.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 14:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2008-04-14 00:12 169984 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
2009-12-13 23:05 79872 ------w- c:\documents and settings\Marc\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-12-29 21:34 274608 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 00:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 14:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"IntuitUpdateService"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"EPSON_PM_RPCV4_01"=2 (0x2)
"CFSvcs"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/14/2011 10:22 AM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/2/2010 11:13 PM 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/2/2010 11:13 PM 20568]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 12:58 PM 11336]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\docume~1\Linda\LOCALS~1\Temp\RarSFX0\S10VWF\PEDrv.sys --> c:\docume~1\Linda\LOCALS~1\Temp\RarSFX0\S10VWF\PEDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-190162279-3972189771-1940070945-1005Core1cc2447232c3c22.job
- c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-24 17:21]
.
2011-10-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-190162279-3972189771-1940070945-1005UA.job
- c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-24 17:21]
.
2011-10-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-10-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-190162279-3972189771-1940070945-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-10-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-10-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-190162279-3972189771-1940070945-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.myway.com/
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
FF - ProfilePath - c:\documents and settings\Marc\Application Data\Mozilla\Firefox\Profiles\m8j2vx2k.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-?°????
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-09 09:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(968)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\TPSMain.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\TPSBattM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2011-10-09 09:54:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-09 13:54
ComboFix2.txt 2011-10-09 01:17
ComboFix3.txt 2010-01-11 21:29
.
Pre-Run: 116,320,022,528 bytes free
Post-Run: 116,303,650,816 bytes free
.
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 5D1457F6D48BEBCD0792242277E875AE

I did the software updates as listed in your last reply.

Here is the ESET log - I unchecked the Fix problems button before running ESET, so these problems were not fixed by ESET:

C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000038 a variant of Win32/InstallCore.C application
C:\Documents and Settings\Marc\My Documents\Downloads\cnet_HitmanPro35_exe.exe a variant of Win32/InstallCore.C application
C:\Documents and Settings\Marc\My Documents\Downloads\Spydig_Setup.exe multiple threats

CPU Usage spikes still occurring.

#8 newton77

newton77
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 09 October 2011 - 04:15 PM

Forgot to mention: when I tried to update Avast, I received a message that Avast is already up to date (Engine and Definitions: current version 111009-0, Program: current version 6.0.1289). I noticed that this most recent ComboFix log says that Avast needed to be updated. Not what I would expect ... could the infections be messing with Avast?

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,517 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:13 PM

Posted 09 October 2011 - 05:15 PM

Download the latest version of Kaspersky Virus Removal Tool
  • Close all other applications and double-click and run the installer.
  • When AVPTool starts, select all the scannable items except for CD-ROM drives.
  • Then please choose Security level: Recommended and perform the following actions.
  • Click the Start scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
===

Please keep me posted on the issues.

#10 newton77

newton77
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 10 October 2011 - 02:13 AM

Nothing detected for which Delete or Disinfect was an option. Memory spikes continue.

Here is the report of what was detected:

Automatic Scan: completed 40 minutes ago (events: 17, objects: 397453, time: 07:04:54)
10/10/2011 12:38:05 AM Detected not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\Documents and Settings\Marc\My Documents\Downloads\install_files\vnc-4_1_2-x86_win32.exe/data0004 Information
10/10/2011 12:38:05 AM Detected not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\Documents and Settings\Marc\My Documents\Downloads\install_files\vnc-4_1_2-x86_win32.exe/data0002 Information
10/10/2011 12:38:05 AM Detected not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\Documents and Settings\Marc\My Documents\Downloads\install_files\vnc-4_1_2-x86_win32.exe/data0001 Information
10/10/2011 12:38:04 AM Detected not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\Documents and Settings\Marc\My Documents\Downloads\install_files\vnc-4_1_2-x86_win32.exe/data0000 Information
10/10/2011 12:13:59 AM Detected not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\documents and settings\marc\My Documents\Downloads\install_files\vnc-4_1_2-x86_win32.exe/data0004 Information
10/10/2011 12:13:59 AM Detected not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\documents and settings\marc\My Documents\Downloads\install_files\vnc-4_1_2-x86_win32.exe/data0002 Information
10/10/2011 12:13:59 AM Detected not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\documents and settings\marc\My Documents\Downloads\install_files\vnc-4_1_2-x86_win32.exe/data0001 Information
10/10/2011 12:13:58 AM Detected not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\documents and settings\marc\My Documents\Downloads\install_files\vnc-4_1_2-x86_win32.exe/data0000 Information
10/9/2011 8:27:46 PM Detected not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\Documents and Settings\Marc\My Documents\Downloads\install_files\vnc-4_1_2-x86_win32.exe/data0004 Information
10/9/2011 8:27:46 PM Detected not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\Documents and Settings\Marc\My Documents\Downloads\install_files\vnc-4_1_2-x86_win32.exe/data0002 Information
10/9/2011 8:27:46 PM Detected not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\Documents and Settings\Marc\My Documents\Downloads\install_files\vnc-4_1_2-x86_win32.exe/data0001 Information
10/9/2011 8:27:46 PM Detected not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\Documents and Settings\Marc\My Documents\Downloads\install_files\vnc-4_1_2-x86_win32.exe/data0000 Information
10/10/2011 1:04:06 AM Detected Vulnerability http://www.securelist.com/en/advisories/40775 Low Exact C:\Program Files\OpenOffice.org 3\program\soffice.bin
10/10/2011 12:11:29 AM Detected Vulnerability http://www.securelist.com/en/advisories/40775 Low Exact C:\Program Files\OpenOffice.org 3\program\soffice.exe
10/10/2011 12:09:07 AM Detected Vulnerability http://www.securelist.com/en/advisories/20001 Low Exact C:\Program Files\intel\wireless\bin\iFrmewrk.exe
10/9/2011 9:22:33 PM Detected Vulnerability http://www.securelist.com/en/advisories/40775 Low Exact C:\Program Files\OpenOffice.org 3\program\soffice.bin
10/9/2011 9:05:39 PM Detected Vulnerability http://www.securelist.com/en/advisories/20001 Low Exact C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,517 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:13 PM

Posted 10 October 2011 - 07:22 AM

This is reported by ComboFix.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

Make sure that only McAfee is running in real time. You cannot have two AVs running simultaneously.
===

Download ATF Cleaner by Atribune from here and save it to your Desktop.
Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only. <- make sure you select this option.
Java Cache


The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

* The purpose of the Prefetch folder is to increase the speed at which you can access the programs that you use on your PC. Unfortunately, Windows doesn't differentiate between a program you use every day and one you use once in a blue moon, which means that it may be prefetching a lot of stuff that you rarely use, adding to your startup time.
You may find that the first time you boot up after cleaning out this folder, your PC takes longer to get into gear - the second, and subsequent, boots should be quicker.

Keep me posted.

#12 newton77

newton77
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 10 October 2011 - 10:59 AM

Couldn't find any evidence of McAfee software, except for: 1) the Combofix report, 2) Control Panel -> Security Center -> Virus Protection. No listing in Add/Remove Programs, no folder with a name referencing McAfee or anything like it. I found mcpr.exe on Kaspersky.com, ran that, rebooted, and no longer saw reference to McAfee in Security Center -> Virus Protection. However, I also noticed that AVG had not automatically loaded at startup (it had been loading before). I went into Add/Remove Programs and did Repair on AVG - when I rebooted, AVG started up as it had been doing before.
After all of the above, I downloaded and ran ATF Cleaner.

Sorry to report that the CPU spikes are still occurring - maybe less frequently than before, but they haven't stopped. Is it possible that the residual McAfee components had been interfering with some of the other steps that we've taken, and I should repeat some of them? Appreciate your opinion and your guidance.
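One way to see what Security Center itself has registered, independently of Add/Remove Programs, is to query its WMI class and the Monitoring keys that the ComboFix log listed with DisableMonitoring=1. This is an added PowerShell example, not code from the thread or from any of the tools it mentions; it assumes PowerShell is installed (XP does not ship with it) and that the namespace is root\SecurityCenter on XP and root\SecurityCenter2 on Vista and later.

```powershell
# Added example (not from the thread): list every antivirus product that Security
# Center believes is installed, with the instance GUID that ComboFix prints in its
# "AV:" lines, so a vendor missing from Add/Remove Programs can still be spotted.
$namespaces = 'root\SecurityCenter', 'root\SecurityCenter2'   # XP uses the first, Vista+ the second
foreach ($ns in $namespaces) {
    try {
        Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction Stop |
            ForEach-Object {
                # pathToSignedProductExe exists only in SecurityCenter2; on XP it is
                # absent and we report n/a instead of testing an empty path.
                $exe = $_.pathToSignedProductExe
                $present = if ($exe) { Test-Path $exe } else { 'n/a' }
                "{0,-22} AV={1,-28} guid={2} exe present={3}" -f `
                    $ns, $_.displayName, $_.instanceGuid, $present
            }
    } catch {
        "{0}: namespace not available on this Windows version" -f $ns
    }
}

# The ComboFix log shows Monitoring subkeys (McAfeeAntiVirus, McAfeeFirewall) with
# DisableMonitoring=1; a subkey left behind here is enough for Security Center to
# keep reporting a vendor after its files are gone.
$monRoot = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
if (Test-Path $monRoot) {
    Get-ChildItem $monRoot | ForEach-Object {
        $v = (Get-ItemProperty $_.PSPath).DisableMonitoring
        "{0,-25} DisableMonitoring={1}" -f $_.PSChildName, $v
    }
}
```

A product that shows up in the WMI output with no matching entry in Add/Remove Programs, or a Monitoring subkey for a vendor that is no longer installed, is the residue the vendor's own removal tool is meant to clear.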

#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,517 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:13 PM

Posted 10 October 2011 - 12:51 PM

Run McAfee's program removal tool.

http://service.mcafee.com/FAQDocument.aspx?id=TS100507

#14 newton77

newton77
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 10 October 2011 - 08:44 PM

Done.
CPU usage spikes persist.

#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,517 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:13 PM

Posted 11 October 2011 - 07:10 AM

Check for bad operating system files.

From the Start menu, select Run.
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
Select the OK button.
Follow the prompts throughout the System File Checker process.
Reboot the computer when System File Checker completes.
