
Strange Processes Running. It just doesn't feel right...


  • This topic is locked
36 replies to this topic

#1 Chief Bigblunts
  • Members
  • 20 posts

Posted 12 November 2011 - 12:06 AM

OK, keep in mind here that I haven't touched this PC in about 4 months. I just went and grabbed it today from my old house, so I don't know WHO has been using it.

Anyhow, I noticed today when I started it up that CPU usage was up around 50-60%, that there were strange executable files with random letter-and-number names running, and three or four IEXPLORE.EXEs running. It just doesn't feel right. I'm running Windows XP Pro SP3.

Here's a HijackThis! logfile:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:02:42 PM, on 11/11/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\eghmi3.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\drivers\wvchatts.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [j949u33] C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\gicu4z.exe
O4 - HKLM\..\Run: [Local Account Service] C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\lssas.exe
O4 - HKLM\..\Run: [Plug Manager] C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\manager.exe
O4 - HKLM\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [engel] C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\updates\updates.exe
O4 - HKCU\..\Run: [SecurityChannel] RunDll32 \perfhost.dll,Init
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\06e93131-882b-4d04-99a3-8393da93a5ff.com
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe -update activex
O4 - HKLM\..\Policies\Explorer\Run: [60xu9] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\qtfcyyp.exe
O4 - HKLM\..\Policies\Explorer\Run: [apps] C:\WINDOWS\system32\eghmi3.exe
O4 - HKLM\..\Policies\Explorer\Run: [jzv9] C:\WINDOWS\TEMP\f1ku.exe
O4 - HKLM\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKUS\S-1-5-21-4219525249-2667286121-459499402-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'UpdatusUser')
O4 - HKUS\S-1-5-18\..\Run: [engel] C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\updates\updates.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SecurityChannel] RunDll32 C:\WINDOWS\system32\perfsrv.dll,Init (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [engel] C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\updates\updates.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe (User 'Default user')
O4 - S-1-5-21-4219525249-2667286121-459499402-1008 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'UpdatusUser')
O4 - S-1-5-21-4219525249-2667286121-459499402-1008 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'UpdatusUser')
O4 - S-1-5-21-4219525249-2667286121-459499402-1008 User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'UpdatusUser')
O4 - S-1-5-21-4219525249-2667286121-459499402-1008 User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'UpdatusUser')
O4 - S-1-5-18 Startup: Windows Search.lnk = C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\SearchIndexer.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Windows Search.lnk = C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\SearchIndexer.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\Program Files\Common Files\InstallShield\perfhost.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Local Account Authority Service - Unknown owner - C:\Documents.exe (file missing)
O23 - Service: MouseDriver - Unknown owner - C:\Documents.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: Plug Manager - Unknown owner - C:\Documents.exe (file missing)
O23 - Service: wvchatts - Cronosoft - C:\WINDOWS\system32\drivers\wvchatts.exe

--
End of file - 11993 bytes



I appreciate any info or help I can get. I've run SpyBot in safe mode and without my network card in either. I also ran rkill once.

Edited by hamluis, 12 November 2011 - 06:01 AM.
Moved from XP to MRL.
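The entries a responder would pull out of this log first are the random-named executables launched from Application Data and the Temp directories, the Policies\Explorer\Run values, the AppInit_DLLs entry, the names that mimic lsass.exe and userinit.exe, the .exe sitting in system32\drivers, and the three services HijackThis renders as "C:\Documents.exe (file missing)". The script below is an added example, not part of the original post and not HijackThis' own analysis: it parses the O4/O20/O23 line formats shown above and scores each entry with those heuristics. The weights, the name patterns and the reporting threshold are assumptions tuned to this one log (the random-name pattern alone also matches benign files such as ftutil2.dll, which is why it counts for only one point); the sample lines are copied from the log above, with a couple of benign entries kept for contrast.

```python
# Added example for this thread: scores HijackThis v2 O4/O20/O23 lines so the entries
# worth checking first float to the top.  Not HijackThis' own logic; weights, name
# patterns and threshold are assumptions tuned to this one log.
import re
from dataclasses import dataclass, field

THRESHOLD = 2  # report entries scoring at least this much
# Directories a non-admin user can write to; autoruns from here are checked first.
USER_WRITABLE = re.compile(r"\\(application data|appdata|temp|docume~1|locals~1)\\", re.I)
# Short names mixing letters and digits (gicu4z.exe, f1ku.exe).  Weak alone:
# ftutil2.dll and nvsvc32.exe match too, so it only adds one point.
RANDOM_NAME = re.compile(r"^(?=[a-z0-9]*\d)[a-z0-9]{3,8}\.(?:exe|dll)$", re.I)
# Names one character away from real Windows binaries.
LOOKALIKES = {"lssas.exe": "lsass.exe", "userini.exe": "userinit.exe"}

@dataclass
class Finding:
    score: int
    line: str
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)

def extract_path(cmd: str) -> str:
    """Pull the executable or DLL path out of an autorun command string."""
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd).strip()    # drop "(User 'SYSTEM')"
    cmd = re.sub(r"^rundll32(?:\.exe)?\s+", "", cmd, flags=re.I)  # rundll32 host -> its DLL
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    # Unquoted paths may contain spaces: stop at the first recognised extension.
    m = re.match(r"(.+?\.(?:exe|dll|com|bat|scr))(?:[\s,]|$)", cmd, re.I)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")

def score_path(f: Finding, path: str) -> None:
    base = path.rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE.search(path):
        f.add(2, "runs from a user-writable directory")
    if RANDOM_NAME.match(base):
        f.add(1, "random-looking file name")
    if base in LOOKALIKES:
        f.add(2, f"name mimics {LOOKALIKES[base]}")
    if "\\drivers\\" in path.lower() and base.endswith(".exe"):
        f.add(2, "user-mode .exe placed in the drivers directory")

def assess(line: str) -> Finding:
    f = Finding(0, line.strip())
    if f.line.startswith("O4 - "):
        key, _, rest = f.line[5:].partition(": ")
        if rest.startswith("["):                      # [Name] command
            cmd = rest[rest.index("]") + 1:].strip()
        elif " = " in rest:                           # Shortcut.lnk = target
            cmd = rest.split(" = ", 1)[1]
        else:
            cmd = rest
        path = extract_path(cmd)
        if "Policies\\Explorer\\Run" in key:
            f.add(2, "Policies\\Explorer\\Run key, rarely used by legitimate software")
        score_path(f, path)
        if "(User 'SYSTEM')" in f.line and USER_WRITABLE.search(path):
            f.add(1, "SYSTEM account launches a file from a user profile")
    elif f.line.startswith("O20 - AppInit_DLLs: "):
        f.add(2, "AppInit_DLLs is loaded into every process that maps user32.dll")
        score_path(f, f.line.split(": ", 1)[1])
    elif f.line.startswith("O23 - Service: "):
        parts = f.line.partition(": ")[2].split(" - ")
        owner = parts[1] if len(parts) > 1 else ""
        image = parts[-1].replace(" (file missing)", "")
        if owner == "Unknown owner":
            f.add(1, "service binary carries no company/version information")
        if image.lower() == "c:\\documents.exe":
            f.add(2, "unquoted ImagePath under C:\\Documents and Settings "
                     "(HijackThis shows only the part before the first space)")
        score_path(f, image)
    return f

def triage(log: str) -> list:
    hits = [assess(l) for l in log.splitlines() if l.startswith(("O4 - ", "O20 - ", "O23 - "))]
    return sorted((h for h in hits if h.score >= THRESHOLD), key=lambda h: -h.score)

# Lines copied from the HijackThis log in the post above; benign ones kept for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [j949u33] C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\gicu4z.exe
O4 - HKLM\..\Run: [Local Account Service] C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\lssas.exe
O4 - HKLM\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKLM\..\Policies\Explorer\Run: [jzv9] C:\WINDOWS\TEMP\f1ku.exe
O4 - HKUS\S-1-5-18\..\Run: [engel] C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\updates\updates.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\Program Files\Common Files\InstallShield\perfhost.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: MouseDriver - Unknown owner - C:\Documents.exe (file missing)
O23 - Service: wvchatts - Cronosoft - C:\WINDOWS\system32\drivers\wvchatts.exe
"""

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f"[{h.score}] {h.line}", "; ".join(h.reasons), sep="\n      ")
```

The "C:\Documents.exe (file missing)" rendering is worth knowing: HijackThis reads an unquoted ImagePath only up to its first space, so the three services it cannot resolve almost certainly live under C:\Documents and Settings, and the DDS log posted later in this thread confirms exactly that for the MouseDriver service. The score threshold is what keeps legitimate entries with digit-bearing names (ftutil2.dll, nvsvc32.exe) out of the report; on another machine the first thing to revisit is that threshold and the LOOKALIKES table.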



#2 Chief Bigblunts
  • Topic Starter
  • Members
  • 20 posts

Posted 13 November 2011 - 02:51 PM

O4 - HKLM\..\Run: [j949u33] C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\gicu4z.exe
O4 - HKLM\..\Policies\Explorer\Run: [60xu9] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\qtfcyyp.exe
O4 - HKLM\..\Policies\Explorer\Run: [jzv9] C:\WINDOWS\TEMP\f1ku.exe

These entries worry me, especially the last one, 'f1ku.exe', which seems to be some form of Virut. Anyhow, I'll be patient as I've been told and wait for the experts to step in. Thanks everyone.

#3 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 November 2011 - 02:12 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine; if it does, click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.

Information and logs:

In your next post I need the following:

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 Chief Bigblunts
  • Topic Starter
  • Members
  • 20 posts

Posted 14 November 2011 - 02:35 PM

Hello and thank you for your reply. I was able to run DeFogger, however, I was not able to run DDS or RKUnHooker due to a 'dwwin.exe' Application Error which gave me the options of 'Click OK to Terminate the Program' or 'Click Cancel to Debug.' :(

Should I run these in safe mode?

EDIT: It actually seems that I can't run ANY applications due to this error. I suppose I had better leave my browser open then. I'll wait for your reply. Thank you.

Edited by Chief Bigblunts, 14 November 2011 - 02:39 PM.


#5 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 November 2011 - 04:34 PM

It is OK to run DDS in safe mode. RK will not run in safe mode, so skip it.


gringo

#6 Chief Bigblunts
  • Topic Starter
  • Members
  • 20 posts

Posted 14 November 2011 - 07:02 PM

Ok, I ran DDS in Safe Mode. Here are the logs that you requested.

DDS logfile:
.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 6.0.2900.2180
Run by HP_Administrator at 17:31:22 on 2011-11-14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.805 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [{F7C3F6B2-7135-D140-BF88-05ECEEBB744A}] "c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\laqyvy\vipyde.exe"
uRun: [userini] c:\windows\system32\userini.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [i6g8xs] c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\i6g8xs.exe
mRun: [userini] c:\windows\system32\userini.exe
dRun: [System Intrusive] RunDll32 "c:\program files\common files\componentone\mslogsvc.dll",Init
dRun: [engel] c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\updates\updates.exe
dRun: [Network Host] c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\microsoft\windows\system\wchks.exe -m
dRun: [userini] c:\windows\explorer.exe:userini.exe
uExplorerRun: [userini] c:\windows\system32\userini.exe
mExplorerRun: [jzv9] c:\docume~1\hp_adm~1.you\locals~1\temp\f1ku.exe
mExplorerRun: [userini] c:\windows\system32\userini.exe
dExplorerRun: [userini] c:\windows\explorer.exe:userini.exe
StartupFolder: c:\docume~1\hp_adm~1.you\startm~1\programs\startup\window~1.lnk - c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\SearchIndexer.exe
dPolicies-system: Shell = explorer.exe,RunDll32 "c:\program files\common files\lightscribe\logetsrv.dll",Init
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{57E8E617-8238-4957-AA9C-27E34530C82F} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
AppInit_DLLs: c:\windows\$ntuninstallkb921883$\spuninst\logetlog.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 122.224.6.164 zeus.sunke.info
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\mozilla\firefox\profiles\rda08f1a.default\
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPodBridge32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2011-6-8 33792]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-12 366152]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 126976]
S2 MouseDriver;MouseDriver;c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\MouseDriver.bat [2011-11-14 133]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-5-10 2218600]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2011-7-29 24576]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-12 22216]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2010-7-8 606056]
S4 wvchatts;wvchatts;c:\windows\system32\drivers\wvchatts.exe [2011-11-11 221184]
.
=============== Created Last 30 ================
.
2011-11-14 19:31:12 106496 ----a-w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\microsoft\windows\system\wchks.exe
2011-11-14 19:29:34 -------- d-----w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\updates
2011-11-14 19:15:43 -------- d-----w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\Laqyvy
2011-11-14 19:15:43 -------- d-----w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\Bex
2011-11-14 19:15:36 133 ---h--w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\MouseDriver.bat
2011-11-14 06:57:32 -------- d-----w- c:\windows\system32\LogFiles
2011-11-12 23:56:47 -------- d-----w- c:\documents and settings\hp_administrator.your-4dacd0ea75\local settings\application data\Identities
2011-11-12 23:56:34 -------- d-----w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\Wywy
2011-11-12 23:56:34 -------- d-----w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\Qoocigc
2011-11-12 09:04:11 -------- d-----w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\Malwarebytes
2011-11-12 09:04:02 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-12 09:04:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-12 05:01:57 416256 ----a-r- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-11-12 05:01:56 -------- d-----w- C:\hjt
2011-11-12 02:08:50 221184 ----a-w- c:\windows\system32\drivers\wvchatts.exe
2011-11-12 02:03:02 118272 --sh--w- C:\srvupsrv.dll
2011-11-12 01:53:19 -------- d-----w- C:\Phantasy Star Online Blue Burst
2011-11-12 00:42:37 224 ----a-w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\h5mb6hss.bat
2011-11-12 00:42:31 118272 --sh--w- c:\program files\common files\installshield\perfhost.dll
2011-11-12 00:38:19 -------- d-----w- c:\program files\Belkin
2011-11-12 00:37:59 -------- d-----w- c:\windows\{7EBEACC7-A0C9-4DA4-9A63-3DC7D244B051}
2011-11-12 00:30:38 224 ----a-w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\z0mLcs5y.bat
2011-11-12 00:19:42 405504 ----a-w- c:\windows\system32\AegisI5Installer.exe
2011-11-12 00:09:19 224 ----a-w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\NqF7sOkM.bat
2011-11-12 00:01:55 -------- d-----w- c:\windows\{0D59735E-1DA7-4E6D-B1CC-44A4F59FD0FD}
2011-11-11 23:47:25 224 ----a-w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\evETwpOV.bat
2011-11-11 23:47:05 118272 --sh--w- c:\program files\common files\system\msadc\svclog.dll
2011-11-11 23:37:29 224 ----a-w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\gJbgEETM.bat
2011-11-11 23:37:07 118272 --sh--w- c:\program files\common files\microsoft shared\vc\loglsaet.dll
2011-11-11 21:46:52 224 ----a-w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\QcBRQ7LF.bat
2011-11-11 21:13:01 224 ----a-w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\NmZiO39y.bat
2011-11-11 17:43:03 224 ----a-w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\SjASTiPW.bat
.
==================== Find3M ====================
.
2011-11-14 19:42:29 1060864 ----a-w- c:\windows\explorer.exe
2011-09-06 02:24:08 224 ----a-w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\BwR1hPAc.bat
2011-08-18 02:56:11 143360 --sh--r- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\SearchIndexer.exe
2011-08-18 02:41:52 50176 ----a-w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\wv6z1vdx.exe
2011-08-17 07:10:05 57344 ----a-w- c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\ulkfsq6l.exe
.
============= FINISH: 17:33:58.50 ===============


Attach logfile:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume4
Install Date: 5/10/2011 6:26:43 PM
System Uptime: 11/14/2011 5:29:24 PM (0 hours ago)
.
Motherboard: ASUSTek Computer INC. | | NODUSM3
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2204/199mhz
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2204/199mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 224 GiB total, 119.639 GiB free.
D: is FIXED (FAT32) - 9 GiB total, 0.565 GiB free.
E: is FIXED (NTFS) - 56 GiB total, 28.038 GiB free.
F: is FIXED (NTFS) - 50 GiB total, 14.738 GiB free.
G: is FIXED (FAT32) - 6 GiB total, 5.847 GiB free.
I: is Removable
J: is Removable
K: is Removable
L: is Removable
M: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP144: 8/17/2011 9:29:14 AM - System Checkpoint
RP145: 8/18/2011 9:47:33 AM - System Checkpoint
RP146: 8/19/2011 10:29:33 AM - System Checkpoint
RP147: 8/20/2011 11:04:14 AM - System Checkpoint
RP148: 8/21/2011 11:09:40 AM - System Checkpoint
RP149: 8/22/2011 12:09:40 PM - System Checkpoint
RP150: 9/5/2011 10:10:04 PM - System Checkpoint
RP151: 9/6/2011 10:27:56 PM - System Checkpoint
RP152: 11/11/2011 1:07:05 PM - System Checkpoint
RP153: 11/11/2011 6:02:11 PM - Installed Belkin F6D4050 Enhanced Wireless USB Adapter
RP154: 11/11/2011 6:18:23 PM - Removed Belkin F6D4050 Enhanced Wireless USB Adapter
RP155: 11/11/2011 6:18:55 PM - Installed Belkin F6D4050 Enhanced Wireless USB Adapter
RP156: 11/11/2011 6:36:47 PM - Removed Belkin F6D4050 Enhanced Wireless USB Adapter
RP157: 11/11/2011 6:38:16 PM - Installed Belkin USB Wireless Adaptor
RP158: 11/11/2011 11:01:51 PM - Installed HiJackThis
RP159: 11/12/2011 11:12:28 PM - System Checkpoint
RP160: 11/13/2011 11:40:02 PM - System Checkpoint
.
==== Installed Programs ======================
.
7-Zip 9.20
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.5
Belkin USB Wireless Adaptor
BufferChm
CDisplay 1.8
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CueTour
Destinations
DeviceManagementQFolder
DivX Setup
DivX Web Player
Enhanced Multimedia Keyboard Solution
FullDPAppQFolder
GemMaster Mystic
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB981793)
HP Boot Optimizer
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5
HP Software Update
HPPhotoSmartExpress
HpSdpAppCoreApp
HTC Driver Installer
InstantShareDevices
J2SE Runtime Environment 5.0 Update 6
LibUSB-Win32-0.1.10.1
LightScribe 1.4.105.1
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Away Mode
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Money 2006
Microsoft Office Standard Edition 2003 60 days trial
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Works
Mozilla Firefox 5.0 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 5.0
muvee autoProducer unPlugged 2.0
My HP Games
NVIDIA Control Panel 270.61
NVIDIA Drivers
NVIDIA Graphics Driver 270.61
NVIDIA Install Application
NVIDIA nView 135.70
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX System Software 9.10.0514
NVIDIA Update 1.1.34
NVIDIA Update Components
OptionalContentQFolder
PhotoGallery
Project64 1.6
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quake III Arena
Quicken 2006
RandMap
RealPlayer
Realtek High Definition Audio Driver
Remove WeatherBug Installer
Rhapsody
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
SkinsHP1
SlideShow
SlideShowMusic
Sonic Express Labeler
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Spybot - Search & Destroy
Ultima PsOBB
Unload
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC80CRTRedist - 8.0.50727.4053
WebFldrs XP
Winamp
Winamp Detector Plug-in
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB912067
Windows XP Media Center Edition 2005 KB973768
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer
.
==== Event Viewer Messages From Past Week ========
.
11/13/2011 9:55:06 PM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
11/13/2011 5:26:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips iaStor IntelIde IPSec MRxSmb NetBIOS NetBT ohci1394 RasAcd Rdbss SASDIFSV SASKUTIL Tcpip ViaIde
11/13/2011 12:42:29 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
11/13/2011 12:42:29 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ System Application service to connect.
11/13/2011 12:42:29 PM, error: Service Control Manager [7000] - The COM+ System Application service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/13/2011 12:41:24 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service COMSysApp with arguments "" in order to run the server: {ECABAFBC-7F19-11D2-978E-0000F8757E2A}
11/13/2011 1:43:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
11/13/2011 1:43:27 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/13/2011 1:43:27 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/13/2011 1:43:27 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/13/2011 1:43:27 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/13/2011 1:43:13 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
11/13/2011 1:42:54 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/13/2011 1:42:51 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/12/2011 3:20:52 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
11/12/2011 3:20:52 PM, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/12/2011 3:04:49 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor IntelIde ViaIde
11/12/2011 3:04:49 PM, error: Service Control Manager [7023] - The SAP Agent service terminated with the following error: The specified module could not be found.
11/12/2011 3:04:49 PM, error: Service Control Manager [7023] - The Client Service for NetWare service terminated with the following error: The specified module could not be found.
11/12/2011 2:38:56 PM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
11/12/2011 2:38:40 PM, error: Service Control Manager [7031] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
11/12/2011 2:38:37 PM, error: Service Control Manager [7034] - The ARSVC service terminated unexpectedly. It has done this 1 time(s).
11/11/2011 7:46:20 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
11/11/2011 6:43:07 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Plug Manager service to connect.
11/11/2011 6:43:07 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the MouseDriver service to connect.
11/11/2011 6:43:07 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Local Account Authority Service service to connect.
11/11/2011 6:31:52 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the libusbd service.
11/11/2011 6:12:01 PM, error: Service Control Manager [7034] - The NVIDIA Update Service Daemon service terminated unexpectedly. It has done this 1 time(s).
11/11/2011 3:53:36 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
11/11/2011 3:46:46 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 bf803dd6, parameter3 f6389c90, parameter4 00000000.
11/11/2011 12:27:36 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/11/2011 12:27:36 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
11/11/2011 11:43:06 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 bf803dd6, parameter3 f3deec90, parameter4 00000000.
.
==== End Of File ===========================


Thank you for all your help so far. I am grateful. :)

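A triage pass over a file listing like the one above, as an added example that is not part of the thread, of DDS or of ComboFix. It parses DDS-style lines (date, time, size, attribute string, path) and flags the patterns a responder would pull out of this log: hidden+system DLLs of a single size scattered under Program Files, 224-byte .bat files with random eight-character names in Application Data, and a core Windows binary whose modification time falls inside the infection window. The sample lines are constructed in the log's format with the profile name shortened to hp_administrator; the directory list, the name pattern and the "recent" cutoff are this example's own choices, not anything the tools define.

```python
"""Triage of DDS-style file-listing lines (date time size attrs path).

Added example for this thread; not part of DDS, ComboFix or the posted logs.
The heuristics encode what the posted listing shows. SAMPLE_LOG is constructed
in the log's format (profile name shortened), not copied from the thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-dashrw]{8}) (?P<path>.+)$"
)
# Eight alphanumerics plus an executable extension: the dropper naming seen above.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{8}\.(bat|exe|dll)$")
# Places where a hidden+system executable has no legitimate business (assumption).
SUSPECT_DIRS = ("\\program files\\", "\\application data\\", "\\temp\\")
# Binaries that file infectors commonly patch; a fresh mtime deserves a hash check.
CORE_BINARIES = {"explorer.exe", "spoolsv.exe", "winlogon.exe", "userinit.exe"}

# Constructed sample in the posted log's format.
SAMPLE_LOG = r"""
2011-11-12 00:42:31 118272 --sh--w- c:\program files\common files\installshield\perfhost.dll
2011-11-12 00:38:19 -------- d-----w- c:\program files\Belkin
2011-11-12 00:30:38 224 ----a-w- c:\documents and settings\hp_administrator\application data\z0mLcs5y.bat
2011-11-11 23:47:05 118272 --sh--w- c:\program files\common files\system\msadc\svclog.dll
2011-11-11 23:37:29 224 ----a-w- c:\documents and settings\hp_administrator\application data\gJbgEETM.bat
2011-08-18 02:56:11 143360 --sh--r- c:\documents and settings\hp_administrator\application data\SearchIndexer.exe
2011-11-14 19:42:29 1060864 ----a-w- c:\windows\explorer.exe
2011-08-31 23:00:32 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
"""


@dataclass
class Entry:
    date: str
    size: Optional[int]   # None for directories (size column is --------)
    attrs: Set[str]       # attribute letters present, e.g. {'s', 'h', 'w'}
    path: str             # lower-cased full path

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs


def parse(log_text: str) -> List[Entry]:
    """Parse the listing; lines that do not fit the format are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["date"], size, set(m["attrs"]) - {"-"}, m["path"].lower()))
    return entries


def triage(entries: List[Entry], recent_since: str) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries worth a closer look.

    recent_since is an ISO date; string comparison is enough for YYYY-MM-DD.
    """
    findings: Dict[str, List[str]] = defaultdict(list)
    by_size_ext: Dict[tuple, List[Entry]] = defaultdict(list)
    for e in entries:
        if e.is_dir:
            continue
        ext = e.name.rsplit(".", 1)[-1] if "." in e.name else ""
        by_size_ext[(e.size, ext)].append(e)
        if {"s", "h"} <= e.attrs and any(d in e.path for d in SUSPECT_DIRS):
            findings[e.path].append("hidden+system file outside the Windows directory")
        if RANDOM_NAME_RE.match(e.name) and "\\application data\\" in e.path:
            findings[e.path].append("random 8-character name dropped in Application Data")
        if e.name in CORE_BINARIES and e.date >= recent_since:
            findings[e.path].append("core Windows binary modified recently; verify it against a known-good copy")
    # One payload written under several names shows up as identical size and
    # extension in more than one directory.
    for (size, ext), group in by_size_ext.items():
        dirs = {g.path.rsplit("\\", 1)[0] for g in group}
        if size and len(dirs) >= 2:
            for g in group:
                findings[g.path].append(f"{len(group)} x {size}-byte .{ext} files across {len(dirs)} directories")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in sorted(triage(parse(SAMPLE_LOG), "2011-11-01").items()):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

A hit is a reason to pull the file for hashing or a scan, not proof of infection; a vendor that installs one DLL under two names trips the size rule too. The explorer.exe flag is the one to act on first, since a fresh modification time on a core binary on a machine with this many droppers is exactly what a file infector leaves behind.
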
#7 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 November 2011 - 07:51 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 Chief Bigblunts
  • Topic Starter
  • Members
  • 20 posts

Posted 14 November 2011 - 10:34 PM

Hello, Gringo

I am unable to run ComboFix due to an error saying 'this installation has been compromised...' I've tried running it in Safe Mode as well. Same error. :(

Here is a picture of the error message.

[Posted image: screenshot of the ComboFix error message]

Also, keep in mind that I have done as the message says and downloaded and tried several 'fresh' copies, but to no avail.

Edited by Chief Bigblunts, 14 November 2011 - 10:35 PM.


#9 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 November 2011 - 10:53 PM

Eset Online Scanner

Note: You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • You may also find the log here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo

#10 Chief Bigblunts
  • Topic Starter
  • Members
  • 20 posts

Posted 14 November 2011 - 11:17 PM

I am unable to access the page from both Internet Explorer and Firefox.

"The page cannot be displayed"

Edited by Chief Bigblunts, 14 November 2011 - 11:22 PM.


#11 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 November 2011 - 11:31 PM

Please download Kaspersky Virus Removal Tool and SAVE it to your desktop

  • Right click and run as admin (xp please double click to run)
  • select language
  • click on next
  • accept the license agreement
  • select location and click on next
  • in Autoscan, make sure the first three boxes are checked, and the box next to the C:\ drive
  • click on start scan
  • when complete click on report
  • in the three drop down boxes choose autoscan - do not group and important events
  • click on save and save to desktop
  • copy and paste this report in your next post


#12 Chief Bigblunts
  • Topic Starter
  • Members
  • 20 posts

Posted 15 November 2011 - 03:40 PM

Well, after several tries I was unable to run Kaspersky all the way through; either it would hang or it would give some ridiculous completion time. As in "Will complete in: 6 days". So I got fed up and ran my HP recovery console, completely re-formatted and re-installed back to factory settings. Everything was fine until I got my wireless modem drivers installed and the internet was back up and running. All of a sudden I started seeing some of the same old processes in my Task Manager. Several instances of 'f1ku.exe' and my CPU usage was back up to around 60-70%. So I got to thinking, I had some of my drivers loaded onto a flash drive and had transferred them to the newly restored hard drive. Could that have been the problem? That some of the files on my flash drive were infected? I'm on my roommate's laptop right now scanning it for threats with Trend Micro Titanium.

Anyhow, I've formatted again and set up Windows. Only this time I have NOT connected my flash drive, installed my modem drivers and even plugged in my USB modem. So far no problems. I will let you know if the 'Virut' problem persists after all is said and done. :)

EDIT: The problem persists. It seems that every time I install my modem drivers (from the factory disc) and my PC connects to the internet, then 'f1ku.exe's and other patching virus processes start almost immediately. I still am not able to run ComboFix. I just formatted my Flash Drive and am going to download Kaspersky to it and run it on the infected PC in Safe Mode.

Edited by Chief Bigblunts, 15 November 2011 - 05:34 PM.

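The reinfection-after-reinstall described in the post above is the classic removable-media loop, and the ComboFix run later in the thread lists G:\Autorun.inf among its deletions. The following added example (not from the thread, from ComboFix or from any vendor tool) parses an Autorun.inf the way a responder would inspect one before plugging a drive into a rebuilt machine: it pulls out every directive that launches something and flags the tells of a worm-written file. Windows XP of that period honoured Autorun.inf on USB drives, so an open= line is offered or executed on insertion and shell\<verb>\command entries replace what Explorer does on double-click or Explore. Both sample files are constructed; the RECYCLER path and u.exe are placeholders, not names from the thread.

```python
"""Inspect an Autorun.inf from removable media before trusting the drive.

Added example for this thread; not from the thread, ComboFix or a vendor tool.
Both samples below are constructed; the paths in them are placeholders.
"""
from typing import Dict, List, Set

# Folders Explorer hides by default; a launch target under one of these is a
# classic worm hiding spot (assumption of this example).
HIDDEN_HOMES = ("recycler", "system volume information", "$recycle.bin")
# Verbs Explorer itself runs on double-click / right-click > Explore.
EXPLORER_VERBS = ("open", "explore")

VENDOR_DISC = r"""
[autorun]
open=setup.exe
icon=setup.exe,0
label=Wireless Adapter Install
"""

WORM_STYLE = r"""
[AutoRun]
;comment line
{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{
open=RECYCLER\S-1-5-21-0\u.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-0\u.exe
shell\explore\command=RECYCLER\S-1-5-21-0\u.exe
shell=open
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lower-cased.

    Hand-rolled rather than configparser so that junk lines, which worms pad
    the file with, are skipped instead of aborting the parse.
    """
    section = None
    keys: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        keys[key.strip().lower()] = value.strip()
    return keys


def launch_commands(keys: Dict[str, str]) -> Dict[str, str]:
    """Every directive that names something to execute, keyed by directive."""
    cmds = {k: v for k, v in keys.items() if k in ("open", "shellexecute")}
    cmds.update({k: v for k, v in keys.items()
                 if k.startswith("shell\\") and k.endswith("\\command")})
    return cmds


def assess(text: str) -> Dict[str, object]:
    """Launch directives plus the indicators that mark a worm-written file."""
    keys = parse_autorun(text)
    cmds = launch_commands(keys)
    indicators: Set[str] = set()
    for directive, cmd in cmds.items():
        if any(h in cmd.lower() for h in HIDDEN_HOMES):
            indicators.add("payload lives in a folder Explorer hides by default")
        verb = directive.split("\\")[1] if directive.startswith("shell\\") else None
        if verb in EXPLORER_VERBS:
            indicators.add(f"Explorer's {verb} action is overridden, so a double-click "
                           "runs the payload even with AutoRun off")
    default_verb = keys.get("shell", "").lower()
    if default_verb and f"shell\\{default_verb}\\command" in cmds:
        indicators.add(f"default verb redirected to shell\\{default_verb}\\command")
    return {"launches": cmds, "indicators": sorted(indicators)}


if __name__ == "__main__":
    for label, sample in (("vendor disc", VENDOR_DISC), ("worm style", WORM_STYLE)):
        result = assess(sample)
        print(label, "launches:", result["launches"])
        for ind in result["indicators"]:
            print("   !", ind)
```

A clean Autorun.inf does not clear the drive for the file infector the user suspects: the driver installers copied across are the other carrier, so hash them against the vendor's originals or re-download them on a clean machine rather than reusing the flash drive's copies.
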

#13 Chief Bigblunts
  • Topic Starter
  • Members
  • 20 posts

Posted 15 November 2011 - 10:14 PM

I was able to get Kaspersky to run, but the log file is something like 14.5 MB, so I'm having trouble posting it for some reason. Should I compress and attach it?

EDIT: Also, although my computer seems to be working much better, it still seems to have some problems. Another one has sprung up. Everything I search for on Google gets re-directed to a website called 'www.funssearch.net'. :/

EDIT2: One more thing to add: my internet connection is still horrendously slow.

Edited by Chief Bigblunts, 15 November 2011 - 11:08 PM.


#14 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 November 2011 - 09:21 AM

Hello

I would like you to download an updated version of combofix.

update combofix

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#15 Chief Bigblunts
  • Topic Starter
  • Members
  • 20 posts

Posted 16 November 2011 - 12:34 PM

I must say that my computer seems to be doing MUCH better now that I've run Kaspersky and ComboFix. :)

Here's my ComboFix log:

ComboFix 11-11-15.06 - HP_Administrator 11/15/2011 22:26:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.627 [GMT -6:00]
Running from: L:\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\common.data
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Application Data\auditpol.dll
c:\documents and settings\HP_Administrator\Application Data\auditpol.exe
c:\documents and settings\HP_Administrator\Application Data\Axzaki\occuud.exe
c:\documents and settings\HP_Administrator\Application Data\MouseDriver.bat
c:\documents and settings\HP_Administrator\Application Data\oemfpc.dat
c:\documents and settings\HP_Administrator\Application Data\updates
c:\documents and settings\HP_Administrator\Application Data\Uwgeeh
c:\documents and settings\HP_Administrator\Application Data\Uwgeeh\acqu.exe
c:\documents and settings\HP_Administrator\Application Data\Uwgeeh\o.d
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\WINDOWS
c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
c:\program files\HP DigitalMedia Archive\DMAScheduler.exe
c:\program files\HP\HP Software Update\HPwuSchd2.exe
c:\program files\Messenger\msmsgs.exe
c:\windows\cftnom.bat
c:\windows\cftnom.exe
c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
c:\windows\SMINST\RECGUARD.EXE
c:\windows\system32\cftmon.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\scvhost.exe
c:\windows\system32\User.ini
G:\Autorun.inf
.
Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\a4a9ccd1806461c53ce89bdd6f4591bf\backup\sp2qfe\spoolsv.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MOUSEDRIVER
-------\Legacy_SYSTEM_UPDATER
-------\Legacy_WMOPTIMIZER
-------\Service_MouseDriver
-------\Service_System Updater
-------\Service_WMOptimizer
.
.
((((((((((((((((((((((((( Files Created from 2011-10-16 to 2011-11-16 )))))))))))))))))))))))))))))))
.
.
2011-11-16 03:49 . 2011-11-16 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-16 03:49 . 2011-11-16 03:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-16 03:49 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-15 22:18 . 2011-11-15 22:18 0 ----a-w- c:\windows\system32\drivers\jcklwhxs.sys
2011-11-15 22:18 . 2011-11-15 22:18 -------- d-----w- c:\program files\Belkin
2011-11-15 22:18 . 2011-11-15 22:18 -------- d-----w- c:\windows\{7EBEACC7-A0C9-4DA4-9A63-3DC7D244B051}
2011-11-15 21:27 . 2011-11-16 04:57 -------- d-----w- c:\documents and settings\HP_Administrator
2011-11-15 21:23 . 2004-08-04 06:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-11-15 21:23 . 2004-08-04 08:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-11-15 21:23 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-11-15 21:23 . 2001-08-17 22:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-11-15 21:23 . 2004-08-04 07:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-11-15 20:42 . 2011-11-15 20:53 -------- d-----r- c:\documents and settings\All Users\Documents
2011-11-15 20:37 . 2011-11-15 20:52 -------- d-sh--r- c:\windows\system32\dllcache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-15 23:22 . 2004-08-10 04:00 284160 ----a-w- c:\windows\winhlp32.exe
2011-11-15 23:22 . 2004-08-10 04:00 30720 ----a-w- c:\windows\system32\xcopy.exe
2011-11-15 23:22 . 2004-08-10 04:00 32256 ----a-w- c:\windows\system32\wupdmgr.exe
2011-11-15 23:22 . 2004-08-10 04:00 165888 ----a-w- c:\windows\system32\wuauclt1.exe
2011-11-15 23:22 . 2004-08-10 04:00 118784 ----a-w- c:\windows\system32\wscript.exe
2011-11-15 23:22 . 2004-08-10 04:00 218112 ----a-w- c:\windows\system32\wbem\wmiprvse.exe
2011-11-15 23:22 . 2004-08-10 04:00 119808 ----a-w- c:\windows\system32\winmine.exe
2011-11-15 23:22 . 2004-08-10 04:00 196608 ----a-w- c:\windows\system32\wbem\wmiadap.exe
2011-11-15 23:22 . 2006-08-11 14:15 28672 ----a-w- c:\windows\system32\verclsid.exe
2011-11-15 23:22 . 2004-08-10 04:00 51200 ----a-w- c:\windows\system32\utilman.exe
2011-11-15 23:22 . 2004-08-10 11:00 347136 ----a-w- c:\windows\system32\tourstart.exe
2011-11-15 23:22 . 2004-08-10 04:00 24576 ----a-w- c:\windows\system32\userinit.exe
2011-11-15 23:22 . 2004-08-10 04:00 135680 ----a-w- c:\windows\system32\taskmgr.exe
2011-11-15 23:22 . 2004-08-10 04:00 57856 ----a-w- c:\windows\system32\sol.exe
2011-11-15 23:22 . 2004-08-10 04:00 538624 ----a-w- c:\windows\system32\spider.exe
2011-11-15 23:22 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\shmgrate.exe
2011-11-15 23:22 . 2004-08-10 04:00 139776 ----a-w- c:\windows\system32\sndvol32.exe
2011-11-15 23:22 . 2004-08-10 04:00 132608 ----a-w- c:\windows\system32\sndrec32.exe
2011-11-15 23:22 . 2004-08-10 04:00 141824 ----a-w- c:\windows\system32\sessmgr.exe
2011-11-15 23:22 . 2004-08-10 04:00 31744 ----a-w- c:\windows\system32\sc.exe
2011-11-15 23:22 . 2004-08-10 04:00 14848 ----a-w- c:\windows\system32\runonce.exe
2011-11-15 23:22 . 2004-08-10 04:00 33280 ----a-w- c:\windows\system32\rundll32.exe
2011-11-15 23:22 . 2004-08-10 04:00 50688 ----a-w- c:\windows\system32\reg.exe
2011-11-15 23:22 . 2004-08-10 04:00 35840 ----a-w- c:\windows\system32\rcimlby.exe
2011-11-15 23:22 . 2004-08-10 04:00 11776 ----a-w- c:\windows\system32\regsvr32.exe
2011-11-15 23:22 . 2004-08-10 04:00 37888 ----a-w- c:\windows\system32\powercfg.exe
2011-11-15 23:22 . 2004-08-10 04:00 216064 ----a-w- c:\windows\system32\osk.exe
2011-11-15 23:22 . 2006-08-11 14:21 1519616 ----a-w- c:\windows\system32\nwiz.exe
2011-11-15 23:22 . 2004-08-10 04:00 32768 ----a-w- c:\windows\system32\odbcad32.exe
2011-11-15 23:22 . 2006-08-11 14:21 131072 ----a-w- c:\windows\system32\nvsvc32.exe
2011-11-15 23:22 . 2004-08-10 04:00 419840 ----a-w- c:\windows\system32\ntvdm.exe
2011-11-15 23:22 . 2004-08-10 04:00 69120 ----a-w- c:\windows\system32\notepad.exe
2011-11-15 23:22 . 2004-08-10 04:00 1200128 ----a-w- c:\windows\system32\ntbackup.exe
2011-11-15 23:22 . 2004-08-10 04:00 86528 ----a-w- c:\windows\system32\netsh.exe
2011-11-15 23:22 . 2004-08-10 04:00 42496 ----a-w- c:\windows\system32\net.exe
2011-11-15 23:22 . 2004-08-10 04:00 125440 ----a-w- c:\windows\system32\net1.exe
2011-11-15 23:22 . 2004-08-10 04:00 54272 ----a-w- c:\windows\system32\narrator.exe
2011-11-15 23:22 . 2004-08-10 04:00 407552 ----a-w- c:\windows\system32\mstsc.exe
2011-11-15 23:22 . 2004-08-10 04:00 78848 ----a-w- c:\windows\system32\msiexec.exe
2011-11-15 23:22 . 2004-08-10 04:00 344064 ----a-w- c:\windows\system32\mspaint.exe
2011-11-15 23:22 . 2004-08-10 04:00 6656 ----a-w- c:\windows\system32\msdtc.exe
2011-11-15 23:22 . 2004-08-10 04:00 29184 ----a-w- c:\windows\system32\mshta.exe
2011-11-15 23:22 . 2004-08-10 04:00 126976 ----a-w- c:\windows\system32\mshearts.exe
2011-11-15 23:22 . 2004-08-10 04:00 143872 ----a-w- c:\windows\system32\mobsync.exe
2011-11-15 23:22 . 2004-08-10 04:00 72704 ----a-w- c:\windows\system32\magnify.exe
2011-11-15 23:22 . 2004-08-10 04:00 514560 ----a-w- c:\windows\system32\logonui.exe
2011-11-15 23:22 . 2004-08-10 04:00 220672 ----a-w- c:\windows\system32\logon.scr
2011-11-15 23:22 . 2006-08-11 14:24 11264 ----a-w- c:\windows\system32\fxssend.exe
2011-11-15 23:22 . 2004-08-10 04:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2011-11-15 23:22 . 2006-08-11 14:24 229376 ----a-w- c:\windows\system32\fxscover.exe
2011-11-15 23:22 . 2004-08-10 04:00 9728 ----a-w- c:\windows\system32\find.exe
2011-11-15 23:22 . 2004-08-10 04:00 55808 ----a-w- c:\windows\system32\freecell.exe
2011-11-15 23:22 . 2004-08-10 04:00 180224 ----a-w- c:\windows\system32\dwwin.exe
2011-11-15 23:22 . 2004-08-10 04:00 46080 ----a-w- c:\windows\system32\drwtsn32.exe
2011-11-15 23:21 . 2004-08-10 04:00 25088 ----a-w- c:\windows\system32\defrag.exe
2011-11-15 23:21 . 2004-08-10 04:00 102400 ----a-w- c:\windows\system32\cscript.exe
2011-11-15 23:21 . 2004-08-10 04:00 80896 ----a-w- c:\windows\system32\charmap.exe
2011-11-15 23:21 . 2004-08-10 04:00 64512 ----a-w- c:\windows\system32\cleanmgr.exe
2011-11-15 23:21 . 2004-08-10 04:00 388608 ----a-w- c:\windows\system32\cmd.exe
2011-11-15 23:21 . 2004-08-10 04:00 115712 ----a-w- c:\windows\system32\calc.exe
2011-11-15 23:21 . 2004-08-10 04:00 11264 ----a-w- c:\windows\system32\attrib.exe
2011-11-15 23:21 . 2004-08-10 04:00 44544 ----a-w- c:\windows\system32\alg.exe
2011-11-15 23:21 . 2004-08-10 04:00 183808 ----a-w- c:\windows\system32\accwiz.exe
2011-11-15 23:21 . 2006-08-11 14:08 52736 ----a-w- c:\windows\system\hpsysdrv.exe
2011-11-15 23:21 . 2006-08-11 14:18 16241152 ----a-w- c:\windows\RTHDCPL.EXE
2011-11-15 23:21 . 2004-08-10 11:00 146944 ------w- c:\windows\regedit.exe
2011-11-15 23:21 . 2004-08-10 04:00 768512 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpCtr.exe
2011-11-15 23:21 . 2006-08-11 14:20 307712 ----a-w- c:\windows\IsUninst.exe
2011-11-15 23:20 . 2004-08-10 04:00 11264 ----a-w- c:\windows\hh.exe
2011-11-15 23:20 . 2006-08-11 14:20 1081344 ----a-w- c:\windows\help\SBSI\Training\orun32.exe
2011-11-15 23:20 . 2005-08-03 06:19 77312 ----a-w- c:\windows\arpwrmsg.exe
2011-11-15 23:20 . 2005-08-03 06:19 59392 ----a-w- c:\windows\arservice.exe
2011-11-15 23:20 . 2006-08-11 14:18 69632 ----a-w- c:\windows\ALCMTR.EXE
2011-11-15 23:17 . 2004-08-10 04:00 1032704 ----a-w- c:\windows\explorer.exe
2011-11-05 06:53 . 2011-11-15 23:38 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-11-15 . 5894A3E7213B4D60050BCB38DBE0B1C4 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe
[7] 2004-08-10 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\userinit.exe
.
[-] 2011-11-15 . 10595371D23DE54A34BA93FBBC8AB92F . 1032704 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\explorer.exe
[-] 2011-11-15 . D22C62930B78938C625ACEFB1F118BE9 . 1032704 . . [6.00.2900.2180] . . c:\windows\explorer.exe
.
[-] 2011-11-15 . FB43ABC373D8B53A453A2F70E7FEB1D5 . 146944 . . [5.1.2600.2180] . . c:\windows\regedit.exe
[7] 2004-08-10 . 783AFC80383C176B22DBF8333343992D . 146432 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\regedit.exe
[7] 2004-08-09 . 783AFC80383C176B22DBF8333343992D . 146432 . . [5.1.2600.2180] . . c:\windows\I386\REGEDIT.EXE
.
[7] 2004-08-10 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2011-11-15 68096]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2011-11-15 16241152]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2011-11-15 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2011-11-15 1519616]
"PCDrProfiler"="c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe" [2011-11-15 57344]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-8-11 40960]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-11 27648]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-11 27648]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"Shell"= explorer.exe,rundll32 ,init
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/15/2011 9:49 PM 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/15/2011 9:49 PM 22216]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [7/8/2010 3:09 PM 606056]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-15 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 23:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
Trusted Zone: trymedia.com
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\3kfk4z9s.default\
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-{5EADCF0D-249C-D141-5D6E-A4C30898D565} - c:\documents and settings\HP_Administrator\Application Data\Axzaki\occuud.exe
HKCU-Run-{6FE4BD7E-8DE8-34FF-91CE-ED9019D773B4} - c:\documents and settings\HP_Administrator\Application Data\Uwgeeh\acqu.exe
HKCU-Run-auditpol - c:\documents and settings\HP_Administrator\Application Data\auditpol.exe
HKCU-Run-System Intrusive - c:\program files\Common Files\Symantec Shared\Options\msuplog.dll
HKCU-Run-System Cleanup - c:\windows\system32\winsett.exe
HKCU-Run-Windows Defragment - c:\windows\winsett.exe
HKLM-Run-DMAScheduler - c:\program files\HP DigitalMedia Archive\DMAScheduler.exe
HKLM-Run-Recguard - c:\windows\SMINST\RECGUARD.EXE
HKLM-Run-HPBootOp - c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPwuSchd2.exe
HKLM-Run-auditpol - c:\documents and settings\HP_Administrator\Application Data\auditpol.exe
HKLM-Run-Windows Defragment - c:\windows\winsett.exe
HKLM-Run-System Cleanup - c:\windows\system32\winsett.exe
HKU-Default-Run-System Intrusive - c:\windows\system32\1031\etperfms.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-15 23:03
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2011-11-15 23:07:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-16 05:07
.
Pre-Run: 230,376,574,976 bytes free
Post-Run: 230,324,322,304 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 909C418897ADCFCC6C1EDE359A0C6893



