Searchprotocolhost growing cpu usage


  • This topic is locked
4 replies to this topic

#1 S3curityPlu5

S3curityPlu5

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 12 March 2012 - 06:52 PM

MOD EDIT: MOVED to Virus,Trojan and Malware Removal Logs ~~boopme

Hey guys, I have been doing pretty well battling malware for the last year. On a Windows 7 64-bit HP laptop, I have ESET Smart Security and I'm behind a router; I also use Spybot and Malwarebytes to check out the system on a regular basis. I have this problem recently where the Windows Search service seems to constantly increase CPU usage until my memory is low. I have 8 GB of RAM installed and I have just disabled all indexing and the Windows Search service. However, I would like to be able to enable the indexing again, and I feel like there might be some malware that is evading Malwarebytes and ESET. I noticed that when I downloaded the GMER rootkit revealer and some NirSoft utilities last week this began to happen. I have heard that NirSoft tools are safe, so I downloaded a bunch of them to check out my registry, and since then I have had this CPU process and memory problem. I have run HijackThis but I don't see anything super different about my log. I would like to post my log somewhere and have some more people check it out. I have not run ComboFix yet. Thanks

Here's the DDS log.
Since I have a 64-bit OS I did not run GMER again; ask if I should include the GMER log.
Thanks in advance
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.1.0
Run by James at 19:59:50 on 2012-03-12
.
============== Running Processes ===============
.
C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\eEye Digital Security\SyncIt\Scheduler\eEyeUpdateSchedulerSvc.exe
C:\Program Files (x86)\Common Files\eEye Digital Security\SyncIt\eEyeUpdateSvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Realtek\RTL8187 Wireless LAN Utility\RtlService.exe
C:\Program Files (x86)\eEye Digital Security\Retina 5\Scanner\RetinaEngine.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Realtek\RTL8187 Wireless LAN Utility\RtWlan.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files (x86)\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Users\James\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
uInternet Settings,ProxyServer = 127.0.0.1:8834
mURLSearchHooks: ZoneAlarm Extreme Security Toolbar: {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} - C:\Program Files (x86)\ZoneAlarm_Extreme_Security\prxtbZone.dll
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - C:\Program Files (x86)\LastPass\LPBar.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
TB: {FEEA54B4-D80F-41C7-87B9-DC08E6D3255F} - No File
uPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
Trusted Zone: google.com
Trusted Zone: hotmail.com
Trusted Zone: qualys.com
Trusted Zone: twitter.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D} - hxxps://browsercheck.qualys.com/qbc_ax.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
TCP: Interfaces\{2AC0AE8F-200F-455A-8D45-95FBD1478722} : DhcpNameServer = 192.168.1.1 68.237.161.12
TCP: Interfaces\{E9C8A165-6487-43D8-AF5A-55CBA01383B6} : DhcpNameServer = 192.168.1.1 68.237.161.12
TCP: Interfaces\{E9C8A165-6487-43D8-AF5A-55CBA01383B6}\C483054433 : DhcpNameServer = 192.168.1.1 68.237.161.12
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
IFEO: taskmgr.exe - "C:\USERS\JAMES\DOWNLOADS\PROGRAMS\PROCESS EXPLORER\PROCEXP.EXE"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: LastPass Browser Helper Object: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll
BHO-X64: LastPass Browser Helper Object - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
TB-X64: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar.dll
TB-X64: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
TB-X64: {FEEA54B4-D80F-41C7-87B9-DC08E6D3255F} - No File
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
IFEO-X64: taskmgr.exe - "C:\USERS\JAMES\DOWNLOADS\PROGRAMS\PROCESS EXPLORER\PROCEXP.EXE"
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\3u6py5bu.default\
FF - plugin: C:\metasploit\java\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\James\AppData\Roaming\Mozilla\plugins\npatgpc.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64
R? cpuz134;cpuz134
R? esihdrv;esihdrv
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service
R? netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit
R? osppsvc;Office Software Protection Platform
R? PEEK5A64;PEEK5 Protocol Driver
R? PROCEXP151;PROCEXP151
R? PSI;PSI
R? PSMounter;Macrium Reflect Image Explorer Service
R? PSSDK42;PSSDK42
R? Revoflt;Revoflt
R? RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader
R? Secunia PSI Agent;Secunia PSI Agent
R? SrvHsfHDA;SrvHsfHDA
R? SrvHsfV92;SrvHsfV92
R? SrvHsfWinac;SrvHsfWinac
R? TsUsbFlt;TsUsbFlt
R? VBoxUSB;VirtualBox USB
R? WatAdminSvc;Windows Activation Technologies Service
R? WMZuneComm;Zune Windows Mobile Connectivity Service
R? yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller
S? AdobeARMservice;Adobe Acrobat Update Service
S? AdvancedSystemCareService5;Advanced SystemCare Service 5
S? AERTFilters;Andrea RT Filters Service
S? AMD External Events Utility;AMD External Events Utility
S? AMD FUEL Service;AMD FUEL Service
S? amd_sata;amd_sata
S? amd_xata;amd_xata
S? amdiox64;AMD IO Driver
S? amdkmdag;amdkmdag
S? amdkmdap;amdkmdap
S? AODDriver4.01;AODDriver4.01
S? AtiHDAudioService;ATI Function Driver for HD Audio Service
S? clwvd;CyberLink WebCam Virtual Driver
S? eamonm;eamonm
S? eEyeUpdateSchedulerSvc;eEye Update Scheduler Service
S? eEyeUpdateSvc;eEye Update Service
S? ekrn;ESET Service
S? EpfwLWF;Epfw NDIS LightWeight Filter
S? epfwwfp;epfwwfp
S? HP Wireless Assistant Service;HP Wireless Assistant Service
S? HPWMISVC;HPWMISVC
S? MBAMProtector;MBAMProtector
S? MBAMService;MBAMService
S? nm3;Microsoft Network Monitor 3 Driver
S? Realtek87B;Realtek87B
S? ReflectService.exe;Macrium Reflect Image Mounting Service
S? RET55a64;RET55a64 NDIS Protocol Driver
S? RTL8167;Realtek 8167 NT Driver
S? RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
S? RtVOsdService;RtVOsdService Installer
S? SBSDWSCService;SBSD Security Center Service
S? SeagateDashboardService;Seagate Dashboard Service
S? Secunia Update Agent;Secunia Update Agent
S? usbfilter;AMD USB Filter Driver
S? vwififlt;Virtual WiFi Filter Driver
.
=============== Created Last 30 ================
.
2012-03-12 03:22:09 -------- d-----w- C:\Users\James\AppData\Local\{114CDF7B-8474-4E94-A735-6C0EFB2FCB8E}
2012-03-12 03:21:56 -------- d-----w- C:\Users\James\AppData\Local\{35F3F5F2-6589-4F4B-9E3F-3DDB62124B3E}
2012-03-11 05:42:11 388096 ----a-r- C:\Users\James\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-10 12:14:26 -------- d-----w- C:\Users\James\AppData\Local\{E0DA691D-8173-4299-8821-04E349ADA3F7}
2012-03-10 12:14:12 -------- d-----w- C:\Users\James\AppData\Local\{15369C0A-42E4-4A92-BC53-54A3EAA7E997}
2012-03-09 16:06:39 -------- d-----w- C:\Program Files\SearchGBY
2012-03-09 00:00:31 -------- d-----w- C:\Program Files (x86)\Blighty Design
2012-03-08 20:14:38 -------- d-----w- C:\Program Files\Josip Medved
2012-03-08 17:12:48 -------- d-----w- C:\Users\James\AppData\Local\{E1DB66BA-E7CA-4E0F-B75C-0125CF385633}
2012-03-08 17:12:30 -------- d-----w- C:\Users\James\AppData\Local\{41DD2F47-280E-41F5-8E1B-20E57FA5400A}
2012-03-08 16:40:47 -------- d-----w- C:\Program Files\Windows Imaging
2012-03-08 16:40:06 -------- d-----w- C:\Program Files\Windows AIK
2012-03-08 13:38:10 -------- d-----w- C:\Users\James\AppData\Roaming\AllDup
2012-03-08 13:37:28 450560 ----a-w- C:\Windows\SysWow64\fldrvw90.ocx
2012-03-08 13:37:28 1000992 ----a-w- C:\Windows\SysWow64\TList8.ocx
2012-03-08 13:37:28 -------- d-----w- C:\ProgramData\AllDup
2012-03-08 13:37:27 89888 ----a-w- C:\Windows\SysWow64\mtFrame.ocx
2012-03-08 13:37:27 86016 ----a-w- C:\Windows\SysWow64\mtSplitter.ocx
2012-03-08 13:37:27 77504 ----a-w- C:\Windows\SysWow64\mtScrollContainer.ocx
2012-03-08 13:37:27 44736 ----a-w- C:\Windows\SysWow64\mtSubclass.dll
2012-03-08 13:37:27 2369456 ----a-w- C:\Windows\SysWow64\Codejock.CommandBars.v13.4.2.ocx
2012-03-08 13:37:27 171752 ----a-w- C:\Windows\SysWow64\mtRTF2.ocx
2012-03-08 13:37:10 -------- d-----w- C:\Program Files (x86)\AllDup
2012-03-06 18:44:10 -------- d-----w- C:\Program Files\MiMedia LLC
2012-03-06 17:51:11 -------- d-----w- C:\ProgramData\Macrium
2012-03-06 17:50:29 -------- d-----w- C:\Program Files\Macrium
2012-03-06 12:15:26 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-06 10:13:50 -------- d-----w- C:\HP_TOOLS_mountHPSF
2012-03-06 01:18:08 -------- d-----w- C:\ProgramData\{A8DA1505-E615-42BB-BB77-74D5CC91FE7E}
2012-03-05 09:59:28 -------- d-----w- C:\Users\James\AppData\Local\IsolatedStorage
2012-03-05 09:59:07 -------- d-----w- C:\Users\James\AppData\Roaming\Quest Software
2012-03-05 09:59:04 -------- d-----w- C:\Users\James\AppData\Local\Quest Software
2012-03-05 09:45:38 -------- d-----w- C:\Program Files (x86)\PowerGUI
2012-03-04 19:32:19 -------- d-----w- C:\Users\James\AppData\Local\{6283E706-D6D0-40AF-A6F5-206D4B89122F}
2012-03-04 19:31:58 -------- d-----w- C:\Users\James\AppData\Local\{9F9AA3CA-50BE-42D5-91FF-211E50AE3504}
2012-03-04 02:31:41 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-03 19:51:56 -------- d-----w- C:\Users\James\AppData\Local\{751D6541-A63D-40BB-B638-891278A438FB}
2012-03-03 19:51:34 -------- d-----w- C:\Users\James\AppData\Local\{E4440085-7B6D-4F0A-8C3A-CD1A5613784C}
2012-03-03 02:46:03 -------- d-----w- C:\Users\James\AppData\Local\{67173AEA-AF96-4BDE-A6C3-0FF72023B331}
2012-03-03 02:45:41 -------- d-----w- C:\Users\James\AppData\Local\{5AAD2CE9-3C29-4B9A-B033-4E5549688836}
2012-03-01 15:24:45 -------- d-----w- C:\Virtual
2012-03-01 11:23:58 -------- d-----w- C:\Users\James\AppData\Local\{A30674D8-117A-4D2A-8BA0-1CDA1699B7D9}
2012-03-01 11:23:37 -------- d-----w- C:\Users\James\AppData\Local\{59B0B625-1DE0-4963-8CE2-307981302E44}
2012-02-29 19:04:08 -------- d-----w- C:\Users\James\AppData\Local\{3B37EA8E-1E1F-4515-915F-A85A4ECEE69D}
2012-02-29 19:03:46 -------- d-----w- C:\Users\James\AppData\Local\{58AE58C1-2626-40DD-9CBA-9E4FE59C0737}
2012-02-29 01:11:39 -------- d-----w- C:\Users\James\AppData\Local\{431C0C10-97DB-4EC9-BE46-5565BCFA18D4}
2012-02-29 01:11:17 -------- d-----w- C:\Users\James\AppData\Local\{50F05FA6-CF47-42E9-B884-A776CF07163A}
2012-02-27 04:10:29 -------- d-----w- C:\Users\James\AppData\Local\{B66FFDE8-B687-4171-8C3A-38F19DD7CBC0}
2012-02-27 04:10:08 -------- d-----w- C:\Users\James\AppData\Local\{8E6BF52F-D455-4EDB-9A46-18250068485C}
2012-02-26 16:09:44 -------- d-----w- C:\Users\James\AppData\Local\{BCDBCFD8-A686-46D4-8D03-03A6DF2B00BF}
2012-02-26 16:09:22 -------- d-----w- C:\Users\James\AppData\Local\{F05A344B-35DE-45C4-A5CC-E3D3F5395C19}
2012-02-26 04:09:09 -------- d-----w- C:\Users\James\AppData\Local\{BF2E3512-BE45-4BBF-8327-4204D1422AC2}
2012-02-26 04:08:48 -------- d-----w- C:\Users\James\AppData\Local\{4568FA18-E8D6-4C56-B55C-D94D50758138}
2012-02-25 23:52:21 -------- d-----w- C:\Users\James\AppData\Local\{B0062274-EC5D-4EFB-847A-2E6A5BF72DBD}
2012-02-25 06:14:39 -------- d-----w- C:\Users\James\AppData\Local\{A36A3C4D-32F0-4A9F-BA55-2C92D874E635}
2012-02-24 18:13:55 -------- d-----w- C:\Users\James\AppData\Local\{9D527AE2-ABD1-4FC6-B8A4-EAEC52B25D73}
2012-02-24 18:13:33 -------- d-----w- C:\Users\James\AppData\Local\{70DF1954-871A-42FE-A27E-69B403659936}
2012-02-24 17:42:33 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-02-24 17:42:33 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-02-23 20:02:13 -------- d-----w- C:\Users\James\AppData\Local\{203D9B2F-6257-4CD3-8665-7CF49B680E8D}
2012-02-23 20:02:01 -------- d-----w- C:\Users\James\AppData\Local\{CE5B5F77-D7CA-4F95-B962-CF1BEF406144}
2012-02-23 01:19:35 -------- d-----w- C:\Users\James\AppData\Local\{C8716FDC-5A45-46B0-BC36-C34E4E60E212}
2012-02-23 01:19:15 -------- d-----w- C:\Users\James\AppData\Local\{32BC8240-7BA5-4E4B-AB3A-023773021D6C}
2012-02-22 13:18:42 -------- d-----w- C:\Users\James\AppData\Local\{E64E6B9B-C46F-4C3E-8E59-1346EB621E99}
2012-02-22 13:18:28 -------- d-----w- C:\Users\James\AppData\Local\{7A64B66A-01D8-4743-9595-427D2B10723D}
2012-02-21 19:35:48 -------- d-----w- C:\Users\James\AppData\Local\{78DE0661-D743-43E1-B4F2-1946FF8D7051}
2012-02-21 19:35:23 -------- d-----w- C:\Users\James\AppData\Local\{FC1A134D-7BA3-4B2A-835D-353D7B9FE8C9}
2012-02-21 06:14:35 -------- d-----w- C:\Users\James\AppData\Local\{45249ABB-C2D2-4EB6-A3B8-82C2D3959D44}
2012-02-21 06:14:12 -------- d-----w- C:\Users\James\AppData\Local\{5D754001-4229-4198-AD92-251731A10174}
2012-02-21 05:58:01 -------- d-----w- C:\Users\James\AppData\Local\{D499F982-BB1E-457D-A140-F1895D774207}
2012-02-21 05:38:36 -------- d-----w- C:\Users\James\AppData\Local\{4EDB7C3A-9B41-41EE-8A3B-4F9E29931A87}
2012-02-21 05:38:10 -------- d-----w- C:\Users\James\AppData\Local\{C5175E77-F842-40BF-BFD5-1A240B6B4CBB}
2012-02-21 05:24:54 -------- d-----w- C:\Users\James\AppData\Roaming\DMCache
2012-02-20 23:19:26 13464 ----a-w- C:\Windows\System32\drivers\PSVolAcc.sys
2012-02-20 23:19:18 43672 ----a-w- C:\Windows\System32\drivers\psmounter.sys
2012-02-20 16:25:41 0 ----a-w- C:\Windows\SysWow64\REN2199.tmp
2012-02-20 16:25:41 0 ----a-w- C:\Windows\SysWow64\REN2198.tmp
2012-02-20 16:25:41 0 ----a-w- C:\Windows\SysWow64\REN2197.tmp
2012-02-20 16:25:16 0 ----a-w- C:\Windows\SysWow64\RENC064.tmp
2012-02-20 16:25:16 0 ----a-w- C:\Windows\SysWow64\RENC063.tmp
2012-02-20 16:25:16 0 ----a-w- C:\Windows\SysWow64\RENC062.tmp
2012-02-20 16:01:38 -------- d-----w- C:\Users\James\AppData\Local\{BD491834-7394-4441-95FE-4AAB2B7E7411}
2012-02-20 16:01:22 -------- d-----w- C:\Users\James\AppData\Local\{CCAD5158-E43A-4BEC-835D-3C5EBB4BF856}
2012-02-19 13:58:20 -------- d-----w- C:\Users\James\AppData\Local\{0829CCD5-CBD4-486A-B726-974B906989AB}
2012-02-19 13:57:57 -------- d-----w- C:\Users\James\AppData\Local\{13DC9669-A228-45F4-9D70-A8DEB6238BC8}
2012-02-19 13:50:35 -------- d-----w- C:\Users\James\AppData\Local\MetaGeek,_LLC
2012-02-19 13:12:53 -------- d-----w- C:\Users\James\AppData\Roaming\WildPackets
2012-02-18 18:00:20 -------- d-----w- C:\Users\James\AppData\Local\{F4460B6E-0C58-4EFA-91E6-6A71132A87D1}
2012-02-18 17:59:36 -------- d-----w- C:\Users\James\AppData\Local\{0C5DD3A0-5B87-4109-9E85-E6F0F18B4E57}
2012-02-18 17:26:23 -------- d-----w- C:\Users\James\AppData\Local\{BE007588-82C2-462F-8240-AE6F1C99B808}
2012-02-18 17:17:46 614400 ----a-w- C:\Windows\SysWow64\Rtlihvs.dll
2012-02-18 17:17:46 380928 ----a-w- C:\Windows\RtlUI2.exe
2012-02-18 17:17:46 188416 ----a-w- C:\Windows\SysWow64\RTLExtUI.dll
2012-02-18 17:14:26 -------- d-----w- C:\Users\James\AppData\Local\{B966A1E3-A8A1-4C27-9E17-AEF224B89412}
2012-02-18 16:16:18 451072 ----a-w- C:\Windows\SysWow64\ISSRemoveSP.exe
2012-02-18 16:15:29 -------- d-----w- C:\Windows\System32\RtlGina
2012-02-17 15:40:02 -------- d-----w- C:\Users\James\AppData\Local\{E4AF902D-69F6-4CB8-940E-04FFE0FBE454}
2012-02-17 15:39:39 -------- d-----w- C:\Users\James\AppData\Local\{62B60E25-6259-4C6A-A32B-1B3828E552F3}
2012-02-16 05:34:42 -------- d-----w- C:\Users\James\AppData\Local\{034039F0-E750-4823-96E2-8573BD12CD32}
2012-02-16 05:34:20 -------- d-----w- C:\Users\James\AppData\Local\{F58C31F7-4E89-4A88-835C-7BBE9A12E6EB}
2012-02-14 18:54:11 634880 ----a-w- C:\Windows\System32\msvcrt.dll
2012-02-14 18:54:10 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
2012-02-14 18:54:10 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
2012-02-14 18:54:09 515584 ----a-w- C:\Windows\System32\timedate.cpl
2012-02-14 18:54:09 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2012-02-14 18:54:08 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-02-14 18:53:55 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-02-14 18:53:55 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2012-02-14 15:11:06 -------- d-----w- C:\Users\James\AppData\Local\{D01FDBF5-DA66-44C4-B3C1-95C6C0C3A47F}
2012-02-14 15:10:42 -------- d-----w- C:\Users\James\AppData\Local\{4AF85BCF-86C6-4F2A-A3CD-882514C38018}
2012-02-13 18:30:33 -------- d-----w- C:\Users\James\AppData\Local\{F00A702A-EC40-44A0-A894-E7BC70AA46E6}
2012-02-13 18:30:11 -------- d-----w- C:\Users\James\AppData\Local\{B62418C0-1FCB-4934-B394-A7985017BB5B}
2012-02-12 16:59:51 -------- d-----w- C:\Users\James\AppData\Local\{E57B4769-5947-4EE7-94A8-7D9B58C7DC81}
2012-02-12 16:59:41 -------- d-----w- C:\Users\James\AppData\Local\{C9C0FE11-67D8-4F26-A114-C7EF015ADD18}
.
==================== Find3M ====================
.
2012-03-09 20:51:52 53312 ----a-w- C:\Windows\System32\drivers\pssdk42.sys
2012-02-20 16:23:19 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2012-02-10 04:18:24 129976 ----a-w- C:\Windows\SysWow64\DeploySupport.dll
2012-02-09 06:08:36 544656 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-02-08 19:55:14 95672 ----a-w- C:\Windows\SysWow64\FileStore.dll
2012-02-08 19:55:14 41912 ----a-w- C:\Windows\SysWow64\seccommutil.dll
2012-02-08 19:55:14 143288 ----a-w- C:\Windows\SysWow64\seccomm.dll
2012-02-08 19:55:12 80312 ----a-w- C:\Windows\SysWow64\eevtc.dll
2012-02-08 19:55:12 183224 ----a-w- C:\Windows\SysWow64\eEyePKI.dll
2012-02-08 19:55:12 120248 ----a-w- C:\Windows\SysWow64\EMSAgent.dll
2012-02-08 00:37:26 252344 ----a-w- C:\Windows\SysWow64\LocalStorage.dll
2012-02-08 00:37:24 325560 ----a-w- C:\Windows\SysWow64\DebugRpt.dll
2012-02-03 17:37:03 0 ----a-w- C:\Users\James\g2mdlhlpx.exe
2012-01-20 04:22:27 88576 ---ha-w- C:\Users\James\AppData\Roaming\rbap550.dll
2012-01-20 04:22:27 29184 ---ha-w- C:\Users\James\AppData\Roaming\RBInternetEncodings550.dll
2012-01-13 12:03:40 724992 ----a-w- C:\Windows\iun6002.exe
2012-01-06 15:25:06 1170 ----a-w- C:\FixitRegBackup.reg
2011-12-19 19:17:21 29480 ----a-w- C:\Windows\SysWow64\msxml3a.dll
2011-12-19 19:17:20 505128 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2011-12-19 19:17:20 353576 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2011-12-19 18:45:22 224048 ----a-w- C:\Windows\System32\drivers\VBoxDrv.sys
2011-12-19 18:45:22 146736 ----a-w- C:\Windows\System32\drivers\VBoxNetAdp.sys
2011-12-19 18:45:22 130864 ----a-w- C:\Windows\System32\drivers\VBoxUSBMon.sys
2011-12-19 18:45:22 117040 ----a-w- C:\Windows\System32\drivers\VBoxUSB.sys
2011-12-19 18:43:54 320816 ----a-w- C:\Windows\System32\VBoxNetFltNobj.dll
2011-12-19 18:43:54 165680 ----a-w- C:\Windows\System32\drivers\VBoxNetFlt.sys
2011-12-16 03:46:26 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-12-16 03:46:24 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-12-14 11:30:49 0 ----a-w- C:\Windows\ativpsrm.bin
2011-12-14 07:11:03 2308096 ----a-w- C:\Windows\System32\jscript9.dll
2011-12-14 07:04:30 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-12-14 07:03:38 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-12-14 06:57:28 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-12-14 03:04:54 1798656 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-12-14 02:56:58 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-12-14 02:50:04 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 20:02:19.11 ===============

Edited by boopme, 12 March 2012 - 07:14 PM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:04 PM

Posted 15 March 2012 - 08:53 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#3 S3curityPlu5

S3curityPlu5
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 15 March 2012 - 10:44 PM

I ran both and there were no problems found. I do not see a problem any more. I have now run 3 programs checking for rootkits and they all found nothing. I found an issue when I ran an sfc /scannow, so perhaps that was my issue. I do not want to post any more logs because I do not feel it is secure to post all my computer insides on here any more unless I am sure there is a problem, and since I have no more issues at this time, please forgive me. If there were a way to securely send my logs in I would, but I don't like the idea of putting every program running on my system on the internet unless it would be erased right away.

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:04 PM

Posted 16 March 2012 - 09:19 AM

Your log cannot be secured.

Personal information such as your name can be changed before you post your log.

Example
C:\Users\John Doe\AppData\Local\{114CDF7B-8474-4E94-A735-6C0EFB2FCB8E}
can be changed to
C:\Users\John XXX\AppData\Local\{114CDF7B-8474-4E94-A735-6C0EFB2FCB8E}
prior to submitting your log.

As for the programs you used, unless it's something created by a company you work for and only used within the organization, you can remove the entry, but I doubt very much that any of the other programs are not already listed on the Internet.

===

I'm leaving it to you if you want to ensure that your computer is clean.
Feel free to post the results of these scans, or not, for my review and possibly your protection.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html




Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===
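nasdaq's point above is that the log itself cannot be sent securely, but the personal details in it can be edited out before it is posted. The script below is an added example of how to do that edit mechanically; it is not part of this thread and not a BleepingComputer or DDS tool. It assumes the poster supplies their Windows user name (and optionally other literal strings such as a hostname) and uses "XXX" as the replacement, following nasdaq's example. The sample log lines are constructed to mirror the format of the DDS output posted above; note that DDS prints some paths in upper case (the IFEO line), so the match is case-insensitive while the surrounding text is left exactly as it was.

```python
import re
import sys

# Constructed sample in the DDS log format, modelled on lines from the log
# posted above (not the output of a real DDS run).
SAMPLE_LOG = r"""Run by James at 19:59:50 on 2012-03-12
C:\Users\James\Downloads\dds.scr
IFEO: taskmgr.exe - "C:\USERS\JAMES\DOWNLOADS\PROGRAMS\PROCESS EXPLORER\PROCEXP.EXE"
2012-03-12 03:22:09 -------- d-----w- C:\Users\James\AppData\Local\{114CDF7B-8474-4E94-A735-6C0EFB2FCB8E}
2012-02-03 17:37:03 0 ----a-w- C:\Users\James\g2mdlhlpx.exe
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
"""


def redact_dds_log(text, username, replacement="XXX", extra_tokens=()):
    r"""Return (redacted_text, replacements_made).

    Rewrites the Windows user name wherever DDS prints it:
      * as the profile directory, C:\Users\<name>\..., in any letter case
        (DDS upper-cases some entries, e.g. the IFEO line);
      * in the 'Run by <name> at ...' header line;
      * plus any extra literal tokens the poster supplies (hostname,
        company name), matched case-insensitively.
    The user name is only matched directly under \Users\ so that unrelated
    strings containing the same letters are not mangled.
    """
    total = 0

    # Profile path: keep the original "\Users\" (whatever its case) and swap
    # only the name component; the lookahead requires a path separator,
    # whitespace, a closing quote or end of line after the name.
    profile = re.compile(
        r"(\\Users\\)" + re.escape(username) + r'(?=[\\\s"]|$)',
        re.IGNORECASE | re.MULTILINE,
    )
    text, n = profile.subn(lambda m: m.group(1) + replacement, text)
    total += n

    # Header line "Run by <name> at <time> on <date>".
    header = re.compile(r"^(Run by )" + re.escape(username) + r"( at )", re.MULTILINE)
    text, n = header.subn(lambda m: m.group(1) + replacement + m.group(2), text)
    total += n

    # Optional extra literals (hostname, employer name, public IP ...).
    for token in extra_tokens:
        if not token:
            continue
        pat = re.compile(re.escape(token), re.IGNORECASE)
        text, n = pat.subn(replacement, text)
        total += n

    return text, total


if __name__ == "__main__":
    # usage: redact_dds.py <dds.txt> <username> [extra_token ...]
    if len(sys.argv) < 3:
        print("usage: redact_dds.py <dds.txt> <username> [extra_token ...]", file=sys.stderr)
        sys.exit(2)
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        data = fh.read()
    redacted, count = redact_dds_log(data, sys.argv[2], extra_tokens=sys.argv[3:])
    sys.stdout.write(redacted)
    print(f"# {count} replacement(s) made", file=sys.stderr)
```

Run it against the saved DDS text and check the count it reports on stderr: a count of zero usually means the user name was typed in a form that does not appear in the paths (the profile folder name, not the display name, is what DDS prints). Anything the script does not know about, such as an account name embedded in a product licence path, still has to be found by reading the log.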

#5 S3curityPlu5

S3curityPlu5
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 16 March 2012 - 06:12 PM

Thanks, I hope you understand, I may have already solved the problem anyway, I appreciate your help I really do.



