Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hungry svchost file........


  • This topic is locked This topic is locked
33 replies to this topic

#1 Gone gray

Gone gray

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 31 May 2013 - 01:42 PM

Hi,
I have a problem with my windows xp PC.
There is a svchost.exe file that is consuming my PCs resources.
It seems to take over within a few minutes.
It just hit over 1,200,000 k of mem usage and nearly 100% of the CPU. 
I have used malware bytes , super antispyware, spy bot search, and cc cleaner and tweaking. All came up with different viruses and files that were deleted. But still I have this bogging down of my system.
Some programs sit forever to do a command. Sometimes I go into task manager and delete the svchost file that is being greedy just so the other programs have a chance to work.
Even though I delete the file...it just comes back within a few seconds and starts to use up all available resources. Safe mode helps to stop it, but safe with networking let's the svchost file take over.
I'm tempted to format the whole drive and start again, but I have a lot of old programs that I don't have the key codes for anymore, or they were downloaded so I would rather not do the formatting. Even if I did format I don't know if it will clear this nasty problem.
Thanks for the help

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 AM

Posted 01 June 2013 - 12:49 AM



Hello Gone gray

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.





I need to get some reports to get a base to start from so I need you to run these programs first.



-Download DDS-
  • Please download DDS from one of the links below and save it to your desktop:

    dds_scr.gif
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Gone gray

Gone gray
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 01 June 2013 - 05:04 PM

Thanks Gringo,
I found the follow this box but not the "Receive notification" box .

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 AM

Posted 01 June 2013 - 05:13 PM

when you click on the "follow this " the "Receive notification" will open up


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Gone gray

Gone gray
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 02 June 2013 - 10:05 AM

Hi Gringo,

here is what you asked for.... I have resorted to using a program called process explorer. it allows me to set the priority level of the svchost file that has been using up processor power. when its set to te lowest level, my other programs get a chance to do some work.

Thanks

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/11/2011 3:01:22 PM
System Uptime: 6/2/2013 10:39:36 AM (0 hours ago)
.
Motherboard: Dell Inc.           |  | 0U7077
Processor:               Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 466 GiB total, 324.495 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 149 GiB total, 148.889 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 5/29/2013 8:24:24 PM - System Checkpoint
.
==== Installed Programs ======================
.
7-zip v9.20
Adobe Connect Add-in
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.7)
Anti-phishing Domain Advisor
AOL Uninstaller (Choose which Products to Remove)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Applet
Audacity 2.0
Avery Wizard 4.0
Bing Bar
Bonjour
Broadcom Gigabit Integrated Controller
Canon iC D800
Card Data Recovery
CCleaner
Citrix online plug-in - web
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Download Navigator
EasyGSM for SGH-A800
Epson Connect
Epson Customer Participation
Epson Event Manager
EPSON Scan
EPSON XP-400 Series Printer Uninstall
EpsonNet Print
File Scavenger 4.0 (en)
File Type Assistant
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
iExplorer 3.2.1.5
ImageMixer 3 SE Ver.6 Transfer Utility
ImageMixer 3 SE Ver.6 Video Tools
InterVideo WinDVD
iPhone Backup Extractor
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 22
Java Auto Updater
Java™ 6 Update 29
Juniper Networks Host Checker
Juniper Networks Network Connect 6.5.0
Juniper Networks Network Connect 7.1.8
Juniper Networks, Inc. Setup Client
Junk Mail filter update
LAME v3.99.3 (for Windows)
Magical Jelly Bean KeyFinder
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office File Validation Add-In
Microsoft Office Live Add-in 1.5
Microsoft Office Outlook Connector
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Works 6-9 Converter
MSN
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Control Panel 301.42
NVIDIA Graphics Driver 301.42
NVIDIA HD Audio Driver 1.3.16.0
NVIDIA Install Application
NVIDIA nView 136.27
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.0213
NVIDIA Update 1.8.15
NVIDIA Update Components
PL-2303 USB-to-Serial
QuickTime
Reimage Repair
Samsung New PC Studio
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2586448)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Segoe UI
SoundMAX
Spybot - Search & Destroy
SUPERAntiSpyware
Tweaking.com - Windows Repair (All in One)
Unlocker 1.9.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
VirtualLab Client 6.0.14
WD SmartWare
WebFldrs XP
Windows DVD Maker 3.5
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Wondershare DemoCreator (Build 3.5.1)
Wondershare Dr.Fone (iPhone 3GS)(Build 1.0.1.5)
.
==== Event Viewer Messages From Past Week ========
.
6/2/2013 10:45:50 AM, error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Background Intelligent Transfer Service service, but this action failed with the following error:  An instance of the service is already running.
6/1/2013 7:44:57 AM, error: DCOM [10005]  - DCOM got error "%1062" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
6/1/2013 7:44:56 AM, error: DCOM [10005]  - DCOM got error "%231" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
6/1/2013 7:39:54 AM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
6/1/2013 7:38:54 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service COMSysApp with arguments "" in order to run the server: {ECABAFBC-7F19-11D2-978E-0000F8757E2A}
6/1/2013 7:38:47 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service COMSysApp with arguments "" in order to run the server: {182C40F0-32E4-11D0-818B-00A0C9231C29}
6/1/2013 7:37:32 AM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/1/2013 6:45:22 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
5/31/2013 6:55:12 AM, error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:  An instance of the service is already running.
5/31/2013 6:29:40 AM, error: atapi [9]  - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
5/31/2013 5:07:13 PM, error: Service Control Manager [7023]  - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:  Access is denied.
5/31/2013 3:24:28 PM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
5/31/2013 3:14:49 PM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/30/2013 8:04:12 PM, error: Service Control Manager [7034]  - The Network Location Awareness (NLA) service terminated unexpectedly.  It has done this 2 time(s).
5/30/2013 8:04:12 PM, error: Service Control Manager [7034]  - The Network Connections service terminated unexpectedly.  It has done this 2 time(s).
5/30/2013 8:04:12 PM, error: Service Control Manager [7034]  - The COM+ Event System service terminated unexpectedly.  It has done this 2 time(s).
5/30/2013 8:04:12 PM, error: Service Control Manager [7031]  - The Help and Support service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 100 milliseconds: Restart the service.
5/30/2013 8:04:12 PM, error: Service Control Manager [7031]  - The Background Intelligent Transfer Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
5/30/2013 7:43:40 AM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service SwPrv with arguments "" in order to run the server: {65EE1DBA-8FF4-4A58-AC1C-3470EE2F376A}
5/30/2013 4:46:00 PM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
5/30/2013 2:38:06 PM, error: DCOM [10005]  - DCOM got error "%2" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/30/2013 2:31:04 PM, error: DCOM [10005]  - DCOM got error "%2" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
5/30/2013 2:21:43 PM, information: Windows File Protection [64004]  - The protected system file svchost.exe could not be restored to its original, valid version. The file version of the bad file is unknown The specific error code is 0x00000426 [The service has not been started. ].
5/29/2013 9:03:15 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the WD Backup service to connect.
5/29/2013 9:03:15 PM, error: Service Control Manager [7000]  - The WD Backup service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
5/29/2013 9:02:35 PM, error: Service Control Manager [7038]  - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:  Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
5/29/2013 9:02:35 PM, error: Service Control Manager [7000]  - The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.
5/29/2013 8:37:16 PM, error: System Error [1003]  - Error code 1000007e, parameter1 c0000005, parameter2 f7898770, parameter3 f78dab9c, parameter4 f78da898.
5/29/2013 8:03:11 PM, error: Service Control Manager [7024]  - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
5/29/2013 7:09:54 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/29/2013 6:14:47 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  ctxusbm Fips IntelIde intelppm ohci1394 SASDIFSV SASKUTIL
5/29/2013 2:57:32 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/29/2013 2:56:58 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service WDRulesService with arguments "" in order to run the server: {C004E60F-2D62-4BE1-98C4-C39A8046B6BB}
5/29/2013 2:56:58 PM, error: DCOM [10005]  - DCOM got error "%1068" attempting to start the service WDBackup with arguments "" in order to run the server: {81213AB4-5937-4340-88CD-66B4BC80DF73}
5/29/2013 2:56:11 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD ctxusbm Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
5/29/2013 2:56:11 PM, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:  A device attached to the system is not functioning.
5/29/2013 2:56:11 PM, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
5/29/2013 2:56:11 PM, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
5/29/2013 2:56:11 PM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
5/29/2013 2:56:11 PM, error: Service Control Manager [7001]  - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
5/29/2013 2:56:11 PM, error: Service Control Manager [7001]  - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
5/29/2013 2:56:01 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/29/2013 2:53:31 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  ctxusbm Fips intelppm SASDIFSV SASKUTIL
5/29/2013 2:52:26 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
5/28/2013 7:57:04 PM, error: Service Control Manager [7031]  - The Windows Management Instrumentation service terminated unexpectedly.  It has done this 4 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
5/28/2013 6:17:47 PM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
5/28/2013 6:13:28 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the WD Rules service to connect.
5/28/2013 6:13:28 PM, error: Service Control Manager [7001]  - The WD Backup service depends on the WD Rules service which failed to start because of the following error:  The service did not respond to the start or control request in a timely fashion.
5/28/2013 6:13:28 PM, error: Service Control Manager [7000]  - The WD Rules service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
5/28/2013 3:34:11 PM, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/28/2013 3:32:30 PM, error: Service Control Manager [7001]  - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
5/28/2013 3:21:28 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the WD SmartWare Background Service service to connect.
5/28/2013 2:50:56 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
.
==== End Of File ===========================
 

.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by Lou at 10:43:51.73 on Sun 06/02/2013
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.2256 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft\BingBar\BBSvc.EXE
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
C:\WINDOWS\system32\EscSvc.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\WINDOWS\system32\CAPM5RSK.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD Drive Manager\WDDriveService.exe
C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Western Digital\WD SmartWare\WDBackupEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Western Digital\WD Quick View\WDDMStatus.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1318970588\ee\AOLSoftware.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AOL Desktop 9.6\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe
C:\Documents and Settings\Lou\Desktop\dds.scr
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\AOL\1318970588\ee\aolupdates.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uSearch Bar =
uStart Page = hxxp://msn.com/
mSearchAssistant =
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: blekko search bar: {8769adce-dba5-48e9-afb5-67b12cdf2e61} - c:\program files\blekkotb_031\blekkotb_019X.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: blekko search bar: {8769adce-dba5-48e9-afb5-67b12cdf2e61} - c:\program files\blekkotb_031\blekkotb_019X.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [bznyo] "c:\documents and settings\lou\application data\microsoft\acwmlwy\acwmlwy.exe"
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [AOL Fast Start] "c:\program files\aol desktop 9.6\AOL.EXE" -b
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [rkdec] "c:\windows\system32\rundll32.exe" "c:\documents and settings\lou\application data\rkdec.dll",GetGlobals
mRun: [ceupn] "c:\windows\system32\rundll32.exe" "c:\documents and settings\lou\application data\ceupn.dll",get_pHYs
mRun: [WD Quick View] c:\program files\western digital\wd quick view\WDDMStatus.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ROC_ROC_NT] "c:\program files\avg secure search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [NPSStartup]
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HostManager] c:\program files\common files\aol\1318970588\ee\AOLSoftware.exe
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Anti-phishing Domain Advisor] "c:\documents and settings\all users\application data\anti-phishing domain advisor\visicom_antiphishing.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [AOL Fast Start] "c:\progra~1\aoldes~1.6\AOL.EXE" -b
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_6_602_180_ActiveX.exe -update activex
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: arise.com
Trusted Zone: att.com
Trusted Zone: att.net
Trusted Zone: cingular.net
Trusted Zone: sbc.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1361529270359
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1368702470250
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341350304328
DPF: {7206EAAC-5CFA-43A3-9F61-E27E8E51E42F} - hxxp://adus1.liveblockauctions.com/container_repository/laiexec.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ns.arise.com/dana-cached/sc/JuniperSetupClient.cab
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - c:\windows\system32\CbFsMntNtf3.dll
STS: Virtual Storage Mount Notification: {5ff49fe8-b332-4cb9-b102-fb6951629e55} - c:\windows\system32\CbFsMntNtf3.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2011-4-25 64800]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]
R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\epsoncustomerparticipation\EPCP.exe [2012-5-10 539744]
R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\escsvc.exe [2013-5-19 122000]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2012-10-13 238952]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-5-18 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-5-18 701512]
R2 RapidPortM5;RapidPortM5;c:\windows\system32\drivers\CAPM5LP.SYS [2011-10-30 23232]
R2 WDBackup;WD Backup;c:\program files\western digital\wd smartware\WDBackupEngine.exe [2012-6-14 1151424]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
R2 WDDriveService;WD Drive Manager;c:\program files\western digital\wd drive manager\WDDriveService.exe [2012-6-14 248248]
R2 WDRulesService;WD Rules;c:\program files\western digital\wd smartware\WDRulesEngine.exe [2012-6-14 1177536]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 cbfs3;EldoS Callback File System driver v3;c:\windows\system32\drivers\cbfs3.sys [2013-2-6 299024]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2012-10-13 36608]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-5-18 22856]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2013-1-30 123840]
S0 dhaavep;dhaavep;c:\windows\system32\drivers\quhlechv.sys --> c:\windows\system32\drivers\quhlechv.sys [?]
S1 gajsigcb;gajsigcb;\??\c:\windows\system32\drivers\gajsigcb.sys --> c:\windows\system32\drivers\gajsigcb.sys [?]
S1 jkdsztsk;jkdsztsk;\??\c:\windows\system32\drivers\jkdsztsk.sys --> c:\windows\system32\drivers\jkdsztsk.sys [?]
S1 kalbmdxq;kalbmdxq;\??\c:\windows\system32\drivers\kalbmdxq.sys --> c:\windows\system32\drivers\kalbmdxq.sys [?]
S1 krlwazxe;krlwazxe;\??\c:\windows\system32\drivers\krlwazxe.sys --> c:\windows\system32\drivers\krlwazxe.sys [?]
S1 lvtrzsou;lvtrzsou;\??\c:\windows\system32\drivers\lvtrzsou.sys --> c:\windows\system32\drivers\lvtrzsou.sys [?]
S1 MpKsl0f7ade96;MpKsl0f7ade96;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bc147e67-19c9-4afb-8628-c7261f1a1c9b}\mpksl0f7ade96.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bc147e67-19c9-4afb-8628-c7261f1a1c9b}\MpKsl0f7ade96.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-3-22 136176]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2013-1-30 1262400]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-10-28 256904]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-3-22 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2012-8-31 11520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-06-01 21:25:32 54016 ----a-w- c:\windows\system32\drivers\ioutqtdf.sys
2013-05-31 19:07:55 -------- d-----w- c:\docume~1\lou\applic~1\wabEventSupport16
2013-05-29 00:14:31 -------- d-----w- C:\hotunzip
2013-05-29 00:13:47 943336 ----a-w- C:\WindowsXP-KB838884-v2-x86-enu.exe
2013-05-29 00:13:47 653544 ----a-w- C:\WindowsXP-KB838884-v2-x86-Symbols-enu.exe
2013-05-29 00:12:43 1684856 ----a-w- C:\173989_ENU_i386_zip.exe
2013-05-28 22:06:05 0 ----a-w- c:\documents and settings\lou\googleupdate.exe
2013-05-28 22:06:01 0 ----a-w- c:\documents and settings\lou\chrome.exe
2013-05-28 22:05:52 0 ----a-w- c:\documents and settings\lou\flashplayer.exe
2013-05-28 22:03:53 491520 ----a-w- c:\docume~1\lou\applic~1\ceupn.dll
2013-05-28 22:03:48 892928 ----a-w- c:\docume~1\lou\applic~1\rkdec.dll
2013-05-28 22:00:17 0 ----a-w- c:\documents and settings\lou\teamviewer.exe
2013-05-28 21:59:53 0 ----a-w- c:\documents and settings\lou\jqs.exe
2013-05-28 21:59:35 0 ----a-w- c:\documents and settings\lou\java.exe
2013-05-28 19:02:01 3038 ----a-w- C:\fix_svchost.bat
2013-05-28 18:57:40 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2013-05-28 18:53:53 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
2013-05-20 13:36:13 -------- d-----w- c:\program files\CCleaner
2013-05-20 13:31:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2013-05-20 13:31:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2013-05-20 13:12:43 -------- d-----w- c:\docume~1\lou\applic~1\SUPERAntiSpyware.com
2013-05-20 13:12:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-05-20 13:12:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2013-05-19 12:21:20 65536 ----a-w- c:\windows\system32\EEBUtil.dll
2013-05-19 12:21:20 55808 ----a-w- c:\windows\system32\EEBSDKIF.dll
2013-05-19 12:21:20 110592 ----a-w- c:\windows\system32\EEBDSCVR.dll
2013-05-19 12:21:19 77824 ----a-w- c:\windows\system32\EBAPI.dll
2013-05-19 12:21:19 135168 ----a-w- c:\windows\system32\EEBAPI.dll
2013-05-19 12:13:52 457780 ----a-w- c:\windows\system32\ensppui.dll
2013-05-19 12:13:51 475496 ----a-w- c:\windows\system32\ensppmon.dll
2013-05-19 12:13:51 475496 ----a-w- c:\windows\system32\enppmon.dll
2013-05-19 12:13:51 457780 ----a-w- c:\windows\system32\enppui.dll
2013-05-19 12:13:51 249344 ----a-w- c:\windows\system32\enspres.dll
2013-05-19 12:13:51 249344 ----a-w- c:\windows\system32\enpres.dll
2013-05-19 12:13:49 -------- d-----w- c:\program files\EpsonNet
2013-05-19 12:13:00 -------- d-----w- c:\program files\common files\EPSON
2013-05-19 12:11:24 -------- d-----w- c:\program files\Epson America Inc
2013-05-19 12:06:15 -------- d-----w- c:\program files\Epson Software
2013-05-19 11:56:55 95232 ----a-w- c:\windows\system32\E_FLBIBA.DLL
2013-05-19 11:56:55 81408 ----a-w- c:\windows\system32\E_FD4BIBA.DLL
2013-05-19 11:53:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\EPSON
2013-05-19 11:52:27 122000 ----a-w- c:\windows\system32\escsvc.exe
2013-05-19 11:52:26 342016 ----a-w- c:\windows\system32\eswiaud.dll
2013-05-18 23:41:41 -------- d-----w- c:\windows\system32\CatRoot2
2013-05-18 13:23:53 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-18 13:23:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-17 12:09:32 -------- d-----w- c:\docume~1\lou\locals~1\applic~1\PCHealth
2013-05-16 19:22:58 -------- d-----w- c:\program files\common files\McAfee
2013-05-16 19:22:51 -------- d-----w- c:\program files\McAfee.com
2013-05-16 19:22:35 -------- d-----w- c:\program files\McAfee
2013-05-16 04:18:40 -------- d-----w- c:\docume~1\lou\applic~1\Acyhpy
2013-05-16 04:18:39 -------- d-----w- c:\docume~1\lou\applic~1\Xyta
2013-05-16 04:18:39 -------- d-----w- c:\docume~1\lou\applic~1\Usxiwi
2013-05-15 20:25:44 -------- d-----w- c:\docume~1\lou\applic~1\Tyof
2013-05-15 20:25:40 -------- d-----w- c:\docume~1\lou\applic~1\Siuvy
2013-05-15 20:25:40 -------- d-----w- c:\docume~1\lou\applic~1\Ermu
2013-05-15 12:15:07 -------- d-----w- c:\docume~1\lou\applic~1\Syyd
2013-05-15 12:15:07 -------- d-----w- c:\docume~1\lou\applic~1\Elgepe
2013-05-15 12:15:07 -------- d-----w- c:\docume~1\lou\applic~1\Anis
2013-05-12 12:36:41 -------- d-----w- C:\rei
2013-05-12 12:36:34 -------- d-----w- c:\program files\Reimage
2013-05-11 20:45:52 -------- d-----w- c:\program files\iolo
2013-05-11 20:45:41 -------- d-----w- c:\program files\3DHome
2013-05-11 11:10:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\iolo
2013-05-10 07:57:26 187456 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2013-05-03 20:34:14 -------- d-----w- c:\docume~1\lou\applic~1\SumatraPDF
.
==================== Find3M  ====================
.
2013-05-15 13:09:36 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-15 13:09:33 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-09 20:22:28 90112 ----a-w- c:\windows\DUMP8a9c.tmp
2013-05-02 15:28:50 238872 ----a-w- c:\windows\system32\MpSigStub.exe
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 10:50:23.01 ===============
 



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 AM

Posted 02 June 2013 - 12:10 PM



Hello Gone gray

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Gone gray

Gone gray
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 02 June 2013 - 02:41 PM

Here are the two reports...there was some kind of error on the jrt run..sorry i missed it.

but here are the files. Also, task manager still showing high usage on one of the svchost file.800/1000 k.

# AdwCleaner v2.301 - Logfile created 06/02/2013 at 14:25:03
# Updated 16/05/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Lou - DELL8400-PC
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Lou\Desktop\AdwCleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor
Folder Deleted : C:\Documents and Settings\All Users\Application Data\blekko toolbars
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\Lou\Application Data\OpenCandy
Folder Deleted : C:\Documents and Settings\Lou\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\Lou\Application Data\Toolbar4
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Iminent
Folder Deleted : C:\Program Files\Viewpoint

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{58124A0B-DC32-4180-9BFF-E0E21AE34026}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8769ADCE-DBA5-48E9-AFB5-67B12CDF2E61}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{977AE9CC-AF83-45E8-9E03-E2798216E2D5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{58124A0B-DC32-4180-9BFF-E0E21AE34026}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{84FF7BD6-B47F-46F8-9130-01B2696B36CB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8769ADCE-DBA5-48E9-AFB5-67B12CDF2E61}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{977AE9CC-AF83-45E8-9E03-E2798216E2D5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\TBSB01620
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02054E11-5113-4BE3-8153-AA8DFB5D3761}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8769ADCE-DBA5-48E9-AFB5-67B12CDF2E61}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils
Key Deleted : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbRequest
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbRequest.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbTask
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbTask.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3201318
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2BF2028E-3F3C-4C05-AB45-B2F1DCFE0759}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B87F8B63-7274-43FD-87FA-09D3B7496148}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DB538320-D3C5-433C-BCA9-C4081A054FCF}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Iminent
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68B81CCD-A80C-4060-8947-5AE69ED01199}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E6B969FB-6D33-48D2-9061-8BBD4899EB08}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Anti-phishing Domain Advisor
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8769ADCE-DBA5-48E9-AFB5-67B12CDF2E61}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0238BBE24EA3A70408B81E4BB89C15E5
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29799DE249E7DBC459FC6C8F07EB8375
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-phishing Domain Advisor
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\Software\Viewpoint
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{8769ADCE-DBA5-48E9-AFB5-67B12CDF2E61}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [13936 octets] - [02/06/2013 14:20:40]
AdwCleaner[S1].txt - [13872 octets] - [02/06/2013 14:25:03]

########## EOF - C:\AdwCleaner[S1].txt - [13933 octets] ##########

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by Lou on Sun 06/02/2013 at 14:58:05.18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Suspicious HKLM\..\Run entries found. Trojan:JS/Medfos.B?

   Val Name      Type   Value Data
   ========      ====   ==========
    rkdec REG_SZ "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Lou\Application Data\rkdec.dll",GetGlobals
    ceupn REG_SZ "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Lou\Application Data\ceupn.dll",get_pHYs

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\speedypc software"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\wondershare"
Successfully deleted: [Folder] "C:\Documents and Settings\Lou\Application Data\drivercure"
Successfully deleted: [Folder] "C:\Documents and Settings\Lou\Application Data\speedypc software"
Successfully deleted: [Folder] "C:\Documents and Settings\Lou\Local Settings\Application Data\blekkotb_031"
Successfully deleted: [Folder] "C:\Documents and Settings\Lou\Local Settings\Application Data\wondershare"
Successfully deleted: [Folder] "C:\Program Files\wondershare"
Successfully deleted: [Folder] "C:\Program Files\Common Files\Wondershare"

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 06/02/2013 at 15:12:31.32
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 AM

Posted 02 June 2013 - 03:59 PM


Hello Gone gray

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Gone gray

Gone gray
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 03 June 2013 - 09:06 AM

Hey Gringo,
Combo requested to download some software....some kind of windows recovery program because it could not find it.
I then ran combofix, when I returned to the computer, it was blue screen that said Bad-Pool-Header, I'll attach a photo I took of the screen. Restarted the machine and restarted combo fix but blue screened again with same message. I did notice that combo fix got somewhere past step #46 before blue screening. The svchost .exe file still eats up a lot of k. Please advise.Lou

Sorry I can't seem to see how to attach the photo....but the tech info is as follows
***STOP: 0x00000019 (0x00000020,0x893A9B68, 0x893A9F80, 0x1A830019)

#10 Gone gray

Gone gray
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 03 June 2013 - 11:13 AM

Hey Gringo.......
I ran combofix a third time and walked away.
When I returned, I found a new blue screen.
This one didn't say anything about the bad pool header.
The tech info is as follows:
***STOP: 0x0000008E (0xC0000005, 0x00200073, 0xA2384ADC,0x00000000)

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 AM

Posted 03 June 2013 - 09:19 PM

Hello Gone gray

I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • more than one report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please copy and paste the contents of that file here.

    Note** this report can be very long - so if the website gives you an error saying it is to long you may attache it

    If the forum still complains about it being to long send me everything that is at the end of the report after where it says

    ==================
    Scan finished
    ==================
and I will see if I want to see the whole report

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • the scan will make two reports the one I would like to see is called RKreport[2].txt on your Desktop
  • Exit/Close RogueKiller+
send me the reports made from TDSSKiller and Roguekiller and also let me know how the computer is doing at this time.

Gringo

Edited by gringo_pr, 03 June 2013 - 09:19 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 Gone gray

Gone gray
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 04 June 2013 - 07:51 AM

Hi Gringo,

Here are the reports you asked for.

I did notice the svchost stopped eatting all my free space after running the first tool "TDSS".

Things seem to be back to normal......there is a little lag in the system as i write this to you......maybe the long attach file below this as I write.......I will play with it for the day and let you know.

The system also put up the yellow sheild prompting me that there are updates ready to install, this came on sometime after the reboots, I will wait for you to tell me its Okay to download them....

Also like you said, it didnt fit, so i sent the very top and bottom, of the report

 

07:50:18.0031 3800  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
07:50:18.0546 3800  ============================================================
07:50:18.0546 3800  Current date / time: 2013/06/04 07:50:18.0546
07:50:18.0546 3800  SystemInfo:
07:50:18.0546 3800 
07:50:18.0546 3800  OS Version: 5.1.2600 ServicePack: 3.0
07:50:18.0546 3800  Product type: Workstation
07:50:18.0546 3800  ComputerName: DELL8400-PC
07:50:18.0546 3800  UserName: Lou
07:50:18.0546 3800  Windows directory: C:\WINDOWS
07:50:18.0546 3800  System windows directory: C:\WINDOWS
07:50:18.0546 3800  Processor architecture: Intel x86
07:50:18.0546 3800  Number of processors: 1
07:50:18.0546 3800  Page size: 0x1000
07:50:18.0546 3800  Boot type: Normal boot
07:50:18.0546 3800  ============================================================
07:54:30.0734 4768  ============================================================
07:54:30.0734 4768  Scan finished
07:54:30.0734 4768  ============================================================
07:54:30.0859 4760  Detected object count: 7
07:54:30.0859 4760  Actual detected object count: 7
07:56:15.0218 4760  !SASCORE ( UnsignedFile.Multi.Generic ) - skipped by user
07:56:15.0218 4760  !SASCORE ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:56:15.0218 4760  EpsonBidirectionalService ( UnsignedFile.Multi.Generic ) - skipped by user
07:56:15.0218 4760  EpsonBidirectionalService ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:56:15.0218 4760  FsUsbExDisk ( UnsignedFile.Multi.Generic ) - skipped by user
07:56:15.0218 4760  FsUsbExDisk ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:56:15.0218 4760  UnlockerDriver5 ( UnsignedFile.Multi.Generic ) - skipped by user
07:56:15.0218 4760  UnlockerDriver5 ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:56:15.0218 4760  WDDMService ( UnsignedFile.Multi.Generic ) - skipped by user
07:56:15.0218 4760  WDDMService ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:56:15.0218 4760  WDSmartWareBackgroundService ( UnsignedFile.Multi.Generic ) - skipped by user
07:56:15.0218 4760  WDSmartWareBackgroundService ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:56:17.0375 4760  \Device\Harddisk0\DR0\# - copied to quarantine
07:56:17.0390 4760  \Device\Harddisk0\DR0 - copied to quarantine
07:56:17.0500 4760  \Device\Harddisk0\DR0 ( Rootkit.Boot.Harbinger.a ) - will be cured on reboot
07:56:17.0562 4760  \Device\Harddisk0\DR0 - ok
07:56:18.0687 4760  \Device\Harddisk0\DR0 ( Rootkit.Boot.Harbinger.a ) - User select action: Cure
07:56:45.0859 3700  Deinitialize success

 

 

----------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Lou [Admin rights]
Mode : Remove -- Date : 06/04/2013 08:18:02
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : C:\Documents and Settings\Lou\Application Data\rkdec.dll [x] -> KILLED [TermProc]
[DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : C:\Documents and Settings\Lou\Application Data\ceupn.dll [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : bznyo ("C:\Documents and Settings\Lou\Application Data\Microsoft\Acwmlwy\acwmlwy.exe") [x] -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : rkdec ("C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Lou\Application Data\rkdec.dll",GetGlobals) [7] -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : ceupn ("C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Lou\Application Data\ceupn.dll",get_pHYs) [7] -> DELETED
[TASK][SUSP PATH] mxsacwmlwyupd.job : C:\WINDOWS\system32\cscript.exe //E:javascript C:\WINDOWS\TEMP\acwmlwy.mkt [x] -> DELETED
[STARTUP][SUSP PATH] sfrya.lnk @UpdatusUser : C:\Documents and Settings\UpdatusUser\Application Data\Microsoft\Sfrya\sfrya.exe -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKS-60WWPA0 +++++
--- User ---
[MBR] 541b705d90b9c51b11d9d4942cf34cd0
[BSP] a10df492ce26618fdab8be98275e6335 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST3160023AS +++++
--- User ---
[MBR] 36fd6bcdc5ef0656e531e893a3177ac2
[BSP] 61089aa54da192ccacc263ab131da6b3 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 152531 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_06042013_02d0818.txt >>
RKreport[1]_S_06042013_02d0816.txt ; RKreport[2]_D_06042013_02d0818.txt

 

 

 

 



#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:33 AM

Posted 04 June 2013 - 09:53 AM

Hello


Now I want you to try and run combofix for me


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 Gone gray

Gone gray
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 04 June 2013 - 07:01 PM

I think I messed up....
I just started your combo fix after a restart
I forgot to turn anything off.
What should I do

#15 Gone gray

Gone gray
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 04 June 2013 - 07:18 PM

Ran it thru... I got the blue screen again with the " bad header"error
I'm restarting and going to mak sure everything is off
Then run combo fix again
I will report back




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users