trojan fighting back...


This topic is locked. 2 replies to this topic.

#1 TsVk! (penguin farmer)
Members, 6,233 posts, Gender: Male, Location: The Antipodes

Posted 31 May 2013 - 04:43 PM

Cleaned out SweetPacks, Conduit and a couple of other toolbars and junk from this Win 7 laptop; a week later the user complains the thing is taking 20 minutes to boot. It's happening again.

Not sure where to start; don't want to make the machine unbootable...

Please help.


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16576
Run by Admin at 11:31:18 on 2013-05-31
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2005.842 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\HPSIsvc.exe
C:\Windows\system32\lxedcoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\PCPitstop\SuperShield\PCPitstopRTService.exe
C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\PCPitstop\Info Center\InfoCenter.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Lexmark S600 Series\lxedmon.exe
C:\Program Files\Lexmark S600 Series\ezprint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PCPitstop\SuperShield\PCMaticRT.exe
C:\Program Files\HP Button Manager\BM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Companion\Installs\cpn3\ytbb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie10
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie10
mStart Page = hxxp://www.google.com
uProxyOverride = <local>
uURLSearchHooks: YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: SimpleAdblock Class: {FFCB3198-32F3-4E8B-9539-4324694ED664} - c:\program files\common files\simple adblock\SimpleAdblock.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [Info Center] c:\program files\pcpitstop\info center\InfoCenter.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [HPUsageTrackingLEDM] "c:\program files\hp\hp ut ledm\bin\hppusg.exe" "c:\program files\hp\hp ut ledm\"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [lxedmon.exe] "c:\program files\lexmark s600 series\lxedmon.exe"
mRun: [EzPrint] "c:\program files\lexmark s600 series\ezprint.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PC MaticRT] c:\program files\pcpitstop\supershield\PCMaticRT.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpbutt~1.lnk - c:\program files\hp button manager\BM.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - c:\program files\hewlett-packard\smartprint\smartprintsetup.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{123271AE-66DF-47AE-81B0-CAC8832CAF74} : DHCPNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.94\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admin.jose-pc\appdata\roaming\mozilla\firefox\profiles\leyn70kh.default\
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_202.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKslddd1b017;MpKslddd1b017;c:\programdata\microsoft\microsoft antimalware\definition updates\{92ba42bf-781d-4d93-8b6c-6ff0940766a2}\MpKslddd1b017.sys [2013-5-30 29904]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2013-1-9 99896]
R2 lxed_device;lxed_device;c:\windows\system32\lxedcoms.exe -service --> c:\windows\system32\lxedcoms.exe -service [?]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-5-18 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-5-18 701512]
R2 PCPitstop Realtime;PCPitstop Realtime;c:\program files\pcpitstop\supershield\PCPitstopRTService.exe [2013-5-18 3835656]
R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2013-1-8 86216]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2013-5-18 66344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-5-18 22856]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
R3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [2012-11-7 16896]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\adobe\elements 9 organizer\PhotoshopElementsFileAgent.exe [2010-9-6 169408]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-5-18 41584]
S3 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2009-6-24 136704]
S3 lxedCATSCustConnectService;lxedCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxedserv.exe [2010-4-14 193192]
S3 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2013-4-15 3289208]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2011-9-27 2519040]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-1-11 1343400]
.
=============== Created Last 30 ================
.
2013-05-31 02:51:02 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{92ba42bf-781d-4d93-8b6c-6ff0940766a2}\MpKslddd1b017.sys
2013-05-31 02:45:17 -------- d---a-w- c:\program files\InboxAce_1gEI
2013-05-30 23:37:07 7016152 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{92ba42bf-781d-4d93-8b6c-6ff0940766a2}\mpengine.dll
2013-05-30 00:41:42 -------- d-----w- c:\windows\pss
2013-05-29 20:51:46 -------- d-----w- c:\users\admin.jose-pc\appdata\local\visi_coupon
2013-05-29 20:42:31 -------- d--h--w- c:\windows\msdownld.tmp
2013-05-29 17:25:53 193824 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2013-05-29 02:30:34 -------- d-----w- C:\Reports
2013-05-29 02:16:30 -------- d-sh--w- C:\$RECYCLE.BIN
2013-05-29 02:16:28 -------- d-----w- c:\users\admin.jose-pc\appdata\local\temp
2013-05-29 02:12:44 98816 ----a-w- c:\windows\sed.exe
2013-05-29 02:12:44 256000 ----a-w- c:\windows\PEV.exe
2013-05-29 02:12:44 208896 ----a-w- c:\windows\MBR.exe
2013-05-29 00:14:18 -------- d-----w- c:\users\admin.jose-pc\appdata\local\ElevatedDiagnostics
2013-05-28 20:38:16 -------- d-----w- c:\users\admin.jose-pc\appdata\local\Mozilla
2013-05-28 20:36:17 -------- d-----w- c:\users\admin.jose-pc\appdata\local\Google
2013-05-28 20:18:22 -------- d-----w- c:\users\admin.jose-pc\appdata\local\Apple
2013-05-28 20:10:17 -------- d-----w- c:\users\admin.jose-pc\appdata\local\Adobe
2013-05-28 20:09:00 -------- d-----w- c:\users\admin.jose-pc\appdata\local\VirtualStore
2013-05-26 21:04:24 -------- d-----w- c:\program files\Temp File Cleaner
2013-05-26 18:00:53 -------- d-----w- c:\program files\GUMAD30.tmp
2013-05-26 17:42:08 -------- d-----w- c:\programdata\PC Optimizer Pro
2013-05-26 17:28:19 -------- d-----w- c:\programdata\CheckPoint
2013-05-21 23:36:03 -------- d-----w- c:\programdata\HitmanPro
2013-05-18 19:25:27 -------- d-----w- c:\programdata\Malwarebytes
2013-05-18 19:25:24 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-18 19:25:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-18 18:23:10 41584 ----a-w- c:\windows\system32\drivers\gfiark.sys
2013-05-18 18:18:49 66344 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2013-05-16 15:07:04 40960 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-05-16 15:07:04 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-05-16 15:07:04 186368 ----a-w- c:\windows\system32\wwansvc.dll
2013-05-16 15:06:58 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-16 15:06:58 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-16 15:06:50 47104 ----a-w- c:\windows\system32\appinfo.dll
2013-05-16 15:06:50 1796096 ----a-w- c:\windows\system32\authui.dll
2013-05-16 15:06:50 101720 ----a-w- c:\windows\system32\consent.exe
2013-05-13 19:03:43 -------- d-----w- C:\e
2013-05-13 16:24:48 -------- d-----w- c:\programdata\VS Revo Group
.
==================== Find3M  ====================
.
2013-05-14 21:59:03 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-14 21:59:03 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-08 06:10:12 770384 ----a-w- c:\windows\system32\msvcr100.dll
2013-05-08 06:10:12 421200 ----a-w- c:\windows\system32\msvcp100.dll
2013-05-02 15:28:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-13 04:45:16 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45:29 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-05 05:28:24 1767424 ----a-w- c:\windows\system32\wininet.dll
2013-04-05 05:26:26 2877440 ----a-w- c:\windows\system32\jscript9.dll
2013-04-05 05:26:21 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-04-05 05:26:21 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-04-05 04:29:45 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-04-05 03:38:25 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-04-02 14:09:52 4550656 ----a-w- c:\windows\system32\GPhotos.scr
2013-03-19 05:04:13 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48:45 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 02:49:16 69632 ----a-w- c:\windows\system32\smss.exe
.
============= FINISH: 11:32:17.37 ===============
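The log above is what the thread has to work with, and the part that answers "where do I start?" is the "Created Last 30" section: entries written after the first cleanup, outside the places Windows Update and the AV definition updater are expected to touch, are the first thing to look at, and cross-checking them against the Run-key and Startup-folder entries tells you whether anything new has been wired into startup. The following Python is an added example, not part of the original post or of the DDS tool. It parses a constructed excerpt laid out like the log above (the paths are the ones the log shows, but only a handful of lines per section are included), and it assumes a cleanup date of 24 May 2013 ("a week" before the 31 May log) and a small allowlist of expected locations; both are assumptions for the example, not facts from the thread.

```python
import re
from datetime import datetime

# Constructed excerpt in the layout of the DDS log posted above (a few lines
# from each section, not the full log); the paths are the ones the log shows.
DDS_SAMPLE = r"""
DDS (Ver_2012-11-20.01) - NTFS_x86
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Program Files\Yahoo!\Companion\Installs\cpn3\ytbb.exe
.
============== Pseudo HJT Report ===============
.
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [Info Center] c:\program files\pcpitstop\info center\InfoCenter.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpbutt~1.lnk - c:\program files\hp button manager\BM.exe
.
============= SERVICES / DRIVERS ===============
.
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2013-5-18 66344]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-5-18 41584]
.
=============== Created Last 30 ================
.
2013-05-31 02:45:17 -------- d---a-w- c:\program files\InboxAce_1gEI
2013-05-29 20:51:46 -------- d-----w- c:\users\admin.jose-pc\appdata\local\visi_coupon
2013-05-26 17:42:08 -------- d-----w- c:\programdata\PC Optimizer Pro
2013-05-18 19:25:24 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-16 15:07:04 2347520 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 11:32:17.37 ===============
"""

# Assumed cleanup date: the post says the toolbars were removed about a week
# before the 31 May 2013 log, so 24 May is a working assumption, not a fact from it.
CLEANUP_DATE = datetime(2013, 5, 24)

# Locations where new files are expected after patching or AV definition updates;
# anything else created after the cleanup deserves a look. Allowlist is an assumption.
EXPECTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\$recycle.bin",
    "c:\\programdata\\microsoft\\microsoft antimalware\\",
)

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
AUTORUN_RE = re.compile(r"^(?:[um]Run|StartupFolder):", re.IGNORECASE)
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|scr|lnk)\b")


def parse_sections(text):
    """Split a DDS log into {section name: [lines]}, dropping the '.' spacer lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).split(":")[0].strip()  # "FINISH: 11:32:17.37" -> "FINISH"
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def parse_created(lines):
    """Parse 'Created Last 30' rows: timestamp, size ('--------' for directories), attrs, path."""
    entries = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        entries.append({
            "when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"),
            "path": path.lower(),
        })
    return entries


def new_unexpected_items(entries, since=CLEANUP_DATE):
    """Paths created at or after `since` outside the expected locations, oldest first."""
    return [e["path"] for e in sorted(entries, key=lambda e: e["when"])
            if e["when"] >= since and not e["path"].startswith(EXPECTED_PREFIXES)]


def autorun_targets(lines):
    """Lower-cased file paths referenced by Run-key and Startup-folder entries."""
    targets = []
    for line in lines:
        if AUTORUN_RE.match(line):
            targets.extend(PATH_RE.findall(line.lower()))
    return targets


def autoruns_under(targets, dirs):
    """Autorun targets that live inside one of the given (newly created) directories."""
    return [t for t in targets if any(t.startswith(d.rstrip("\\") + "\\") for d in dirs)]


if __name__ == "__main__":
    sections = parse_sections(DDS_SAMPLE)
    fresh = new_unexpected_items(parse_created(sections["Created Last 30"]))
    print("Created since cleanup, outside expected locations:")
    for p in fresh:
        print("  ", p)
    wired = autoruns_under(autorun_targets(sections["Pseudo HJT Report"]), fresh)
    print("Autoruns pointing into those directories:", wired or "none in this excerpt")
```

On the excerpt this lists the three directories created after the assumed cleanup date (PC Optimizer Pro, visi_coupon, InboxAce_1gEI) and finds no Run-key or Startup-folder entry pointing into them, which matches what the full log shows: the new directories are not wired into the autoruns DDS reports, so the next places to look would be the services/drivers list, scheduled tasks, and the browser add-ons rather than the Run keys. The date filter and allowlist are the two knobs to adjust when applying this to a different log.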

 




#2 TsVk! (penguin farmer), Topic Starter
Members, 6,233 posts, Gender: Male, Location: The Antipodes

Posted 04 June 2013 - 10:28 PM

Couldn't wait any longer for help on this...

Reformatted the offending machine.



#3 Orange Blossom (OBleepin Investigator)
Moderator, 36,962 posts, Gender: Not Telling, Location: Bloomington, IN

Posted 04 June 2013 - 11:22 PM

Hello,

Thank you for posting back. I'm sorry we couldn't get to you sooner. Sometimes a reformat and reinstall is the quickest solution.

Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom
