svchost.exe using 100% CPU


This topic is locked
19 replies to this topic

#1 A_Late_Fall


Posted 11 December 2013 - 06:39 PM

Hi, I have a problem with my computer that I hope you can help me with.

Earlier in the year my father had a rootkit (Rootkit.Boot.Harbinger.a.) install on his computer and turn it into a zombie machine. You were able to help me remove it. This problem is behaving very similarly.

I am using a Dell Dimension XPS running Windows XP and with Norton Security Suite as my antivirus. When I start the computer it is not very long before something is draining all the CPU power. I looked in Windows Task Manager and svchost.exe SYSTEM is pegged at 99. If I restart and watch the pattern of CPU usage, wuauclt.exe seems to activate first and then the resource hogging begins in svchost.exe SYSTEM. I don't know if this is related or not.

If I shut down svchost.exe SYSTEM the hogging stops, but I am not sure what processes are running in that group. I haven't tried to trace every process like I did on my dad's computer, as it was complicated parsing them out into single processes that I could track and didn't seem to help the outcome overall.

Norton is not finding anything, and Kaspersky TDSSKiller, which worked to rid my dad's computer of its secret partition startup routine, also did not work. What other things can I try, and can you please help me walk through it?

Sincerely,
A_Late_Fall

I tried the DDS scan with svchost.exe SYSTEM running but it hung, so I ended the process and the scan finished with the following results:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.45.2
Run by Admin at 18:12:11 on 2013-12-11
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\SMSC\SetIcon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cnn.com/WORLD/
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll
BHO: EWPBrowseObject Class: {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton security suite\engine\5.2.2.3\ips\ipsbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll
TB: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [SetIcon] \Program Files\SMSC\SetIcon.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1347459775140
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{53BC149D-C856-4630-B430-E8CB5072BEF4} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{CC0DA0FC-E159-4FDB-BAD5-DA0FB03EC0A2} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\27zgmn6y.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_152.dll
FF - ExtSQL: 2013-10-25 12:19; jid1-ZAdIEUB7XOzOJw@jetpack; c:\documents and settings\admin\application data\mozilla\firefox\profiles\27zgmn6y.default\extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi
.
============= SERVICES / DRIVERS ===============
.
R? COMMONFX;COMMONFX
R? Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service
R? CTAUDFX;CTAUDFX
R? CTERFXFX.SYS;CTERFXFX.SYS
R? CTERFXFX;CTERFXFX
R? CTSBLFX;CTSBLFX
R? MatSvc;Microsoft Automated Troubleshooting Service
R? ssmirrdr;ssmirrdr
S? AdobeActiveFileMonitor;Adobe Active File Monitor
S? ATICXCAP;ATI TV Wonder Pro A/V Capture
S? ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3)
S? ATICXXBR;ATI TV Wonder Pro A/V Crossbar
S? BHDrvx86;BHDrvx86
S? COMMONFX.SYS;COMMONFX.SYS
S? CTAUDFX.SYS;CTAUDFX.SYS
S? CTSBLFX.SYS;CTSBLFX.SYS
S? EraserUtilRebootDrv;EraserUtilRebootDrv
S? IDSxpx86;IDSxpx86
S? N360;Norton Security Suite
S? NAVENG;NAVENG
S? NAVEX15;NAVEX15
S? PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect
S? SymDS;Symantec Data Store
S? SymEFA;Symantec Extended File Attributes
S? SymIRON;Symantec Iron Driver
.
=============== Created Last 30 ================
.
2013-12-11 18:33:47    --------    d-----w-    C:\N360_BACKUP
2013-12-11 15:42:00    --------    d-----w-    C:\TDSSKiller_Quarantine
.
==================== Find3M  ====================
.
2013-11-18 13:32:50    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-18 13:32:50    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-10-13 07:25:38    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-10-13 07:25:08    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-10-13 07:25:02    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-10-13 07:24:17    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-10-13 06:57:59    385024    ----a-w-    c:\windows\system32\html.iec
2013-10-12 15:56:19    278528    ----a-w-    c:\windows\system32\oakley.dll
2013-10-09 13:12:48    287744    ----a-w-    c:\windows\system32\gdi32.dll
2013-10-08 11:50:41    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-10-08 11:29:36    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2013-10-07 10:59:21    603136    ----a-w-    c:\windows\system32\crypt32.dll
2013-10-05 01:14:01    7168    ----a-w-    c:\windows\system32\xpsp4res.dll
.
============= FINISH: 18:22:19.32 ===============
 


#2 HelpBot


Posted 16 December 2013 - 06:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/517201 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 A_Late_Fall


Posted 16 December 2013 - 09:19 PM

I am still having a problem.  When I boot my computer running Windows XP Professional 2002 Service Pack 3, a program takes over and runs the CPU on full, slowing every other function to a crawl.  I believe it is also accessing the internet at these times.  Using Windows Task Manager I find that an instance of wuauclt.exe runs (for maybe ten seconds) and then a svchost.exe fires up, quits, and then wuauclt.exe runs again and then the same svchost.exe runs again and pegs the CPU at 100% until I shut down.  My regular Windows patches for this month did not run and a Flash update also failed.

I can stop the svchost.exe group in Task Manager, which causes the desktop theme to fluctuate between XP and Classic (leading me to believe this is the service group containing Themes), but later wuauclt.exe will still run, starting up the svchost again and pegging it at 100% CPU.
This is a similar pattern to one I saw with my dad's computer on the same network earlier in the year, except that bootkit was able to switch processes it was running out of at will.  It was found (through your kind assistance) that he had Rootkit.Boot.Harbinger.a running from a hidden partition, which we cured with Kaspersky TDSSKiller.  However, that program isn't working by itself on this virus.  It finds some suspicious files but doesn't offer to "cure" them.  Meanwhile Norton 360 (Comcast's Security Suite) blocks the files from being quarantined and they are there again on reboot.

If I turn off Windows Automatic Update in the Windows Services applet just after booting, wuauclt.exe doesn't run, the bootkit can't set up, and the computer behaves normally.  I haven't tried updating Windows or Flash in this configuration, though.  On reboot, Windows Update is started again and the rootkit boots up.

Very frustrating, and I haven't yet found what information is being traded to and from my computer.  Please help!

sincerely,

A_Late_Fall

 

This is DDS with a/v off, disconnected from internet, and rebooted to bootkit running:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.45.2
Run by Admin at 21:06:18 on 2013-12-16
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1555 [GMT -5:00]
.
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\SMSC\SetIcon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\21.1.0.18\N360.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Norton Security Suite\Engine\21.1.0.18\N360.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cnn.com/WORLD/
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton security suite\engine\21.1.0.18\CoIEPlg.dll
BHO: EWPBrowseObject Class: {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton security suite\engine\21.1.0.18\ips\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\21.1.0.18\CoIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [SetIcon] \Program Files\SMSC\SetIcon.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\documents and settings\admin\start menu\programs\startup\PowerReg SchedulerV2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1347459775140
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{53BC149D-C856-4630-B430-E8CB5072BEF4} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{CC0DA0FC-E159-4FDB-BAD5-DA0FB03EC0A2} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\27zgmn6y.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_152.dll
FF - ExtSQL: 2013-10-25 12:19; jid1-ZAdIEUB7XOzOJw@jetpack; c:\documents and settings\admin\application data\mozilla\firefox\profiles\27zgmn6y.default\extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi
FF - ExtSQL: 2013-12-12 10:17; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_21.1.0.18\IPSFF
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1501000.012\SymDS.sys [2013-12-11 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1501000.012\SymEFA.sys [2013-12-11 935512]
R1 BHDrvx86;BHDrvx86;c:\program files\norton security suite\nortondata\21.1.0.18\definitions\bashdefs\20131203.001\BHDrvx86.sys [2013-12-3 1098968]
R1 ccSet_N360;N360 Settings Manager;c:\windows\system32\drivers\n360\1501000.012\ccSetx86.sys [2013-12-11 127064]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1501000.012\Ironx86.sys [2013-12-11 206936]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\21.1.0.18\N360.exe [2013-12-11 264360]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-3-30 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-3-30 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-3-30 9088]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-12-12 108120]
R3 IDSxpx86;IDSxpx86;c:\program files\norton security suite\nortondata\21.1.0.18\definitions\ipsdefs\20131213.001\IDSXpx86.sys [2013-12-13 382608]
R3 NAVENG;NAVENG;c:\program files\norton security suite\nortondata\21.1.0.18\definitions\virusdefs\20131215.005\NAVENG.SYS [2013-12-15 93272]
R3 NAVEX15;NAVEX15;c:\program files\norton security suite\nortondata\21.1.0.18\definitions\virusdefs\20131215.005\NAVEX15.SYS [2013-12-15 1612376]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-12-2 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [2011-6-11 10112]
.
=============== Created Last 30 ================
.
2013-12-12 00:24:44    935512    ----a-r-    c:\windows\system32\drivers\n360\1501000.012\SymEFA.sys
2013-12-12 00:24:44    651352    ----a-r-    c:\windows\system32\drivers\n360\1501000.012\srtsp.sys
2013-12-12 00:24:44    446552    ----a-r-    c:\windows\system32\drivers\n360\1501000.012\symnets.sys
2013-12-12 00:24:44    421592    ----a-r-    c:\windows\system32\drivers\n360\1501000.012\symtdi.sys
2013-12-12 00:24:44    383576    ----a-r-    c:\windows\system32\drivers\n360\1501000.012\symtdiv.sys
2013-12-12 00:24:44    367704    ----a-r-    c:\windows\system32\drivers\n360\1501000.012\SymDS.sys
2013-12-12 00:24:44    32344    ----a-r-    c:\windows\system32\drivers\n360\1501000.012\srtspx.sys
2013-12-12 00:24:44    21520    ----a-r-    c:\windows\system32\drivers\n360\1501000.012\SymELAM.sys
2013-12-12 00:24:44    206936    ----a-r-    c:\windows\system32\drivers\n360\1501000.012\Ironx86.sys
2013-12-12 00:24:44    127064    ----a-r-    c:\windows\system32\drivers\n360\1501000.012\ccSetx86.sys
2013-12-12 00:24:25    14818    ----a-r-    c:\windows\system32\drivers\n360\1501000.012\SymVTcer.dat
2013-12-12 00:24:24    --------    d-----w-    c:\windows\system32\drivers\n360\1501000.012
2013-12-11 18:33:47    --------    d-----w-    C:\N360_BACKUP
2013-12-11 15:42:00    --------    d-----w-    C:\TDSSKiller_Quarantine
.
==================== Find3M  ====================
.
2013-12-12 00:25:22    142936    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2013-11-18 13:32:50    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-18 13:32:50    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-10-13 07:25:38    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-10-13 07:25:08    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-10-13 07:25:02    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-10-13 07:24:17    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-10-13 06:57:59    385024    ----a-w-    c:\windows\system32\html.iec
2013-10-12 15:56:19    278528    ----a-w-    c:\windows\system32\oakley.dll
2013-10-09 13:12:48    287744    ----a-w-    c:\windows\system32\gdi32.dll
2013-10-08 11:50:41    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-10-08 11:29:36    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2013-10-07 10:59:21    603136    ----a-w-    c:\windows\system32\crypt32.dll
2013-10-05 01:14:01    7168    ----a-w-    c:\windows\system32\xpsp4res.dll
.
============= FINISH: 21:06:54.18 ===============
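Both posts above describe the same diagnostic dead end: Task Manager shows one svchost.exe instance (running as SYSTEM) pinned at 100% CPU, but not which of the services bundled into that host is doing the work, nor whether the host image is the genuine one from system32. The script below is an added example written for this thread, not a tool the posters or BleepingComputer staff used. It maps each svchost.exe instance to its -k service group, the services it hosts, its accumulated CPU time and the Authenticode status of its image, so a busy host can be narrowed to one service before any service is stopped. It assumes PowerShell 2.0 or later with WMI available (XP SP3 and later), an elevated prompt, and the function name Get-SvchostServiceMap is my own.

```powershell
# Added example (not from the thread): map every svchost.exe instance to the
# services it hosts so a pegged "svchost.exe SYSTEM" can be traced to one service.
# Assumes PowerShell 2.0+ and WMI (XP SP3 onward); run from an elevated prompt,
# otherwise ExecutablePath may be empty for SYSTEM-owned processes.

function Get-SvchostServiceMap {
    # Win32_Process gives the command line (with the -k group) and CPU time per PID.
    $hosts = Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'"
    foreach ($h in $hosts) {
        # Win32_Service.ProcessId links each running service to the process hosting it.
        $svcs = Get-WmiObject Win32_Service -Filter ("ProcessId = {0}" -f $h.ProcessId) |
                Select-Object -ExpandProperty Name

        # The -k argument names the service group (netsvcs, NetworkService, ...).
        $group = if ($h.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(none)' }

        # Kernel and user mode times are reported in 100-nanosecond units.
        $cpuSec = ($h.KernelModeTime + $h.UserModeTime) / 1e7

        # Process owner (e.g. SYSTEM, NETWORK SERVICE); GetOwner() fails if access is denied.
        $owner = '(unknown)'
        $o = $h.GetOwner()
        if ($o.ReturnValue -eq 0) { $owner = $o.User }

        # Verify the image is the signed system binary; an unsigned or oddly placed
        # svchost.exe is the first thing to examine. Skip when the path is not readable.
        $sigStatus = '(path unavailable)'
        if ($h.ExecutablePath -and (Test-Path $h.ExecutablePath)) {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $h.ExecutablePath).Status
        }

        New-Object PSObject -Property @{
            PID        = $h.ProcessId
            Owner      = $owner
            Group      = $group
            CpuSeconds = [math]::Round($cpuSec, 1)
            Image      = $h.ExecutablePath
            Signature  = $sigStatus
            Services   = ($svcs -join ', ')
        }
    }
}

# Busiest host first; the Services column shows what a stop in Task Manager would kill.
Get-SvchostServiceMap |
    Sort-Object CpuSeconds -Descending |
    Format-Table PID, Owner, Group, CpuSeconds, Signature, Services -AutoSize
```

Reading the output against the logs above: the host whose Group is netsvcs is the one that carries both the Themes service (which explains the desktop flipping between XP and Classic when the poster ends the process) and the Automatic Updates service that launches wuauclt.exe, so a high CpuSeconds on that row is consistent with the update client being the consumer rather than with a foreign process. A Signature other than Valid, or an Image outside C:\WINDOWS\system32, is the result that would justify treating the host as suspect. The same PID-to-service mapping, without CPU time or signature checks, is available on XP as `tasklist /svc`.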
 



#4 Oh My!


Posted 17 December 2013 - 10:01 AM

Greetings A_Late_Fall and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please run this program for me.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop-up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST results
  • Addition log

Gary

If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 A_Late_Fall (Topic Starter)

Posted 17 December 2013 - 01:23 PM

Hi Gary, thanks for your kind attention!

Some interesting things happened just in the last few minutes. I ran the FRST scan, but in workaround mode, that is, with Windows Update turned off, but then I thought it might show more if I rebooted to where svchost.exe was hogging resources. It took maybe ten times as long to scan, but then I saw that the "additions" box was unchecked the second time. I ran the scan a third time and have the results, but during the third scan svchost.exe stopped running and the little yellow Windows Update shield (with the exclamation point) popped up, as should have happened a week ago. I thought I gave it plenty of time to do its work last week (overnight, etc.), but maybe this was a particularly slow or problematic download. I would actually rather that be the case. In any event it looked very suspicious before. I forgot to mention that the full Norton Security Suite upgrade rollout happened just after things started to get weird as well. Was there a conflict? I'll send you the scan and you can maybe tell me.

Please let me know if I should go ahead and try to install the Windows Updates as well.  As of right now svchost is quiet.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 17-12-2013 01
Ran by Admin (administrator) on MICROSOF-8CC649 on 17-12-2013 12:51:43
Running from C:\Documents and Settings\Admin\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTAudSvc.exe
(Creative Technology Ltd) C:\WINDOWS\system32\CtHelper.exe
(Standard Microsystems Corp.) C:\Program Files\SMSC\SetIcon.exe
(HP) C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
(CANON INC.) C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Messenger\msmsgs.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe
() C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
(Creative Technology Ltd) C:\WINDOWS\system32\CTSVCCDA.EXE
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Symantec Corporation) C:\Program Files\Norton Security Suite\Engine\21.1.0.18\N360.exe
() C:\Program Files\CDBurnerXP\NMSAccessU.exe
() C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
(Symantec Corporation) C:\Program Files\Norton Security Suite\Engine\21.1.0.18\N360.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [CTxfiHlp] - C:\WINDOWS\system32\Ctxfihlp.exe [19968 2007-04-09] (Creative Technology Ltd)
HKLM\...\Run: [CTHelper] - C:\WINDOWS\system32\CtHelper.exe [19456 2010-03-18] (Creative Technology Ltd)
HKLM\...\Run: [SetIcon] - \Program Files\SMSC\SetIcon.exe [42496 2004-04-28] (Standard Microsystems Corp.)
HKLM\...\Run: [HPDJ Taskbar Utility] - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe [172032 2004-03-04] (HP)
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE [1187840 2005-11-23] (CANON INC.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKCU\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-13] (Microsoft Corporation)
Startup: C:\Documents and Settings\Admin\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/WORLD/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKCU - {59052B96-96D7-4C72-8644-FC5171E20E96} URL = http://www.dogpile.com/dogpile_prefer/ws/redir/_iceUrlFlag=11?_IceUrl=true&qkw={searchTerms}
SearchScopes: HKCU - {9E5352F4-E006-4971-9952-C12EB997E5C9} URL = http://www.thefreedictionary.com/_/search.aspx?pid=osearch&word={searchTerms}
SearchScopes: HKCU - {A24B6208-BC31-45D8-A676-FE4E653B297F} URL = http://www.rhymer.com/RhymingDictionary/{searchTerms}.html
SearchScopes: HKCU - {E6620C25-49D8-466C-84D0-820BE450444A} URL = http://www.rhymezone.com/r/rhyme.cgi?Word={searchTerms}&typeofrhyme=perfect&org1=syl&org2=l
BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\21.1.0.18\CoIEPlg.dll (Symantec Corporation)
BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()
BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\21.1.0.18\IPS\IPSBHO.dll (Symantec Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\21.1.0.18\CoIEPlg.dll (Symantec Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} http://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} http://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\27zgmn6y.default
FF DefaultSearchEngine: DuckDuckGo
FF SelectedSearchEngine: DuckDuckGo
FF Homepage: hxxp://www.cnn.com
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_152.dll ()
FF Plugin: @java.com/DTPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.6 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\27zgmn6y.default\searchplugins\dogpile.xml
FF SearchPlugin: C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\27zgmn6y.default\searchplugins\duckduckgo.xml
FF SearchPlugin: C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\27zgmn6y.default\searchplugins\eccellio-science.xml
FF SearchPlugin: C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\27zgmn6y.default\searchplugins\googletranslate.xml
FF SearchPlugin: C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\27zgmn6y.default\searchplugins\imdb.xml
FF SearchPlugin: C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\27zgmn6y.default\searchplugins\radio-online.xml
FF SearchPlugin: C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\27zgmn6y.default\searchplugins\safesearch.xml
FF SearchPlugin: C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\27zgmn6y.default\searchplugins\youtube-ssl.xml
FF Extension: jid1-ZAdIEUB7XOzOJw - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\27zgmn6y.default\Extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn\
FF Extension: Norton Toolbar - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn\
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\IPSFF
FF Extension: Norton Vulnerability Protection - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\IPSFF

========================== Services (Whitelisted) =================

R2 AdobeActiveFileMonitor; C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [98304 2004-10-04] ()
R2 Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.exe [44032 1999-12-13] (Creative Technology Ltd)
R2 N360; C:\Program Files\Norton Security Suite\Engine\21.1.0.18\diMaster.dll [567600 2013-10-08] (Symantec Corporation)
R2 NMSAccess; C:\Program Files\CDBurnerXP\NMSAccessU.exe [71096 2009-01-12] ()
R2 PhotoshopElementsDeviceConnect; C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [118784 2004-10-04] ()
S3 Symantec RemoteAssist; C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe [394704 2008-01-29] (Symantec, Inc.)
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"

==================== Drivers (Whitelisted) ====================

R3 ATICXCAP; C:\Windows\System32\drivers\aticxcap.sys [173824 2005-03-30] (ATI Technologies, Inc.)
R3 ATICXTUN; C:\Windows\System32\drivers\aticxtun.sys [29184 2005-03-30] (ATI Technologies, Inc.)
R3 ATICXXBR; C:\Windows\System32\drivers\aticxxbr.sys [9088 2005-03-30] (ATI Technologies, Inc.)
R1 BHDrvx86; C:\Program Files\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20131203.001\BHDrvx86.sys [1098968 2013-12-03] (Symantec Corporation)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R1 ccSet_N360; C:\Windows\system32\drivers\N360\1501000.012\ccSetx86.sys [127064 2013-09-25] (Symantec Corporation)
S3 COMMONFX; C:\Windows\System32\drivers\COMMONFX.SYS [99416 2010-03-18] (Creative Technology Ltd)
R3 COMMONFX.SYS; C:\Windows\System32\drivers\COMMONFX.SYS [99416 2010-03-18] (Creative Technology Ltd)
S3 CT20XUT.DLL; C:\Windows\System32\CT20XUT.DLL [164608 2007-04-12] (Creative Technology Ltd.)
S3 CTAUDFX; C:\Windows\System32\drivers\CTAUDFX.SYS [555096 2010-03-18] (Creative Technology Ltd)
R3 CTAUDFX.SYS; C:\Windows\System32\drivers\CTAUDFX.SYS [555096 2010-03-18] (Creative Technology Ltd)
S3 ctdvda2k; C:\Windows\System32\drivers\ctdvda2k.sys [347144 2010-03-18] (Creative Technology Ltd)
S3 CTEAPSFX.DLL; C:\Windows\System32\CTEAPSFX.DLL [168192 2007-04-12] (Creative Technology Ltd)
S3 CTEDSPFX.DLL; C:\Windows\System32\CTEDSPFX.DLL [280320 2007-04-12] (Creative Technology Ltd)
S3 CTEDSPIO.DLL; C:\Windows\System32\CTEDSPIO.DLL [128768 2007-04-12] (Creative Technology Ltd)
S3 CTEDSPSY.DLL; C:\Windows\System32\CTEDSPSY.DLL [323328 2007-04-12] (Creative Technology Ltd)
S3 CTERFXFX; C:\Windows\System32\drivers\CTERFXFX.SYS [100952 2010-03-18] (Creative Technology Ltd)
S3 CTERFXFX.SYS; C:\Windows\System32\drivers\CTERFXFX.SYS [100952 2010-03-18] (Creative Technology Ltd)
S3 CTEXFIFX.DLL; C:\Windows\System32\CTEXFIFX.DLL [1317632 2007-04-12] (Creative Technology Ltd.)
S3 CTHWIUT.DLL; C:\Windows\System32\CTHWIUT.DLL [66816 2007-04-12] (Creative Technology Ltd.)
S3 CTSBLFX; C:\Windows\System32\drivers\CTSBLFX.SYS [566360 2010-03-18] (Creative Technology Ltd)
R3 CTSBLFX.SYS; C:\Windows\System32\drivers\CTSBLFX.SYS [566360 2010-03-18] (Creative Technology Ltd)
R3 E1000; C:\Windows\System32\DRIVERS\e1000325.sys [171152 2008-08-20] (Intel Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376920 2013-12-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [108120 2013-12-11] (Symantec Corporation)
R3 ha10kx2k; C:\Windows\System32\drivers\ha10kx2k.sys [798808 2010-03-18] (Creative Technology Ltd)
R3 hap16v2k; C:\Windows\System32\drivers\hap16v2k.sys [162904 2010-03-18] (Creative Technology Ltd)
S3 hap17v2k; C:\Windows\System32\drivers\hap17v2k.sys [189528 2010-03-18] (Creative Technology Ltd)
R3 IDSxpx86; C:\Program Files\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20131216.001\IDSxpx86.sys [382608 2013-12-13] (Symantec Corporation)
S3 NAL; C:\WINDOWS\system32\Drivers\iqvw32.sys [31072 2007-02-13] (Intel Corporation )
R3 NAVENG; C:\Program Files\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20131216.038\NAVENG.SYS [93272 2013-12-11] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20131216.038\NAVEX15.SYS [1612376 2013-12-11] (Symantec Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R3 SRTSP; C:\Windows\System32\Drivers\N360\1501000.012\SRTSP.SYS [651352 2013-09-26] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360\1501000.012\SRTSPX.SYS [32344 2013-09-09] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\N360\1501000.012\SYMDS.SYS [367704 2013-09-09] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360\1501000.012\SYMEFA.SYS [935512 2013-09-26] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142936 2013-12-11] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360\1501000.012\Ironx86.SYS [206936 2013-09-26] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\N360\1501000.012\SYMTDI.SYS [421592 2013-09-25] (Symantec Corporation)
S3 COMMONFX.DLL; system32\COMMONFX.DLL [x]
S3 CTAUDFX.DLL; system32\CTAUDFX.DLL [x]
S3 CTERFXFX.DLL; system32\CTERFXFX.DLL [x]
S3 CTSBLFX.DLL; system32\CTSBLFX.DLL [x]
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-12-17 12:38 - 2013-12-17 13:02 - 00015358 _____ C:\Documents and Settings\Admin\Desktop\FRST.txt
2013-12-17 12:35 - 2013-12-17 12:38 - 00012813 _____ C:\WINDOWS\WindowsUpdate.log
2013-12-17 12:35 - 2013-12-17 12:35 - 04931577 _____ C:\WINDOWS\{00000002-00000000-00000003-00001102-00000004-10031102}.BAK
2013-12-17 12:28 - 2013-12-17 12:28 - 00000000 ____D C:\FRST
2013-12-17 12:23 - 2013-12-17 12:23 - 01061167 _____ (Farbar) C:\Documents and Settings\Admin\Desktop\FRST.exe
2013-12-16 21:07 - 2013-12-16 21:07 - 00018752 _____ C:\Documents and Settings\Admin\Desktop\attach2.txt
2013-12-16 21:07 - 2013-12-16 21:07 - 00012183 _____ C:\Documents and Settings\Admin\Desktop\dds2.txt
2013-12-16 21:02 - 2013-12-16 21:02 - 00001942 _____ C:\Documents and Settings\Admin\Desktop\Bleeping 2.txt
2013-12-12 10:08 - 2013-12-12 10:08 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Norton Security Suite
2013-12-11 19:25 - 2013-12-12 10:08 - 00001940 _____ C:\Documents and Settings\All Users\Desktop\Norton Security Suite.LNK
2013-12-11 18:22 - 2013-12-16 21:07 - 00018752 _____ C:\Documents and Settings\Admin\Desktop\attach.txt
2013-12-11 18:22 - 2013-12-16 21:06 - 00012183 _____ C:\Documents and Settings\Admin\Desktop\dds.txt
2013-12-11 18:01 - 2013-12-11 18:01 - 00688992 ____R (Swearware) C:\Documents and Settings\Admin\Desktop\dds.com
2013-12-11 17:29 - 2013-12-11 18:46 - 00009619 _____ C:\Documents and Settings\Admin\Desktop\Bleeping.txt
2013-12-11 13:33 - 2013-12-11 13:33 - 00000000 ____D C:\N360_BACKUP
2013-12-11 11:51 - 2013-12-11 11:51 - 00000359 _____ C:\Documents and Settings\Admin\Desktop\TDSS quarantine.txt
2013-12-11 11:30 - 2013-12-11 11:30 - 00000844 _____ C:\Documents and Settings\Admin\Desktop\checkup.txt
2013-12-11 10:42 - 2013-12-11 11:45 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-11-26 02:50 - 2013-11-26 02:50 - 00023066 _____ C:\Documents and Settings\Admin\My Documents\cc_20131126_025038.reg

==================== One Month Modified Files and Folders =======

2013-12-17 13:02 - 2013-12-17 12:38 - 00015358 _____ C:\Documents and Settings\Admin\Desktop\FRST.txt
2013-12-17 12:38 - 2013-12-17 12:35 - 00012813 _____ C:\WINDOWS\WindowsUpdate.log
2013-12-17 12:36 - 2010-11-27 12:39 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-12-17 12:36 - 2010-11-27 07:28 - 00000159 _____ C:\WINDOWS\wiadebug.log
2013-12-17 12:36 - 2010-11-27 07:28 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-12-17 12:36 - 2001-08-23 07:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2013-12-17 12:35 - 2013-12-17 12:35 - 04931577 _____ C:\WINDOWS\{00000002-00000000-00000003-00001102-00000004-10031102}.BAK
2013-12-17 12:35 - 2013-10-14 12:42 - 00239384 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2013-12-17 12:35 - 2010-12-02 02:01 - 04931577 _____ C:\WINDOWS\{00000002-00000000-00000003-00001102-00000004-10031102}.CDF
2013-12-17 12:35 - 2010-11-27 12:40 - 00000278 ___SH C:\Documents and Settings\Admin\ntuser.ini
2013-12-17 12:35 - 2010-11-27 12:39 - 00002184 _____ C:\WINDOWS\SchedLgU.Txt
2013-12-17 12:28 - 2013-12-17 12:28 - 00000000 ____D C:\FRST
2013-12-17 12:23 - 2013-12-17 12:23 - 01061167 _____ (Farbar) C:\Documents and Settings\Admin\Desktop\FRST.exe
2013-12-17 12:10 - 2010-11-27 12:40 - 00000000 ____D C:\Documents and Settings\Admin
2013-12-17 12:10 - 2010-11-27 07:28 - 00000000 _____ C:\WINDOWS\Sti_Trace.log
2013-12-16 21:07 - 2013-12-16 21:07 - 00018752 _____ C:\Documents and Settings\Admin\Desktop\attach2.txt
2013-12-16 21:07 - 2013-12-16 21:07 - 00012183 _____ C:\Documents and Settings\Admin\Desktop\dds2.txt
2013-12-16 21:07 - 2013-12-11 18:22 - 00018752 _____ C:\Documents and Settings\Admin\Desktop\attach.txt
2013-12-16 21:06 - 2013-12-11 18:22 - 00012183 _____ C:\Documents and Settings\Admin\Desktop\dds.txt
2013-12-16 21:02 - 2013-12-16 21:02 - 00001942 _____ C:\Documents and Settings\Admin\Desktop\Bleeping 2.txt
2013-12-16 19:11 - 2001-08-23 07:00 - 00000664 _____ C:\WINDOWS\win.ini
2013-12-14 21:45 - 2013-01-04 20:28 - 00000000 ____D C:\Documents and Settings\Admin\My Documents\My Notebook 4
2013-12-12 10:17 - 2011-07-02 21:26 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-12-12 10:11 - 2010-11-28 22:51 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2013-12-12 10:08 - 2013-12-12 10:08 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Norton Security Suite
2013-12-12 10:08 - 2013-12-11 19:25 - 00001940 _____ C:\Documents and Settings\All Users\Desktop\Norton Security Suite.LNK
2013-12-12 10:08 - 2011-07-02 21:25 - 00000000 ____D C:\WINDOWS\system32\Drivers\N360
2013-12-11 19:25 - 2011-07-02 21:26 - 00142936 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2013-12-11 19:25 - 2011-07-02 21:26 - 00008194 _____ C:\WINDOWS\system32\Drivers\SYMEVENT.CAT
2013-12-11 19:24 - 2011-07-02 21:25 - 00000000 ____D C:\Program Files\Norton Security Suite
2013-12-11 18:46 - 2013-12-11 17:29 - 00009619 _____ C:\Documents and Settings\Admin\Desktop\Bleeping.txt
2013-12-11 18:01 - 2013-12-11 18:01 - 00688992 ____R (Swearware) C:\Documents and Settings\Admin\Desktop\dds.com
2013-12-11 16:00 - 2010-12-04 23:30 - 00000000 ____D C:\Documents and Settings\Admin\My Documents\Pdf files
2013-12-11 13:33 - 2013-12-11 13:33 - 00000000 ____D C:\N360_BACKUP
2013-12-11 11:51 - 2013-12-11 11:51 - 00000359 _____ C:\Documents and Settings\Admin\Desktop\TDSS quarantine.txt
2013-12-11 11:45 - 2013-12-11 10:42 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-12-11 11:30 - 2013-12-11 11:30 - 00000844 _____ C:\Documents and Settings\Admin\Desktop\checkup.txt
2013-12-09 06:54 - 2010-12-15 16:53 - 00058880 _____ C:\Documents and Settings\Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-11-27 10:27 - 2010-11-28 22:51 - 00000000 ____D C:\Documents and Settings\All Users\Documents\Norton
2013-11-26 02:50 - 2013-11-26 02:50 - 00023066 _____ C:\Documents and Settings\Admin\My Documents\cc_20131126_025038.reg
2013-11-18 08:32 - 2012-04-05 20:04 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-11-18 08:32 - 2011-05-17 22:57 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-11-18 08:28 - 2010-11-29 01:05 - 00000000 ____D C:\Documents and Settings\Admin\Local Settings\Application Data\Adobe
2013-11-18 08:26 - 2012-04-26 20:42 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 17-12-2013 01
Ran by Admin at 2013-12-17 13:06:57
Running from C:\Documents and Settings\Admin\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Norton Security Suite (Disabled - Up to date) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite (Disabled) {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

==================== Installed Programs ======================

Adobe AIR (Version: 2.5.1.17730)
Adobe Flash Player 11 ActiveX (Version: 11.3.300.265)
Adobe Flash Player 11 Plugin (Version: 11.9.900.152)
Adobe Photoshop Elements 3.0 (Version: 003.000.0000)
Adobe Reader XI (11.0.03) (Version: 11.0.03)
ArcSoft PhotoImpression
ArtRage (Version: 3)
B57Inst (Version: 3.40)
Broadcom Driver Installer (Version: 3.40)
Canon Camera WIA Driver (Version: 5.1)
Canon EOS 10D WIA Driver (Version: 5.1)
Canon My Printer
Canon Pro9000
Canon Pro9000 Printer Driver
Canon Setup Utility 2.1
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint Pro
Canon Utilities PhotoStitch 3.1 (Version: 3.1.13)
CCleaner (Version: 3.20)
CDBurnerXP (Version: 4.4.1.3099)
Cisco Connect (Version: 1.4.11160.2)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Creative Audio Console (Version: 1.33)
Creative MediaSource 5 (Version: 5.26)
Creative Software AutoUpdate (Version: 1.40)
Creative WaveStudio 7 (Version: 7.12)
Defender of the Crown: Heroes Live Forever (Version: 32.0.0.0)
Easy-WebPrint
EPSON Copy Utility
EPSON Photo Print
EPSON Scanner Reference Guide
EPSON Smart Panel
EPSON TWAIN 5
Free RAR Extract Frog (Version: 2.30)
HP Deskjet 6500 (Version: 1.00.0000)
HP Update (Version: 5.003.001.001)
Intel® PRO Network Connections 12.0.36.0 (Version: )
Internet Explorer (Enable DEP)
Java 7 Update 45 (Version: 7.0.450)
Java Auto Updater (Version: 2.1.9.8)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Automated Troubleshooting Services Shim
Microsoft Fix it Center (Version: 1.0.0100)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Silverlight (Version: 5.1.20913.0)
Mozilla Firefox 25.0.1 (x86 en-US) (Version: 25.0.1)
Mozilla Maintenance Service (Version: 25.0.1)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6.0 Parser (KB925673) (Version: 6.00.3888.0)
Norton Security Suite (Version: 21.1.0.18)
Nostalgic (Version: 1.11)
Octoshape add-in for Adobe Flash Player
overland (Version: 2.1.5)
PhotoStitch (Version: 3.1.13)
Rome - Total War™ Demo (Version: 1.0)
Rome: Total War Gold Edition (Version: 1.0)
Rundata 2.5 (Version: 2.5)
ScanToWeb
SoundFont Bank Manager
Symantec Technical Support Web Controls (Version: 3.5.3)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 8 (KB2632503) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows XP (KB2492386) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
USB2.0 Card Reader (Version: 0.2.1.1)
VLC media player 2.0.6 (Version: 2.0.6)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell™ 1.0 (Version: 2)
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows XP Service Pack 3 (Version: 20080414.031525)
XML Paper Specification Shared Components Pack 1.0

==================== Restore Points  =========================

02-10-2013 16:18:46 System Checkpoint
03-10-2013 19:07:30 System Checkpoint
04-10-2013 20:20:52 System Checkpoint
06-10-2013 03:08:11 System Checkpoint
07-10-2013 21:43:12 System Checkpoint
08-10-2013 22:51:02 System Checkpoint
09-10-2013 06:24:28 Software Distribution Service 3.0
10-10-2013 07:58:29 System Checkpoint
11-10-2013 09:25:04 System Checkpoint
12-10-2013 22:03:26 System Checkpoint
13-10-2013 07:00:16 Software Distribution Service 3.0
14-10-2013 07:15:11 System Checkpoint
15-10-2013 23:30:19 System Checkpoint
17-10-2013 06:48:47 System Checkpoint
18-10-2013 09:01:27 System Checkpoint
19-10-2013 10:04:43 System Checkpoint
20-10-2013 12:30:38 System Checkpoint
21-10-2013 12:35:11 System Checkpoint
22-10-2013 06:59:27 Installed Java 7 Update 45
23-10-2013 07:05:30 System Checkpoint
24-10-2013 16:17:16 System Checkpoint
25-10-2013 21:03:52 System Checkpoint
26-10-2013 22:09:25 System Checkpoint
28-10-2013 04:46:27 System Checkpoint
29-10-2013 05:11:25 System Checkpoint
30-10-2013 11:07:52 System Checkpoint
31-10-2013 11:22:30 System Checkpoint
02-11-2013 01:05:44 System Checkpoint
03-11-2013 10:58:49 System Checkpoint
05-11-2013 07:12:28 System Checkpoint
06-11-2013 08:09:33 System Checkpoint
07-11-2013 11:52:00 System Checkpoint
08-11-2013 12:30:24 System Checkpoint
10-11-2013 05:06:17 System Checkpoint
11-11-2013 05:11:08 System Checkpoint
12-11-2013 15:54:40 System Checkpoint
13-11-2013 19:05:38 System Checkpoint
14-11-2013 01:18:00 Software Distribution Service 3.0
15-11-2013 15:18:14 System Checkpoint
16-11-2013 16:03:36 System Checkpoint
17-11-2013 19:09:43 System Checkpoint
18-11-2013 19:24:51 System Checkpoint
19-11-2013 21:09:22 System Checkpoint
21-11-2013 12:18:41 System Checkpoint
22-11-2013 12:54:03 System Checkpoint
23-11-2013 21:17:01 System Checkpoint
24-11-2013 23:44:35 System Checkpoint
26-11-2013 00:16:18 System Checkpoint
27-11-2013 06:44:22 System Checkpoint
28-11-2013 08:21:39 System Checkpoint
29-11-2013 13:22:06 System Checkpoint
01-12-2013 06:08:49 System Checkpoint
02-12-2013 14:50:02 System Checkpoint
03-12-2013 15:42:54 System Checkpoint
04-12-2013 21:02:28 System Checkpoint
05-12-2013 21:33:03 System Checkpoint
07-12-2013 15:22:57 System Checkpoint
09-12-2013 02:27:24 System Checkpoint
10-12-2013 03:19:03 System Checkpoint
11-12-2013 04:13:03 System Checkpoint
14-12-2013 23:43:33 System Checkpoint
16-12-2013 00:29:46 System Checkpoint

==================== Hosts content: ==========================

2001-08-23 07:00 - 2001-08-23 07:00 - 00000734 ____N C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============


==================== Loaded Modules (whitelisted) =============

2004-10-04 04:46 - 2004-10-04 04:46 - 00147456 _____ () C:\Program Files\Adobe\Photoshop Elements 3.0\platform.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\11225451.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\55599929.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\11225451.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\55599929.sys => ""="Driver"

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/12/2013 10:08:25 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/12/2013 10:08:25 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/12/2013 10:08:25 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/11/2013 11:29:18 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/11/2013 11:29:18 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/11/2013 11:29:18 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/02/2013 09:00:48 AM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 25.0.1.5064, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (12/02/2013 09:00:25 AM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 25.0.1.5064, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/12/2013 03:39:51 PM) (Source: Application Error) (User: )
Description: Fault bucket -370863270.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication.  The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (11/12/2013 03:39:30 PM) (Source: Application Error) (User: )
Description: Faulting application plugin-container.exe, version 25.0.0.5046, faulting module mozalloc.dll, version 25.0.0.5046, fault address 0x0000119c.
Processing media-specific event for [plugin-container.exe!ws!]


System errors:
=============
Error: (12/16/2013 00:11:54 AM) (Source: 0) (User: )
Description: WORKGROUP      :1d192.168.1.101192.168.1.1

Error: (12/16/2013 00:06:44 AM) (Source: 0) (User: )
Description: WORKGROUP      :1d192.168.1.101192.168.1.1

Error: (12/16/2013 00:01:34 AM) (Source: 0) (User: )
Description: WORKGROUP      :1d192.168.1.101192.168.1.1

Error: (12/15/2013 11:56:24 PM) (Source: 0) (User: )
Description: WORKGROUP      :1d192.168.1.101192.168.1.1

Error: (12/15/2013 11:51:14 PM) (Source: 0) (User: )
Description: WORKGROUP      :1d192.168.1.101192.168.1.1

Error: (12/15/2013 11:46:04 PM) (Source: 0) (User: )
Description: WORKGROUP      :1d192.168.1.101192.168.1.1

Error: (12/15/2013 11:40:54 PM) (Source: 0) (User: )
Description: WORKGROUP      :1d192.168.1.101192.168.1.1

Error: (12/15/2013 11:35:44 PM) (Source: 0) (User: )
Description: WORKGROUP      :1d192.168.1.101192.168.1.1

Error: (12/15/2013 11:30:34 PM) (Source: 0) (User: )
Description: WORKGROUP      :1d192.168.1.101192.168.1.1

Error: (12/15/2013 11:25:24 PM) (Source: BROWSER) (User: )
Description: The browser was unable to promote itself to master browser.  The computer that currently
believes it is the master browser is SCHENDOM.


Microsoft Office Sessions:
=========================
Error: (12/12/2013 10:08:25 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/12/2013 10:08:25 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/12/2013 10:08:25 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/11/2013 11:29:18 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/11/2013 11:29:18 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/11/2013 11:29:18 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (12/02/2013 09:00:48 AM) (Source: Application Hang)(User: )
Description: firefox.exe25.0.1.5064hungapp0.0.0.000000000

Error: (12/02/2013 09:00:25 AM) (Source: Application Hang)(User: )
Description: firefox.exe25.0.1.5064hungapp0.0.0.000000000

Error: (11/12/2013 03:39:51 PM) (Source: Application Error)(User: )
Description: -370863270

Error: (11/12/2013 03:39:30 PM) (Source: Application Error)(User: )
Description: plugin-container.exe25.0.0.5046mozalloc.dll25.0.0.50460000119c


==================== Memory info ===========================

Percentage of memory in use: 37%
Total physical RAM: 2047 MB
Available physical RAM: 1279.84 MB
Total Pagefile: 3942.27 MB
Available Pagefile: 3378.04 MB
Total Virtual: 2047.88 MB
Available Virtual: 1941.34 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.88 GB) (Free:60.06 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 233 GB) (Disk ID: 92A492A4)
Partition 1: (Active) - (Size=233 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,957 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:08:14 PM

Posted 17 December 2013 - 03:12 PM

Greetings,

Thank you for posting the information. Please do this for me.

===================================================

ComboFix Windows XP

--------------------

For a more detailed explanation on running Combofix and the prompts you will be following please see here.
  • Please download ComboFix from one of these locations and save it to your desktop:

Bleepingcomputer

ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista/Windows 7, ComboFix will skip the below Recovery Console pop ups and continue its malware removal procedure.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware
----------

Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue

----------

If Combofix fails to run properly using the above instructions please attempt the following:
  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it
===================================================

aswMBR

--------------------
  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.

  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.

  • Please post the contents of the log in your next reply.
NOTE: aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Combofix log
  • aswMBR log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 A_Late_Fall

A_Late_Fall
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:11:14 PM

Posted 17 December 2013 - 04:41 PM

My name is John, btw. :)

Ok, here are the ComboFix log and the aswMBR log:

ComboFix 13-12-17.02 - Admin 12/17/2013  15:55:04.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1237 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-17 to 2013-12-17  )))))))))))))))))))))))))))))))
.
.
2013-12-17 18:07 . 2013-12-17 18:07    --------    d-----w-    c:\windows\LastGood
2013-12-17 17:28 . 2013-12-17 17:28    --------    d-----w-    C:\FRST
2013-12-12 00:24 . 2013-12-12 15:17    --------    d-----w-    c:\windows\system32\drivers\N360\1501000.012
2013-12-11 18:33 . 2013-12-11 18:33    --------    d-----w-    C:\N360_BACKUP
2013-12-11 15:42 . 2013-12-11 16:45    --------    d-----w-    C:\TDSSKiller_Quarantine
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-12 00:25 . 2011-07-03 02:26    142936    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2013-11-18 13:32 . 2012-04-06 01:04    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-11-18 13:32 . 2011-05-18 03:57    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-13 07:25 . 2004-08-04 05:56    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-10-13 07:25 . 2004-08-04 05:56    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-10-13 07:25 . 2004-08-04 05:56    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-10-13 07:24 . 2004-08-04 05:56    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-10-13 06:57 . 2004-08-03 22:59    385024    ----a-w-    c:\windows\system32\html.iec
2013-10-12 15:56 . 2004-08-04 05:56    278528    ----a-w-    c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2004-08-04 05:56    287744    ----a-w-    c:\windows\system32\gdi32.dll
2013-10-08 11:50 . 2013-10-22 07:00    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-10-08 11:29 . 2013-10-22 07:00    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2013-10-07 10:59 . 2004-08-04 05:56    603136    ----a-w-    c:\windows\system32\crypt32.dll
2013-10-05 01:14 . 2010-11-27 17:53    7168    ----a-w-    c:\windows\system32\xpsp4res.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]
"CTHelper"="CTHELPER.EXE" [2010-03-19 19456]
"SetIcon"="\Program Files\SMSC\SetIcon.exe" [2004-04-28 42496]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2005-11-24 1187840]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
c:\documents and settings\Admin\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2011-1-18 256000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1501000.012\SymDS.sys [12/11/2013 7:24 PM 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1501000.012\SymEFA.sys [12/11/2013 7:24 PM 935512]
R1 BHDrvx86;BHDrvx86;c:\program files\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20131203.001\BHDrvx86.sys [12/3/2013 1:27 PM 1098968]
R1 ccSet_N360;N360 Settings Manager;c:\windows\system32\drivers\N360\1501000.012\ccSetx86.sys [12/11/2013 7:24 PM 127064]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1501000.012\Ironx86.sys [12/11/2013 7:24 PM 206936]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\21.1.0.18\N360.exe [12/11/2013 7:24 PM 264360]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [3/30/2005 11:22 AM 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [3/30/2005 11:22 AM 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [3/30/2005 11:22 AM 9088]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/12/2013 10:15 AM 108120]
R3 IDSxpx86;IDSxpx86;c:\program files\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20131216.001\IDSXpx86.sys [12/16/2013 11:37 PM 382608]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [12/2/2010 2:00 AM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 9:09 PM 267568]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [6/11/2011 1:52 AM 10112]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/WORLD/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\27zgmn6y.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-10-25 12:19; jid1-ZAdIEUB7XOzOJw@jetpack; c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\27zgmn6y.default\extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi
FF - ExtSQL: 2013-12-12 10:17; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\IPSFF
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-11225451.sys
SafeBoot-55599929.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-17 16:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  CTxfiHlp = CTXFIHLP.EXE?
  CTHelper = CTHELPER.EXE?
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\21.1.0.18\N360.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\21.1.0.18\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\N360\1501000.012\SYMTDI.SYS"
"TrustedImagePaths"="c:\program files\Norton Security Suite\Engine\21.1.0.18"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3020)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-12-17  16:02:05
ComboFix-quarantined-files.txt  2013-12-17 21:02
.
Pre-Run: 64,317,050,880 bytes free
Post-Run: 64,502,251,520 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A4DD06E56AFA5BA8E77E515B343C40ED
8F558EB6672622401DA993E1E865C861

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-12-17 16:03:30
-----------------------------
16:03:30.312    OS Version: Windows 5.1.2600 Service Pack 3
16:03:30.312    Number of processors: 1 586 0x209
16:03:30.312    ComputerName: MICROSOF-8CC649  UserName: Admin
16:03:31.578    Initialize success
16:06:40.937    AVAST engine defs: 13121700
16:06:49.531    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:06:49.531    Disk 0 Vendor: WDC_WD2500AAJB-00J3A0 01.03E01 Size: 238475MB BusType: 3
16:06:49.765    Disk 0 MBR read successfully
16:06:49.765    Disk 0 MBR scan
16:06:49.812    Disk 0 Windows XP default MBR code
16:06:49.812    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       238464 MB offset 63
16:06:49.812    Disk 0 scanning sectors +488376000
16:06:49.875    Disk 0 scanning C:\WINDOWS\system32\drivers
16:07:01.906    Service scanning
16:07:03.984    Service BHDrvx86 C:\Program Files\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20131203.001\BHDrvx86.sys **LOCKED** 5
16:07:04.312    Service ccSet_N360 C:\WINDOWS\system32\drivers\N360\1501000.012\ccSetx86.sys **LOCKED** 5
16:07:07.406    Service eeCtrl C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys **LOCKED** 5
16:07:08.031    Service EraserUtilRebootDrv C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys **LOCKED** 5
16:07:10.718    Service IDSxpx86 C:\Program Files\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20131216.001\IDSxpx86.sys **LOCKED** 5
16:07:13.187    Service NAVENG C:\Program Files\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20131216.038\NAVENG.SYS **LOCKED** 5
16:07:13.421    Service NAVEX15 C:\Program Files\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20131216.038\NAVEX15.SYS **LOCKED** 5
16:07:17.640    Service SRTSPX C:\WINDOWS\system32\drivers\N360\1501000.012\SRTSPX.SYS **LOCKED** 5
16:07:18.406    Service SymDS C:\WINDOWS\system32\drivers\N360\1501000.012\SYMDS.SYS **LOCKED** 5
16:07:18.625    Service SymEvent C:\WINDOWS\system32\Drivers\SYMEVENT.SYS **LOCKED** 5
16:07:18.734    Service SymIRON C:\WINDOWS\system32\drivers\N360\1501000.012\Ironx86.SYS **LOCKED** 5
16:07:18.843    Service SYMTDI C:\WINDOWS\System32\Drivers\N360\1501000.012\SYMTDI.SYS **LOCKED** 5
16:07:21.734    Modules scanning
16:07:27.718    Disk 0 trace - called modules:
16:07:27.750    ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
16:07:27.750    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa15ab8]
16:07:27.750    3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8aa01b00]
16:07:28.968    AVAST engine scan C:\WINDOWS
16:07:35.390    AVAST engine scan C:\WINDOWS\system32
16:10:11.125    AVAST engine scan C:\WINDOWS\system32\drivers
16:10:40.484    AVAST engine scan C:\Documents and Settings\Admin
16:32:18.093    AVAST engine scan C:\Documents and Settings\All Users
16:33:44.531    Scan finished successfully
16:35:20.640    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Admin\Desktop\MBR.dat"
16:35:20.640    The log file has been saved successfully to "C:\Documents and Settings\Admin\Desktop\aswMBR.txt"


#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,957 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:08:14 PM

Posted 17 December 2013 - 06:18 PM

Hi John :)

Please do this for me.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
StartupFolder: c:\documents and settings\admin\start menu\programs\startup\PowerReg SchedulerV2.exe
c:\documents and settings\admin\start menu\programs\startup\PowerReg SchedulerV2.exe
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

svchost.exe Processes From Tasklist

--------------------
  • Press the Windows key + R on your keyboard at the same time
  • Type cmd and press Enter
  • Copy the following, right click in the Command Window, then select Paste

tasklist /m /fi "IMAGENAME eq svchost.exe"

  • Hit Enter
  • Right click inside the command window and select Select All
  • Hit the Ctrl + C keys at the same time to copy the information
  • Paste the information in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • svchost information

Gary
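The tasklist command requested above lists the DLLs each svchost.exe instance has loaded, but it does not say which services run inside each instance, and that mapping is what ties the PID that Task Manager shows at 99% to a concrete service. The PowerShell script below is an added example written for this page; it is not from the thread, from FRST, ComboFix or aswMBR. It assumes PowerShell 2.0 or later (installable on XP SP3) run from an administrator account, and the function name Get-SvchostServiceMap is my own. It joins every svchost.exe process to the services WMI reports as running in that PID and sorts by CPU time consumed, so the busiest host and its service group appear first.

```powershell
# Added example (not from the thread): for each svchost.exe instance, list the
# services it hosts together with the CPU seconds it has consumed, busiest first.
# Assumption: PowerShell 2.0+ on XP SP3 or later, run from an administrator
# account so that SYSTEM-owned processes can be queried. Function name is hypothetical.

function Get-SvchostServiceMap {
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        # Win32_Service.ProcessId ties each service to the host process it runs in,
        # so filtering on the svchost PID yields exactly the services sharing it.
        $hosted = Get-WmiObject -Class Win32_Service -Filter "ProcessId = $($proc.Id)" |
                  Select-Object -ExpandProperty Name
        New-Object PSObject -Property @{
            PID        = $proc.Id
            CPUSeconds = [math]::Round($proc.CPU, 1)   # total processor time so far
            Services   = ($hosted -join ', ')           # empty if WMI reports none
        }
    } | Sort-Object -Property CPUSeconds -Descending
}

# Show the table; the top row is the host to look at first.
Get-SvchostServiceMap | Format-Table -Property PID, CPUSeconds, Services -AutoSize -Wrap
```

Run it while the CPU is pegged and compare the top row's PID with the one Task Manager shows for the busy svchost.exe (on XP, enable the PID column under View > Select Columns). The Services column then names the service group to investigate, which is the information a module list alone cannot give. The built-in cmd equivalent for the mapping without CPU figures is `tasklist /svc /fi "IMAGENAME eq svchost.exe"`.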

#9 A_Late_Fall

A_Late_Fall
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:11:14 PM

Posted 17 December 2013 - 07:01 PM

Ok, here are the Fixlog and the servicehost information:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 17-12-2013 02
Ran by Admin at 2013-12-17 18:49:38 Run:1
Running from C:\Documents and Settings\Admin\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
StartupFolder: c:\documents and settings\admin\start menu\programs\startup\PowerReg SchedulerV2.exe
c:\documents and settings\admin\start menu\programs\startup\PowerReg SchedulerV2.exe

*****************


========================= StartupFolder: c:\documents and settings\admin\start menu\programs\startup\PowerReg SchedulerV2.exe ========================

Directory Not Found

====== End of Folder: ======

c:\documents and settings\admin\start menu\programs\startup\PowerReg SchedulerV2.exe => Moved successfully.

==== End of Fixlog ====

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Admin>tasklist /m /fi "IMAGENAME eq svchost.exe"

Image Name                   PID Modules
========================= ====== =============================================
svchost.exe                 1132 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                 RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                 AcGenral.DLL, USER32.dll, GDI32.dll,
                                 WINMM.dll, ole32.dll, msvcrt.dll,
                                 OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                 SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                 UxTheme.dll, IMM32.DLL, comctl32.dll,
                                 comctl32.dll, NTMARTA.DLL, SAMLIB.dll,
                                 WLDAP32.dll, rpcss.dll, WS2_32.dll,
                                 WS2HELP.dll, xpsp2res.dll, CLBCATQ.DLL,
                                 COMRes.dll, termsrv.dll, ICAAPI.dll,
                                 SETUPAPI.dll, WINTRUST.dll, CRYPT32.dll,
                                 MSASN1.dll, IMAGEHLP.dll, AUTHZ.dll,
                                 mstlsapi.dll, ACTIVEDS.dll, adsldpc.dll,
                                 NETAPI32.dll, ATL.DLL, REGAPI.dll,
                                 rsaenh.dll, Apphelp.dll, WTSAPI32.dll,
                                 WINSTA.dll, msv1_0.dll, cryptdll.dll,
                                 iphlpapi.dll
svchost.exe                 1208 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                 RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                 AcGenral.DLL, USER32.dll, GDI32.dll,
                                 WINMM.dll, ole32.dll, msvcrt.dll,
                                 OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                 SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                 UxTheme.dll, IMM32.DLL, comctl32.dll,
                                 comctl32.dll, rpcss.dll, WS2_32.dll,
                                 WS2HELP.dll, xpsp2res.dll, rsaenh.dll,
                                 mswsock.dll, hnetcfg.dll, wshtcpip.dll,
                                 DNSAPI.dll, iphlpapi.dll, winrnr.dll,
                                 WLDAP32.dll, rasadhlp.dll, CLBCATQ.DLL,
                                 COMRes.dll
svchost.exe                 1352 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                 RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                 AcGenral.DLL, USER32.dll, GDI32.dll,
                                 WINMM.dll, ole32.dll, msvcrt.dll,
                                 OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                 SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                 UxTheme.dll, IMM32.DLL, comctl32.dll,
                                 comctl32.dll, NTMARTA.DLL, SAMLIB.dll,
                                 WLDAP32.dll, xpsp2res.dll, shsvcs.dll,
                                 WINSTA.dll, NETAPI32.dll, dhcpcsvc.dll,
                                 DNSAPI.dll, WS2_32.dll, WS2HELP.dll,
                                 iphlpapi.dll, rsaenh.dll, mswsock.dll,
                                 hnetcfg.dll, wshtcpip.dll, wzcsvc.dll,
                                 rtutils.dll, WMI.dll, CRYPT32.dll,
                                 MSASN1.dll, EapolQec.dll, ATL.DLL,
                                 QUtil.dll, MSVCP60.dll, dot3api.dll,
                                 WTSAPI32.dll, ESENT.dll, CLBCATQ.DLL,
                                 COMRes.dll, rastls.dll, CRYPTUI.dll,
                                 WININET.dll, Normaliz.dll, urlmon.dll,
                                 iertutil.dll, WINTRUST.dll, IMAGEHLP.dll,
                                 MPRAPI.dll, ACTIVEDS.dll, adsldpc.dll,
                                 SETUPAPI.dll, RASAPI32.dll, rasman.dll,
                                 TAPI32.dll, SCHANNEL.dll, WinSCard.dll,
                                 PSAPI.DLL, raschap.dll, msv1_0.dll,
                                 cryptdll.dll, schedsvc.dll, NTDSAPI.dll,
                                 MSIDLE.DLL, audiosrv.dll, wkssvc.dll,
                                 cryptsvc.dll, certcli.dll, es.dll,
                                 ersvc.dll, dmserver.dll, pchsvc.dll,
                                 hidserv.dll, HID.DLL, srvsvc.dll,
                                 netman.dll, netshell.dll, credui.dll,
                                 dot3dlg.dll, OneX.DLL, eappcfg.dll,
                                 eappprxy.dll, WZCSAPI.DLL, seclogon.dll,
                                 browser.dll, wuauserv.dll, wmisvc.dll,
                                 VSSAPI.DLL, wuaueng.dll, WINSPOOL.DRV,
                                 WINHTTP.dll, Cabinet.dll, mspatcha.dll,
                                 w32time.dll, trkwks.dll, srsvc.dll,
                                 POWRPROF.dll, sens.dll, sfc.dll, sfc_os.dll,
                                 wscsvc.dll, msi.dll, wbemcomn.dll,
                                 ipnathlp.dll, AUTHZ.dll, SXS.DLL,
                                 wbemcore.dll, esscli.dll, FastProx.dll,
                                 comsvcs.dll, colbact.DLL, MTXCLU.DLL,
                                 WSOCK32.dll, CLUSAPI.DLL, RESUTILS.DLL,
                                 wmiutils.dll, repdrvfs.dll, Apphelp.dll,
                                 wmiprvsd.dll, NCObjAPI.DLL, wbemess.dll,
                                 ncprov.dll, wups2.dll, upnp.dll,
                                 SSDPAPI.dll, rasadhlp.dll, netcfgx.dll,
                                 rasmans.dll, WINIPSEC.DLL, tapisrv.dll,
                                 rastapi.dll, unimdm.tsp, uniplat.dll,
                                 kmddsp.tsp, ndptsp.tsp, ipconf.tsp,
                                 h323.tsp, hidphone.tsp, rasppp.dll,
                                 ntlsapi.dll, kerberos.dll, RASQEC.DLL,
                                 RASDLG.dll, msxml3.dll, winrnr.dll,
                                 advpack.dll, dssenh.dll, cryptnet.dll,
                                 SensApi.dll, qmgr.dll, MPR.dll,
                                 SHFOLDER.dll, catsrvut.dll, catsrv.dll,
                                 MfcSubs.dll, wbemsvc.dll
svchost.exe                 1412 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                 RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                 AcGenral.DLL, USER32.dll, GDI32.dll,
                                 WINMM.dll, ole32.dll, msvcrt.dll,
                                 OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                 SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                 UxTheme.dll, IMM32.DLL, comctl32.dll,
                                 comctl32.dll, dnsrslvr.dll, DNSAPI.dll,
                                 WS2_32.dll, WS2HELP.dll, iphlpapi.dll,
                                 rsaenh.dll, mswsock.dll, hnetcfg.dll,
                                 wshtcpip.dll
svchost.exe                 1492 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                 RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                 AcGenral.DLL, USER32.dll, GDI32.dll,
                                 WINMM.dll, ole32.dll, msvcrt.dll,
                                 OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                 SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                 UxTheme.dll, IMM32.DLL, comctl32.dll,
                                 comctl32.dll, NTMARTA.DLL, SAMLIB.dll,
                                 WLDAP32.dll, xpsp2res.dll, lmhsvc.dll,
                                 iphlpapi.dll, WS2_32.dll, WS2HELP.dll,
                                 regsvc.dll, ssdpsrv.dll, hnetcfg.dll,
                                 CLBCATQ.DLL, COMRes.dll, mswsock.dll,
                                 wshtcpip.dll, rsaenh.dll, httpapi.dll,
                                 WINHTTP.dll, DNSAPI.dll, rasadhlp.dll
svchost.exe                 1464 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                 RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                 AcGenral.DLL, USER32.dll, GDI32.dll,
                                 WINMM.dll, ole32.dll, msvcrt.dll,
                                 OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                 SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                 UxTheme.dll, IMM32.DLL, comctl32.dll,
                                 comctl32.dll, NTMARTA.DLL, SAMLIB.dll,
                                 WLDAP32.dll, xpsp2res.dll, webclnt.dll,
                                 WININET.dll, Normaliz.dll, urlmon.dll,
                                 iertutil.dll, WS2_32.dll, WS2HELP.dll
svchost.exe                 1964 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                 RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                 AcGenral.DLL, USER32.dll, GDI32.dll,
                                 WINMM.dll, ole32.dll, msvcrt.dll,
                                 OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                 SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                 UxTheme.dll, IMM32.DLL, comctl32.dll,
                                 comctl32.dll, wiaservc.dll, CFGMGR32.dll,
                                 setupapi.DLL, mscms.dll, WINSPOOL.DRV,
                                 WINSTA.dll, NETAPI32.dll, xpsp2res.dll,
                                 CLBCATQ.DLL, COMRes.dll, WINTRUST.dll,
                                 CRYPT32.dll, MSASN1.dll, IMAGEHLP.dll,
                                 actxprxy.dll, sti.dll
svchost.exe                 2896 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                 RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                 AcGenral.DLL, USER32.dll, GDI32.dll,
                                 WINMM.dll, ole32.dll, msvcrt.dll,
                                 OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                 SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                 UxTheme.dll, IMM32.DLL, comctl32.dll,
                                 comctl32.dll, NTMARTA.DLL, SAMLIB.dll,
                                 WLDAP32.dll, xpsp2res.dll, w3ssl.dll,
                                 strmfilt.dll, CRYPT32.dll, MSASN1.dll,
                                 HTTPAPI.dll, WS2_32.dll, WS2HELP.dll

C:\Documents and Settings\Admin>



#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:08:14 PM

Posted 17 December 2013 - 07:19 PM

Thanks, but it will help if we can narrow it down a bit. When an svchost.exe shows high CPU usage could you look to see what the PID number is? In order to see that under the Processes tab you will need to click View, Select Columns..., then place a checkmark next to PID (Process Identifier).


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
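To follow Gary's advice of tying the busy svchost.exe to a PID, the next step a responder usually takes is to map that PID to the services it hosts. The following PowerShell function is an added example, not something posted in this thread or part of any BleepingComputer tool; it assumes Windows PowerShell 2.0 or later and the standard Win32_Service WMI class (present on XP and later), and the function and parameter names are my own.

```powershell
# Added example (not from the thread): list the services hosted by one or more svchost.exe
# instances, with accumulated CPU time, so a pegged PID can be attributed to a service.
# Assumes Windows PowerShell 2.0+; Win32_Service is a standard WMI class on XP and later.
function Get-SvchostServices {
    param(
        [int]$ProcessId = 0,        # PID from Task Manager; 0 = every svchost.exe
        [double]$MinCpuSeconds = 0  # skip instances with less accumulated CPU time than this
    )

    # Expected image path; services hosted from anywhere else deserve a closer look.
    $expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

    $hosts = Get-Process -Name svchost -ErrorAction SilentlyContinue
    if ($ProcessId -ne 0) { $hosts = $hosts | Where-Object { $_.Id -eq $ProcessId } }

    foreach ($h in $hosts) {
        # CPU is accumulated processor time in seconds. It is $null when the caller
        # cannot open the process (SYSTEM-owned instances need an elevated shell).
        $cpu = $h.CPU
        if ($cpu -ne $null -and $cpu -lt $MinCpuSeconds) { continue }

        $services = Get-WmiObject -Class Win32_Service -Filter "ProcessId = $($h.Id)"
        foreach ($s in $services) {
            New-Object PSObject -Property @{
                ProcessId   = $h.Id
                CpuSeconds  = if ($cpu -ne $null) { [math]::Round($cpu, 1) } else { 'n/a' }
                Service     = $s.Name
                DisplayName = $s.DisplayName
                State       = $s.State
                # PathName is the command line the service was started with ("... -k <group>").
                PathName    = $s.PathName
                # Heuristic only: true when the host image is the expected System32 binary.
                ImageOk     = ($s.PathName -like "$expectedImage*")
            }
        }
    }
}

# Usage: attribute one PID seen in Task Manager (1352 is the one named later in this thread),
# then look at every svchost.exe that has used more than 60 seconds of CPU.
Get-SvchostServices -ProcessId 1352 |
    Format-Table ProcessId, CpuSeconds, Service, DisplayName, State, ImageOk -AutoSize
Get-SvchostServices -MinCpuSeconds 60 |
    Sort-Object CpuSeconds -Descending |
    Format-Table ProcessId, CpuSeconds, Service, PathName -AutoSize
```

Run it from an elevated prompt so the SYSTEM-owned instances report CPU time. The cmd.exe equivalent, which works on XP without PowerShell, is `tasklist /svc /fi "PID eq 1352"`; note that the `tasklist /m` output above already shows PID 1352 loading wuauserv.dll and wuaueng.dll, which is consistent with that instance being the group that hosts Windows Update, so heavy CPU there while updates are pending is expected rather than suspicious. A service whose `PathName` does not point at the System32 svchost.exe, or a service name you cannot account for, is what would justify further investigation.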

#11 A_Late_Fall

A_Late_Fall
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:11:14 PM

Posted 17 December 2013 - 07:40 PM

Hi Gary,  I would do that, but svchost is no longer pegging the CPU.  Once the Windows Update (apparently) downloaded earlier, the problem went away.  Sorry if I didn't make that clear.  I was wondering if you would tell me to install the updates, but since then, the yellow shield has gone away as well.  I want to think this was just a Windows download problem now, but I'm willing to do any more scans until you feel like we checked for sure.

 

Should I reboot and see if Windows updates (I will check the PID for any svchost at that time)? If so, should I then apply the updates?

 

--John



#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:08:14 PM

Posted 17 December 2013 - 08:14 PM

Hi John,

Yes, continue to install the updates until there are no more. Sometimes it takes several rounds.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 A_Late_Fall

A_Late_Fall
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:11:14 PM

Posted 17 December 2013 - 08:55 PM

Gary,  I downloaded the updates until there were no more.  Still no suspicious activity in svchost at this time.  The one that was active during the update was 1352, but there's no way to tell if it was the same one as before.

 

I really don't know what happened.  Perhaps I was overly suspicious based on the rootkit that I dealt with earlier in the summer, which was similar in behavior, and the fact that a website (deviantArt) told me my name was associated with the recent hack of emails and I was already waiting for something to happen, then when there was some issue I misread it, but I guess I am ok for now, unless you think we should try any other checks.

 

Sincerely, John



#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:08:14 PM

Posted 17 December 2013 - 09:10 PM

Hi John,

It sounds like you are doing OK but I would like to give it 24 hours or so to allow you to put your computer to the test to make sure things remain as they should. Touch base in a day or so, or sooner if the need arises.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 A_Late_Fall

A_Late_Fall
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:11:14 PM

Posted 17 December 2013 - 09:15 PM

Sounds good, Gary,  I will do that and be in touch tomorrow evening or the following morning.

 

Thanks again for your help!

 

--John





