Solved Av knocked out

Farbar Service Scanner Version: 26-07-2015
Ran by m (administrator) on 29-09-2015 at 16:53:50
Running from "C:\Documents and Settings\m\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall" registry value does not exist.


System Restore:
============

System Restore Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
C:\WINDOWS\system32\netman.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\srsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\qmgr.dll => File is digitally signed
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(11) aswTdi(15) Gpc(3) IPSec(5) kl2(14) NetBT(6) PSched(7) Tcpip(4)
0x110000000E00000005000000010000000200000003000000040000000F00000012000000110000000D0000000C0000000600000007000000090000000A0000000B00000008000000


**** End of log ****
 
Update Firefox to the current version.

Update your Java version here: https://www.techspot.com/downloads/6463-java-se.html
Alternate download: http://www.java.com/en/download/manual.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
Note 2: If you're running a 64-bit system, make sure you install BOTH 32-bit and 64-bit Java.

==================================

Your computer is clean

1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:
  • Activate UAC (optional; some users prefer to keep it off)
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
  • Reset system settings
Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't have to attach it to your next reply.

2. Make sure Windows Updates are current.

3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

4. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Scan without installing plugin" and then on "Scan now")

5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly (you need to redownload these tools since they were removed by DelFix).

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

11. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: http://www.bleepingcomputer.com/for...curity-questions-best-practices/#entry3187642

12. Please let me know how your computer is doing.
 
Got as far as browser check, it's saying adobe acrobat and silverlight need updating
I have done this several times even from Firefox plugin page and it keeps returning it needs updating and that I already have the versions of S/L and reader I'm trying to update to
showing in add remove
adobe reader XI 11.0.08.
silverlight V 5.1.30514.0

have stopped here awaiting further instruction from you
 
Indeed it does,
for some reason active sync 4.5 wants to try installing several times when I open certain programs and firefox is again using massive cpu
 
F/fox is using anywhere between 50 to 99% sometimes it will drop lower but not for long
cpu is running at 100% a lot of the time and jumps from fox, avast, malwarebytes using around 80-90%.

I had this issue a couple of years or so ago and found something on net that sorted it but I can't locate it now
 
Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
NOTE. Windows Vista, 7 and 8 users right click on procexp.exe, click "Run As Administrator".
Click on View > Select Columns.
In addition to the already pre-selected options, make sure the Command Line is selected, and press OK.
Go File>Save As, and save the report as Procexp.txt.
Paste the content into your next reply.
 
Process PID CPU Private Bytes Working Set Description Company Name Command Line
System Idle Process 0 15.62 0 K 16 K
System 4 5.31 0 K 296 K
Interrupts n/a 2.81 0 K 0 K Hardware Interrupts and DPCs
smss.exe 604 172 K 412 K Windows NT Session Manager Microsoft Corporation \SystemRoot\System32\smss.exe
csrss.exe 748 0.94 1,820 K 5,184 K Client Server Runtime Process Microsoft Corporation C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
winlogon.exe 780 7,576 K 3,132 K Windows NT Logon Application Microsoft Corporation winlogon.exe
services.exe 832 15.31 4,496 K 6,848 K Services and Controller app Microsoft Corporation C:\WINDOWS\system32\services.exe
svchost.exe 1052 0.31 3,240 K 5,428 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k DcomLaunch
ehmsas.exe 800 684 K 2,748 K Media Center Media Status Aggregator Service Microsoft Corporation C:\WINDOWS\eHome\ehmsas.exe -Embedding
wmiprvse.exe 4264 1,740 K 4,928 K WMI Microsoft Corporation C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
svchost.exe 1164 0.94 2,004 K 4,936 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k rpcss
svchost.exe 1256 33,604 K 46,948 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe 1364 2,364 K 3,368 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe 1488 1,596 K 3,900 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k NetworkService
svchost.exe 1588 2,568 K 4,756 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k LocalService
AvastSvc.exe 1640 0.63 100,200 K 44,484 K avast! Service AVAST Software "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
spoolsv.exe 1708 4,360 K 7,804 K Spooler SubSystem App Microsoft Corporation C:\WINDOWS\system32\spoolsv.exe
svchost.exe 1848 1,368 K 3,912 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k LocalService
BelkinService.exe 1912 1,324 K 4,980 K BelkinService Affinegy, Inc. "C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe"
alg.exe 1972 1,168 K 3,604 K Application Layer Gateway Service Microsoft Corporation C:\WINDOWS\System32\alg.exe
BkBackupScheduler.exe 2000 816 K 2,724 K "C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe" /service
Bkapcs.exe 2020 632 K 2,264 K "C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe" /service
CTSVCCDA.EXE 176 428 K 1,404 K Creative Service for CDROM Access Creative Technology Ltd C:\WINDOWS\system32\CTsvcCDA.exe
OPHALDCS.EXE 352 424 K 1,544 K OPHALDCS Oki Data Corporation C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
ehrecvr.exe 372 2,504 K 4,804 K Media Center Receiver Service Microsoft Corporation C:\WINDOWS\eHome\ehRecvr.exe
ehSched.exe 488 1,488 K 4,832 K Media Center Scheduler Service Microsoft Corporation C:\WINDOWS\eHome\ehSched.exe
IPROSetMonitor.exe 692 500 K 2,088 K Intel® PROSet Monitoring Service Intel Corporation C:\WINDOWS\system32\IProsetMonitor.exe
mbamscheduler.exe 760 2,852 K 7,316 K Malwarebytes Anti-Malware Malwarebytes "C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe"
mbamservice.exe 1636 13.44 279,392 K 274,588 K Malwarebytes Anti-Malware Malwarebytes "C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe"
mbam.exe 2360 0.31 38,492 K 45,784 K Malwarebytes Anti-Malware Malwarebytes "C:\Program Files\Malwarebytes Anti-Malware\mbam.exe" /starttray
MSCamS32.exe 1924 3,624 K 6,808 K MsCamSvc.exe Microsoft Corporation "C:\Program Files\Microsoft LifeCam\MSCamS32.exe"
SCWatch4.exe 436 884 K 2,676 K SecureClean Service WhiteCanyon Inc. "C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe"
ServiioService.exe 572 608 K 1,628 K "C:\Program Files\Serviio\bin\ServiioService.exe"
ServiioService.exe 204 53,800 K 50,076 K "C:\Program Files\Serviio\bin\ServiioService.exe" Serviio __i4j_restart
vpnclient.exe 1780 2.50 25,892 K 29,676 K SoftEther VPN SoftEther VPN Project at University of Tsukuba, Japan. "C:\Program Files\SoftEther VPN Client\vpnclient.exe" /service
SlimServiceFactory.exe 2176 900 K 2,940 K SlimServiceFactory SlimWare Utilities, Inc. "C:\Program Files\SlimService\SlimServiceFactory.exe"
svchost.exe 2224 1,448 K 3,864 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k LocalService
svchost.exe 2236 2.50 2,584 K 4,416 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k imgsvc
MsPMSPSv.exe 2268 428 K 1,612 K WMDM PMSP Service Microsoft Corporation C:\WINDOWS\system32\MsPMSPSv.exe
mcrdsvc.exe 2348 856 K 3,124 K MCRD Device Service Microsoft Corporation C:\WINDOWS\ehome\mcrdsvc.exe
searchindexer.exe 2428 19,144 K 13,672 K Microsoft Windows Search Indexer Microsoft Corporation C:\WINDOWS\system32\SearchIndexer.exe /Embedding
dllhost.exe 3544 2,264 K 6,344 K COM Surrogate Microsoft Corporation C:\WINDOWS\SYSTEM32\DLLHOST.EXE /PROCESSID:{02D4B3F1-FD88-11D1-960D-00805FC79235}
sua.exe 2368 580 K 2,300 K Secunia Update Agent Secunia "C:\Program Files\Secunia\PSI\sua.exe" --start-service
svchost.exe 3268 10,752 K 12,300 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k netsvcs
OSPPSVC.EXE 1112 6,304 K 11,632 K Microsoft Office Software Protection Platform Service Microsoft Corporation "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
msiexec.exe 5740 7.81 3,692 K 7,064 K Windows® installer Microsoft Corporation C:\WINDOWS\system32\msiexec.exe /V
lsass.exe 844 0.63 5,140 K 1,536 K LSA Shell (Export Version) Microsoft Corporation C:\WINDOWS\system32\lsass.exe
taskmgr.exe 3692 1,472 K 2,064 K Windows TaskManager Microsoft Corporation taskmgr.exe
explorer.exe 640 0.31 30,420 K 16,064 K Windows Explorer Microsoft Corporation C:\WINDOWS\Explorer.EXE
CTSysVol.exe 2308 2,936 K 5,184 K CTSysVol.exe Creative Technology Ltd "C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe"
CTHELPER.EXE 3996 3,384 K 5,476 K CtHelper MFC Application Creative Technology Ltd "C:\WINDOWS\system32\CTHELPER.EXE"
vVX3000.exe 3964 872 K 3,064 K Microsoft LifeCam Device Application Microsoft Corporation "C:\WINDOWS\vVX3000.exe"
vpnclient.exe 3624 16,148 K 20,248 K SoftEther VPN SoftEther VPN Project at University of Tsukuba, Japan. "C:\Program Files\SoftEther VPN Client\vpnclient.exe" /uihelp
ehtray.exe 3824 1,196 K 1,136 K Media Center Tray Applet Microsoft Corporation "C:\WINDOWS\ehome\ehtray.exe"
RIMBBLaunchAgent.exe 1612 2,200 K 4,652 K Launch Agent Service Research In Motion Limited "C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe"
AvastUI.exe 2160 28,324 K 24,996 K avast! Antivirus AVAST Software "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
jusched.exe 3992 7,120 K 12,424 K Java Update Scheduler Oracle Corporation "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
SOUNDMAN.EXE 3848 1,812 K 2,924 K Realtek Sound Manager Realtek Semiconductor Corp. "C:\WINDOWS\SOUNDMAN.EXE"
TeaTimer.exe 2640 1.25 54,864 K 56,608 K System settings protector Safer-Networking Ltd. "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
CTCMSGo.exe 1120 2,188 K 5,648 K Creative MediaSource Go! Creative Technology Ltd "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
FileHippo.AppManager.exe 2768 41,504 K 51,200 K FileHippo.AppManager "C:\Program Files\FileHippo.com\FileHippo.AppManager.exe" /background
psi_tray.exe 5144 652 K 2,708 K Secunia PSI Tray Secunia "C:\Program Files\Secunia\PSI\psi_tray.exe"
vpncmgr.exe 5520 16,508 K 21,756 K SoftEther VPN SoftEther VPN Project at University of Tsukuba, Japan. "C:\Program Files\SoftEther VPN Client\vpncmgr.exe" /startup
firefox.exe 5616 25.94 1,485,944 K 1,491,560 K Firefox Mozilla Corporation "C:\Program Files\Mozilla Firefox\firefox.exe"
WinRAR.exe 5888 16,996 K 2,340 K WinRAR archiver Alexander Roshal "C:\Program Files\WinRAR\WinRAR.exe" "C:\Documents and Settings\m\Desktop\ProcessExplorer.zip"
procexp.exe 5952 3.44 18,324 K 26,072 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\DOCUME~1\m\LOCALS~1\Temp\Rar$EXa0.962\procexp.exe"
Ymsgr_tray.exe 3132 18,640 K 5,572 K Yahoo! Messenger Tray Yahoo! Inc. "C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe" "C:\PROGRA~1\Yahoo!\MESSEN~1\resources\en-SG\
 
Safe mode log
please note I will not be around for the next couple of weeks

Process PID CPU Private Bytes Working Set Description Company Name Command Line
System Idle Process 0 73.44 0 K 16 K
System 4 0 K 212 K
Interrupts n/a < 0.01 0 K 0 K Hardware Interrupts and DPCs
smss.exe 364 172 K 412 K Windows NT Session Manager Microsoft Corporation \SystemRoot\System32\smss.exe
csrss.exe 480 1,532 K 5,596 K Client Server Runtime Process Microsoft Corporation C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
winlogon.exe 504 3,236 K 2,604 K Windows NT Logon Application Microsoft Corporation winlogon.exe
services.exe 548 4,248 K 7,540 K Services and Controller app Microsoft Corporation C:\WINDOWS\system32\services.exe
svchost.exe 716 3,008 K 4,908 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k DcomLaunch
wmiprvse.exe 772 1,696 K 4,720 K WMI Microsoft Corporation C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
svchost.exe 804 1,688 K 4,208 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k rpcss
svchost.exe 892 9,820 K 17,096 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe 988 1,744 K 4,044 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k NetworkService
svchost.exe 1108 1,104 K 3,004 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k LocalService
lsass.exe 560 2,264 K 1,256 K LSA Shell (Export Version) Microsoft Corporation C:\WINDOWS\system32\lsass.exe
taskmgr.exe 1144 1,288 K 1,116 K Windows TaskManager Microsoft Corporation taskmgr.exe
explorer.exe 1640 21,440 K 29,996 K Windows Explorer Microsoft Corporation C:\WINDOWS\Explorer.EXE
firefox.exe 1968 26.56 968,468 K 961,580 K Firefox Mozilla Corporation "C:\Program Files\Mozilla Firefox\firefox.exe"
plugin-container.exe 184 29,040 K 32,260 K Plugin Container for Firefox Mozilla Corporation "C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel="1968.0.968435778\1388808453" "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_19_0_0_226.dll" -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1968 "\\.\pipe\gecko-crash-server-pipe.1968" plugin
procexp.exe 1408 15,532 K 20,564 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\DOCUME~1\m\LOCALS~1\Temp\Rar$EXa0.037\procexp.exe"
 
At this point...

In this forum, we make sure your computer is free of malware and your computer is clean :)
Because the access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
You'll get more attention.

Good luck :)
 