TechSpot

IE not responding, cpu usage 100%

By kmck
Sep 17, 2010
  1. Hi All,

    I presume I have contracted something whilst using Vuze, but I don't know what or how to deal with it.
    My computer takes ages to do anything, there are 60-70 processes running at any one time, Internet Explorer is Not Responding, then it IS responding, then Not etc. CPU usage usually very high, often 100%.
    I am operating McAfee which finds nothing. Downloaded Ad-Aware and Spybot but both found nothing either.

    I was directed here by pjamme and I have now followed your malware removal steps. I will post my log files separately. Hope someone can help.

    Yours hopefully
    K
  2. kmck

    kmck TS Rookie Topic Starter Posts: 20

    Malwarebytes Anti Malware log.

    When this loaded it gave the following error message when looking for updates:

    MBAM_ERROR_UPDATING (12029,0,WinHttp SendRequest)

    I ran the program regardless, and the log is as follows:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    16/09/2010 17:30:50
    mbam-log-2010-09-16 (17-30-50).txt

    Scan type: Quick scan
    Objects scanned: 137984
    Time elapsed: 22 minute(s), 41 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cab59b4-55a3-4737-9fd5-b93c6430bf75} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d318119e-cb62-4039-ae9b-cf9575bcaa7f} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{d318119e-cb62-4039-ae9b-cf9575bcaa7f} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\AppDataLow\HavingFunOnline (Adware.BHO.FL) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\BM5b9f579a.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
  3. kmck

    DDS Attach.txt Log

    Attach.txt:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 17/06/2002 13:26:19
    System Uptime: 16/09/2010 21:29:40 (12 hours ago)

    Motherboard: Intel Corporation | | D845PT
    Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | J1E1 | 1993/100mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 74 GiB total, 15.745 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    J: is FIXED (FAT32) - 298 GiB total, 51.662 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP626: 22/08/2010 13:03:37 - System Checkpoint
    RP627: 23/08/2010 14:03:31 - System Checkpoint
    RP628: 24/08/2010 14:41:35 - System Checkpoint
    RP629: 25/08/2010 15:41:22 - System Checkpoint
    RP630: 26/08/2010 16:13:54 - System Checkpoint
    RP631: 27/08/2010 17:14:03 - System Checkpoint
    RP632: 28/08/2010 17:57:49 - System Checkpoint
    RP633: 30/08/2010 10:34:30 - System Checkpoint
    RP634: 31/08/2010 11:58:47 - System Checkpoint
    RP635: 01/09/2010 14:05:09 - System Checkpoint
    RP636: 22/05/2010 10:33:06 - System Checkpoint
    RP637: 23/05/2010 10:34:40 - System Checkpoint
    RP638: 03/09/2010 13:38:33 - System Checkpoint
    RP639: 04/09/2010 13:57:37 - System Checkpoint
    RP640: 05/09/2010 16:15:22 - System Checkpoint
    RP641: 06/09/2010 20:31:38 - System Checkpoint
    RP642: 08/09/2010 12:01:26 - System Checkpoint
    RP643: 09/09/2010 15:12:43 - System Checkpoint
    RP644: 10/09/2010 15:30:30 - System Checkpoint
    RP645: 11/09/2010 20:12:22 - System Checkpoint
    RP646: 12/09/2010 20:28:54 - System Checkpoint
    RP647: 13/09/2010 21:04:34 - System Checkpoint
    RP648: 14/09/2010 21:18:11 - System Checkpoint
    RP649: 15/09/2010 21:56:57 - System Checkpoint
    RP650: 16/09/2010 03:01:03 - Software Distribution Service 3.0
    RP651: 16/09/2010 10:32:19 - Installed %1 %2.
    RP652: 16/09/2010 21:57:48 - System Checkpoint

    ==== Installed Programs ======================
    2009-10 S50Pay - RTR
    3Com NIC Diagnostics
    Accounts
    Ad-Aware
    Adobe Flash Player 10 ActiveX
    Adobe Photoshop 7.0
    Adobe Reader 8.2.3
    Adobe Shockwave Player 11
    AnyDVD
    AoA MP4 Converter
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI Display Driver
    Avanquest update
    AVG Anti-Spyware 7.5
    Azureus
    B's CLiP
    BayGenie eBay Auction Sniper Pro Edition 3.3.5.0
    BHA B's Recorder GOLD 5.20
    BlackBerry Desktop Software 4.7
    BlackBerry Device Software v4.7.0 for the BlackBerry 9500 smartphone
    Bonjour
    Brother 1440
    Brother HL-7050
    Brownie
    CCleaner
    CD Stomper 32 bit
    CloneCD
    CloneDVD2
    CloneDVDmobile
    Compatibility Pack for the 2007 Office system
    ConvertXtoDVD 2.1.14.223
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    Creative MediaSource
    Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07
    dBpowerAMP Music Converter
    dBpoweramp Windows Media Audio 10 Codec
    Dell Solution Center
    DellTouch
    Disc2Phone
    dMC Power Pack
    DotNet20withMsi30
    DVD-CLONER V2.40
    DVD-CLONER V5.60 Build 973
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    EasyStudio PIM & File Manager
    EasyStudio Sample
    Free Video to iPod Converter version 2.2
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    GoToMeeting 4.1.0.366
    Help and Support Customization
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB976002-v5)
    Image Transfer
    ImageMixer for Sony
    InFlac 1.1.1
    Intel Application Accelerator
    Intel(R) AnyPoint(R) Modem
    IS Update for Sage Payroll
    iSofter DVD Ripper Platinum 3.0.2007.228
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    Java 2 Runtime Environment, SE v1.4.2_01
    Java Auto Updater
    Java(TM) 6 Update 21
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1
    LightScribe Applications
    LightScribe Diagnostic Utility
    LightScribe System Software 1.10.27.1
    LightScribe Template Designs - Fantasy Pack 1
    LightScribe Template Designs - Tattoo Pack 1
    LightScribeTemplateLabeler
    Line 50 V8 Service Pack 1
    LiveReg (Symantec Corporation)
    LiveUpdate 1.6 (Symantec Corporation)
    Logitech QuickCam
    Logitech® Camera Driver
    Malwarebytes' Anti-Malware
    McAfee SecurityCenter
    Media Go
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft AutoRoute 2005
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft IntelliPoint 5.2
    Microsoft IntelliType Pro 5.2
    Microsoft Interactive Training
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Money
    Microsoft National Language Support Downlevel APIs
    Microsoft NetShow Tools 2.0
    Microsoft Office XP Media Content
    Microsoft Office XP Professional
    Microsoft Publisher 2002
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Works
    Microsoft Works 2005 Setup Launcher
    Microsoft WSE 2.0 SP3 Runtime
    MicroStaff WINASPI
    MobileMe Control Panel
    Monkey's Audio
    MSN Music Assistant
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MVision
    Nero 7 Ultra Edition
    NOMAD MuVo
    NVIDIA Windows 2000/XP Display Drivers
    OGA Notifier 2.0.0048.0
    Payroll for Windows
    PlayStation(R)Network Downloader
    PlayStation(R)Store
    PowerDVD
    PowerISO
    ProCite 5
    QuickTime
    RealPlayer
    Review Manager 4.2.10
    Review Manager 5.0.21
    Roxio Media Manager
    S50PayPro 2009-10 LAI
    Safari
    SafeGuard
    Sage 50 Accounts 2008
    Sage 50 Payroll
    Sage 50 Payroll 08-09 LAI
    Sage 50 Payroll 08-09 RTR
    Sage 50 Payroll 08-09 STE
    Sage 50 Payroll 09-10 STE
    Sage 50 Payroll 2008-09
    Sage 50 Payroll v11 08-09 RTR
    Sage 50 Payroll v11 2007-08
    Sage Accounts
    Sage Accounts V10.00
    Sage Accounts V11.00
    Sage Accounts V12.00
    Sage Instant Payroll 07-08
    Sage Instant Payroll v10.00
    Sage Instant Payroll v11.00
    Sage Line 50 7.01
    Sage Line 50 8.00
    Sage MIS 3.01
    Sage Payroll
    Sage Payroll 07-08
    Sage Payroll 2006-07
    Sage Payroll for Windows
    Sage Payroll v11 2005-06
    Sage Payroll v12 05-06
    Sage Payroll v12 2007-08a
    Sage PayrollPro 2006-07
    Sage PayrollPro2007-08
    SageAcc
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB982802)
    Sky Broadband
    Sky Broadband Browser Branding
    Skype™ 3.6
    Sony Ericsson PC Companion 1.50.52
    Sony Ericsson PC Suite
    Sony Ericsson PC Suite 6.009.00
    SPSS 11.5.1 for Windows
    SPSS Data Access Pack 2.5
    SPSS Viewer 11.5.1
    Spybot - Search & Destroy
    Time Force
    TuneSleeve
    UltraISO 8.0 Premium Edition
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update Service
    uTorrent
    VideoLAN VLC media player 0.8.6f
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Vuze
    Vuze Toolbar
    WAC DMM
    WebFldrs XP
    Winamp
    Winamp Detector Plug-in
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows PowerShell(TM) 1.0
    Windows XP Service Pack 3
    WinRAR archiver
    WinZip
    Wireless Audio Device Manager
    Works Upgrade
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    17/09/2010 09:01:55, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
    16/09/2010 21:33:29, error: System Error [1003] - Error code c000021a, parameter1 e1f4c828, parameter2 c0000005, parameter3 001b000a, parameter4 0112e064.
    16/09/2010 21:12:33, error: DCOM [10000] - Unable to start a DCOM Server: {FFF2D28F-E4EE-44D9-8104-8E71556757F6}. The error: "%1450" Happened while starting this command: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe -Embedding
    16/09/2010 21:09:52, error: Dhcp [1008] - Your computer was unable to initialize a Network Interface attached to the system. The error code is: Insufficient system resources exist to complete the requested service. .
    16/09/2010 21:05:53, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: Insufficient system resources exist to complete the requested service. .
    16/09/2010 21:05:53, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Lavasoft\Ad-Aware\Resources.dll. Reference error message: The operation completed successfully. .
    16/09/2010 21:05:53, error: SideBySide [58] - Syntax error in manifest or policy file "C:\WINDOWS\WinSxS\Policies\x86_Policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.30729.1.policy" on line 0.
    16/09/2010 21:04:30, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000009A' while processing the file 'mcnasvc000.log' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    16/09/2010 21:04:08, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: Insufficient system resources exist to complete the requested service. .
    16/09/2010 21:04:08, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: Insufficient system resources exist to complete the requested service. .
    16/09/2010 21:04:08, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll. Reference error message: The operation completed successfully. .
    16/09/2010 21:04:08, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll. Reference error message: The operation completed successfully. .
    16/09/2010 18:27:29, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atapi IntelIde
    16/09/2010 16:45:57, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    16/09/2010 16:45:56, error: Service Control Manager [7034] - The Sony Ericsson OMSI download service service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:56, error: Service Control Manager [7034] - The McAfee SpamKiller Service service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:56, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:56, error: Service Control Manager [7031] - The McAfee SystemGuards service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    16/09/2010 16:45:56, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
    16/09/2010 16:45:55, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:55, error: Service Control Manager [7034] - The NVIDIA Driver Helper Service service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:55, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    16/09/2010 16:45:55, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    16/09/2010 16:45:54, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:54, error: Service Control Manager [7034] - The Netropa NHK Server service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:54, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:54, error: Service Control Manager [7034] - The LVCOMSer service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:54, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:54, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:54, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:54, error: Service Control Manager [7034] - The BrSplService service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:54, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:54, error: Service Control Manager [7034] - The AVG Anti-Spyware Guard service terminated unexpectedly. It has done this 1 time(s).
    16/09/2010 16:45:54, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    16/09/2010 16:45:54, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    13/09/2010 07:05:13, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
    13/09/2010 07:05:13, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/09/2010 13:05:15, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    10/09/2010 19:53:29, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 000476DB8498 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    10/09/2010 19:26:54, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
    10/09/2010 15:03:02, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
    10/09/2010 14:26:20, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
    10/09/2010 14:26:20, error: Service Control Manager [7000] - The Intel(R) PRO/DSL 3220 USB Modem Firmware Loader service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    10/09/2010 08:48:31, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

    ==== End Of File ===========================
  4. kmck

    DDS.txt part 1

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Kevin at 9:01:36.35 on 17/09/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.511.124 [GMT 1:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    svchost.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\DrvMon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Documents and Settings\Kevin\My Documents\Downloads\Techspot 09-10\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://skysports.com/football
    uWindow Title = Internet Explorer Provided By Sky Broadband
    uDefault_Page_URL = hxxp://www.sky.com
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [DrvMon.exe] c:\windows\system32\DrvMon.exe
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRunOnce: [DelayShred] "c:\program files\mcafee\mshr\shrcl.exe" /p7 /q c:\docume~1\kevin\locals~1\tempor~1\content.ie5\4hj7fuys\index_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\4hj7fuys\160-60~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\pfrd3z1q\bittor~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\pfrd3z1q\728-90~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\6o2f0vkt\xml_2_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\a450xxtj\index_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\a450xxtj\cashow~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\83wb9xcj\compos~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\83wb9xcj\mail_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ooqoa1ae\footer~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ooqoa1ae\signup~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\v38897v7\header~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ooqoa1ae\ads_2_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\v38897v7\_ord_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\c09nkn0i\mainte~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\0ci531u5\iframe~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ooqoa1ae\in552d~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ooqoa1ae\search~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\c09nkn0i\f3_1_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\0ci531u5\index_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\0ci531u5\in551d~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\0ci531u5\rw_1_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\v38897v7\usenex~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\v38897v7\cashow~3.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\v38897v7\forumu~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\c09nkn0i\all_pr~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\c09nkn0i\blank_~1.sh! 
c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ooqoa1ae\pgnum-~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\3ngtpdsd\forumu~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\56c40m9d\search~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\fes7kydz\forumu~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\658tmz0k\forumu~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\tgon2wkn\forumu~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\tfyvwq2o\home_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\fk65z8cx\loggin~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\np11abmc\list_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\kpcj4xwx\skymen~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\kpcj4xwx\skyhea~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\rmm760ml\footer~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\xlhnb2o6\signup~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\29ue9zl7\header~1.sh! c:\docume~1\kevin\locals~1\temp\hsperf~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\fc2ed85i\footer~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\zv4ktdct\signup~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\fc2ed85i\header~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\rdz9qp5e\footer~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\rdz9qp5e\signup~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\zv4ktdct\header~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ftryn7ou\subpla~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\j3y9jf4x\welcom~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\j3y9jf4x\ml_win~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\egcvje7b\contex~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ibyuqp73\am_win~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\iagdl6vk\downlo~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\5i7bcgcz\topsea~1.sh! 
c:\docume~1\kevin\locals~1\tempor~1\content.ie5\1i59qzon\hotmai~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\90dkugpq\mail_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\2nyuz477\forumu~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\heb2ge4g\forumu~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\wu8m8jrs\mapsgo~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\bzr31yq7\costco~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\dtrw764v\closed~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\wu8m8jrs\maps_2~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\y3pt41lf\openha~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\wu8m8jrs\home_4~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\y5p0r41z\footer~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\y5p0r41z\index_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\tg4a22x4\ads_2_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\uo2372ae\signup~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\tg4a22x4\header~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\16eblwkh\forumu~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\xvhdjwfl\torren~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\9f9xjzwp\pirate~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\xvhdjwfl\ads_1_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\en9sh9os\pirate~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\0x11xnki\footer~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\wylhdxsy\signup~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\kwt0q7fg\header~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\kwt0q7fg\crackt~1.sh! c:\docume~1\kevin\locals~1\temp\cddb\2793472.sh! c:\docume~1\kevin\locals~1\temp\cddb.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ywbsb0mu\defaul~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ywbsb0mu\mail_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\9a1b6e3w\pngbeh~2.sh! 
c:\docume~1\kevin\locals~1\tempor~1\content.ie5\z0jdqi6k\v6_1_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\4ile50u0\finish~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\9a1b6e3w\index_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\4ile50u0\topic5~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\4ile50u0\glossa~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\9a1b6e3w\banner~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\4ile50u0\defaul~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\59swkn25\stage2~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\59swkn25\stage1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\59swkn25\contex~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\4ile50u0\pngbeh~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\59swkn25\finish~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\z0jdqi6k\baseli~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\4ile50u0\stage2~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\9a1b6e3w\index_~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\9a1b6e3w\header~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\z0jdqi6k\stage1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\z0jdqi6k\contex~3.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\4ile50u0\pngbeh~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\z0jdqi6k\signup~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\59swkn25\banner~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\4ile50u0\footer~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\59swkn25\v6_1_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\9a1b6e3w\finish~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\9a1b6e3w\banner~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\59swkn25\pngbeh~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\9a1b6e3w\_ord_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\z0jdqi6k\stage2~1.sh! 
c:\docume~1\kevin\locals~1\tempor~1\content.ie5\z0jdqi6k\index_~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\z0jdqi6k\stage1~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\z0jdqi6k\contex~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\9a1b6e3w\pngbeh~3.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\59swkn25\finish~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\z0jdqi6k\baseli~3.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\z0jdqi6k\topic5~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\9a1b6e3w\glossa~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\9a1b6e3w\ads_1_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\9a1b6e3w\vundof~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\58yj0l9r\closed~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\46sduehi\maps_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\58yj0l9r\maps_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\8ltbcu3p\openha~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\z39fu4in\avs-vi~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\973bf3vd\forumu~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\3ltrck8z\forumu~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\s0dnrzys\audio_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\c0tom6kg\statio~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\j02n4xcw\adzdef~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\s0dnrzys\fc_1_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\c0tom6kg\ondema~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ekps3303\687474~3.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\1tr8sc82\687474~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ekps3303\687474~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ouqt4hqx\687474~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\l98c5nla\687474~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ekps3303\687474~1.sh! 
c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ouqt4hqx\687474~4.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\l98c5nla\687474~3.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\1tr8sc82\363936~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\1tr8sc82\363936~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ouqt4hqx\2f2f77~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\l98c5nla\687474~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ouqt4hqx\687474~3.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\l98c5nla\681533~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\02yid24v\ads_1_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\02yid24v\ads_2_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\vd238imi\auctio~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\vd238imi\search~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\02yid24v\filter~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\t7xy82hk\mail_1~1.sh! c:\docume~1\kevin\locals~1\temp\{7689c~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\9b0qu169\fc_2_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\mspary9u\68c537~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\mspary9u\68b759~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\mspary9u\687474~3.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\mspary9u\6c6174~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\nhz6bxdn\687474~3.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\p1nxa9rk\6c6174~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\mspary9u\703a2f~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\cgvio2i3\header~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\fcmsunna\signup~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\kq1f9wi1\footer~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\3l17dsea\ads_1_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\movk9ij1\ads_1_~1.sh! 
c:\docume~1\kevin\locals~1\tempor~1\content.ie5\zmkjfoc9\tr1699~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\qiowpate\loggin~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\zmkjfoc9\tre910~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\zmkjfoc9\tr057f~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\326pu3fg\secfa8~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\me62rc59\mail_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\y7g1qxoi\ads_2_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\srbxhurk\trb6af~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\44e5lm1e\loggin~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ydsgn26b\trb61c~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ex2lfkm4\tr0fb4~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\44e5lm1e\tr165e~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\44e5lm1e\traa3f~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\mmfy12eo\loggin~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\8fzi9hdw\trb130~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\16z5xazp\tr932c~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\8fzi9hdw\tr0410~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\mmfy12eo\tr13a8~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\qwkr61uf\tr8320~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\0b2iyme7\search~3.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\585o1e0f\elliet~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ikqddtsu\header~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ikqddtsu\signup~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\k1js6ucw\footer~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\vsk79cpc\mail_2~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\deuibcvq\header~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\vsk79cpc\signup~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\vsk79cpc\footer~1.sh! 
c:\docume~1\kevin\locals~1\tempor~1\content.ie5\2ngyoktq\mail_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\g3jol5rm\GETMSG~1.SH!
     
  5. kmck

    kmck TS Rookie Topic Starter Posts: 20

    DDS.txt part 2

    mRun: [MISAggregator]
    mRun: [MWLExe] c:\program files\mcafee\mwl\MWLGuiSt.exe
    mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [DSL Connection Manager] c:\program files\intel\dslsetup\ProDsl.exe
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [<NO NAME>]
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [!AVG Anti-Spyware] "c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    uPolicies-explorer: NoViewOnDrive = 0 (0x0)
    uPolicies-system: RunStartupScriptSync = 1 (0x1)
    mPolicies-system: RunStartupScriptSync = 1 (0x1)
    IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206624755015
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    Hosts: 127.0.0.1 www.spywareinfo.com
    ============= SERVICES / DRIVERS ===============

    R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2003-11-16 9344]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-7 64288]
    R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
    R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2008-4-4 10872]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-3 214664]
    R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [2003-11-16 457088]
    R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [2002-3-7 21233]
    R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [2002-3-7 19534]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-11-3 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-11-3 35272]
    R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-11-3 34248]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-11-3 40552]
    R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2002-3-7 6942]
    R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-2-16 27632]
    S2 P31LOAD;Intel(R) PRO/DSL 3220 USB Modem Firmware Loader;c:\windows\system32\drivers\p31usbld.sys [2004-6-3 18906]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-6-16 13224]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
    S3 PRO3200P;Intel(R) USB ADSL Modem;c:\windows\system32\drivers\p32d2kp.sys [2002-4-27 530785]
    S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2010-2-16 89256]
    S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2010-2-16 15016]
    S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2010-2-16 120744]
    S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2010-2-16 114216]
    S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2010-2-16 25512]
    S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2010-2-16 110632]
    S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2010-2-16 115752]

    =============== Created Last 30 ================

    2010-09-16 16:03:21 0 d-----w- c:\docume~1\kevin\applic~1\Malwarebytes
    2010-09-16 16:01:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-16 16:01:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-09-16 16:00:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-16 16:00:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-16 09:41:54 0 d-----w- c:\docume~1\kevin\applic~1\ElevatedDiagnostics
    2010-09-15 12:40:31 0 d-----w- c:\program files\iPod
    2010-09-15 12:40:11 0 d-----w- c:\program files\iTunes
    2010-09-08 20:44:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-09-07 14:58:24 71 ----a-w- c:\documents and settings\kevin\Application DatadMb.dat
    2010-09-07 14:23:38 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-09-07 14:23:11 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-09-07 12:25:20 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
    2010-09-07 12:23:33 0 d-----w- c:\program files\Lavasoft
    2010-09-03 11:37:55 0 d-----w- c:\program files\Winamp Detect
    2010-08-20 10:11:17 423656 ----a-w- c:\windows\system32\deployJava1.dll

    ==================== Find3M ====================

    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-17 13:17:06 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
    2010-07-28 17:02:03 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggflt_01007.Wdf
    2010-07-28 17:02:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
    2010-07-28 17:01:40 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
    2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
    2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 15:49:15 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
    2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
    2010-06-24 16:51:58 11077120 ----a-w- c:\windows\system32\dllcache\ieframe.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
    2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll
    2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
    2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
    2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
    2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
    2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
    2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2010-06-24 12:21:58 1986560 ----a-w- c:\windows\system32\dllcache\iertutil.dll
    2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
    2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
    2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
    2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
    2005-02-27 14:25:22 1031 --sh--w- c:\windows\system\ws32ntfa.dat
    2006-01-05 09:01:05 1031 --sh--w- c:\windows\system\ws32ntfl.dat
    2002-04-16 11:27:54 5 --sha-w- c:\windows\system32\CdI5T.drv
    1998-03-20 01:00:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
    1998-03-20 01:00:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
    1998-03-20 01:00:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
    1998-03-20 01:00:00 1048 --sha-w- c:\windows\system32\TMailRL.sys
    2008-08-21 09:29:44 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082120080822\index.dat

    ============= FINISH: 9:04:56.98 ===============
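The DDS log above is the kind of listing a malware helper reads by eye for a handful of things: autorun entries whose command is empty, `Hosts:` overrides, and hidden+system files sitting directly in the Windows system directories. The following script is an added example, not part of this thread or of the DDS tool, that runs those three checks over DDS-style lines. The sample lines are copied from the log above (the `index.dat` line is included to show the profile-history exemption), and the loopback set and system-directory list are assumptions for the demo; a hit is a review item, not a verdict.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the DDS log in this thread, one or two from
# each section the checks look at. Nothing here is asserted to be malicious.
SAMPLE_DDS = r"""mRun: [MISAggregator]
mRun: [MWLExe] c:\program files\mcafee\mwl\MWLGuiSt.exe
mRun: [<NO NAME>]
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
Hosts: 127.0.0.1 www.spywareinfo.com
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2005-02-27 14:25:22 1031 --sh--w- c:\windows\system\ws32ntfa.dat
1998-03-20 01:00:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
2008-08-21 09:29:44 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082120080822\index.dat
"""

# uRun/mRun/dRun: [name] command   (command may be absent)
RUN_RE = re.compile(r"^(?P<hive>[umd]?)Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Hosts: <ip> <hostname>
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
# Find3M / Created Last 30: <date> <time> <size> <8-char attrs> <path>
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)

# Assumptions for the demo: directories where a hidden+system file is unusual,
# and addresses that turn a hosts entry into a block rather than a redirect.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\system")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parent_dir(path: str) -> str:
    p = path.lower().replace("/", "\\")
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def triage_dds(text: str) -> List[Tuple[str, str]]:
    """Return (check, detail) pairs for the entries a reviewer looks at first."""
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            # An autorun value with no command is a leftover or a broken entry; list it.
            if not m["cmd"].strip():
                findings.append(("empty-autorun", m["name"]))
            continue
        m = HOSTS_RE.match(line)
        if m:
            if m["host"].lower() != "localhost":
                kind = "hosts-override" if m["ip"] in LOOPBACK else "hosts-redirect"
                findings.append((kind, f"{m['ip']} {m['host']}"))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs = m["attrs"]
            # Hidden+system directly inside system32 or system; deeper paths such as a
            # profile's history\index.dat are normal and are deliberately not flagged.
            if "h" in attrs and "s" in attrs and parent_dir(m["path"]) in SYSTEM_DIRS:
                findings.append(("hidden-system-file", m["path"]))
    return findings


def by_check(findings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = defaultdict(list)
    for check, detail in findings:
        out[check].append(detail)
    return dict(out)


if __name__ == "__main__":
    for check, items in by_check(triage_dds(SAMPLE_DDS)).items():
        print(check)
        for item in items:
            print("   ", item)
```

Every hit from this script still needs a second source before anything is deleted: the empty `mRun` values are the sort of thing an OTL fix line removes, the hosts entry is what `[resethosts]` later in the thread undoes, and a hidden+system file in system32 is checked by its signature and vendor, not by its attributes alone.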
     
  6. crunchie

    crunchie Malware Helper Posts: 728

    GMER log also please.
     
  7. kmck

    kmck TS Rookie Topic Starter Posts: 20

    GMER log part1

    The first time I ran GMER, it seemed to work successfully and I saved the log file, then got a blue screen. On rebooting I was unable to retrieve the log file, so I ran GMER again and saved the log file again. Once again I got a blue screen, but on reboot I was able to retrieve the log file and it is attached in several parts:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-09-17 21:19:43
    Windows 5.1.2600 Service Pack 3
    Running: mlfjnik6.exe; Driver: C:\DOCUME~1\Kevin\LOCALS~1\Temp\awldapow.sys


    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF85C687E]
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF8C258AC]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF85C6BFE]
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF8C25812]

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB651478E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB651473C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB6514750]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB651483B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB6514867]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB65148D5]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB65148BF]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB65147CE]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB6514901]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB6514811]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB6514728]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB65147A2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB651493D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB65148A9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB6514893]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB6514851]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB6514929]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB6514915]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB651477A]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB6514766]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB65148EB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB65147E4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB65147B8]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 235 804E28A1 3 Bytes [58, C2, F8]
    .text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP B65147BC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwOpenKey 80568D48 5 Bytes JMP B6514815 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F9 7 Bytes JMP B6514897 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtCreateFile 8056CF98 5 Bytes JMP B6514792 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtSetInformationProcess 8056DDD9 5 Bytes JMP B651476A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwQueryKey 80570C4A 7 Bytes JMP B6514941 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwEnumerateKey 80570F41 7 Bytes JMP B65148D9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571E96 7 Bytes JMP B65147A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP B65147E8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP B65147D2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP B6514754 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwEnumerateValueKey 80589A67 7 Bytes JMP B65148C3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtOpenThread 8058E5C4 5 Bytes JMP B651472C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058EA94 5 Bytes JMP B6514905 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D64 7 Bytes JMP B651486B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwDeleteKey 80595316 7 Bytes JMP B651483F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwCreateProcess 805B14AC 5 Bytes JMP B6514740 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwSetContextThread 8062E057 5 Bytes JMP B651477E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwUnloadKey 8064DD32 7 Bytes JMP B65148EF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E66B 7 Bytes JMP B65148AD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwRenameKey 8064EAEA 7 Bytes JMP B6514855 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwRestoreKey 8064EFDD 5 Bytes JMP B6514919 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwReplaceKey 8064F446 5 Bytes JMP B651492D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF7693340, 0xFFF3F, 0xF8000020]
    .text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012300, 0x234A20, 0xF8000020]
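The GMER "System" section above is a list of SSDT and inline kernel hooks, and the question a helper asks of each one is simply who owns it. Every hook in this log resolves to a security product (Lavasoft's Lbd.sys, AVG Anti-Spyware's guard.sys, McAfee's mfehidk.sys), which is why nothing here is alarming. The script below is an added example, not part of the thread or of GMER, that parses hook lines and attributes each to its module, flagging only hooks that cannot be tied to a trusted vendor annotation or a known product directory. The trusted-vendor set and path fragments are assumptions for the demo; the first hook lines are copied from the log above, while the last two (the scanner's own driver hooking, and `demo_unknown.sys`) are constructed placeholders to exercise the remaining branches. GMER's own scan driver has a random name under the user's Temp directory and is named on the `Running:` line, so the script exempts it rather than flagging it.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Sample GMER "System" section for the demo. The Running: line and the first four
# hook lines are copied from the thread's log; the last two hook lines are
# CONSTRUCTED so the scanner-self and unattributed branches are exercised.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-17 21:19:43
Running: mlfjnik6.exe; Driver: C:\DOCUME~1\Kevin\LOCALS~1\Temp\awldapow.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF85C687E]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF8C258AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB651478E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
SSDT \??\C:\DOCUME~1\Kevin\LOCALS~1\Temp\awldapow.sys ZwQuerySystemInformation [0xF8A10000]
SSDT \??\C:\WINDOWS\system32\drivers\demo_unknown.sys ZwQueryDirectoryFile [0xF8B20000]
"""

# Assumptions for the demo: vendors whose annotation we accept, and product
# directories we accept when GMER prints no "(Description/Vendor)" annotation.
TRUSTED_VENDORS = {"McAfee, Inc.", "Lavasoft AB"}
TRUSTED_PATH_FRAGMENTS = (r"\grisoft\avg anti-spyware",)

RUNNING_RE = re.compile(r"^Running:\s*(?P<exe>\S+);\s*Driver:\s*(?P<drv>.+?)\s*$", re.M)
# <kind> <module path, may contain spaces> [(Description/Vendor)] <function> [[0xADDR]]
HOOK_RE = re.compile(
    r"^(?P<kind>SSDT|Code|INT|IAT)\s+"
    r"(?P<module>.+?)"
    r"(?:\s+\((?P<annot>[^)]*)\))?"
    r"\s+(?P<func>[A-Za-z_][\w!]*)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(module: str, annot: str, scanner_driver: str) -> str:
    if basename(module) == scanner_driver:
        return "scanner-self"          # GMER's own random-named Temp driver
    if annot and "/" in annot:
        vendor = annot.rsplit("/", 1)[1].strip()
        if vendor in TRUSTED_VENDORS:
            return "trusted-vendor"
    if any(frag in module.lower() for frag in TRUSTED_PATH_FRAGMENTS):
        return "trusted-path"
    return "unattributed"              # nobody we recognise owns this hook


def triage(log_text: str) -> List[Dict[str, str]]:
    m = RUNNING_RE.search(log_text)
    scanner_driver = basename(m["drv"]) if m else ""
    records: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        h = HOOK_RE.match(line.strip())
        if not h:
            continue
        records.append({
            "kind": h["kind"], "module": h["module"], "func": h["func"],
            "addr": h["addr"] or "",
            "verdict": classify(h["module"], h["annot"] or "", scanner_driver),
        })
    return records


def summarize(records: List[Dict[str, str]]) -> Dict[str, Tuple[str, List[str]]]:
    """Group hooks by owning module: module -> (verdict, sorted hooked functions)."""
    per_module: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for r in records:
        per_module[basename(r["module"])].append(r)
    return {mod: (recs[0]["verdict"], sorted(r["func"] for r in recs))
            for mod, recs in per_module.items()}


def flagged(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in records if r["verdict"] == "unattributed"]


if __name__ == "__main__":
    recs = triage(SAMPLE_LOG)
    for mod, (verdict, funcs) in summarize(recs).items():
        print(f"{verdict:15} {mod:20} {', '.join(funcs)}")
    for r in flagged(recs):
        print("REVIEW:", r["kind"], r["module"], r["func"], r["addr"])
```

An "unattributed" verdict is a lead, not a finding: the next step is to check the module's file signature and vendor, and whether it belongs to something the user installed. Inline `Code` hooks from a HIPS driver such as mfehidk.sys look identical to what a rootkit does mechanically, which is exactly why attribution by owner, not by the presence of a hook, is the useful signal.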
     
  8. kmck

    kmck TS Rookie Topic Starter Posts: 20

    GMER log part2

    The file is too large so I have zipped and attached it.
     

    Attached Files:

  9. crunchie

    crunchie Malware Helper Posts: 728

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!

    ===============

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  10. kmck

    kmck TS Rookie Topic Starter Posts: 20

    ComboFix Log, OTL Log, Extras.txt

    Logs attached, as requested. When running ComboFix I had to reconnect to the internet as it wanted to download RestorePoint from Microsoft.com?
    Other than that, all seemed to go smoothly.

    Thanks for your help.

    K
     

    Attached Files:

  11. crunchie

    crunchie Malware Helper Posts: 728

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      
      :OTL
      O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O9 - Extra Button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} -  File not found
      :Commands
      [emptyflash]
      [Purity]
      [emptytemp]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top.
    • Let the program run unhindered, reboot the PC when it is done.
    • Post log from this run.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

    ====

    Let me know how things are now.
     
  12. kmck

    kmck TS Rookie Topic Starter Posts: 20

    OTL Logs

    Hi

    Attached are the log files you requested.
    Hope they can shed some light on things!

    K
     

    Attached Files:

  13. crunchie

    crunchie Malware Helper Posts: 728

    How is it?
     
  14. kmck

    kmck TS Rookie Topic Starter Posts: 20

    Still really slow, 60 processes running, Commit Charge 740M+/1249M?
    Hard disk chattering away while the PC doesn't appear to be doing anything.
    McAfee no longer updating. Before, it used to run automatically whenever I connected to the internet, and would take a really long time to download (10 mins plus). Now nothing happens and no "M" icon is displayed in the systray anymore. How bad is it?

    Yours hopefully
    K
     
  15. crunchie

    crunchie Malware Helper Posts: 728

    Let's have a go at an online scan whilst we are at it and see what it turns up.

    Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
    • You will need to use Internet Explorer to complete this scan.
    • You will need to temporarily Disable your current Anti-virus program.
    • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

    NOTE: If you are unable to complete the ESET scan, please try another from the list below:

     
  16. kmck

    kmck TS Rookie Topic Starter Posts: 20

    Hi

    Tried to run ESET but it kept asking for proxy info and wouldn't run. Then tried Kaspersky online scan and it wouldn't run. So I ran Panda Software ActiveScan. This took 30+ hrs to run! Found 5 items (log attached). At about 70% complete I got the following warning:

    WINDOWS VIRTUAL MEMORY MINIMUM TOO LOW.

    Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process memory requests for some applications may be denied. For more information, see Help.

    At this point processes running were 60, CPU usage was 100%.

    Hope this makes sense.

    Thanks
    K
     

    Attached Files:

  17. crunchie

    crunchie Malware Helper Posts: 728

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

      Code:
      :Files
      c:\windows\system32\cmd.ftp
      c:\system volume information\_restore{e87a81fb-fdcf-4b92-a20c-951710f82d7c}\rp642\a0137383.exe
      c:\system volume information\_restore{e87a81fb-fdcf-4b92-a20c-951710f82d7c}\rp642\a0137382.dll
      
      :Commands
      [emptytemp]
      [clearallrestorepoints]
      [Reboot]
    • Then click the Run Fix button at the top.
    • Let the program run unhindered, reboot the PC when it is done.
    • Post log from this run.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
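As an added illustration, not part of this thread or of OTL itself: a small Python dry-run parser for the fix-script format crunchie posts above (sections headed :OTL, :Files, :Commands). Only the section names and the sample lines come from the posts; how OTL itself interprets them beyond that is an assumption, and this script only reports what a pasted fix would touch, it changes nothing on disk.

```python
"""Dry-run parser for an OTL custom fix script (added example, not from the thread).
Classifies each line by its ':' section so the user can review a fix before Run Fix."""
import re
from dataclasses import dataclass, field

# Sample input: the two fixes posted in the thread, combined into one script.
SAMPLE_FIX = r""":OTL
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O9 - Extra Button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} -  File not found
:Files
c:\windows\system32\cmd.ftp
c:\system volume information\_restore{e87a81fb-fdcf-4b92-a20c-951710f82d7c}\rp642\a0137383.exe
c:\system volume information\_restore{e87a81fb-fdcf-4b92-a20c-951710f82d7c}\rp642\a0137382.dll
:Commands
[emptytemp]
[clearallrestorepoints]
[Reboot]
"""

@dataclass
class FixPlan:
    files: list = field(default_factory=list)      # paths under :Files
    otl_lines: list = field(default_factory=list)  # Oxx log entries under :OTL
    commands: list = field(default_factory=list)   # [command] tokens under :Commands
    unknown: list = field(default_factory=list)    # lines that fit no section rule

COMMAND_RE = re.compile(r"^\[([a-z]+)\]$", re.IGNORECASE)
OTL_LINE_RE = re.compile(r"^O\d+ - ")  # OTL log-line prefix, e.g. "O3 - "

def parse_fix(text: str) -> FixPlan:
    plan, section = FixPlan(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):          # section header such as :Files
            section = line[1:].lower()
            continue
        m = COMMAND_RE.match(line)
        if section == "files":
            plan.files.append(line)
        elif section == "otl" and OTL_LINE_RE.match(line):
            plan.otl_lines.append(line)
        elif section == "commands" and m:
            plan.commands.append(m.group(1).lower())
        else:
            plan.unknown.append(line)
    return plan

def restore_point_paths(plan: FixPlan) -> list:
    """Paths inside System Volume Information are restore-point copies (RPnnn folders)."""
    return [p for p in plan.files if "system volume information" in p.lower()]
```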
  18. kmck

    kmck TS Rookie Topic Starter Posts: 20

    Hi,

    Sorry for delay but have been away for few days.

    Ran virusscan.jotti and findings as follows:

    Scanners
    2010-09-28 Found nothing 2010-09-28 Trojan.FTPGet.B
    2010-09-27 Found nothing 2010-09-28 Trojan.FTPGet.B
    2010-09-27 Found nothing 2010-09-28 Found nothing
    2010-09-28 Found nothing 2010-09-27 Found nothing
    2010-09-28 Trojan.FTPGet.B 2010-09-27 W32/Sasser.ftp
    2010-09-28 Trojan.Downloader.Bat.Ftp.gen-3 2010-09-28 Found nothing
    2010-09-28 Troj.Downloader.BAT.Ftp.R 2010-09-28 Troj/BatFtp-B
    2010-09-28 Found nothing 2010-09-26 Found nothing
    2010-09-27 Found nothing 2010-09-27 Found nothing


    Hope this helps.

    K


     
  19. crunchie

    crunchie Malware Helper Posts: 728

    Have I missed something? What file did you upload?

    Did you do the last OTL fix?
     
  20. kmck

    kmck TS Rookie Topic Starter Posts: 20

    Hi,

    Sorry, per email from techspot openboards on 25/09/10 I was advised that you wanted me to run virusscan.jotti and to upload file c:\windows32\cmd.ftp. The log in my previous reply relates to this file.

    I have now run otl and attach both requested logs for you.

    Again, I hope this makes sense to you.

    Thanks
    K
     

    Attached Files:

  21. crunchie

    crunchie Malware Helper Posts: 728

    Was that the exact file path?

    c:\windows32\cmd.ftp

    It wasn't C:\Windows\system32\cmd.ftp?
     
  22. kmck

    kmck TS Rookie Topic Starter Posts: 20

    Hi

    I'm not sure! I had to browse to the file and the filepath was C:\WINDOWS\SYSTEM32\cmd.ftp

    This file is no longer there when I navigate to it in Windows Explorer.

    K
     
  23. crunchie

    crunchie Malware Helper Posts: 728

    What happened between you scanning that file at Jotti's and your last post?
    The file existed when you went to Jotti's. I don't understand why it is now no longer there.
     
  24. kmck

    kmck TS Rookie Topic Starter Posts: 20

    Hi

    I went to virusscan.jotti.org and browsed to find C:\WINDOWS\SYSTEM32\cmd.ftp. Then I clicked on the 'Upload File' button. It seemed to go through a routine. Then I ran OTL with the notations you suggested and posted both logs here.

    I since tried a "search" of my PC for 'cmd.ftp' and it came back with 0 results. It's like the file has just vanished. Should I be worried?

    Thanks
    K
     
  25. crunchie

    crunchie Malware Helper Posts: 728

    I have just gone back through the posts to 4 days ago and that is a file that I had you remove with OTL.

    Let me know how your PC is now please.
     