TechSpot

Intelppm.sys virus - ccapp.exe & vptray.exe using all cpu

By Nigeljeeves
Oct 9, 2010
  1. Hey All!
    I was recently browsing eBay when I went to click on an item and my Symantec antivirus flashed red and said something was trying to steal my passwords and info. I immediately turned off my wireless adapter and locked down my laptop with the firewall. My laptop ran slow now; I was unable to open my antivirus, task manager, basically anything that could help me figure out the problem. I rebooted in safe mode and I was able to perform a full scan with my Symantec antivirus: 22 infected files or folders. Most were quarantined and deleted but the INTELPPM.SYS virus was only partially removed. I thought this was normal. Is it?
    I restarted after I thought all threats were eliminated; the computer continued to run slow. I opened task manager and noticed ccapp.exe and vptray.exe each using 50% of the CPU. I have no idea what they are, or how they work. I then restarted in safe mode because it was running so slow and rescanned with antivirus and Malwarebytes: 8 infections with Malwarebytes and 9 with Symantec. How could this be? My computer still has not been back on the internet. The Intelppm.sys came up again as well. Any insight on any of these problems would be greatly appreciated. I can attach a screenshot of my problems if that would be helpful. I am not extremely proficient in computers; however, I understand a lot and can do what is advised.

    Thanks
     
  2. Broni

    Broni Malware Annihilator Posts: 52,892   +344

  3. Nigeljeeves

    Nigeljeeves TS Rookie Topic Starter

    Very slow progress

    Here are the results from my Malwarebytes scan. However, when scanning with the GMER program the computer rebooted after about an hour and a half of scanning. And the only way to run these programs is safe mode. But I can't figure out why the two processes vptray.exe and ccapp.exe are still using all the CPU. This makes it very difficult to open any programs; it's been trying to restart the GMER program for half an hour now with those two chewing up my CPU, and I can't force them to close either. Can I uninstall Symantec some way? It won't let me in safe mode.
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    10/8/2010 11:30:19 PM
    mbam-log-2010-10-08 (23-30-19).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 277863
    Time elapsed: 1 hour(s), 2 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\PRAGMAhqdtrprqrn (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Administrator\Local Settings\Temp\PRAGMA362e.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\PRAGMAhqdtrprqrn\PRAGMAc.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\PRAGMAhqdtrprqrn\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\PRAGMAhqdtrprqrn\PRAGMAsrcr.dat (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     
  4. Nigeljeeves

    Nigeljeeves TS Rookie Topic Starter

    I will update with additional logs as they become available.
     
  5. Nigeljeeves

    Nigeljeeves TS Rookie Topic Starter

    DDS (Ver_10-10-10.02) - NTFSx86 MINIMAL
    Run by EJ at 16:11:13.09 on Sat 10/09/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2043.1750 [GMT -5:00]

    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
    C:\WINDOWS\explorer.exe
    F:\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=all&pf=cmnb
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: Userinit=c:\windows\system32\Userinit.exe
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [IJKUK66HMN] c:\docume~1\admini~1\locals~1\temp\Rk1.exe
    uRun: [Oyutifinosobuzit] rundll32.exe "c:\windows\acoscx8t.dll",Startup
    uRun: [dfrgsnapnt.exe] c:\docume~1\admini~1\locals~1\temp\dfrgsnapnt.exe
    mRun: [nwiz] nwiz.exe /installquiet /nodetect
    mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
    mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.Exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
    mRun: [FRYMXINS] "c:\program files\ati technologies\fire gl 3d studio max\atiimxgl"
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [KASHCNTNIT71185300895561] "c:\program files\kaseya\agent\KaUsrTsk.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
    mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
    mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
    mRun: [Jvuhiqowal] rundll32.exe "c:\windows\onazikequwamoh.dll",Startup
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\record~1.lnk - c:\program files\milestone\milestone surveillance\DisplayStatus.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
    IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    LSP: bmnet.dll
    DPF: {004DF9D9-566D-11D7-B77D-00E018901A05} - hxxp://10.165.0.39/iqeye.ocx.gz
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {41E6DDD6-FBD6-4718-80F7-9B160533C2F5} - hxxp://dkontrack.tulsaschools.org/cabs/IGToolbars50.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236800899418
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236800922282
    DPF: {7340F0E4-AEDA-47C6-8971-9DB314030BD7} - hxxp://10.78.100.209/activex/decoder/h264_dec.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {B3014671-7872-4671-BE73-5D05EB5B2AF5} - hxxp://dkontrack.tulsaschools.org/cabs/IGUltraGrid20.CAB
    DPF: {B63EA811-FF25-4211-A6D2-58BF767432E1} - hxxp://dkontrack.tulsaschools.org/cabs/pictureloader.cab
    DPF: {BA7A56EB-D1B9-443B-96E9-086532A378F1} - hxxp://10.161.4.18/activex/decoder/aac_dec.cab
    DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} - hxxp://10.161.1.58/activex/decoder/intel_mpeg4_dec.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://systemrequirementslab.com.s3.amazonaws.com/iduu/bin/srldetect_intel.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://10.21.15.42/activex/AMC.cab
    DPF: {EF991872-9158-4570-A7FF-E7DBB6A4B8E9} - hxxp://10.21.8.44/iqweb.ocx
    DPF: {F0D96671-A5CE-4854-AE49-6835742D232F} - hxxp://dkontrack.tulsaschools.org/cabs/IGThreed40.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
    Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
    AppInit_DLLs: APSHook.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    LSA: Notification Packages = scecli ASWLNPkg

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\gs29mwxn.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
    FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1698.5652\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {5E9730DC-0DD7-40B2-AA17-5AAA6E1D1FC0} - c:\documents and settings\administrator\local settings\application data\{5E9730DC-0DD7-40B2-AA17-5AAA6E1D1FC0}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    ============= SERVICES / DRIVERS ===============

    R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-7-11 109184]
    R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2008-7-11 51376]
    R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-7-11 12928]
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-3-28 24064]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-4 41216]
    S1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2008-7-11 12496]
    S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
    S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
    S1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\davidb\desktop\xpvirtualcd\VCdRom.sys [2009-3-11 8576]
    S2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-15 182576]
    S2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
    S2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
    S2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-6-12 1164536]
    S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
    S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
    S2 gupdate1ca2e46a438ba50;Google Update Service (gupdate1ca2e46a438ba50);c:\program files\google\update\GoogleUpdate.exe [2009-9-5 133104]
    S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\hp protecttools security manager\PTChangeFilterService.exe [2008-7-8 19968]
    S2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2008-7-11 256512]
    S2 KACNTNIT71185300895561;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2009-3-11 806912]
    S2 Milestone Image Import Service;Milestone Image Import Service;c:\program files\milestone\milestone surveillance\ImageImportService.exe [2009-2-27 6320128]
    S2 Milestone Image Server;Milestone Image Server;c:\program files\milestone\milestone surveillance\ImageServer.exe [2009-2-27 7409664]
    S2 Milestone Log Check Service;Milestone Log Check Service;c:\program files\milestone\milestone surveillance\ELFFLogCheckerService.exe [2009-2-27 344064]
    S2 Milestone Recording Server;Milestone Recording Server;c:\program files\milestone\milestone surveillance\RecordingServer.exe [2009-2-27 7061504]
    S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
    S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-6-12 477696]
    S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2009-7-15 121416]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-9-23 193840]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-3-27 244368]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-8 102448]
    S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2008-2-18 106624]
    S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2008-2-8 59648]
    S3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2009-3-11 13824]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101008.004\naveng.sys [2010-10-8 86064]
    S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101008.004\navex15.sys [2010-10-8 1371184]
    S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2008-9-23 47616]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]

    =============== Created Last 30 ================

    2010-10-09 00:08:25 120 ----a-w- c:\windows\Rnujajogan.dat
    2010-10-09 00:08:25 0 ----a-w- c:\windows\Adexejubet.bin
    2010-10-09 00:08:24 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\{5E9730DC-0DD7-40B2-AA17-5AAA6E1D1FC0}
    2010-10-09 00:05:27 48128 ---ha-w- c:\windows\system32\attrcnfg.dll
    2010-10-08 23:33:58 104960 --sha-r- c:\windows\system32\fontextg.dll
    2010-09-11 22:42:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
    2010-09-11 22:42:33 -------- d-----w- c:\program files\McAfee Security Scan

    ==================== Find3M ====================

    2010-10-09 05:08:26 1100 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-10-09 00:05:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-08-20 16:42:13 256 ----a-w- c:\windows\system32\pool.bin
    2010-08-20 05:26:26 256 ----a-w- c:\documents and settings\administrator\pool.bin

    ============= FINISH: 16:23:37.01 ===============
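    The DDS log above lists the per-user (uRun) and machine-wide (mRun) autostart entries, and several of them are the kind an analyst picks out by eye: rundll32.exe loading randomly named DLLs straight out of c:\windows (acoscx8t.dll, onazikequwamoh.dll) and executables launched from the user's temp folder (Rk1.exe, dfrgsnapnt.exe). The Python script below is an added example, not part of this thread or of the DDS tool, that parses Run lines in this format and flags those two patterns. The sample lines are copied from the log above with benign entries kept for contrast; the two heuristics, the function names and the regular expressions are this example's own assumptions, not DDS or Symantec logic.

```python
import re

# Constructed sample input: startup ("Run") entries in the DDS pseudo-HJT
# format, taken from the log posted in this thread, with benign entries kept
# for contrast. Backslashes are doubled only because this is a Python literal.
SAMPLE_RUN_LINES = [
    'uRun: [Google Update] "c:\\documents and settings\\administrator\\local settings\\application data\\google\\update\\GoogleUpdate.exe" /c',
    'uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe',
    'uRun: [IJKUK66HMN] c:\\docume~1\\admini~1\\locals~1\\temp\\Rk1.exe',
    'uRun: [Oyutifinosobuzit] rundll32.exe "c:\\windows\\acoscx8t.dll",Startup',
    'uRun: [dfrgsnapnt.exe] c:\\docume~1\\admini~1\\locals~1\\temp\\dfrgsnapnt.exe',
    'mRun: [ccApp] "c:\\program files\\common files\\symantec shared\\ccApp.exe"',
    'mRun: [vptray] c:\\progra~1\\symant~1\\VPTray.exe',
    'mRun: [CognizanceTS] rundll32.exe c:\\progra~1\\hewlet~1\\iam\\bin\\ASTSVCC.dll,RegisterModule',
    'mRun: [Jvuhiqowal] rundll32.exe "c:\\windows\\onazikequwamoh.dll",Startup',
    'mRun: [<NO NAME>]',
]

# DDS prefixes: 'u' = per-user (HKCU) Run key, 'm' = machine-wide (HKLM) Run key.
RUN_RE = re.compile(r'^([um])Run:\s*\[(.*?)\]\s*(.*)$')
TEMP_DIR_RE = re.compile(r'\\temp\\', re.IGNORECASE)
WINDOWS_ROOT = 'c:\\windows'


def extract_target(command):
    """Return the lower-cased path of the file the entry really executes or loads.

    For rundll32 entries that is the DLL named after the loader, not
    rundll32.exe itself; otherwise it is the first (possibly quoted) token.
    """
    cmd = command.strip()
    if not cmd:
        return ''
    via_rundll32 = cmd.lower().startswith('rundll32.exe')
    if via_rundll32:
        cmd = cmd[len('rundll32.exe'):].strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        target = cmd[1:end] if end > 0 else cmd[1:]
    elif via_rundll32:
        target = cmd.split(',', 1)[0]      # form is "path.dll,EntryPoint"
    else:
        target = cmd.split()[0]
    return target.lower()


def parse_run_line(line):
    """Parse one uRun/mRun line into a dict, or return None for any other line."""
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    hive = 'HKCU' if m.group(1) == 'u' else 'HKLM'
    command = m.group(3).strip()
    return {
        'hive': hive,
        'name': m.group(2),
        'command': command,
        'loader': command.lower().startswith('rundll32.exe'),
        'target': extract_target(command),
    }


def triage_entry(entry):
    """Return the reasons an entry deserves a closer look (empty list if none).

    Two heuristics, both assumptions of this example rather than DDS logic:
    a DLL loaded by rundll32 straight out of the Windows root, and any
    program launched from a temp directory.
    """
    reasons = []
    target = entry['target']
    if not target:
        return reasons
    directory = target.rpartition('\\')[0]
    if entry['loader'] and directory == WINDOWS_ROOT:
        reasons.append('rundll32 loads a DLL from the Windows root, not system32 or Program Files')
    if TEMP_DIR_RE.search(target):
        reasons.append('program launched from a temp directory')
    return reasons


def triage_run_lines(lines):
    """Return (hive, value name, target, reasons) for every flagged Run entry."""
    flagged = []
    for line in lines:
        entry = parse_run_line(line)
        if entry is None:
            continue
        reasons = triage_entry(entry)
        if reasons:
            flagged.append((entry['hive'], entry['name'], entry['target'], reasons))
    return flagged


if __name__ == '__main__':
    for hive, name, target, reasons in triage_run_lines(SAMPLE_RUN_LINES):
        print(f'{hive} Run\\{name} -> {target}')
        for reason in reasons:
            print(f'    - {reason}')
```

    Run against the sample it flags exactly the four entries named above (IJKUK66HMN, Oyutifinosobuzit, dfrgsnapnt.exe, Jvuhiqowal) and leaves the Symantec, HP, Google and ctfmon entries alone. The rundll32 special case matters: a naive parser would report rundll32.exe as the program and miss the DLL that is actually being loaded.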
     
  6. Nigeljeeves

    Nigeljeeves TS Rookie Topic Starter

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-10-09 16:29:29
    Windows 5.1.2600 Service Pack 3
    Running: hyf7tj52.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwpcrkog.sys


    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\explorer.exe[1448] @ C:\WINDOWS\explorer.exe [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\WINDOWS\explorer.exe[1448] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\WINDOWS\explorer.exe[1448] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\WINDOWS\explorer.exe[1448] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\WINDOWS\explorer.exe[1448] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\WINDOWS\explorer.exe[1448] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\WINDOWS\explorer.exe[1448] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\WINDOWS\explorer.exe[1448] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\WINDOWS\explorer.exe[1448] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\WINDOWS\explorer.exe[1448] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT C:\WINDOWS\explorer.exe[1448] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT C:\WINDOWS\explorer.exe[1448] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT F:\hyf7tj52.exe[1980] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT F:\hyf7tj52.exe[1980] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT F:\hyf7tj52.exe[1980] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT F:\hyf7tj52.exe[1980] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT F:\hyf7tj52.exe[1980] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT F:\hyf7tj52.exe[1980] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
    IAT F:\hyf7tj52.exe[1980] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
    IAT F:\hyf7tj52.exe[1980] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  7. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Please download PragmaFix and double click on it to run it.
    It'll produce PragmaFix.log in the C:\ folder. Post the log.

    Note - when you run PragmaFix you need an active internet connection!
     