Inactive N.exn strikes again

Hey guys... as per the rules, I am starting a new thread asking for help specific to my individual case, and not using the help offered to others on the basis of their particular needs.

Started having the usual malware/trojan problems of a severely slow system, did everything I could to eradicate it. SUPERAntiSpyware detected it, Malwarebytes found it too, but it keeps coming back. I find n.exn files in both my prefetch folders, windows\temp folders, and my recycle bin also won't show empty, prompts me to "do you really want to delete 'windows'?" unless I log on as admin in safe mode and delete the unseen files from there... I have heard of things hiding in your recycler folder and launching from there, but I don't know what I have. All I know is, I keep getting warnings from Rising Antivirus and I keep finding positives from SAS and Malwarebytes, and even in safe mode I am experiencing HORRIBLY slow operation and crashes.

I am running Win XP, SP2.
Please advise the next step... thanks in advance.

PS- I am considering a clean install of windows 7 anyway, so let me know if that would help before we kill ourselves here.
Martin
 

Welcome to TechSpot!
I will attempt to help you but need information first:
If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
=======================================
PS- I am considering a clean install of windows 7 anyway, so let me know if that would help before we kill ourselves here.
Reformatting/reinstall is always the member's choice. I can help you remove the rootkit by running a program that is more specific, if you would like. But I first need to see the logs from the scans in the thread above.

We can give it a try, but if the R/R is pretty firm in your mind, then cleaning would be a waste of time >> your choice.
 
Thanks Bobbye... I have made the decision to install Windows 7, on my 64-bit system...

What are you recommending is my first step?
 
Okay... well, before I do anything further, here are the results/logs of my scans:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5727

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

2/15/2011 3:58:06 PM
mbam-log-2011-02-15 (15-58-06).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 269323
Time elapsed: 1 hour(s), 10 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

_________________________________________________________

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-15 14:47:35
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12 Maxtor_6L200P0 rev.BAH41G10
Running: snmn4hqg.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\kftyqfow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwQueryDirectoryFile [0xBA3E4894]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwQuerySystemInformation [0xBA3E4939]

Code \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ObReferenceObjectByHandle

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

Device \FileSystem\Fastfat \Fat HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip HookTdi.sys (hooktdi.sys/Beijing Rising Information Technology Co., Ltd.)
AttachedDevice \Driver\Tcpip \Device\Ip rfwtdi.sys (rfwtdi.sys/Beijing Rising Information Technology Co., Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp HookTdi.sys (hooktdi.sys/Beijing Rising Information Technology Co., Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp rfwtdi.sys (rfwtdi.sys/Beijing Rising Information Technology Co., Ltd.)
AttachedDevice \Driver\Tcpip \Device\Udp HookTdi.sys (hooktdi.sys/Beijing Rising Information Technology Co., Ltd.)
AttachedDevice \Driver\Tcpip \Device\Udp rfwtdi.sys (rfwtdi.sys/Beijing Rising Information Technology Co., Ltd.)
AttachedDevice \Driver\Tcpip \Device\RawIp HookTdi.sys (hooktdi.sys/Beijing Rising Information Technology Co., Ltd.)
AttachedDevice \Driver\Tcpip \Device\RawIp rfwtdi.sys (rfwtdi.sys/Beijing Rising Information Technology Co., Ltd.)

---- EOF - GMER 1.0.15 ----




DDS (Ver_10-12-12.02) - NTFSx86
Run by Compaq_Owner at 16:42:20.15 on Tue 02/15/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1470.969 [GMT -5:00]

AV: Rising Antivirus *Enabled/Updated* {234E4A88-48FA-4220-A994-5323706FF524}
FW: Rising Personal Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Rising\RSD\RsMgrSvc.exe
C:\Program Files\Rising\Rav\RavMonD.exe
C:\Program Files\Rising\RFW\RavMonD.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Rising\RFW\RSTRAY.EXE
C:\Program Files\Rising\Rav\RSTRAY.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [PCDrProfiler]
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [CorelDRAW Graphics Suite 11b] c:\program files\corel\corel graphics 12\languages\en\programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=022511 serial=DR12WUX-0606275-REX lang=EN
mRun: [RFWTRAY] "c:\program files\rising\rfw\RSTRAY.EXE" -system
mRun: [RavTRAY] "c:\program files\rising\rav\RSTRAY.EXE" -system
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 192.168.2.6 HP000D9D071653
Hosts: 69.63.189.16 static.ak.fbcdn.net
================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\itkk5cx6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-2-11 64288]
R1 hooksys;hooksys;c:\windows\system32\drivers\Hooksys.sys [2010-12-1 165912]
R1 HookTdi;HookTdi;c:\windows\system32\drivers\HookTdi.sys [2010-12-1 23576]
R1 HyperVM;HyperVM;c:\windows\system32\drivers\hvm.sys [2010-12-1 31896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 RFWARP;Rising RfwARP Driver;c:\windows\system32\drivers\rfwarp.sys [2010-12-1 27672]
R2 rfwtdi;rfwtdi;c:\program files\rising\rfw\rfwtdi.sys [2010-12-1 25624]
R2 rsfwdrv;rsfwdrv;c:\program files\rising\rfw\rsfwdrv.sys [2010-12-1 57880]
R2 RsMgrSvc;Rsd Service;c:\program files\rising\rsd\RsMgrSvc.exe [2010-12-1 88728]
R2 RsRavMon;Rav Service;c:\program files\rising\rav\RavMonD.exe [2010-12-1 167544]
R2 RsRFWMon;RFW Service;c:\program files\rising\rfw\RavMonD.exe [2010-12-1 167544]
R3 RFWNDIS;Rising RfwNdis Driver;c:\windows\system32\drivers\rfwndis.sys [2010-12-1 20248]
S3 ATICDSDr;ATICDSDr;c:\program files\ati technologies\ati control panel\atiicdxx.sys [2005-8-3 6144]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

=============== Created Last 30 ================

2011-02-15 08:46:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2011-02-15 08:46:22 -------- d-----w- c:\program files\McAfee Security Scan
2011-02-15 02:48:47 -------- d-----w- c:\windows\Performance
2011-02-15 02:48:29 -------- d-----w- c:\docume~1\compaq~1\locals~1\applic~1\Microsoft Corporation
2011-02-15 02:47:39 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2011-02-15 00:31:21 -------- dc-h--w- c:\windows\ie8
2011-02-14 05:12:59 -------- d-----w- c:\windows\system32\XPSViewer
2011-02-14 05:11:58 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-02-14 05:11:37 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-02-14 05:11:37 117760 ------w- c:\windows\system32\prntvpt.dll
2011-02-14 05:11:36 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-02-14 05:11:36 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-02-14 05:11:36 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-02-14 05:11:36 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-02-14 05:11:35 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-02-14 05:11:35 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-02-14 05:11:34 -------- d-----w- C:\af8b021c70bc72bd3b5735795c4b8981
2011-02-13 22:12:38 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-02-13 22:12:38 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-02-13 22:12:38 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-02-13 22:12:37 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-02-13 22:12:37 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-02-13 22:12:37 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-02-13 22:12:35 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-02-13 21:45:50 -------- d-----w- c:\program files\MSXML 6.0
2011-02-13 21:40:08 -------- d-----w- c:\windows\ServicePackFiles
2011-02-13 20:44:38 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2011-02-13 20:43:22 2137088 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-02-13 20:43:20 2181376 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-02-13 20:43:17 2016768 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-02-13 20:43:15 2058368 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2011-02-13 20:40:56 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-02-13 20:40:56 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2011-02-13 19:14:10 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-02-13 19:12:29 -------- d-----w- c:\windows\system32\PreInstall
2011-02-13 16:58:19 -------- d-----w- C:\VundoFix Backups
2011-02-12 18:13:30 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-02-12 16:36:20 -------- d-----w- c:\windows\Temp1
2011-02-11 17:41:08 -------- d-----w- c:\docume~1\compaq~1\applic~1\SUPERAntiSpyware.com
2011-02-11 17:41:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-02-11 17:39:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-11 17:01:42 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-02-11 16:53:08 917504 ----a-w- c:\windows\system32\FLASH.OCX
2011-02-11 11:16:24 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-02-11 11:03:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-10 06:44:33 -------- d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
2011-02-10 06:44:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-10 06:44:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-10 06:44:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-10 06:44:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-09 01:27:04 -------- d-----w- c:\program files\PIXELA
2011-02-07 23:10:57 327904 ----a-w- c:\program files\mozilla firefox\plugins\np32asw.dll
2011-02-07 23:10:57 327904 ----a-w- c:\program files\mozilla firefox\components\np32asw.dll
2011-02-05 15:40:49 -------- d-----w- c:\docume~1\compaq~1\locals~1\applic~1\Temp
2011-02-05 07:22:32 912344 ----a-w- c:\program files\mozilla firefox\firefox.exe
2011-02-05 07:22:32 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2011-02-05 07:22:32 107480 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2011-01-30 15:45:12 135568 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-01-30 15:45:12 135568 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-01-26 18:37:53 -------- d-----w- c:\docume~1\compaq~1\applic~1\WinBatch
2011-01-26 05:23:34 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-01-26 05:23:34 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2011-01-26 05:22:44 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-01-26 05:22:44 9600 ----a-w- c:\windows\system32\dllcache\hidusb.sys

==================== Find3M ====================

2011-02-11 11:02:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-26 04:36:12 256 ----a-w- c:\windows\system32\pool.bin
2010-12-22 23:12:38 6656 ----a-w- c:\windows\system32\haspvdd.dll
2010-12-22 23:12:38 383 ----a-w- c:\windows\system32\haspdos.sys
2010-12-22 22:18:10 8192 ----a-w- c:\windows\system32\GTCGLMON.DLL
2010-12-01 08:20:40 146072 ------w- c:\windows\system32\ravext.dll
2010-12-01 08:15:32 239768 ------w- c:\windows\system32\bsmain.exe

============= FINISH: 16:43:02.87 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 5/29/2010 11:43:19 AM
System Uptime: 2/15/2011 2:34:41 PM (2 hours ago)

Motherboard: ASUSTek Computer INC. | | Amberine M
Processor: AMD Athlon(tm) 64 Processor 3500+ | Socket 939 | 2200/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 180 GiB total, 130.382 GiB free.
D: is FIXED (FAT32) - 6 GiB total, 1.188 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP280: 2/10/2011 12:31:04 PM - Printer Driver Microsoft Office Document Image Writer Installed
RP281: 2/11/2011 3:15:24 AM - Removed J2SE Runtime Environment 5.0
RP282: 2/11/2011 3:17:07 AM - Removed Java(TM) 6 Update 20
RP283: 2/11/2011 6:02:46 AM - Installed Java(TM) 6 Update 23
RP284: 2/11/2011 12:21:38 PM - Configured easy Internet sign-up
RP285: 2/12/2011 1:52:46 PM - System Checkpoint
RP286: 2/13/2011 12:14:24 PM - Software Distribution Service 3.0
RP287: 2/13/2011 2:10:11 PM - Software Distribution Service 3.0
RP288: 2/13/2011 4:34:37 PM - Software Distribution Service 3.0
RP289: 2/13/2011 5:16:01 PM - Installed Windows Internet Explorer 8.
RP290: 2/13/2011 5:16:50 PM - Software Distribution Service 3.0
RP291: 2/14/2011 12:05:20 AM - Software Distribution Service 3.0
RP292: 2/14/2011 12:38:26 AM - Installed Windows Internet Explorer 8.
RP293: 2/14/2011 12:39:18 AM - Software Distribution Service 3.0
RP294: 2/14/2011 12:44:21 AM - Software Distribution Service 3.0
RP295: 2/14/2011 12:28:44 PM - Software Distribution Service 3.0
RP296: 2/14/2011 2:23:06 PM - Software Distribution Service 3.0
RP297: 2/14/2011 7:32:36 PM - Installed Windows Internet Explorer 8.
RP298: 2/14/2011 7:33:41 PM - Software Distribution Service 3.0
RP299: 2/14/2011 9:47:37 PM - Installed Windows 7 Upgrade Advisor
RP300: 2/15/2011 2:40:24 AM - Software Distribution Service 3.0
RP301: 2/15/2011 3:48:20 AM - Removed Adobe Reader 7.0
RP302: 2/15/2011 3:48:42 AM - Installed Adobe Reader X (10.0.1).

==== Installed Programs ======================

7300
7300_Help
7300Trb
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader X (10.0.1)
AiO_Scan
AiOSoftware
Apple Application Support
Apple Software Update
ATI Control Panel
ATI Display Driver
Barnyard Invasion from Compaq (remove only)
Bejeweled 2 Deluxe from Compaq (remove only)
Big Kahuna Reef from Compaq (remove only)
Blackhawk Striker 2 from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
Blasterball 2 Holidays from Compaq (remove only)
Boggle Supreme from Compaq (remove only)
Bounce Symphony from Compaq (remove only)
BufferChm
Compaq Connections (remove only)
Compaq Game Console and games
Compaq Multimedia Keyboard Software
Compaq Organize
Compatibility Pack for the 2007 Office system
CorelDRAW Graphics Suite 12
Crystal Maze from Compaq (remove only)
Destinations
Digby's Donuts from Compaq (remove only)
Director
FATE Demo from Compaq (remove only)
Fax
Flip Words from Compaq (remove only)
Google Toolbar for Internet Explorer
HASP4 Device Drivers
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Boot Optimizer
HP Diagnostic Assistant
HP Image Zone 4.2
HP Photosmart Essential
HP PSC & OfficeJet 4.2
HP Software Update
HpSdpAppCoreApp
HPSystemDiagnostics
Insaniquarium Deluxe from Compaq (remove only)
InterVideo WinDVD Player
iTunes
Java Auto Updater
Java(TM) 6 Update 23
Jewel Quest from Compaq (remove only)
LightScribe 1.4.31.1
Mah Jong Quest from Compaq (remove only)
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Money 2005
Microsoft Office Professional Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Works
Motorola SM56 Speakerphone Modem
Mouse Suite
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
NetMos Multi-IO Controller
Office 2003 Tour
Overland
PC-Doctor 5 for Windows
Polar Bowler from Compaq (remove only)
Polar Golfer from Compaq (remove only)
ProductContext
PS2
Puzzle Express from Compaq (remove only)
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QFolder
Quicken 2005
QuickTime
Readme
RealPlayer
Remove WeatherBug Installer
Ricochet Lost Worlds from Compaq (remove only)
Rising Antivirus
Rising Personal Firewall
Rising Software Deployment System
Scan
SCRABBLE Blast from Compaq (remove only)
SCRABBLE from Compaq (remove only)
SCRABBLE Rack Attack from Compaq (remove only)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Shrek 2 Ogre Bowler from Compaq (remove only)
SignLab ES2 (C:\CADlink\SignLab ES2)
Slingo Deluxe from Compaq (remove only)
Slyder from Compaq (remove only)
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Super Granny from Compaq (remove only)
SUPERAntiSpyware
Swarm from Compaq (remove only)
Tradewinds from Compaq (remove only)
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebReg
Windows 7 Upgrade Advisor
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066

==== Event Viewer Messages From Past Week ========

2/14/2011 3:20:38 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service iPodService with arguments "-Service" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
2/13/2011 5:07:25 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
2/13/2011 11:56:58 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Lavasoft Ad-Aware Service service to connect.
2/13/2011 11:56:58 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/13/2011 11:56:53 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
2/13/2011 11:56:53 PM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
2/13/2011 11:56:53 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
2/13/2011 11:56:53 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
2/13/2011 11:56:53 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
2/13/2011 11:56:41 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
2/13/2011 11:56:41 PM, error: Service Control Manager [7031] - The Rsd Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
2/13/2011 11:56:41 PM, error: Service Control Manager [7031] - The RFW Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
2/13/2011 11:50:25 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer SHANNON-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{AACFE542-540F-410. The master browser is stopping or an election is being forced.
2/13/2011 11:43:25 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
2/12/2011 12:36:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2/12/2011 12:15:42 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips HookTdi IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
2/12/2011 12:15:42 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2/12/2011 12:15:42 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/12/2011 1:09:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/12/2011 1:07:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

==== End Of File ===========================
 
Just on general principle, I guess? I posted here originally because I have no idea if I have the dreaded n.exn trojan poised to steal my banking info at any moment, and I still don't know if it's gone...

That, and I am not sure if laying out the cash for win7 to install on an otherwise stable xp system is necessary... Things have been working smooth since I did the 8 steps, most notably after running the TFC cleaner, thanks for that! But I just wanted to make double sure nothing was out of the norm with my scans before I commit to formatting and installing, for posterity.

Thanks again.
Regards,
Marty
 
Comments:
1.
Started having the usual malware/trojan problems of severely slow system,
In order to have a 'severely slow system' caused by malware, you would have to have a 'severely infected system with malware.'
2.
I have heard of things hiding in your recycler folder and launching from there,
The Recycler Folder is a hidden system file. It is where the Recycle Bin sends deleted items. Malware in this folder will show up in the scans and directions for removal can be given.
3.
am experiencing HORRIBLY slow operation and crashes.
It is possible that neither of these has to do with malware.
4.
I am not sure if laying out the cash for win7 to install on an otherwise stable xp system is necessary.
Is there any reason why you can't do the reformat/reinstall with Windows XP?

If there is any doubt at all, especially if you use a system for banking purposes, the only sure way is to do the R/R. No one can guarantee that the system hasn't been compromised and additional personal information gotten or transmitted.

Please tell me how much RAM is installed > Click on Control Panel> System> Look on System Properties tab.

Are you aware that you are also running security from McAfee as well as Rising Software? This makes a system more vulnerable and also slows it down:
Uninstall:
McAfee Removal
 