TechSpot

Redirect and svchost.exe problems

By obobo
Aug 14, 2011
  1. I am running Avira, Malwarebytes, and Advanced SystemCare PRO on XP. All have detected and fixed many things; however, I am still redirecting and also have svchost.exe using 99% of my resources.
    I notice that in STEP1 you mention NOT to use one of the two free antivirus programs (listed below) and Avira is one of them.
    How should I proceed?
    Thank you in advance for your help!

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7458

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18372

    8/14/2011 12:23:37 PM
    mbam-log-2011-08-14 (12-23-37).txt

    Scan type: Quick scan
    Objects scanned: 346999
    Time elapsed: 16 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Let's get you started off right: Directions must be read carefully:

    What it says:
    It seems that no matter how clear we try to make this direction, members are still not reading it carefully:

    What it means
    It means that you should only have one antivirus program on the system. If you have one already, don't add another one!

    We added that line because members thought they were supposed to add one of the AV programs, whether they already had one or not. So we frequently started our help by telling them to remove one of the AV programs.

    What you should do
    If you did not have an AV program on the system and so installed Avira> leave it.
    Or if Avira is the AV program that has been running on the system> leave it.
    If you already had an AV such as AVG, McAfee, Norton, etc. and it is current and working> remove Avira.
    ===================================
    Do you understand?
    ==================================
    Please proceed with the rest of the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    =======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. obobo

    obobo TS Rookie Topic Starter Posts: 28

    I do understand

    Step1
    I have removed Advanced SystemCare PRO because it was a recent addition.
    So I now have Avira and Malwarebytes; both have been used and updated regularly.

    Step2
    Ran Malwarebytes. Log as follows:
    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7458

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18372

    8/14/2011 12:23:37 PM
    mbam-log-2011-08-14 (12-23-37).txt

    Scan type: Quick scan
    Objects scanned: 346999
    Time elapsed: 16 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Step 3
    Disabled internet connection
    Disabled Avira
    GMER log as follows:
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-14 16:12:31
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-75MSA3 rev.10.01E04
    Running: 2w3l70b8.exe; Driver: C:\DOCUME~1\BOBADV~1.AIA\LOCALS~1\Temp\kwpcypow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 897CF51B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 897CF51B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 897CF51B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 897CF51B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 897CF51B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 897CF51B

    ---- EOF - GMER 1.0.15 ----
     
  4. obobo

    obobo TS Rookie Topic Starter Posts: 28

    testing reply to thread failure

    0123456789
     
  5. obobo

    obobo TS Rookie Topic Starter Posts: 28

    Step 4

    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_13
    Run by Bob Advent at 16:22:17 on 2011-08-14
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.841 [GMT -4:00]
    .
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\system32\nvsvc32.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\iPod\bin\iPodService.exe
    svchost.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    .
     
  6. obobo

    obobo TS Rookie Topic Starter Posts: 28

    Step 4b

    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    mDefault_Page_URL =
    mDefault_Search_URL =
    mSearch Page =
    mStart Page =
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 10.0\acrobat\AdobeCollabSync.exe"
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Google Update] "c:\documents and settings\bob advent.aia-62ce443b0df\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    StartupFolder: c:\docume~1\bobadv~1.aia\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Per PM, give me details of the connectivity problem.

    Also, another reminder to read the directions. There are no instructions to do the following to run GMER:
    Maybe you had a problem with DDS because you were not connected!

    Also a reminder> Avast is outdated. I don't need a scan from Avast, but you should update it for the time it runs between the scans.
    ========================================
    When able, please repost the complete DDS.txt log and the 2nd log from DDS named Attach.txt.>> Please note: the word 'attach' is a name, not a direction. So follow the instruction to paste it in and do not zip it.
     
  8. obobo

    obobo TS Rookie Topic Starter Posts: 28

    I am connected. Pages come up fine until I hit 'submit reply' posting the logs.
    The page says no connectivity only for that operation, everything else is fine.
    So this morning I tried again and same thing. I did cut up the log file and it worked a couple of times as you can see. No connectivity seems like a crazy response for having too many characters. You have not heard of this before?

    I will try again now
     
  9. obobo

    obobo TS Rookie Topic Starter Posts: 28

    From scratch

    I updated Avira
    Re-ran Malwarebytes, also updated
    Ran GMER
    Ran dds.scr
    logs as follows:


    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7474

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18372

    8/15/2011 7:48:35 PM
    mbam-log-2011-08-15 (19-48-35).txt

    Scan type: Quick scan
    Objects scanned: 349599
    Time elapsed: 18 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\bob advent.aia-62ce443b0df\local settings\Temp\0.09496248407591135.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
     
  10. obobo

    obobo TS Rookie Topic Starter Posts: 28

    gmer

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-15 19:58:09
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-75MSA3 rev.10.01E04
    Running: 2w3l70b8.exe; Driver: C:\DOCUME~1\BOBADV~1.AIA\LOCALS~1\Temp\kwpcypow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8980551B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8980551B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8980551B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8980551B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8980551B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8980551B

    ---- EOF - GMER 1.0.15 ----
     
  11. obobo

    obobo TS Rookie Topic Starter Posts: 28

    dds

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_13
    Run by Bob Advent at 20:01:09 on 2011-08-15
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.795 [GMT -4:00]
    .
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\mshta.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\iPod\bin\iPodService.exe
    svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Documents and Settings\Bob Advent.AIA-62CE443B0DF\Desktop\2w3l70b8.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
     
  12. obobo

    obobo TS Rookie Topic Starter Posts: 28

    dds2

    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    mDefault_Page_URL =
    mDefault_Search_URL =
    mSearch Page =
    mStart Page =
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 10.0\acrobat\AdobeCollabSync.exe"
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Google Update] "c:\documents and settings\bob advent.aia-62ce443b0df\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    StartupFolder: c:\docume~1\bobadv~1.aia\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn311\wlancfg5.exe
    uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218071978937
    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
    TCP: Interfaces\{06160C32-4B76-47B8-9813-2535EBCCFD30} : DhcpNameServer = 192.168.1.254 192.168.1.254
    TCP: Interfaces\{521526A3-A489-47C1-8DCC-34B1155D925A} : DhcpNameServer = 192.168.1.254 192.168.1.254
    TCP: Interfaces\{65E5B941-654D-4A0B-8D33-E6837EC45C3B} : DhcpNameServer = 65.32.5.111 65.32.5.112
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
     
  13. obobo

    obobo TS Rookie Topic Starter Posts: 28

    dds3

    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\bob advent.aia-62ce443b0df\application data\mozilla\firefox\profiles\x6x6xulf.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\bob advent.aia-62ce443b0df\application data\move networks\plugins\npqmp071505000011.dll
    FF - plugin: c:\documents and settings\bob advent.aia-62ce443b0df\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-20 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-20 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-20 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-5-20 66616]
    R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-3-10 65536]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-27 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-27 136176]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-5-20 41272]
    .
    =============== File Associations ===============
    .
    exefile="c:\documents and settings\networkservice.nt authority.001\local settings\application data\ryj.exe" -a "%1" %*
    .
    =============== Created Last 30 ================
    .
    2011-08-13 23:57:52 595017 ----a-w- c:\windows\system32\0.10011759339062531.exe
    2011-08-13 23:56:45 79145 ----a-w- c:\windows\system32\0.6652486097998987.exe
    2011-08-12 03:39:25 -------- d-----w- c:\documents and settings\bob advent.aia-62ce443b0df\application data\IObit
    2011-08-12 03:39:21 -------- d-----w- c:\program files\IObit
    2011-08-11 17:09:36 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-08-11 17:09:36 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-08-11 15:45:01 0 ----a-w- c:\documents and settings\all users.windows\application data\mrmb.exe
    2011-08-11 15:45:00 0 ----a-w- c:\documents and settings\all users.windows\application data\wmqf.exe
    2011-08-11 15:45:00 0 ----a-w- c:\documents and settings\all users.windows\application data\smks.exe
    2011-08-11 15:45:00 0 ----a-w- c:\documents and settings\all users.windows\application data\doku.exe
    2011-08-10 15:41:28 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 15:39:38 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    2011-08-09 13:41:25 -------- d-----w- C:\SPEARSMFG
    2011-08-09 13:38:11 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
    2011-08-09 13:38:11 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
    2011-08-09 13:38:11 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
    2011-08-09 13:38:11 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
    2011-08-09 13:38:10 692224 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
    2011-08-09 13:38:09 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
    2011-08-09 13:38:09 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
    2011-08-04 13:36:53 -------- d-----w- c:\documents and settings\bob advent.aia-62ce443b0df\Turbo Squid Tentacles
    2011-08-04 04:27:04 -------- d-----w- c:\program files\Turbo Squid Tentacles
    2011-08-04 04:26:43 -------- d-----w- c:\program files\Microsoft WSE
    2011-08-04 04:20:28 -------- d-----w- c:\program files\Autodesk
    2011-08-04 03:57:06 -------- d-----w- c:\program files\3ds
    2011-07-31 23:34:13 -------- d-----w- c:\program files\common files\SolidWorks Shared
    2011-07-31 23:33:36 -------- d-----w- c:\program files\common files\eDrawings2011
    2011-07-28 21:09:51 -------- d-----w- c:\program files\Right Hemisphere
    2011-07-28 17:17:19 -------- d-----w- c:\documents and settings\bob advent.aia-62ce443b0df\application data\Right Hemisphere
    2011-07-28 17:17:19 -------- d-----w- c:\documents and settings\all users.windows\application data\Reprise
    2011-07-28 15:32:11 348256 ----a-w- c:\documents and settings\all users.windows\application data\microsoft\vstahost\coreldesigner\9.0\1033\ResourceCache.dll
    2011-07-28 14:49:27 -------- d-----w- c:\documents and settings\all users.windows\application data\Corel DESIGNER Technical Suite X5
     
  14. obobo

    obobo TS Rookie Topic Starter Posts: 28

    dds final

    ==================== Find3M ====================
    .
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 19:06:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-29 00:17:26 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-08 14:40:10 313168 ----a-w- c:\windows\system32\WPPFilt.dll
    2011-06-06 19:55:34 47512 ----a-w- c:\windows\system32\AdobePDF.dll
    2011-06-06 19:55:32 22936 ----a-w- c:\windows\system32\AdobePDFUI.dll
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    2004-03-30 05:04:00 49152 ----a-w- c:\program files\common files\tx11_gif.flt
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD800JD-75MSA3 rev.10.01E04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x898056D0]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8980b9d0]; MOV EAX, [0x8980ba4c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x89879AB8]
    3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000060[0x89867F18]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89863D98]
    \Driver\atapi[0x89860C78] -> IRP_MJ_CREATE -> 0x898056D0
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8980551B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 20:03:04.84 ===============
     
  15. obobo

    obobo TS Rookie Topic Starter Posts: 28

    attach

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/4/2008 8:02:34 PM
    System Uptime: 8/15/2011 7:49:46 PM (1 hours ago)
    .
    Motherboard: Dell Inc | | 0UW457
    Processor: AMD Sempron(tm) Processor 3400+ | Socket M2 | 1802/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 71 GiB total, 16.909 GiB free.
    D: is CDROM ()
    I: is CDROM ()
    J: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1110: 8/4/2011 12:20:14 AM - Installed DirectX
    RP1111: 8/4/2011 2:00:21 PM - Removed DraftSight.
    RP1112: 8/4/2011 2:05:17 PM - Removed Microsoft IntelliPoint 5.2
    RP1113: 8/4/2011 4:10:49 PM - Software Distribution Service 3.0
    RP1114: 8/9/2011 9:41:24 AM - Installed Spears® Product Price Schedule
    RP1115: 8/10/2011 12:02:59 PM - Software Distribution Service 3.0
    RP1116: 8/11/2011 12:47:08 PM - Restore Operation
    RP1117: 8/11/2011 1:08:44 PM - Restore Operation
    RP1118: 8/11/2011 2:16:08 PM - Software Distribution Service 3.0
    RP1119: 8/13/2011 7:34:25 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    7300
    7300_Help
    7300Trb
    Acrobat.com
    Adobe Acrobat X Pro - English, Français, Deutsch
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    AiO_Scan
    AiOSoftware
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Autodesk 3ds Max Design 2009 32-bit
    Autodesk 3ds Max Design 2009 32-bit Additional Maps and Material Libraries
    Autodesk 3ds Max Design 2009 32-bit Architectural Materials Library
    Autodesk 3ds Max Design 2009 32-bit Movies
    Autodesk 3ds Max Design 2009 32-bit ProMaterials™ Library
    Autodesk 3ds Max Design 2009 32-bit Vault 2008 Plug-In
    Autodesk 3ds Max Design 2009 32-bit Vault 2009 Plug-In
    Autodesk Backburner 2008.1
    Avira AntiVir Personal - Free Antivirus
    Bluerock Technologies Flight Studio 3ds Max Design 2009 32-bit
    Bonjour
    Broadcom 440x 10/100 Integrated Controller
    Broadcom Management Programs
    BufferChm
    CD-DVD Printer Application
    Copy
    Corel DESIGNER Technical Suite X5
    Corel DESIGNER Technical Suite X5 - EN
    Corel DESIGNER Technical Suite X5 - IPM
    Corel DESIGNER Technical Suite X5 - Setup Files
    Corel Graphics - Windows Shell Extension
    CorelDRAW Graphics Suite X5 - Capture
    CorelDRAW Graphics Suite X5 - Common
    CorelDRAW Graphics Suite X5 - Connect
    CorelDRAW Graphics Suite X5 - Custom Data
    CorelDRAW Graphics Suite X5 - Designer
    CorelDRAW Graphics Suite X5 - Draw
    CorelDRAW Graphics Suite X5 - EN
    CorelDRAW Graphics Suite X5 - Filters
    CorelDRAW Graphics Suite X5 - FontNav
    CorelDRAW Graphics Suite X5 - PHOTO-PAINT
    CorelDRAW Graphics Suite X5 - Photozoom Plugin
    CorelDRAW Graphics Suite X5 - Redist
    CorelDRAW Graphics Suite X5 - VBA
    CorelDRAW Graphics Suite X5 - VideoBrowser
    CorelDRAW Graphics Suite X5 - VSTA
    CorelDRAW Graphics Suite X5 - WT
    CreativeProjects
    CreativeProjectsTemplates
    Critical Update for Windows Media Player 11 (KB959772)
    CueTour
    Debugging Tools for Windows (x86)
    Deep Exploration 6 CE
    Destinations
    Director
    DocProc
    DocumentViewer
    E.M. Total Video Player 1.31
    eDrawings for SketchUp
    Fax
    FBX Plugin 2009.0 for Max 2009
    gBurner
    Google Chrome
    Google Earth
    Google SketchUp 8
    Google Update Helper
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Diagnostic Assistant
    HP Image Zone 4.7
    HP Image Zone Express
    HP PSC & OfficeJet 4.2
    HP Software Update
    HPSystemDiagnostics
    Image Resizer Powertoy for Windows XP
    InstantShare
    iTunes
    Java(TM) 6 Update 13
    Java(TM) 6 Update 7
    Magic ISO Maker v5.5 (build 0265)
    MagicDisc 2.7.106
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Media Player Codec Pack 3.2.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Small Business 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Outlook Personal Folders Backup
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual Studio Tools for Applications 2.0 - ENU
    Microsoft Visual Studio Tools for Applications 2.0 Runtime
    Microsoft WSE 3.0 Runtime
    MobileMe Control Panel
    Mozilla Firefox 5.0 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser
    NETGEAR WPN311 Wireless Adapter
    NVIDIA Drivers
    Overland
    PhotoGallery
    PrintScreen
    ProductContext
    QFolder
    QuickProjects
    QuickTime
    Readme
    Rosetta Stone Version 3
    Safari
    Scan
    ScannerCopy
     
  16. obobo

    obobo TS Rookie Topic Starter Posts: 28

    attach2

    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office 2007 System (KB2541012)
    Security Update for Microsoft Office Excel 2007 (KB2541007)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
     
  17. obobo

    obobo TS Rookie Topic Starter Posts: 28

    attach final

    Serif Premium Template Pack 1 for WebPlus
    Serif WebPlus X4
    Serif WebPlus X4 Resources
    SigmaTel Audio
    SkinsHP1
    System Requirements Lab
    TrayApp
    TuneUp Companion 1.8.0
    Turbo Squid Tentacles 3ds Max 2009 32-bit
    Unload
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Outlook 2007 (KB2509470)
    Update for Outlook 2007 Junk Email Filter (KB2586924)
    Update for Windows Internet Explorer 8 (KB961813)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Visual Basic for Applications (R) Core
    Visual Basic for Applications (R) Core - English
    Vuze
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8 Release Candidate 1
    Windows Live ID Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/14/2011 3:53:45 PM, error: Service Control Manager [7034] - The Advanced SystemCare Service service terminated unexpectedly. It has done this 1 time(s).
    8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Workstation service terminated unexpectedly. It has done this 1 time(s).
    8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s).
    8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Server service terminated unexpectedly. It has done this 1 time(s).
    8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 1 time(s).
    8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 1 time(s).
    8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The HID Input Service service terminated unexpectedly. It has done this 1 time(s).
    8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Fast User Switching Compatibility service terminated unexpectedly. It has done this 1 time(s).
    8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).
    8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s).
    8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Computer Browser service terminated unexpectedly. It has done this 1 time(s).
    8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s).
    8/13/2011 6:59:56 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Live ID Sign-in Assistant service to connect.
    8/13/2011 6:59:56 PM, error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/12/2011 9:44:40 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    8/12/2011 9:29:45 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
    8/12/2011 9:29:45 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 7 time(s).
    8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 7 time(s).
    8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 7 time(s).
    8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 7 time(s).
    8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 7 time(s).
    8/12/2011 4:42:47 PM, error: Service Control Manager [7031] - The Wireless Zero Configuration service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    8/12/2011 4:42:47 PM, error: Service Control Manager [7031] - The Windows Time service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    8/12/2011 4:42:47 PM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 7 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    8/12/2011 11:26:01 PM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 9 time(s).
    8/12/2011 11:26:01 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 9 time(s).
    8/12/2011 11:14:50 PM, error: Service Control Manager [7034] - The MS Software Shadow Copy Provider service terminated unexpectedly. It has done this 1 time(s).
    8/11/2011 3:19:45 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
    8/11/2011 3:19:45 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    8/11/2011 3:19:45 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/11/2011 11:43:00 PM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 2 time(s).
    8/11/2011 11:43:00 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 2 time(s).
    8/11/2011 11:43:00 PM, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    8/11/2011 1:05:10 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    .
    ==== End Of File ===========================
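The 7034 burst at 8/13/2011 9:18:42 PM is the interesting part of that Event Viewer section: eleven services terminate in the same second. A service crashing on its own produces one event; a whole set at once means the process hosting them died, and on XP those services (Workstation, Server, DHCP Client, Cryptographic Services, COM+ Event System and the rest) share one svchost.exe instance, which fits the svchost symptom in the first post. The parser below is an added example, not part of the thread or of any tool named in it; it groups Service Control Manager termination events (IDs 7031 and 7034) by timestamp and flags any second in which several services died together. The sample lines are copied from the log above.

```python
"""Cluster Service Control Manager termination events by timestamp.

Added example, not part of the thread. Several services terminating in
the same second is the signature of their shared host process (an
svchost.exe instance) crashing, rather than of each service failing on
its own. SAMPLE_LOG holds lines copied from the DDS log in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches 7031/7034 "terminated unexpectedly" lines; timeouts (7000/7009)
# and W32Time entries deliberately do not match.
SCM_TERMINATION = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), error: "
    r"Service Control Manager \[(?P<event_id>703[14])\] - "
    r"The (?P<service>.+?) service terminated unexpectedly\. "
    r"It has done this (?P<count>\d+) time\(s\)\."
)

SAMPLE_LOG = [
    "8/14/2011 3:53:45 PM, error: Service Control Manager [7034] - The Advanced SystemCare Service service terminated unexpectedly. It has done this 1 time(s).",
    "8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Workstation service terminated unexpectedly. It has done this 1 time(s).",
    "8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s).",
    "8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Server service terminated unexpectedly. It has done this 1 time(s).",
    "8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 1 time(s).",
    "8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).",
    "8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s).",
    "8/12/2011 9:29:45 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.",
    "8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 7 time(s).",
    "8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 7 time(s).",
    "8/12/2011 4:42:47 PM, error: Service Control Manager [7031] - The Wireless Zero Configuration service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.",
    "8/12/2011 4:42:47 PM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 7 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.",
    "8/11/2011 1:05:10 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'.",
]


def parse_terminations(lines):
    """Return (timestamp, service, event_id, count) for every 7031/7034 line."""
    events = []
    for line in lines:
        m = SCM_TERMINATION.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        events.append((ts, m["service"], int(m["event_id"]), int(m["count"])))
    return events


def cluster_by_second(events, min_services=3):
    """Group terminations that share one timestamp; keep groups of >= min_services.

    The threshold is a judgement call: two services can legitimately depend
    on each other, three or more dying in the same second almost always
    means the host process went down.
    """
    groups = defaultdict(list)
    for ts, service, _event_id, _count in events:
        groups[ts].append(service)
    return {ts: sorted(svcs) for ts, svcs in groups.items() if len(svcs) >= min_services}


def report(lines, min_services=3):
    """Human-readable summary, one line per suspicious second, oldest first."""
    clusters = cluster_by_second(parse_terminations(lines), min_services)
    out = []
    for ts in sorted(clusters):
        svcs = clusters[ts]
        out.append(f"{ts:%Y-%m-%d %H:%M:%S}: {len(svcs)} services terminated together "
                   f"-> likely one shared host process crashed: {', '.join(svcs)}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On a live XP box the same lines come out of `eventvwr.msc` (System log) or `cscript eventquery.vbs /L System /FI "ID eq 7034"`; once a cluster is found, `tasklist /svc` shows which svchost.exe instance hosts those services, which is the process to look at next.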
     
  18. obobo

    obobo TS Rookie Topic Starter Posts: 28

    let me know how I did

    I appreciate your help. I have been down for days.
    BOB
     
  19. obobo

    obobo TS Rookie Topic Starter Posts: 28

    Svchost

    The Malwarebytes update may have handled the svchost.exe issue. I can actually use the machine.
     
  20. obobo

    obobo TS Rookie Topic Starter Posts: 28

    revised

    that was a lie
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay Bob- I have 3 1-sentence emails from you. How about telling me what's going on.
     
  22. obobo

    obobo TS Rookie Topic Starter Posts: 28

    Seriously?

    I explained my connectivity situation followed by 9 pages of logs.
    That is prior to my "three 1-line messages" one of which was thanking you. Can you help?
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you're timing out while posting, please contact your ISP. "Too many characters" doesn't time you out. IF you are on some type of contract with your ISP for limited bandwidth use, that could explain it. But again, it's between you and the ISP.

    Looking at the logs you've posted, they are not exceeding the character limit for TechSpot. You do not have to put each log in a separate post. As long as you define the end of one log and the beginning of the next log, there is character space you are not using.

    If you are on a limited bandwidth, try doing as much as you can by using Work Offline in the browser File menu.
    ========================================
    You have used one post to tell me this:
    Then another to tell me this:
    Neither one of these posts gives me any information.
    ========================================
    Please run this: Bootkit Remover:

    Download bootkitremover.rar and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the remover.exe file to run the program.
      (Vista/7 users, right-click on remover.exe and click Run As Administrator.)
    3. You will see a black screen with data
    4. Right click on the screen and click Select All.
    5. Press CTRL+C
    6. Open a Notepad and press CTRL+V
    7. Paste the output in your next reply.
    =====================================
    Results should be one of the following:
    • OK (DOS/Win32 Boot code found)
      - MBR boot code is clean.
    • Unknown boot code
      - MBR boot code is modified. This practically corresponds to either
      an active bootkit infection, or a custom boot manager installed (such
      as GRUB).
    • Controlled by rootkit!
      - a bootkit with self-hiding capabilities is detected.
    ==============================================
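The three verdicts listed above come from two different checks: "OK" versus "Unknown boot code" is a question of whether sector 0 still holds Microsoft's stock boot code, while "Controlled by rootkit!" is detected by reading the sector through two different paths (the normal OS read and a read below the driver stack) and seeing them disagree. The script below is an added example, not eSage Lab's remover, and reproduces only the first distinction, which can be done offline: it parses a 512-byte MBR, checks the 0x55AA signature and the partition table, and classifies the boot code by the three error strings the stock Windows XP/Vista/7 MBR carries or by a caller-supplied allow-list of SHA-256 hashes. The two sample sectors are constructed for the example; `read_mbr` is included for use on a real disk but is not called.

```python
"""Classify a 512-byte MBR the way a bootkit checker reports it.

Added example, not eSage Lab's code. The sample sectors built below are
constructed; the three error strings are the ones found in the stock
Windows XP/Vista/7 MBR boot code. The "Controlled by rootkit!" verdict
needs a second, lower-level read of the sector to compare against and is
therefore not produced here.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511

# Strings embedded in Microsoft's stock MBR boot code: a cheap test for
# "DOS/Win32 boot code". A loader that replaces the code (TDL4-style)
# normally drops them, but a careful one could keep them, so an
# allow-list of SHA-256 hashes of known-good boot code is honoured too.
WINDOWS_MBR_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 through the OS (needs admin on Windows). A rootkit
    filtering disk I/O can lie here; that is why the real tool also reads
    the sector below the driver stack and compares the two views."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def classify_mbr(mbr, known_good_hashes=frozenset()):
    """Return verdict, boot-code hash, partitions and a list of findings."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    findings = []
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA signature")
    code = mbr[:BOOT_CODE_LEN]
    code_hash = hashlib.sha256(code).hexdigest()
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    looks_stock = all(s in code for s in WINDOWS_MBR_STRINGS)
    if code_hash in known_good_hashes or looks_stock:
        verdict = "OK (DOS/Win32 boot code found)"
    else:
        verdict = "Unknown boot code"
        findings.append("boot code lacks the standard Windows error strings")
    return {"verdict": verdict, "sha256": code_hash,
            "partitions": parts, "findings": findings}


def build_sample_mbr(stock=True):
    """Constructed sample: stock-looking boot code, or a replaced loader."""
    code = bytearray(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")  # xor ax,ax / mov ss,ax / mov sp,7c00h
    if stock:
        code += b"\x00".join(WINDOWS_MBR_STRINGS)
    else:
        code += b"\xe9\x20\x00" + b"\x90" * 32  # jmp over filler: stand-in for a bootkit loader
    code = bytes(code).ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\xde\xad\xbe\xef\x00\x00"        # disk signature + 2 reserved bytes
    # One active NTFS (0x07) partition starting at LBA 63, then three empty entries.
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 148_000_000)
    return code + disk_sig + part0 + b"\x00" * 48 + MBR_SIGNATURE


if __name__ == "__main__":
    for stock in (True, False):
        result = classify_mbr(build_sample_mbr(stock))
        print(result["verdict"], result["findings"], result["partitions"])
```

Against a real disk, `classify_mbr(read_mbr())` run from an elevated prompt gives the single-view verdict; if it says "OK" while `remover.exe` says "Controlled by rootkit!", that disagreement is itself the finding, because the rootkit is serving the clean sector to ordinary reads.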
     
  24. obobo

    obobo TS Rookie Topic Starter Posts: 28

    remover

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02738a00

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

    Code:
    
    @ECHO OFF
    REM Runs the eSage Lab remover against the disk it reported as "Controlled by rootkit!"
    REM (\\.\PhysicalDrive0 in the output above). remover.exe must sit in the same folder as this .bat.
    START remover.exe fix  \\.\PhysicalDrive0  
    EXIT
    
    
    • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    • In the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double-click on fix.bat to run.
      You may see a black box appear; this is normal.
    • When done, run remover.exe again and post its output.

     
Topic Status:
Not open for further replies.
