Everything posted by negster22

  1. Hello again,

     Disable Spybot's TeaTimer
     Start Spybot and select the Mode button and then select Advanced. Go to Tools --> Resident and UNcheck Resident "TeaTimer" (Protection of over-all system settings) Active. If TeaTimer gives you a warning afterward that some changes were made, allow this instead of blocking it. Make sure that the icon in the system tray is no longer there. If it is, just right click on it and select "Exit". You can re-enable TeaTimer when we are totally done with the cleanup. Leave TeaTimer OFF until we are totally done with the cleanup and turn it back on afterward by reversing the steps outlined above!!!

     Please backup your Registry using ERUNT: http://www.geekstogo.com/forum/Backing-Up-...NT-t208859.html

     --------

     You may not be able to run RootRepeal, but try to run this similar program and see what happens.

     First clean some clutter:
     Please download ATF Cleaner by Atribune.
     • Close Internet Explorer and any other open browsers.
     • Double-click ATF-Cleaner.exe to run the program.
     • Under Main choose: Select All
     • Click the Empty Selected button.
     If you use Firefox browser:
     • Click Firefox at the top and choose: Select All
     • Click the Empty Selected button.
     NOTE: If you would like to keep your saved passwords, please click No at the prompt.
     If you use Opera browser:
     • Click Opera at the top and choose: Select All
     • Click the Empty Selected button.
     NOTE: If you would like to keep your saved passwords, please click No at the prompt.
     Click Exit on the Main menu to close the program.
     Reboot.

     Next, download this Antirootkit Program, by choosing the "Download EXE" button, to a folder that you create such as C:\ARK\:

     Disable the active protection component of your antivirus by following the directions that apply here: http://www.bleepingcomputer.com/forums/topic114351.html
     For Nod32AV: double-click the green & white Nod32 system tray icon to open the Nod32 Control Panel. Click Setup -> Temporarily disable Antivirus and antispyware protection.

     ------------------

     Please perform a rootkit scan (quick method):
     • Double-click the randomly named EXE located in the C:\Ark folder that you just downloaded to run the program.
     • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
     • When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
     • Leave your system completely idle while this longer scan is in progress.
     • When the scan is done, save the scan log to the Windows clipboard.
     • Open Notepad or a similar text editor.
     • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
     • Exit the program.
     • Save the scan log and post it in your next reply.
     After I review that log, if everything looks as anticipated, we'll proceed to Part 2.

     ----------------------------------------------------------------------------------------------------------------------
     PART 2
     ----------------------------------------------------------------------------------------------------------------------

     Download The Avenger by Swandog46: http://swandog46.geekstogo.com/avenger2/download.php
     • Unzip/extract it to a folder on your desktop.
     • Double click on avenger.exe to launch Avenger. Click OK.
     • Make sure that the box next to "Scan for rootkits" is checked and that the box next to "Automatically disable any rootkits found" is not checked.
     • Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:

         Files to delete:
         c:\windows\system32\gaopdxirwxymqfjnbamapbwrqpxudrudiopxcv.dll
         c:\windows\system32\drivers\vnivpdribcccimiq.sys
         c:\windows\system32\8ee.tmp

         Drivers to delete:
         vnivpdribcccimiq

     • Click the Execute button. You will be prompted with "Are you sure you want to execute the current script?" Click "Yes".
     • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?" Click "Yes". Your PC will reboot.
     • After your PC has completed the necessary reboot, a log should automatically open. If the log does not automatically open, then it can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
     • Please post the Avenger log, along with a new HijackThis log, in your next reply.

     Enable viewing of hidden files and folders. To do that, follow these steps:
     • Close all programs so that you are at your desktop.
     • Double-click on the My Computer icon.
     • Select the Tools menu and click Folder Options.
     • After the new window appears select the View tab.
     • Put a checkmark in the checkbox labeled Display the contents of system folders.
     • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
     • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
     • Remove the checkmark from the checkbox labeled Hide protected operating system files.
     • Press the Apply button and then the OK button and exit My Computer.

     Upload the following files, one at a time, to the Virus Total Scanner by browsing to their folder locations. Virus Total Scanner will employ several scanners to test the file for its threat potential. Please post the results of the VirusTotal scans back here in your next reply, only if threats were detected:
     c:\windows\system32\winsetup64.exe
     c:\documents and settings\edwin\application data\IPBENG32.DAT
     c:\windows\system32\drivers\edwl.sys

     Launch Malwarebytes' Anti-Malware
     • Click the Update tab and the Check for Updates button. MBAM will automatically update.
     • Once the program launches, select Perform quick scan, then click Scan.
     • When the scan is complete, click OK -> Show Results to view the scan results.
     • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
     • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

     ____________
     NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     ____________

     Can I see the Avenger log, the VT threat reports, and the MBAM scan log please. Also, since I see you ran RootRepeal, can I see a hidden file scan log.
  2. You're welcome IMTech,

     One favor though, please copy and paste the logs into your reply. This way everyone can see them for learning purposes, and it makes it much easier for me so I don't have to download and open all of them.

     HJT:

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 09:45:26, on 9/04/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16791)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\SYSTEM32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\WINDOWS\system32\crypserv.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
     C:\WINDOWS\SYSTEM32\Ati2evxx.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Eset\nod32krn.exe
     C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
     C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
     C:\WINDOWS\system32\SearchIndexer.exe
     C:\WINDOWS\SOUNDMAN.EXE
     C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
     C:\Program Files\Eset\nod32kui.exe
     C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     C:\Documents and Settings\Edwin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
     C:\Program Files\LaCie\Ethernet Agent\LaCie Ethernet Agent.exe
     C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
     C:\Program Files\Windows Desktop Search\WindowsSearch.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\WINDOWS\system32\SearchProtocolHost.exe
     C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 164.58.28.250:80
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
     O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
     O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
     O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
     O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\jccatch.dll
     O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
     O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
     O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
     O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
     O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
     O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
     O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
     O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
     O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
     O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
     O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
     O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
     O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
     O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
     O4 - HKLM\..\Run: [WD Anywhere Backup] C:\Program Files\WD\WD Anywhere Backup\MemeoLauncher2.exe --silent
     O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Edwin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
     O4 - HKCU\..\Run: [LaCie Ethernet Agent Startup] "C:\Program Files\LaCie\Ethernet Agent\LaCie Ethernet Agent.exe"
     O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
     O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
     O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
     O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
     O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
     O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
     O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
     O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
     O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
     O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
     O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
     O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
     O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
     O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
     O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
     O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
     O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114267497999
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1119866910078
     O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
     O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
     O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
     O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
     O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
     O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
     O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Leica Microsystems Data Container V1 - Leica Microsystems - C:\Program Files\Leica\Data Container\Data Container V1\LMSDataContainerServer.exe
     O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
     O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
     O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
     O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
     O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
     O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

     --
     End of file - 13372 bytes

     DDS:

     DDS (Ver_09-03-16.01) - NTFSx86
     Run by Edwin at 9:42:48.00 on Thu 09/04/2009
     Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.317 [GMT 10:00]

     AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
     FW: Norton Internet Worm Protection *disabled*

     ============== Running Processes ===============

     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe
     svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\WINDOWS\system32\crypserv.exe
     C:\WINDOWS\System32\svchost.exe -k HTTPFilter
     C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
     C:\WINDOWS\SYSTEM32\Ati2evxx.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Eset\nod32krn.exe
     C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
     C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
     C:\WINDOWS\System32\svchost.exe -k imgsvc
     C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
     C:\WINDOWS\system32\SearchIndexer.exe
     C:\WINDOWS\SOUNDMAN.EXE
     C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
     C:\Program Files\Eset\nod32kui.exe
     C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     C:\Documents and Settings\Edwin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
     C:\Program Files\LaCie\Ethernet Agent\LaCie Ethernet Agent.exe
     C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
     C:\Program Files\Windows Desktop Search\WindowsSearch.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\WINDOWS\system32\SearchProtocolHost.exe
     C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Documents and Settings\Edwin\Desktop\dds.scr

     ============== Pseudo HJT Report ===============

     uInternet Settings,ProxyOverride = *.local
     uInternet Settings,ProxyServer = 164.58.28.250:80
     BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
     BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
     BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
     BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
     BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
     BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
     BHO: IeCatch2 Class: {a5366673-e8ca-11d3-9cd9-0090271d075b} - c:\program files\flashget\jccatch.dll
     BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
     BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
     BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
     BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
     TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
     TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
     TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
     TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
     TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
     TB: {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - No File
     TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
     EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
     EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
     uRun: [Google Update] "c:\documents and settings\edwin\local settings\application data\google\update\GoogleUpdate.exe" /c
     uRun: [LaCie Ethernet Agent Startup] "c:\program files\lacie\ethernet agent\LaCie Ethernet Agent.exe"
     uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
     mRun: [soundMan] SOUNDMAN.EXE
     mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
     mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
     mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
     mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
     mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
     mRun: [WD Anywhere Backup] c:\program files\wd\wd anywhere backup\MemeoLauncher2.exe --silent
     mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
     mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
     dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
     IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
     IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
     IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
     IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
     IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
     IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
     IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
     IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
     IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\flashget.exe
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
     IE: {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - c:\windows\system32\mscoree.DLL
     IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
     IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
     IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
     IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
     LSP: c:\windows\system32\imon.dll
     DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
     DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
     DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
     DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
     DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114267497999
     DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1119866910078
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
     DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
     DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
     DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
     DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
     DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
     DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
     DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
     Notify: AtiExtEvent - Ati2evxx.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
     SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

     ================= FIREFOX ===================

     FF - ProfilePath - c:\docume~1\edwin\applic~1\mozilla\firefox\profiles\l1npq8nx.default\
     FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
     FF - prefs.js: browser.search.selectedEngine - Google.co.uk
     FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/ig?hl=en
     FF - component: c:\documents and settings\edwin\application data\mozilla\firefox\profiles\l1npq8nx.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
     FF - plugin: c:\documents and settings\edwin\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll

     ---- FIREFOX POLICIES ----
     FF - user.js: network.proxy.type - 0
     FF - user.js: network.proxy.http - user_pref(network.proxy.http_port,);
     FF - user.js: network.proxy.no_proxies_on -

     ============= SERVICES / DRIVERS ===============

     R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-4-8 15424]
     R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-4-7 179856]
     R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2009-3-5 25824]
     R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2006-5-1 552064]
     R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-1-30 106496]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-4-7 15504]
     S2 BT848;Conexant WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2004-2-13 75861]
     S2 tv2ktunr;Conexant WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2004-2-6 33959]
     S2 Tv2kXbar;Conexant WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [2004-2-6 10005]
     S3 ARDRIVER;ARDRIVER;\??\c:\windows\system32\drivers\ardriver.sys --> c:\windows\system32\drivers\ARDRIVER.SYS [?]
     S3 edwl;edwl;c:\windows\system32\drivers\edwl.sys [2009-4-7 30720]
     S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\8ee.tmp --> c:\windows\system32\8EE.tmp [?]
     S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2005-10-26 31872]
     S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

     =============== Created Last 30 ================

     2009-04-08 21:13 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
     2009-04-08 19:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
     2009-04-08 19:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
     2009-04-08 18:55 <DIR> --d----- c:\program files\Sophos
     2009-04-08 18:49 <DIR> --d----- C:\stdtsa
     2009-04-07 22:23 30,720 a------- c:\windows\system32\drivers\edwl.sys
     2009-04-07 22:21 446,464 a------- C:\RootRepeal.exe
     2009-04-07 22:08 <DIR> --d----- c:\program files\Trend Micro
     2009-04-07 19:34 <DIR> --d----- c:\docume~1\edwin\applic~1\Malwarebytes
     2009-04-07 09:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
     2009-04-07 09:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-04-07 09:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
     2009-04-07 09:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
     2009-04-07 09:05 83,968 a------- c:\windows\system32\drivers\vnivpdribcccimiq.sys
     2009-04-07 08:47 <DIR> --d----- c:\docume~1\edwin\applic~1\URSoft
     2009-04-07 08:47 <DIR> --d----- c:\program files\Your Uninstaller 2008
     2009-04-06 08:24 131,072 a------- c:\windows\system32\winsetup64.exe
     2009-04-06 08:19 2,906,216 a------- c:\docume~1\edwin\applic~1\mbam-setup.exe
     2009-04-01 07:57 13,824 a------- c:\windows\system32\gaopdxirwxymqfjnbamapbwrqpxudrudiopxcv.dll

     ==================== Find3M ====================

     2009-04-08 21:13 512,096 a------- c:\windows\system32\drivers\amon.sys
     2009-04-08 21:13 298,104 a------- c:\windows\system32\imon.dll
     2009-04-08 19:44 2,558 a------- c:\windows\system32\tmp.reg
     2009-02-09 21:13 1,846,784 a------- c:\windows\system32\win32k.sys
     2008-04-13 20:42 2,353 a------- c:\docume~1\edwin\applic~1\IPBENG32.DAT
     2008-09-14 21:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

     ============= FINISH: 9:43:35.98 ===============

     EXTRA:

     UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT

     DDS (Ver_09-03-16.01)

     Microsoft Windows XP Professional
     Boot Device: \Device\HarddiskVolume1
     Install Date: 24/04/2005 12:40:55 AM
     System Uptime: 4/09/2009 9:40:07 AM (-3552 hours ago)

     Motherboard: AOpen | | EZ65
     Processor: Intel® Pentium® 4 CPU 2.80GHz | Socket 478 | 2793/200mhz

     ==== Disk Partitions =========================

     C: is FIXED (NTFS) - 49 GiB total, 12.134 GiB free.
     D: is FIXED (NTFS) - 98 GiB total, 3.986 GiB free.
     E: is FIXED (NTFS) - 42 GiB total, 4.115 GiB free.
     F: is FIXED (NTFS) - 44 GiB total, 18.869 GiB free.
     G: is CDROM ()
     H: is CDROM ()
     I: is CDROM ()
     J: is Removable
     K: is Removable
     L: is Removable
     M: is Removable
     U: is NetworkDisk (NTFS) - 465 GiB total, 137.689 GiB free.
     W: is NetworkDisk (NTFS) - 465 GiB total, 137.689 GiB free.
     X: is NetworkDisk (NTFS) - 465 GiB total, 137.689 GiB free.
     Y: is NetworkDisk (NTFS) - 465 GiB total, 137.689 GiB free.
     Z: is NetworkDisk (NTFS) - 465 GiB total, 137.689 GiB free.
==== Disabled Device Manager Items ============= ==== System Restore Points =================== RP952: 5/02/2009 9:20:18 AM - System Checkpoint RP953: 9/02/2009 9:03:46 AM - System Checkpoint RP954: 11/02/2009 10:08:18 AM - System Checkpoint RP955: 11/02/2009 10:22:05 AM - Software Distribution Service 3.0 RP956: 12/02/2009 7:50:36 PM - System Checkpoint RP957: 16/02/2009 11:59:08 AM - System Checkpoint RP958: 19/02/2009 11:08:31 AM - System Checkpoint RP959: 21/02/2009 10:25:13 AM - System Checkpoint RP960: 25/02/2009 8:49:36 AM - System Checkpoint RP961: 25/02/2009 9:10:29 AM - Software Distribution Service 3.0 RP962: 26/02/2009 9:35:53 AM - System Checkpoint RP963: 28/02/2009 5:54:56 AM - Software Distribution Service 3.0 RP964: 2/03/2009 9:57:24 AM - System Checkpoint RP965: 4/03/2009 8:18:45 AM - System Checkpoint RP966: 8/03/2009 8:25:08 PM - System Checkpoint RP967: 9/03/2009 9:52:08 PM - System Checkpoint RP968: 12/03/2009 8:06:28 AM - Software Distribution Service 3.0 RP969: 14/03/2009 4:20:48 PM - System Checkpoint RP970: 14/03/2009 6:56:08 PM - Software Distribution Service 3.0 RP971: 15/03/2009 10:46:37 PM - System Checkpoint RP972: 18/03/2009 8:10:59 AM - System Checkpoint RP973: 19/03/2009 8:39:06 AM - System Checkpoint RP974: 21/03/2009 2:51:22 PM - System Checkpoint RP975: 22/03/2009 3:34:35 PM - System Checkpoint RP976: 25/03/2009 9:34:27 AM - Software Distribution Service 3.0 RP977: 27/03/2009 11:03:50 AM - System Checkpoint RP978: 28/03/2009 7:50:53 PM - System Checkpoint RP979: 30/03/2009 10:08:57 AM - System Checkpoint RP980: 31/03/2009 11:03:04 AM - System Checkpoint RP981: 8/04/2009 5:47:15 PM - System Checkpoint RP982: 8/04/2009 6:51:50 PM - Installed Sophos Anti-Virus RP983: 8/04/2009 7:34:31 PM - Installed Sophos Anti-Virus ==== Installed Programs ======================
  3. Hi kcartwri,

    Let's try this tool to see if you have an infected DLL being loaded by netsvcs.

    Download, unzip and launch the Process Explorer program and look for the svchost process with PID = 1428. If you have rebooted, that PID will have changed, but you can identify the correct svchost by placing your cursor over each running svchost instance and examining the services listed in the "tool tip" to identify what services are loaded by that particular svchost. The one which has "Background Intelligent Transfer Service" and "Windows Update" listed among the services loaded is the correct one.

    On the Menu, click Options and check "Verify Image Signatures". Then on the Menu again, click View ==> Refresh Now, and the screen will update.

    On the toolbar, make sure the fifth icon from the right is a gear symbol (Lower Pane - DLL view). If it isn't, click it once (toggle it) so the gear icon is displayed.

    In the upper pane Process tree listing, click the process you identified as the correct svchost, and the lower pane will update to reflect signature data for all DLLs loaded by that svchost.exe instance.

    Click File => Save and save the log.

    Post the Process Explorer log in your next reply.

    Note: Process Explorer creates a "CPU History" system tray icon which gauges CPU activity at a glance. It is a black square in which red/green colors represent process activity. When your CPU is maxed out, only green and red appear in the square and there is no black background. When that happens, you can immediately see what process is the offending one by hovering your cursor over the Process Explorer system tray icon. You will see two figures: the total % CPU consumption, and the % CPU cycles being consumed by the "greediest" process (it will identify that process by name). When your system slows down, you can immediately glance at the system tray to verify that and identify which process is a resource hog.

    =======================================================================

    Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from:

    BestTechie.net http://www.besttechie.net/tools/mbam-setup.exe
    or MajorGeeks.com: http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

    Double-click mbam-setup.exe and follow the prompts to install the program.
    At the end of the install, place a checkmark next to the following two options:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    Click Finish.
    MBAM will automatically update, if the above options are checked.
    Once the program launches, select Perform quick scan, then click Scan.
    When the scan is complete, click OK -> Show Results to view the scan results.
    Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
    When the scan is done, a log will open in Notepad with the scan results.
    Please post the results in your next reply.
    ____________
    NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
    ____________

    Download DDS and save it to your desktop from here or here

    Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dss.scr to run the tool.
    When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
    • Save both reports to your desktop
    • Please copy and paste both logs into your next reply - Do NOT attach them

    ===============================================================

    Please post the Process Explorer log, the MBAM log, the DDS scan reports, and a new HJT log.
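The svchost check in the post above (find the instance hosting BITS and Windows Update, then look at the signature of every DLL it has loaded) can be scripted for a defender who wants the same answer without clicking through Process Explorer. This is an added example, not the post's own procedure and not Process Explorer code; it assumes Windows PowerShell 5.1 or later on a current Windows build, an elevated prompt (svchost runs as SYSTEM or a service account), the service names BITS and wuauserv, and the function names Get-SvchostHosting and Test-LoadedModuleSignature are my own.

```powershell
# Added example: locate the svchost.exe that hosts a given set of services (by default
# BITS and Windows Update, the pair the post uses to pick out the netsvcs host) and
# verify the Authenticode signature of every module loaded into it. Assumes Windows
# PowerShell 5.1+ and an elevated prompt; function names are my own.

function Get-SvchostHosting {
    param([string[]]$ServiceNames = @('BITS', 'wuauserv'))

    # Group running services by the PID of the process that hosts them.
    $groups = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId

    foreach ($g in $groups) {
        $hosted  = @($g.Group | ForEach-Object { $_.Name })
        $missing = $ServiceNames | Where-Object { $hosted -notcontains $_ }
        if (-not $missing) {
            [pscustomobject]@{
                ProcessId = [int]$g.Name      # Group-Object puts the PID in .Name
                Services  = $hosted
            }
        }
    }
}

function Test-LoadedModuleSignature {
    param([Parameter(Mandatory = $true)][int]$ProcessId)

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    foreach ($m in $proc.Modules) {
        # Get-AuthenticodeSignature also checks catalog signatures on PS 5.1+,
        # which is how most OS DLLs under system32 are signed.
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        [pscustomobject]@{
            ProcessId = $ProcessId
            Module    = $m.FileName
            Status    = $sig.Status       # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Usage: report every module in the BITS/Windows Update host whose signature is not Valid.
foreach ($svc in Get-SvchostHosting) {
    Test-LoadedModuleSignature -ProcessId $svc.ProcessId |
        Where-Object { $_.Status -ne 'Valid' } |
        Format-Table ProcessId, Status, Module -AutoSize
}
```

Two caveats when reading the output. Since Windows 10 version 1703, machines with more than 3.5 GB of RAM run most services in their own svchost instance, so BITS and wuauserv may no longer share a host and the default filter returns nothing; pass `-ServiceNames wuauserv` to check one service at a time. And a `NotSigned` result on a module under system32 is a lead rather than a verdict (older PowerShell versions do not check catalog signatures), whereas `HashMismatch` on any loaded module means the file on disk no longer matches what was signed and should be compared against a known-good copy.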
  4. Hi Kerryb,

    If you followed the tutorial here, it instructs you to use RootRepeal's "Wipe File" function on the rootkit driver noted here:

    C:\WINDOWS\SYSTEM32\DRIVERS\gxvxcnbowpdvjnswqvnriltlwbqkkusexvimp.sys

    If you did not do that, please relaunch RootRepeal. Select the file tab, then hit the Scan button, and when the hidden file list appears, locate the above file. Just highlight the following file in the scan results, then right-click it and select "Wipe File" from the context menu.

    C:\WINDOWS\SYSTEM32\DRIVERS\gxvxcnbowpdvjnswqvnriltlwbqkkusexvimp.sys

    Next, immediately reboot.

    Rescan with RootRepeal and post the log.

    Rescan with MBAM after updating, and then post a new MBAM log.
  5. Yes, that is a serious backdoor trojan threat and I would recommend changing passwords from a clean computer.

    FYI: http://www.greatis.com/appdata/d/s/securentm.sys.htm

    The version of MBAM you are running is old.

    Please rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\stuff.exe"

    Then relaunch MBAM by navigating to the C:\Program Files\Malwarebytes' Anti-Malware\ folder using Windows Explorer and double-clicking stuff.exe.

    Once the program launches, click the "Update" tab and allow the new database to download.

    Next, select the Scanner tab, check "Perform quick scan", then click Scan.
    When the scan is complete, click OK -> Show Results to view the scan results.
    Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
    When the scan is done, a log will open in Notepad with the scan results.
    Please post the results in your next reply.

    NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    ______________________________________________________________

    Please download Combofix from one of these locations:

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    I want you to rename Combofix.exe as you download it to a name of your choice, such as lingo.exe.

    Notes:
    It is very important that you save the newly renamed EXE file to your desktop.
    You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
    • For Internet Explorer: Choose to save, not open the file
    When prompted, save the file to your desktop, and rename it anything with an .exe extension on the end.

    Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
    http://www.bleepingcomputer.com/forums/topic114351.html

    Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

    Running Combofix

    In the event you already have Combofix, please delete it as this is a new version.
    Close any open browsers.
    Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    1. Double click on the renamed combofix.exe & follow the prompts.
    2. When finished, it will produce a logfile located at C:\ComboFix.txt. If you renamed combofix, the TXT file may also be renamed in the same way (let me know).
    3. Post the contents of that log in your next reply with a new hijackthis log.
    Note: Do not mouse-click combofix's window while it is running. That may cause your system to stall/hang.

    Please post new logs for:
    1. MBAM (accessed by opening the "Logs" tab within MBAM)
    2. Combofix (C:\ComboFix.txt)
    3. HJT
  6. Hi and sorry to hear of your difficulties.

    Please download ATF Cleaner by Atribune
    Close Internet Explorer and any other open browsers
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    Launch HijackThis (HJT) by double-clicking the desktop shortcut and choose the Scan Only option. Close all programs except HJT and all browser windows, then check the following items for removal and click on "Fix Checked":

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    Close HJT and reboot into safe mode.

    To use a Safe Boot option, follow these steps:
    1. Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
    2. Select the "Safe Mode with Networking" option when the Windows Advanced Options menu appears, and then press ENTER.

    While in safe mode, please relaunch the renamed Malwarebytes' Anti-Malware (MBAM) executable using the name you gave it.
    Select the Update tab
    Select Perform quick scan, then click Scan.
    When the scan is complete, click OK -> Show Results to view the scan results.
    Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
    When the scan is done, a log will open in Notepad with the scan results.
    Please post the results in your next reply.

    NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
    ____________________________________________________________________

    Download DDS and save it to your desktop from here or here

    Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dss.scr to run the tool.
    When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
    • Save both reports to your desktop
    • Please copy and paste both logs into your next reply.

    Please, I need to see the DDS, new MBAM, and a new HJT log.
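The O2 line the post asks HijackThis to fix is a Browser Helper Object whose CLSID is still registered under the BHO key but whose DLL no longer exists, which is what HJT prints as "(no file)". The following added example (not from the post, and not HijackThis code) enumerates the standard BHO registration keys, resolves each CLSID to its InprocServer32 path, and flags the ones whose file is missing, so orphaned entries like that one stand out. It only reads the registry and removes nothing; it assumes Windows PowerShell 3.0 or later, and the function name Get-BrowserHelperObject and the Orphaned field are my own.

```powershell
# Added example: audit registered Browser Helper Objects (BHOs) and flag orphaned ones,
# i.e. a CLSID listed as a BHO whose InprocServer32 DLL is absent from disk.
# Read-only. Assumes Windows PowerShell 3.0+; function name is my own.

function Get-BrowserHelperObject {
    # Standard BHO registration keys (64-bit view and the 32-bit Wow6432Node view).
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    # Where a CLSID is resolved to its in-process server DLL.
    $clsidRoots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID'
    )

    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $clsid  = $sub.PSChildName        # e.g. {02478D38-C3F9-4efb-9B51-7695ECA05670}
            $server = $null
            foreach ($root in $clsidRoots) {
                $inproc = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path -LiteralPath $inproc) {
                    $server = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                    if ($server) { break }
                }
            }
            # The default value may be quoted or use %SystemRoot%-style variables.
            $dll = if ($server) { [Environment]::ExpandEnvironmentVariables($server.Trim('"')) } else { $null }
            [pscustomobject]@{
                Clsid    = $clsid
                Source   = $key
                Dll      = $dll
                # -or short-circuits, so Test-Path is not called with an empty path.
                Orphaned = [bool]((-not $dll) -or (-not (Test-Path -LiteralPath $dll)))
            }
        }
    }
}

# Usage: show only the entries HijackThis would report as "(no file)".
Get-BrowserHelperObject | Where-Object { $_.Orphaned } | Format-Table Clsid, Dll -AutoSize
```

An orphaned BHO is harmless by itself (Internet Explorer cannot load a DLL that is not there), but it is the residue left after a removal, and the registration should be deleted by the cleanup tool in use so it does not reappear in later scans. Entries that do resolve to a file are the ones worth examining further, for instance with the signature check from the Process Explorer discussion above.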
  7. Please read this post and comply with the directions:
    http://www.malwarebytes.org/forums/index.php?showtopic=9573

    We need to see MBAM and HJT logs. Rerun MBAM again and update it before posting a log. The scan needs to be current because new definition updates are added several times a day.

    Thank you!
  8. Please read this topic and post both an MBAM log and a HJT log:
    http://www.malwarebytes.org/forums/index.php?showtopic=9573

    I believe this file may be legit: http://crs.tallemu.com/oasis2/file/symante...si148_tmp/91996
  9. Congrats!

    It's great to see everything worked out for you!