Jump to content

ping.exe taking up my CPU

Recommended Posts

Hello, I'm new to the forum, but found everyone to be pretty knowledgeable.

I got infected by XP Security 2012, and pretty quickly removed it. But like others on this board, ping.exe keeps taking up most of my CPU, as well as occasional redirects in firefox. Like others have said, when I terminate it, it comes back with a little chime, and starts all over again.

I downloaded Avast free, and it found a few things, which I removed, did a 2nd scan which came back clean. I thought I was in the clear, but hours later ping.exe became a problem again. I would've just followed instructions found in other threads, but warnings how combofix shouldn't be used by just anyone made me nervous. Could anyone here be kind enough to help out? Thanks everyone.

Link to post
Share on other sites

Thanks, you responded so quick I didn't have time to edit my post and say I'd post the log as soon as I got home. Thanks in advance.

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.

Link to post
Share on other sites

Malwarebytes' Anti-Malware


Database version: 8323

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/6/2011 4:38:11 PM

mbam-log-2011-12-06 (16-38-01).txt

Scan type: Quick scan

Objects scanned: 178813

Time elapsed: 17 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\sqlcsw32.dll (Trojan.Dropper) -> No action taken.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Mark\Local Settings\Application Data\gjm.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Mark\Local Settings\Application Data\gjm.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Mark\Local Settings\Application Data\gjm.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\sqlcsw32.dll (Trojan.Dropper) -> No action taken.

c:\WINDOWS\system32\drivers\cdrom.sys (Rootkit.0Access) -> No action taken.

c:\documents and settings\Mark\local settings\Temp\rld-rx8kg\m8x-keygen.exe (Trojan.Downloader) -> No action taken.

c:\documents and settings\Mark\local settings\Temp\0.20474795906939514.exe (Exploit.Drop.2) -> No action taken.

c:\documents and settings\Mark\local settings\Temp\0.08285063980817342gtye.exe (Exploit.Drop.4) -> No action taken.

Link to post
Share on other sites


DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24

Run by Mark at 16:41:50 on 2011-12-06

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.157 [GMT -5:00]


AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall Plus *Enabled*


============== Running Processes ===============


C:\WINDOWS\system32\svchost -k DcomLaunch


C:\WINDOWS\System32\svchost.exe -k netsvcs



C:\Program Files\AVAST Software\Avast\AvastSvc.exe





C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\McAfee.com\VSO\oasclnt.exe



C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

C:\Program Files\McAfee.com\VSO\mcvsshld.exe



C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe


C:\Program Files\Microsoft LifeChat\LifeChat.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe


C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Plaxo\\PlaxoHelper.exe

C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe


C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\EarthLink TotalAccess\TaskPanl.exe

c:\program files\mcafee.com\agent\mcdetect.exe





C:\WINDOWS\System32\svchost.exe -k Sqlses

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe


C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe


c:\program files\mcafee.com\shared\mghtml.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe


C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe



============== Pseudo HJT Report ===============


uSearch Bar = hxxp://start.earthlink.net/AL/Search

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uStart Page = hxxp://mail.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

uURLSearchHooks: SrchHook Class: {44f9b173-041c-4825-a9b9-d914bd9dcbb3} - c:\program files\earthlink totalaccess\elnIE.dll

uURLSearchHooks: H - No File

uURLSearchHooks: H - No File

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn3\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: ElnkScamBHO Class: {15f4d456-5baa-4076-8486-eecb38cd3e57} - c:\program files\earthlink totalaccess\toolbar\EScamBlk.dll

BHO: ElnkPubBHO Class: {512acf1b-64d9-4928-b382-a80556f28db4} - c:\program files\earthlink totalaccess\toolbar\ElnkPuB.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: IE_PopupBlocker Class: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\program files\earthlink totalaccess\accelerator\prpl_IePopupBlocker.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: ElnkProtectionBHO Class: {9579d574-d4d8-4335-9560-fe8641a013bd} - c:\program files\earthlink totalaccess\toolbar\ProtctIE.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: ElnkLegacyUninstBHO Class: {e713904c-df05-4c79-bbad-02db923253be} - c:\program files\earthlink totalaccess\toolbar\uninsttb.dll

TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn3\yt.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

TB: EarthLink Toolbar: {c7768536-96f8-4001-b1a2-90ee21279187} - c:\program files\earthlink totalaccess\toolbar\Toolbar.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File

uRun: [spySweeper]

uRun: [PlaxoUpdate] c:\program files\plaxo\\PlaxoHelper.exe -a

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\mark\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [E6TaskPanel] "c:\program files\earthlink totalaccess\TaskPanl.exe" -winstart

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe

mRun: [intelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe

mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe

mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe

mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe

mRun: [EPSON Stylus C62 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"

mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall

mRun: [iPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe

mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe

mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide

mRun: [LifeChat] "c:\program files\microsoft lifechat\LifeChat.exe"

mRun: [brStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [Logitech Mouse Driver] ldvhost.exe

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mRunServices: [Logitech Mouse Driver] ldvhost.exe

StartupFolder: c:\docume~1\mark\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\quickcam\eReg.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

LSP: mswsock.dll

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

TCP: DhcpNameServer =

TCP: Interfaces\{A815920C-92F4-4D13-939E-1379ECE52078} : DhcpNameServer =

Notify: igfxcui - igfxdev.dll

Notify: KERNEL32.DLL - sqlesw32.dll

Notify: sqlesw32 - sqlesw32.dll

Notify: Sqlseses - sqlesw32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll


================= FIREFOX ===================


FF - ProfilePath - c:\documents and settings\mark\application data\mozilla\firefox\profiles\g68m1ak3.default\

FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20101202112413703&tb_oid=16-11-2008&tb_mrud=02-12-2010

FF - prefs.js: browser.search.selectedEngine - AOL Search

FF - prefs.js: browser.startup.homepage - hxxp://www.tfw2005.com

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=20101202112413703&tb_oid=16-11-2008&tb_mrud=02-12-2010&query=

FF - component: c:\documents and settings\mark\application data\mozilla\firefox\profiles\g68m1ak3.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll

FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\documents and settings\mark\application data\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\documents and settings\mark\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\mark\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\mark\local settings\application data\google\update\\npGoogleUpdate3.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.50524.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll




FF - user.js: browser.sessionstore.resume_from_crash - false

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.homepage.dontask, true

============= SERVICES / DRIVERS ===============


R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-4 435032]

R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2006-2-25 80640]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-4 20568]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-12-4 44768]

R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\earthlink totalaccess\wengine\wmonitor.exe [2005-1-26 65604]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-6 366152]

R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-2-25 126976]

R2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2006-2-25 221184]

R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-2-25 122368]

R2 SqlCSS;SQL Server EXPRESS;c:\windows\system32\svchost.exe -k Sqlses [2004-8-10 14336]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-3-10 24652]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-6 22216]

R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-2-25 114464]

S3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2010-12-4 245760]

S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-1 17536]

S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2006-2-25 245760]

S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2008-11-28 42512]


=============== Created Last 30 ================


2011-12-06 21:11:02 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-12-06 21:10:23 -------- d-----w- c:\documents and settings\mark\application data\Malwarebytes

2011-12-06 21:10:01 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-12-06 21:09:53 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-06 21:09:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-06 00:44:58 1409 ----a-w- c:\windows\QTFont.for

2011-12-05 00:53:22 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-12-05 00:52:33 41184 ----a-w- c:\windows\avastSS.scr

2011-12-05 00:52:02 -------- d-----w- c:\program files\AVAST Software

2011-12-05 00:52:02 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software

2011-12-04 19:03:45 37888 ----a-w- c:\windows\system32\sqlesw32.dll

2011-12-04 19:03:45 156672 ----a-w- c:\windows\system32\sqlcsw32.dll

2011-12-04 18:51:14 304640 ----a-w- c:\documents and settings\mark\local settings\application data\qwerty.exe

2011-11-28 00:48:00 -------- d-----w- c:\documents and settings\mark\application data\Sony Online Entertainment

2011-11-28 00:47:57 -------- d-----w- c:\documents and settings\mark\local settings\application data\SCE

2011-11-28 00:44:59 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

2011-11-28 00:40:21 -------- d--h--w- c:\windows\msdownld.tmp

2011-11-28 00:40:04 -------- d-----w- c:\program files\Sony Online Entertainment


==================== Find3M ====================


2011-11-28 00:47:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-28 22:19:58 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys

2011-10-28 22:19:55 104 --sh--r- c:\windows\system32\B031864702.sys


============= FINISH: 16:43:09.18 ===============

Link to post
Share on other sites

  • Staff


Please update MBAM, run a Quick Scan, and post its log.

Ensure that you remove everything found.

Next, please visit this webpage for instructions for running ComboFix:


  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


Link to post
Share on other sites

I updated to the most recent MBAM version. It said it found no malicious items and produced the following log:

Malwarebytes' Anti-Malware


Database version: 8325

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/6/2011 6:07:46 PM

mbam-log-2011-12-06 (18-07-45).txt

Scan type: Quick scan

Objects scanned: 176966

Time elapsed: 17 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Next I'll get combofix done...

Link to post
Share on other sites

I'm not able to get combo fix to run. I have McAfee and avast. I closed both according to the guide (task bar), but when I double-clicked on Combofix it said McAfee virus scan was active, and to deactivate it before hitting ok. I went to my task manager and ended anything I recognized as some part of McAfee...clicked ok, and nothing happened except the dialog box disappeared. I restarted and tried again with the same effect. The 3 time I just hit ok anyway, it gave me a warning and proceeded to the "blue screen" outlined in the combofix guide. However no text came up saying to wait. It was just a blank, blue window. I waited a long while...but nothing happened.

Link to post
Share on other sites

  • Staff


Delete your copy of ComboFix. Grab a fresh copy and save it to your Desktop, but do not run it yet. Before you download it, rename it to sega.com

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\sega.com" /killall

See if it will run successfully now. Stop it after half an hour of no activity.

Link to post
Share on other sites

I got a new copy and renamed it and put it on my desktop..restarted...went to safe mode...typed what you instructed and it said it couldn't find the file. I am sure I typed it correctly as I went back and forth 3 times to check. "%userprofile%\desktop\sega.com" /killall (first time I missed the space, but then put it in thereafter.)

Besides seeing it on my desktop, I go into the directory it's looking for (C:\documents and settings\Mark\desktop)and clearly see it is there...and it is called sega.com

Link to post
Share on other sites

  • 2 weeks later...
  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.