
computer seems to be working hard at idle-scan was OK



Hello helpful people,

I seem to remember I had this problem once before, (when I found out I was infected), and got great help here by MickeyMous? My computer seems to be working hard at idle recently, and I don't know why.

I updated my Malwarebytes software, and ran a quick scan, which revealed no threats discovered.

Any suggestions?

Thank you,

Barry


Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


OK, thanks Mr Charlie, here are the two logs from DDS:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Owner at 14:20:47 on 2012-08-20

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.51 [GMT -4:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\GlidePoint\glidesvc.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Spyware Terminator\st_rsser.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Common Files\AOL\1177334885\ee\AOLSoftware.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Real\RealPlayer\update\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe

C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe

C:\Program Files\Multimedia keyboard utility\1.3\KbdAp32A.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AOL Desktop 9.6\waol.exe

C:\Program Files\CallWave\IAM.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\PROGRA~1\Webshots\Webshots.scr

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\AOL Desktop 9.6\shellmon.exe

C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe

C:\Program Files\AOL Desktop 9.6\AOLBrowser\aolbrowser.exe

C:\Program Files\MSN\MSNCoreFiles\msn.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120627083759.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: SVIEBHO Class: {b3c54716-9d0a-4666-a81a-6072a6325a5a} - c:\program files\selectview\svie.dll

TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

TB: {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Cookienator] "c:\documents and settings\owner\desktop\cookienator.exe" /auto

uRun: [AOL Fast Start] "c:\program files\aol desktop 9.6\AOL.EXE" -b

mRun: [sunKistEM] c:\program files\digital media reader\shwiconem.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

mRun: [HostManager] c:\program files\common files\aol\1177334885\ee\AOLSoftware.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [FLMK08KB] c:\program files\multimedia keyboard utility\1.3\MMKEYBD.EXE

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [spywareTerminatorShield] c:\program files\spyware terminator\SpywareTerminatorShield.exe

mRun: [spywareTerminatorUpdater] c:\program files\spyware terminator\SpywareTerminatorUpdate.exe

mRunOnce: [OOBEDDDemise] cmd /x /c erase c:\windows\system32\oobe\msoobe.exe

dRun: [AOL Fast Start] "c:\program files\america online 9.0a\AOL.EXE" -b

StartupFolder: c:\docume~1\owner\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\callwave.lnk - c:\program files\callwave\IAM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML

IE: &Webshots Photo Search - c:\program files\webshots\WSToolbar4IE.dll/MENUSEARCH.HTM

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Crawler Search - tbr:iemenu

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.3\IExifMap.htm

IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.3\IExifCom.htm

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {16D60F96-2FF6-40b2-96D3-C32170E45A01} - {DA45FFEB-CD7D-4220-9B9B-F71967DE2B60} - c:\program files\selectview\svie.dll

IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: hotmail.com

Trusted Zone: msn.com

Trusted Zone: passport.com

Trusted Zone: windowslive.com

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}

DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://mywayphotos.riteaid.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: Interfaces\{35C43EFE-F177-4AF5-AF85-FA7F44378359} : NameServer = 205.188.146.145

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-24 464304]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-12-30 89792]

R1 sp_rsdrv2;Spyware Terminator 2012 Realtime Shield Driver;c:\windows\system32\drivers\sp_rsdrv2.sys [2012-3-5 32768]

R3 Arfumftr;Trust RF-Mouse filter driver;c:\windows\system32\drivers\Arfumftr.sys [2001-12-17 10904]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-12-30 57600]

R3 glidehid;GlidePoint HID Touchpad Minidriver;c:\windows\system32\drivers\glidehid.sys [2011-1-3 61096]

R3 glideps2;GlidePoint PS/2 Touchpad Filter;c:\windows\system32\drivers\glideps2.sys [2011-1-3 25384]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-12-30 180848]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-12-30 59456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-12-30 340920]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-12-30 83856]

S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-12-30 83856]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-12-30 87656]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-24 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-24 40552]

.

=============== Created Last 30 ================

.

2012-08-10 17:55:00 -------- d-----w- c:\program files\CCleaner

.

==================== Find3M ====================

.

2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll

2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys

2012-07-02 17:49:33 916992 ----a-w- c:\windows\system32\wininet.dll

2012-07-02 17:49:32 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-07-02 17:49:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-07-02 12:05:43 385024 ----a-w- c:\windows\system32\html.iec

2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll

2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll

.

============= FINISH: 14:24:55.96 ===============


And here is the RK report, and thank you again!:

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Owner [Admin rights]

Mode: Scan -- Date: 08/20/2012 14:41:52

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : Cookienator ("C:\Documents and Settings\Owner\Desktop\cookienator.exe" /auto) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-3295163956-1233078660-4171340023-1003[...]\Run : Cookienator ("C:\Documents and Settings\Owner\Desktop\cookienator.exe" /auto) -> FOUND

[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{35C43EFE-F177-4AF5-AF85-FA7F44378359} : NameServer (205.188.146.145) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3100011A +++++

--- User ---

[MBR] eba094f26b57c1df4405d87b00fe734e

[bSP] 95ed84d82cf00005de23acd4c67b3ee8 : MBR Code unknown

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 6924015 | Size: 92012 Mo

1 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 3380 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt


I don't see much, let's run some scans.......

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

MrC


15:43:06.0468 2696 aspnet_state ( UnsignedFile.Multi.Generic ) - User select action: Quarantine

15:43:06.0609 2696 C:\Program Files\Bonjour\mDNSResponder.exe - copied to quarantine

15:43:07.0109 2696 Bonjour Service ( UnsignedFile.Multi.Generic ) - User select action: Quarantine

15:43:07.0171 2696 C:\WINDOWS\system32\drivers\Cdr4_xp.sys - copied to quarantine

15:43:07.0515 2696 Cdr4_xp ( UnsignedFile.Multi.Generic ) - User select action: Quarantine

15:43:07.0562 2696 C:\WINDOWS\system32\drivers\Cdralw2k.sys - copied to quarantine

15:43:07.0734 2696 Cdralw2k ( UnsignedFile.Multi.Generic ) - User select action: Quarantine

15:43:07.0859 2696 C:\WINDOWS\system32\HPZipm12.exe - copied to quarantine

15:43:08.0203 2696 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine

15:43:08.0296 2696 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS - copied to quarantine

15:43:08.0671 2696 PrismXL ( UnsignedFile.Multi.Generic ) - User select action: Quarantine

15:43:08.0734 2696 C:\WINDOWS\system32\drivers\sp_rsdrv2.sys - copied to quarantine

15:43:09.0109 2696 sp_rsdrv2 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine

15:43:09.0187 2696 C:\WINDOWS\System32\Drivers\sunkfilt.sys - copied to quarantine

15:43:09.0625 2696 SunkFilt ( UnsignedFile.Multi.Generic ) - User select action: Quarantine

15:43:10.0281 2696 C:\WINDOWS\wanmpsvc.exe - copied to quarantine

15:43:10.0609 2696 WANMiniportService ( UnsignedFile.Multi.Generic ) - User select action: Quarantine

15:43:10.0703 2696 C:\Program Files\Windows Live\installer\WLSetupSvc.exe - copied to quarantine

15:43:10.0953 2696 WLSetupSvc ( UnsignedFile.Multi.Generic ) - User select action: Quarantine

16:47:04.0093 3880 Deinitialize success

These are all good files, there was no need to quarantine them.

~~~~~~~~~~~~~~~~~~~~~~~

Download TDSSQlook.exe

http://www.malwarein...s/TDSSQlook.exe

Run it and choose A scan and press Enter

Copy the log back here TDSSQ.txt

You can find it in C:\TDSSQ.txt

MrC


OK, finally back at this. Here's the A scan you requested:

TDSSKiller Quarantine Information log

TDSS Qlook Version 1.0.0.5 - Owner - Tue 08/21/2012 - 12:24:19.54.

Microsoft Windows XP Home Edition 5.1.2600 Service Pack 3

***** START SCAN Tue 08/21/2012 12:24:29.03 *****

---------- TDSSKiller logs ----------

TDSSKiller.2.8.7.0_20.08.2012_15.14.49_log.txt

TDSSKiller.2.8.7.0_20.08.2012_15.29.44_log.txt

TDSSKiller.2.8.7.0_20.08.2012_15.34.03_log.txt

TDSSKiller.2.8.7.0_21.08.2012_11.24.24_log.txt

TDSSKiller.2.8.7.0_21.08.2012_12.22.30_log.txt

---------- TDSSStarter logs ----------

---------- DIR LIST ----------

---------- INI FILES ----------

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0000\object.ini

[infectedObject]

Verdict: UnsignedFile.Multi.Generic

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0000\svc0000\object.ini

[infectedObject]

Type: Service

Name: aspnet_state

Type: n/a (0x10)

Start: Demand (0x3)

ImagePath: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0000\svc0000\tsk0000.ini

[infectedFile]

Type: Raw image

Src: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe

md5: E1A1206A4FB19B675E947B29CCD25FBA

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0001\object.ini

[infectedObject]

Verdict: UnsignedFile.Multi.Generic

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0001\svc0000\object.ini

[infectedObject]

Type: Service

Name: Bonjour Service

Type: n/a (0x10)

Start: Auto (0x2)

ImagePath: "C:\Program Files\Bonjour\mDNSResponder.exe"

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0001\svc0000\tsk0000.ini

[infectedFile]

Type: Raw image

Src: C:\Program Files\Bonjour\mDNSResponder.exe

md5: CFD4C3352E29A8B729536648466E8DF5

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0002\object.ini

[infectedObject]

Verdict: UnsignedFile.Multi.Generic

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0002\svc0000\object.ini

[infectedObject]

Type: Service

Name: Cdr4_xp

Type: Kernel driver (0x1)

Start: System (0x1)

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0002\svc0000\tsk0000.ini

[infectedFile]

Type: Raw image

Src: C:\WINDOWS\system32\drivers\Cdr4_xp.sys

md5: BF79E659C506674C0497CC9C61F1A165

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0003\object.ini

[infectedObject]

Verdict: UnsignedFile.Multi.Generic

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0003\svc0000\object.ini

[infectedObject]

Type: Service

Name: Cdralw2k

Type: Kernel driver (0x1)

Start: System (0x1)

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0003\svc0000\tsk0000.ini

[infectedFile]

Type: Raw image

Src: C:\WINDOWS\system32\drivers\Cdralw2k.sys

md5: 2C41CD49D82D5FD85C72D57B6CA25471

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0004\object.ini

[infectedObject]

Verdict: UnsignedFile.Multi.Generic

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0004\svc0000\object.ini

[infectedObject]

Type: Service

Name: Pml Driver HPZ12

Type: n/a (0x10)

Start: Auto (0x2)

ImagePath: C:\WINDOWS\system32\HPZipm12.exe

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0004\svc0000\tsk0000.ini

[infectedFile]

Type: Raw image

Src: C:\WINDOWS\system32\HPZipm12.exe

md5: 2D091A99624FB9E7EEF0A86D872EC0C3

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0005\object.ini

[infectedObject]

Verdict: UnsignedFile.Multi.Generic

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0005\svc0000\object.ini

[infectedObject]

Type: Service

Name: PrismXL

Type: n/a (0x110)

Start: Auto (0x2)

ImagePath: C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0005\svc0000\tsk0000.ini

[infectedFile]

Type: Raw image

Src: C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

md5: 33D7285F12D934268A34206DFC4AD1B3

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0006\object.ini

[infectedObject]

Verdict: UnsignedFile.Multi.Generic

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0006\svc0000\object.ini

[infectedObject]

Type: Service

Name: sp_rsdrv2

Type: Kernel driver (0x1)

Start: System (0x1)

ImagePath: \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0006\svc0000\tsk0000.ini

[infectedFile]

Type: Raw image

Src: C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

md5: 7B426B8E809EDF081D771EF429345528

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0007\object.ini

[infectedObject]

Verdict: UnsignedFile.Multi.Generic

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0007\svc0000\object.ini

[infectedObject]

Type: Service

Name: SunkFilt

Type: Kernel driver (0x1)

Start: Demand (0x3)

ImagePath: \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0007\svc0000\tsk0000.ini

[infectedFile]

Type: Raw image

Src: C:\WINDOWS\System32\Drivers\sunkfilt.sys

md5: 86CA1A5C15A5A98D5533945FB1120B05

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0008\object.ini

[infectedObject]

Verdict: UnsignedFile.Multi.Generic

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0008\svc0000\object.ini

[infectedObject]

Type: Service

Name: WANMiniportService

Type: n/a (0x10)

Start: Auto (0x2)

ImagePath: "C:\WINDOWS\wanmpsvc.exe"

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0008\svc0000\tsk0000.ini

[infectedFile]

Type: Raw image

Src: C:\WINDOWS\wanmpsvc.exe

md5: EB9A99AB5D17B1727034FF191E6448D7

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0009\object.ini

[infectedObject]

Verdict: UnsignedFile.Multi.Generic

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0009\svc0000\object.ini

[infectedObject]

Type: Service

Name: WLSetupSvc

Type: n/a (0x10)

Start: Demand (0x3)

ImagePath: "C:\Program Files\Windows Live\installer\WLSetupSvc.exe"

=== C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0009\svc0000\tsk0000.ini

[infectedFile]

Type: Raw image

Src: C:\Program Files\Windows Live\installer\WLSetupSvc.exe

md5: 94A85E956A065E23E0010A6A7826243B

***** END SCAN Tue 08/21/2012 12:24:36.57 *****


Run TDSSQlook.exe again and choose Option B (Fix)

Notepad will open up

Copy and paste the text below into notepad (make sure Word Wrap is unchecked under Format!!!!)

Close notepad by clicking the X in the upper right hand corner > save changes

This will start TDSSQlook and replace the file (you won't see anything happening though)

Check to see if all the files have been replaced, MrC

REN "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0000\svc0000\tsk0000.dta" aspnet_state.exe
COPY "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0000\svc0000\aspnet_state.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\"

REN "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0001\svc0000\tsk0000.dta" mDNSResponder.exe
COPY "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0001\svc0000\mDNSResponder.exe" "C:\Program Files\Bonjour\"

REN "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0002\svc0000\tsk0000.dta" Cdr4_xp.sys
COPY "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0002\svc0000\Cdr4_xp.sys" "C:\WINDOWS\system32\drivers\"

REN "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0003\svc0000\tsk0000.dta" Cdralw2k.sys
COPY "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0003\svc0000\Cdralw2k.sys" "C:\WINDOWS\system32\drivers\"

REN "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0004\svc0000\tsk0000.dta" HPZipm12.exe
COPY "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0004\svc0000\HPZipm12.exe" "C:\WINDOWS\system32\"

REN "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0005\svc0000\tsk0000.dta" PRISMXL.SYS
COPY "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0005\svc0000\PRISMXL.SYS" "C:\Program Files\Common Files\New Boundary\PrismXL\"

REN "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0006\svc0000\tsk0000.dta" sp_rsdrv2.sys
COPY "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0006\svc0000\sp_rsdrv2.sys" "C:\WINDOWS\system32\drivers\"

REN "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0007\svc0000\tsk0000.dta" sunkfilt.sys
COPY "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0007\svc0000\sunkfilt.sys" "C:\WINDOWS\System32\Drivers\"

REN "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0008\svc0000\tsk0000.dta" wanmpsvc.exe
COPY "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0008\svc0000\wanmpsvc.exe" "C:\WINDOWS\"

REN "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0009\svc0000\tsk0000.dta" WLSetupSvc.exe
COPY "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0009\svc0000\WLSetupSvc.exe" "C:\Program Files\Windows Live\installer\"


First enable hidden files:

http://www.howtogeek...-folders-in-xp/

Then...here's an example: (you'll have to do this for each one)

REN "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0002\svc0000\tsk0000.dta" Cdr4_xp.sys

COPY "C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0002\svc0000\Cdr4_xp.sys"

C:\WINDOWS\system32\drivers\

Check to see if Cdr4_xp.sys

C:\WINDOWS\system32\drivers\ <---is in this folder

MrC


Lost again! I followed the instructions to show the hidden files and folders, but I don't follow how to get into explorer, where I need to be to check each of those files you listed.

By the way, my computer is still working hard. I've restarted a couple of times since yesterday, and it's still running as it was. Sorry for not knowing more about my computer, but I don't get into this until something goes wrong, and don't remember what or where I was before in the process.

Thanks!

B


By the way, my computer is still working hard.

We didn't fix anything yet, I'm trying to correct all the files you deleted!

~~~~~~~~~~~~~~~~

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :Filefind
    aspnet_state.exe
    mDNSResponder.exe
    Cdr4_xp.sys
    mDNSResponder.exe
    PRISMXL.SYS
    sp_rsdrv2.sys
    sunkfilt.sys
    wanmpsvc.exe
    WLSetupSvc.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


How long should the Look scan take? I copied the text you posted, and pasted it in the field, but it's still searching, or at least there aren't any results as yet after an hour or two now.

Could it be that I have an outdated Look Exe program? I didn't re-download it because it was on my desktop from the last time I had a problem, a year or two ago, now.

Should I exit the scan, or what?

Thanks,

B


The one System Look box says this:

SystemLook 30.07.11 by jpshortstuff

Log created at 18:36 on 21/08/2012 by Owner

Administrator - Elevation successful

========== Filefind ==========

Searching for "aspnet_state.exe "

The other one says this:

:Filefind

aspnet_state.exe

mDNSResponder.exe

Cdr4_xp.sys

mDNSResponder.exe

PRISMXL.SYS

sp_rsdrv2.sys

sunkfilt.sys

wanmpsvc.exe

WLSetupSvc.exe

and the Searching box below is not highlighted, since I clicked on it, like the Exit in bold letters is.

??


Well, I thought that I was getting help here, Mr C! ; )

I've been trying to follow all your suggestions, and to show you what I've done, and the results I've gotten. If you don't know, then I'm afloat. I have no one else to turn to, so if that's it, then thanks for your help anyway, and be well.

Barry


When I was closing out of the two Look windows, I found this in a notepad that I hadn't seen until I did:

SystemLook 30.07.11 by jpshortstuff

Log created at 18:36 on 21/08/2012 by Owner

Administrator - Elevation successful

========== Filefind ==========

Searching for "aspnet_state.exe "

C:\My Backup -- 23-04-07 0706\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe --a--c- 32768 bytes [16:49 15/07/2004] [16:49 15/07/2004] E1A1206A4FB19B675E947B29CCD25FBA

C:\Program Files\MSN\MSNCoreFiles\aspnet_state.exe --a---- 32768 bytes [18:08 21/08/2012] [19:43 20/08/2012] E1A1206A4FB19B675E947B29CCD25FBA

C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0000\svc0000\aspnet_state.exe --a---- 32768 bytes [19:43 20/08/2012] [19:43 20/08/2012] E1A1206A4FB19B675E947B29CCD25FBA

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe --a---- 32768 bytes [16:49 15/07/2004] [16:49 15/07/2004] E1A1206A4FB19B675E947B29CCD25FBA

Searching for "mDNSResponder.exe "

C:\Program Files\Bonjour\mDNSResponder.exe --a---- 229376 bytes [19:17 24/07/2007] [19:17 24/07/2007] CFD4C3352E29A8B729536648466E8DF5

C:\Program Files\MSN\MSNCoreFiles\mDNSResponder.exe --a---- 73728 bytes [18:08 21/08/2012] [19:43 20/08/2012] 2D091A99624FB9E7EEF0A86D872EC0C3

C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0001\svc0000\mDNSResponder.exe --a---- 229376 bytes [19:43 20/08/2012] [19:43 20/08/2012] CFD4C3352E29A8B729536648466E8DF5

C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0004\svc0000\mDNSResponder.exe --a---- 73728 bytes [19:43 20/08/2012] [19:43 20/08/2012] 2D091A99624FB9E7EEF0A86D872EC0C3

Searching for "Cdr4_xp.sys "

C:\Program Files\MSN\MSNCoreFiles\Cdr4_xp.sys --a---- 2432 bytes [18:08 21/08/2012] [19:43 20/08/2012] BF79E659C506674C0497CC9C61F1A165

C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0002\svc0000\Cdr4_xp.sys --a---- 2432 bytes [19:43 20/08/2012] [19:43 20/08/2012] BF79E659C506674C0497CC9C61F1A165

C:\WINDOWS\system32\drivers\cdr4_xp.sys ------- 2432 bytes [00:27 11/11/2004] [23:42 09/07/2008] BF79E659C506674C0497CC9C61F1A165

Searching for "mDNSResponder.exe "

and there it ended, blinking cursor after. Don't know if it was still searching or not.

Anyway, thanks for trying to help.


OK, great, and thanks Mr C for not giving up on me! I know it's trying for your expertise, but I do appreciate your help very much.

I did as you suggested, exited and restarted Look with those search parameters you gave. I have to go out for a bit, but will report the findings when I return.

B


OK, back again, here's the result of the Look search in Notepad:

SystemLook 30.07.11 by jpshortstuff

Log created at 20:04 on 21/08/2012 by Owner

Administrator - Elevation successful

========== Filefind ==========

Searching for "mDNSResponder.exe"

C:\Program Files\Bonjour\mDNSResponder.exe --a---- 229376 bytes [19:17 24/07/2007] [19:17 24/07/2007] CFD4C3352E29A8B729536648466E8DF5

C:\Program Files\MSN\MSNCoreFiles\mDNSResponder.exe --a---- 73728 bytes [18:08 21/08/2012] [19:43 20/08/2012] 2D091A99624FB9E7EEF0A86D872EC0C3

C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0001\svc0000\mDNSResponder.exe --a---- 229376 bytes [19:43 20/08/2012] [19:43 20/08/2012] CFD4C3352E29A8B729536648466E8DF5

C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0004\svc0000\mDNSResponder.exe --a---- 73728 bytes [19:43 20/08/2012] [19:43 20/08/2012] 2D091A99624FB9E7EEF0A86D872EC0C3

Searching for "PRISMXL.SYS"

C:\My Backup -- 23-04-07 0706\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS --a--c- 172032 bytes [16:03 11/05/2005] [16:05 11/05/2005] 33D7285F12D934268A34206DFC4AD1B3

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS --a---- 172032 bytes [15:22 23/04/2007] [15:24 23/04/2007] 33D7285F12D934268A34206DFC4AD1B3

C:\Program Files\MSN\MSNCoreFiles\PRISMXL.SYS --a---- 172032 bytes [18:08 21/08/2012] [19:43 20/08/2012] 33D7285F12D934268A34206DFC4AD1B3

C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0005\svc0000\PRISMXL.SYS --a---- 172032 bytes [19:43 20/08/2012] [19:43 20/08/2012] 33D7285F12D934268A34206DFC4AD1B3

Searching for "sp_rsdrv2.sys"

C:\Program Files\MSN\MSNCoreFiles\sp_rsdrv2.sys --a---- 32768 bytes [18:08 21/08/2012] [19:43 20/08/2012] 7B426B8E809EDF081D771EF429345528

C:\Program Files\Spyware Terminator\Driver\sp_rsdrv2.sys --a---- 32768 bytes [16:24 21/06/2011] [16:24 21/06/2011] 7B426B8E809EDF081D771EF429345528

C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0006\svc0000\sp_rsdrv2.sys --a---- 32768 bytes [19:43 20/08/2012] [19:43 20/08/2012] 7B426B8E809EDF081D771EF429345528

C:\WINDOWS\system32\drivers\sp_rsdrv2.sys --a---- 32768 bytes [18:11 05/03/2012] [16:24 21/06/2011] 7B426B8E809EDF081D771EF429345528

Searching for "sunkfilt.sys"

C:\My Backup -- 23-04-07 0706\WINDOWS\system32\drivers\Sunkfilt.sys --a--c- 36804 bytes [00:41 16/11/2004] [00:41 16/11/2004] 86CA1A5C15A5A98D5533945FB1120B05

C:\Program Files\MSN\MSNCoreFiles\sunkfilt.sys --a---- 36804 bytes [18:08 21/08/2012] [19:43 20/08/2012] 86CA1A5C15A5A98D5533945FB1120B05

C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0007\svc0000\sunkfilt.sys --a---- 36804 bytes [19:43 20/08/2012] [19:43 20/08/2012] 86CA1A5C15A5A98D5533945FB1120B05

C:\WINDOWS\system32\drivers\Sunkfilt.sys --a---- 36804 bytes [00:41 16/11/2004] [00:41 16/11/2004] 86CA1A5C15A5A98D5533945FB1120B05

Searching for "wanmpsvc.exe"

C:\Program Files\Common Files\AOL\ACS\wanmpsvc.exe --a--c- 65536 bytes [15:37 23/04/2007] [17:29 27/08/2003] EB9A99AB5D17B1727034FF191E6448D7

C:\Program Files\MSN\MSNCoreFiles\wanmpsvc.exe --a---- 65536 bytes [18:08 21/08/2012] [19:43 20/08/2012] EB9A99AB5D17B1727034FF191E6448D7

C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0008\svc0000\wanmpsvc.exe --a---- 65536 bytes [19:43 20/08/2012] [19:43 20/08/2012] EB9A99AB5D17B1727034FF191E6448D7

C:\WINDOWS\wanmpsvc.exe --a---- 65536 bytes [10:19 25/04/2007] [17:29 27/08/2003] EB9A99AB5D17B1727034FF191E6448D7

Searching for "WLSetupSvc.exe "

C:\Program Files\MSN\MSNCoreFiles\WLSetupSvc.exe --a---- 266240 bytes [18:08 21/08/2012] [19:43 20/08/2012] 94A85E956A065E23E0010A6A7826243B

C:\Program Files\Windows Live\installer\WLSetupSvc.exe --a---- 266240 bytes [20:27 25/10/2007] [20:27 25/10/2007] 94A85E956A065E23E0010A6A7826243B

C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0009\svc0000\WLSetupSvc.exe --a---- 266240 bytes [19:43 20/08/2012] [19:43 20/08/2012] 94A85E956A065E23E0010A6A7826243B

-= EOF =-


OK, well done........all the files are where they should be.

Next........

Download TFC to your desktop

Close any open windows.

Double click the TFC icon to run the program

TFC will close all open programs itself in order to run,

Click the Start button to begin the process.

Allow TFC to run uninterrupted.

The program should not take long to finish its job

Once it's finished it should automatically reboot your machine,

if it doesn't, manually reboot to ensure a complete clean

Let me know when you're done with this.

Gone for tonight, MrC

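The "all the files are where they should be" verdict above rests on reading the SystemLook Filefind log by eye: for each quarantined copy, a file with the same name and MD5 should now exist in the directory the TDSSQlook fix script copied it to. The script below does that comparison mechanically. It is an added example, not code from the thread, from TDSSKiller, TDSSQlook or SystemLook; the function names, the EXPECTED_DEST mapping (transcribed from the REN/COPY fix script) and the SAMPLE_LOG (a subset of the Filefind lines posted above) are all constructed for the example. On that data it reports the susp0004 copy of mDNSResponder.exe as not matching the Bonjour copy, which is simply what the log shows: the two mDNSResponder.exe files have different sizes and hashes.

```python
"""Check TDSSKiller-quarantine restores against a SystemLook ':Filefind' log.

Added example (not part of the thread). For every file under the quarantine
folder it looks up the directory the fix script copied it to and confirms a
file with the same name and the same MD5 is listed there.
"""
import re

# Quarantine root and the destinations from the posted REN/COPY fix script
# (susp0003/5/6/8 omitted here because SAMPLE_LOG below does not include them).
QUARANTINE = r"C:\TDSSKiller_Quarantine\20.08.2012_15.34.04"
EXPECTED_DEST = {
    "susp0000": r"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322",
    "susp0001": r"C:\Program Files\Bonjour",
    "susp0002": r"C:\WINDOWS\system32\drivers",
    "susp0004": r"C:\Program Files\Bonjour",
    "susp0007": r"C:\WINDOWS\System32\Drivers",
    "susp0009": r"C:\Program Files\Windows Live\installer",
}

# One Filefind result line: <path> <7 attr flags> <size> bytes [created] [modified] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Constructed sample: a subset of the SystemLook lines posted in this thread.
SAMPLE_LOG = r"""
========== Filefind ==========
Searching for "aspnet_state.exe"
C:\Program Files\MSN\MSNCoreFiles\aspnet_state.exe --a---- 32768 bytes [18:08 21/08/2012] [19:43 20/08/2012] E1A1206A4FB19B675E947B29CCD25FBA
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0000\svc0000\aspnet_state.exe --a---- 32768 bytes [19:43 20/08/2012] [19:43 20/08/2012] E1A1206A4FB19B675E947B29CCD25FBA
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe --a---- 32768 bytes [16:49 15/07/2004] [16:49 15/07/2004] E1A1206A4FB19B675E947B29CCD25FBA
Searching for "mDNSResponder.exe"
C:\Program Files\Bonjour\mDNSResponder.exe --a---- 229376 bytes [19:17 24/07/2007] [19:17 24/07/2007] CFD4C3352E29A8B729536648466E8DF5
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0001\svc0000\mDNSResponder.exe --a---- 229376 bytes [19:43 20/08/2012] [19:43 20/08/2012] CFD4C3352E29A8B729536648466E8DF5
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0004\svc0000\mDNSResponder.exe --a---- 73728 bytes [19:43 20/08/2012] [19:43 20/08/2012] 2D091A99624FB9E7EEF0A86D872EC0C3
Searching for "Cdr4_xp.sys"
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0002\svc0000\Cdr4_xp.sys --a---- 2432 bytes [19:43 20/08/2012] [19:43 20/08/2012] BF79E659C506674C0497CC9C61F1A165
C:\WINDOWS\system32\drivers\cdr4_xp.sys ------- 2432 bytes [00:27 11/11/2004] [23:42 09/07/2008] BF79E659C506674C0497CC9C61F1A165
Searching for "sunkfilt.sys"
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0007\svc0000\sunkfilt.sys --a---- 36804 bytes [19:43 20/08/2012] [19:43 20/08/2012] 86CA1A5C15A5A98D5533945FB1120B05
C:\WINDOWS\system32\drivers\Sunkfilt.sys --a---- 36804 bytes [00:41 16/11/2004] [00:41 16/11/2004] 86CA1A5C15A5A98D5533945FB1120B05
Searching for "WLSetupSvc.exe"
C:\Program Files\Windows Live\installer\WLSetupSvc.exe --a---- 266240 bytes [20:27 25/10/2007] [20:27 25/10/2007] 94A85E956A065E23E0010A6A7826243B
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0009\svc0000\WLSetupSvc.exe --a---- 266240 bytes [19:43 20/08/2012] [19:43 20/08/2012] 94A85E956A065E23E0010A6A7826243B
-= EOF =-
"""


def parse_filefind(text):
    """Return (path, size, MD5) for every result line; headers and EOF are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["path"], int(m["size"]), m["md5"].upper()))
    return entries


def check_restores(entries):
    """Map each suspNNNN quarantine entry to (file name, status).

    Status is "ok" when a file of the same name and MD5 is listed in the
    scripted destination, otherwise "missing at ..." or "hash mismatch at ...".
    Path comparison is case-insensitive, as NTFS paths are.
    """
    by_path = {path.lower(): (size, md5) for path, size, md5 in entries}
    prefix = QUARANTINE.lower() + "\\"
    results = {}
    for path, _size, md5 in entries:
        if not path.lower().startswith(prefix):
            continue  # not a quarantine copy
        rel = path[len(prefix):]                 # e.g. susp0004\svc0000\mDNSResponder.exe
        susp, name = rel.split("\\")[0], rel.split("\\")[-1]
        dest = EXPECTED_DEST.get(susp)
        if dest is None:
            results[susp] = (name, "no destination in fix script")
            continue
        target = by_path.get((dest + "\\" + name).lower())
        if target is None:
            results[susp] = (name, "missing at " + dest)
        elif target[1] != md5:
            results[susp] = (name, "hash mismatch at " + dest)
        else:
            results[susp] = (name, "ok")
    return results


if __name__ == "__main__":
    for susp, (name, status) in sorted(check_restores(parse_filefind(SAMPLE_LOG)).items()):
        print(f"{susp}  {name:<20} {status}")
```

To use it on a real run, paste the full SystemLook.txt into SAMPLE_LOG (or read the file) and add the remaining susp entries to EXPECTED_DEST from the fix script; any line other than "ok" is a file worth looking at before trusting the restore.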
