J.C.

smss.exe and svchost.exe on System Volume Information even after reinstalling XP from Acer Recovery Partition


Hi guys, I really need help with my AOA150 netbook!

I got infected from a USB flash drive; it installed the autorun.inf and other .cmd and .exe files into the ACER (C:) and PQSERVICE partitions! So I rebooted using a USB live Linux distro and deleted those files from C: and PQSERVICE, rebooted again, and then XP asked me for a password which I had never set, so I couldn't log in... I decided to use the ALT+F10 shortcut on rebooting and had my system recovered from "factory settings". The eRecovery app formatted the C: partition and reinstalled XP Home, so everything was fine... until I logged in again (in the newly installed XP) and found out that I still had viruses located in the SYSTEM VOLUME INFORMATION folder!!!

What can I do? Are the viruses still on the recovery partition, so every time I reinstall from factory settings these viruses are copied to my new installation?

Help please


Hi and welcome to Malwarebytes.

Can you run MBAM? If so, update it, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.


Hi, thanks for your time, here are my MBAM and DDS logs.

I also want to be very specific on this: even when I have reinstalled XP from the recovery partition, when I log in for the first time to Windows, there's a folder named "_restore{d5fffa500b1b}" which has been created and contains "smss.exe" and "svchost.exe" files on it, and it's located in the System Volume Information folder. Why is that?

MBAM

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4110

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/18/2010 4:44:27 PM

mbam-log-2010-05-18 (16-44-27).txt

Scan type: Quick scan

Objects scanned: 120854

Time elapsed: 12 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

DDS

DDS (Ver_10-03-17.01) - NTFSx86

Run by Perez at 16:45:24.85 on Tue 05/18/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.504 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

Executable.exe 4

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\WINDOWS\system32\igfxext.exe

C:\DOCUME~1\Perez\LOCALS~1\Temp\RtkBtMnt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Perez\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - c:\documents and settings\all users\application data\partner\partner.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.415.1646\swg.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [LaunchApp] Alaunch

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt

mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-17 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-17 29512]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-17 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-5-17 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-17 308064]

R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [2008-5-5 254976]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-5-17 24064]

S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2010-5-17 96856]

S3 Partner Service;Partner Service;c:\documents and settings\all users\application data\partner\partner.exe [2010-5-17 110576]

=============== Created Last 30 ================

2010-05-18 22:44:59 54016 ----a-w- c:\windows\system32\drivers\tnrym.sys

2010-05-18 17:28:09 0 d-----w- c:\windows\system32\XPSViewer

2010-05-18 17:27:08 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-05-18 17:27:08 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-05-18 17:27:08 117760 ------w- c:\windows\system32\prntvpt.dll

2010-05-18 17:27:07 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-05-18 17:27:07 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-05-18 17:27:07 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-05-18 17:27:07 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-05-18 17:27:06 0 d-----w- C:\18c83ea38e4aed1e31

2010-05-18 07:41:12 0 d-sh--w- c:\documents and settings\perez\PrivacIE

2010-05-18 07:39:37 0 d-sh--w- c:\documents and settings\perez\IETldCache

2010-05-18 07:26:56 0 d-----w- c:\program files\MSXML 4.0

2010-05-18 07:22:42 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-05-18 07:22:42 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-05-18 07:22:42 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-05-18 07:22:42 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-05-18 07:22:42 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-05-18 07:22:41 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-05-18 07:22:37 0 d-----w- c:\windows\ie8updates

2010-05-18 07:22:32 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-05-18 07:20:22 0 dc-h--w- c:\windows\ie8

2010-05-18 06:12:20 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-05-18 06:12:20 272128 ------w- c:\windows\system32\drivers\bthport.sys

2010-05-18 06:09:56 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-05-18 05:47:10 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-05-18 05:47:09 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-05-18 05:47:07 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-05-18 05:30:54 2560 ------w- c:\windows\system32\xpsp4res.dll

2010-05-18 05:22:41 0 d-----w- c:\windows\system32\PreInstall

2010-05-18 05:06:12 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-05-18 05:06:12 215920 ----a-w- c:\windows\system32\muweb.dll

2010-05-18 05:06:12 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-05-18 04:55:00 0 d-----w- c:\windows\system32\SoftwareDistribution

2010-05-18 04:42:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-05-18 04:42:15 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-05-18 04:42:10 0 d-----w- c:\windows\system32\drivers\Avg

2010-05-18 04:41:21 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-05-18 04:37:34 0 d-----w- c:\program files\AVG

2010-05-18 04:37:04 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-05-18 02:35:34 0 d-----w- c:\docume~1\perez\applic~1\Malwarebytes

2010-05-18 02:35:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-18 02:35:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-18 02:35:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-18 02:35:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-17 23:30:42 730 ----a-w- c:\windows\system32\setup.iss

2010-05-17 23:30:42 321024 ----a-w- c:\windows\system32\ERUpdateHidden.EXE

2010-05-17 23:30:42 258048 ----a-w- c:\windows\system32\Uninstall_eRecovery.exe

2010-05-17 23:30:42 258048 ----a-w- c:\windows\system32\CheckD2DSystem.exe

2010-05-17 23:30:42 16384 ----a-w- c:\windows\system32\ClearEvent.exe

2010-05-17 23:30:42 159744 ----a-w- c:\windows\system32\CloseProcessWindow.dll

2010-05-17 23:29:14 125 ----a-w- c:\windows\xUninstall.bat

2010-05-17 23:29:13 96856 ----a-w- c:\windows\system32\drivers\jmcr.sys

2010-05-17 23:29:13 110080 ----a-w- c:\windows\system32\JmCrIcon.dll

2010-05-17 23:29:13 0 d-----w- c:\windows\JMCR_DIR

2010-05-17 23:27:32 222382 ----a-w- c:\windows\Acer Crystal Eye webcam.ico

2010-05-17 23:27:32 0 d-----w- c:\program files\common files\CrystalEye

2010-05-17 23:26:58 4342912 ----a-w- c:\windows\system32\acer.exe

2010-05-17 23:26:56 83554304 ----a-w- c:\windows\system32\acer.scr

2010-05-17 23:26:48 0 d-----w- c:\program files\Acer Incorporated

2010-05-17 23:26:47 0 d-----w- c:\windows\ACER

2010-05-17 23:25:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Partner

2010-05-17 23:25:03 83 ----a-w- c:\windows\QtZgAcer.UNI

2010-05-17 23:25:02 0 d-----w- c:\program files\Launch Manager

2010-05-17 23:18:24 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys

2010-05-17 23:18:21 16384 ----a-w- c:\windows\system32\ipsink.ax

2010-05-17 23:18:21 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys

2010-05-17 23:18:20 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys

2010-05-17 23:18:12 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys

2010-05-17 23:18:04 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS

2010-05-17 23:18:00 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys

2010-05-17 23:17:57 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys

2010-05-17 23:13:41 8192 ----a-w- c:\windows\REGLOCS.OLD

2010-05-17 23:13:33 91136 ----a-w- c:\windows\kswdmcap.ax

2010-05-17 23:13:33 61952 ----a-w- c:\windows\kstvtune.ax

2010-05-17 23:13:33 28672 ----a-w- c:\windows\vidcap.ax

2010-05-17 23:13:33 0 d-----w- c:\windows\WebCam

2010-05-17 23:13:32 53760 ----a-w- c:\windows\vfwwdm32.dll

2010-05-17 23:13:32 43008 ----a-w- c:\windows\ksxbar.ax

2010-05-17 23:06:43 0 d---a-w- c:\windows\AcerStore

==================== Find3M ====================

2010-03-11 12:38:52 78336 ------w- c:\windows\system32\ieencode.dll

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

2008-08-15 17:51:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 16:46:04.39 ===============

I also want to be very specific on this: even when I have reinstalled XP from the recovery partition, when I log in for the first time to Windows, there's a folder named "_restore{d5fffa500b1b}" which has been created and contains "smss.exe" and "svchost.exe" files on it, and it's located in the System Volume Information folder. Why is that?
Probably infected another partition which wasn't rewritten when XP was reinstalled.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Probably infected another partition which wasn't rewritten when XP was reinstalled.

My only hard disk has 2 partitions, C: and PQSERVICE, which is the recovery partition and is also hidden, so what can I do if the recovery partition is infected? Since every time I reinstall Windows from that partition it will also copy the virus over and over again?

Here's the log file, and again thanks for your time!

ComboFix

ComboFix 10-05-17.01 - Perez 05/18/2010 21:33:43.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.584 [GMT -6:00]

Running from: c:\documents and settings\Perez\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))

.

2010-05-18 23:24 . 2010-05-18 23:24 -------- d-sh--w- c:\documents and settings\Perez\IECompatCache

2010-05-18 17:28 . 2010-05-18 17:28 -------- d-----w- c:\windows\system32\XPSViewer

2010-05-18 17:28 . 2010-05-18 17:28 -------- d-----w- c:\program files\MSBuild

2010-05-18 17:27 . 2010-05-18 17:27 -------- d-----w- c:\program files\Reference Assemblies

2010-05-18 17:27 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-05-18 17:27 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-05-18 17:27 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-05-18 17:27 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-05-18 17:27 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-05-18 17:27 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-05-18 17:27 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-05-18 17:27 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-05-18 17:27 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-05-18 17:27 . 2010-05-18 17:27 -------- d-----w- C:\18c83ea38e4aed1e31

2010-05-18 07:42 . 2010-05-18 07:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-05-18 07:41 . 2010-05-18 07:41 -------- d-sh--w- c:\documents and settings\Perez\PrivacIE

2010-05-18 07:39 . 2010-05-18 07:39 -------- d-sh--w- c:\documents and settings\Perez\IETldCache

2010-05-18 07:26 . 2010-05-18 07:26 -------- d-----w- c:\program files\MSXML 4.0

2010-05-18 07:22 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-05-18 07:22 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-05-18 07:22 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-05-18 07:22 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-05-18 07:22 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-05-18 07:22 . 2010-02-25 17:54 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-05-18 07:22 . 2010-05-18 07:22 -------- d-----w- c:\windows\ie8updates

2010-05-18 07:22 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-05-18 07:20 . 2010-05-18 07:22 -------- dc-h--w- c:\windows\ie8

2010-05-18 06:12 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-05-18 06:12 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys

2010-05-18 06:09 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-05-18 05:47 . 2010-02-16 14:08 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-05-18 05:47 . 2010-02-17 15:10 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-05-18 05:47 . 2010-02-16 13:25 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-05-18 05:30 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2010-05-18 05:06 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-05-18 05:06 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-05-18 04:42 . 2010-05-18 04:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-05-18 04:42 . 2010-05-18 04:42 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-05-18 04:42 . 2010-05-18 04:42 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-18 04:42 . 2010-05-19 03:23 -------- d-----w- c:\windows\system32\drivers\Avg

2010-05-18 04:41 . 2010-05-18 04:41 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-05-18 04:37 . 2010-05-18 04:37 -------- d-----w- c:\program files\AVG

2010-05-18 04:37 . 2010-05-18 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-05-18 02:35 . 2010-05-18 02:35 -------- d-----w- c:\documents and settings\Perez\Application Data\Malwarebytes

2010-05-18 02:35 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-18 02:35 . 2010-05-18 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-18 02:35 . 2010-05-18 02:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-18 02:35 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-17 23:38 . 2010-05-17 23:38 60592 ----a-w- c:\documents and settings\Perez\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-17 23:33 . 2010-05-17 23:33 -------- d-----w- c:\documents and settings\Perez\Local Settings\Application Data\Google

2010-05-17 23:30 . 2007-04-13 17:51 321024 ----a-w- c:\windows\system32\ERUpdateHidden.EXE

2010-05-17 23:30 . 2006-03-30 19:06 258048 ----a-w- c:\windows\system32\CheckD2DSystem.exe

2010-05-17 23:30 . 2006-03-23 18:02 258048 ----a-w- c:\windows\system32\Uninstall_eRecovery.exe

2010-05-17 23:30 . 2005-12-09 15:12 16384 ----a-w- c:\windows\system32\ClearEvent.exe

2010-05-17 23:30 . 2004-11-03 15:06 159744 ----a-w- c:\windows\system32\CloseProcessWindow.dll

2010-05-17 23:29 . 2010-05-17 23:29 125 ----a-w- c:\windows\xUninstall.bat

2010-05-17 23:29 . 2010-05-17 23:29 -------- d-----w- c:\windows\JMCR_DIR

2010-05-17 23:29 . 2008-07-08 01:16 96856 ----a-w- c:\windows\system32\drivers\jmcr.sys

2010-05-17 23:29 . 2008-05-14 10:53 110080 ----a-w- c:\windows\system32\JmCrIcon.dll

2010-05-17 23:27 . 2010-05-17 23:27 -------- d-----w- c:\program files\Common Files\CrystalEye

2010-05-17 23:26 . 2008-06-13 23:43 4342912 ----a-w- c:\windows\system32\acer.exe

2010-05-17 23:26 . 2007-04-19 19:41 83554304 ----a-w- c:\windows\system32\acer.scr

2010-05-17 23:26 . 2010-05-17 23:26 -------- d-----w- c:\program files\Acer Incorporated

2010-05-17 23:26 . 2010-05-17 23:27 -------- d-----w- c:\windows\ACER

2010-05-17 23:25 . 2010-05-17 23:25 110576 ----a-w- c:\documents and settings\All Users\Application Data\Partner\partner.exe

2010-05-17 23:25 . 2010-05-17 23:25 157168 ----a-w- c:\documents and settings\All Users\Application Data\Partner\partner.dll

2010-05-17 23:25 . 2010-05-17 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Partner

2010-05-17 23:25 . 2010-05-18 03:48 -------- d-----w- c:\program files\Google

2010-05-17 23:25 . 2010-05-17 23:25 -------- d-----w- c:\program files\Launch Manager

2010-05-17 23:18 . 2008-04-14 06:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys

2010-05-17 23:18 . 2008-04-15 03:00 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys

2010-05-17 23:18 . 2008-04-15 03:00 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys

2010-05-17 23:18 . 2008-04-14 06:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys

2010-05-17 23:18 . 2008-04-14 06:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS

2010-05-17 23:18 . 2010-05-17 23:01 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\InstallShield

2010-05-17 23:18 . 2008-04-14 06:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys

2010-05-17 23:17 . 2008-04-14 06:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys

2010-05-17 23:16 . 2008-08-15 18:10 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor

2010-05-17 23:13 . 2010-05-17 23:13 -------- d-----w- c:\windows\WebCam

2010-05-17 23:13 . 2008-04-14 11:42 53760 ----a-w- c:\windows\vfwwdm32.dll

2010-05-17 23:06 . 2010-05-17 23:06 -------- d---a-w- c:\windows\AcerStore

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-18 07:35 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-18 07:28 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Works

2010-05-17 23:29 . 2008-08-15 18:12 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-17 23:06 . 2004-09-21 21:28 3 ----a-w- c:\windows\HotFix.bat

2010-05-17 23:06 . 2004-06-26 00:13 139 ----a-w- c:\windows\HotFix2.bat

2010-05-17 23:03 . 2008-08-15 17:59 -------- d-----w- c:\program files\Realtek

2010-05-17 23:03 . 2008-08-15 18:15 -------- d-----w- c:\program files\Microsoft.NET

2010-05-17 23:03 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Office Suite Activation Assistant

2010-05-17 23:02 . 2008-08-15 17:37 -------- d-----w- c:\program files\microsoft frontpage

2010-05-17 23:02 . 2008-08-15 18:12 -------- d-----w- c:\program files\InterVideo

2010-05-17 23:02 . 2008-08-15 17:41 -------- d-----w- c:\program files\Intel

2010-05-17 23:02 . 2008-08-15 18:12 -------- d-----w- c:\program files\Common Files\InterVideo

2010-05-17 23:02 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-05-17 23:02 . 2008-08-15 17:58 -------- d-----w- c:\program files\Common Files\InstallShield

2010-05-17 23:02 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe

2010-05-17 23:02 . 2008-08-15 18:00 -------- d-----w- c:\program files\Atheros

2010-05-17 23:01 . 2010-05-17 23:19 -------- d-----w- c:\documents and settings\Perez\Application Data\InstallShield

2010-05-17 23:01 . 2008-08-15 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Atheros

2010-03-11 12:38 . 2010-03-11 12:38 78336 ------w- c:\windows\system32\ieencode.dll

2010-02-25 06:24 . 2007-08-14 01:54 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2008-04-15 03:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]

2010-05-17 23:25 157168 ----a-w- c:\documents and settings\All Users\Application Data\Partner\partner.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"M3000Mnt"="M3000Rmv.dll " [X]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]

"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]

"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-05-17 24064]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-05-18 04:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/17/2010 10:42 PM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/17/2010 10:41 PM 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [5/17/2010 10:40 PM 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/17/2010 10:39 PM 308064]

R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 10:01 AM 254976]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/17/2010 5:25 PM 24064]

S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [5/17/2010 5:29 PM 96856]

S3 Partner Service;Partner Service;c:\documents and settings\All Users\Application Data\Partner\partner.exe [5/17/2010 5:25 PM 110576]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3740)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\system volume information\_restore{d5fffa500b1b}\smss.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\igfxext.exe

c:\docume~1\Perez\LOCALS~1\Temp\RtkBtMnt.exe

.

**************************************************************************

.

Completion time: 2010-05-18 21:42:13 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-19 03:42

Pre-Run: 144,117,424,128 bytes free

Post-Run: 144,212,455,424 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 2641F1C78A7B30DFF13B2C6A0B49F795

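The ComboFix log above is conclusive because of one line: smss.exe running from System Volume Information instead of \windows\system32. A defender can check a DDS or ComboFix process list for that pattern mechanically, as in the added Python example below (not a tool from this thread or from Malwarebytes). It flags a core Windows binary name running outside its expected directory, any executable under System Volume Information, and executables running from Temp; the sample lines are constructed from paths in the posted logs, and the table of core binaries and their expected directories is my assumption for Windows XP.

```python
import re
from pathlib import PureWindowsPath

# Windows XP core binaries and the directory (below the drive root) that each
# legitimately runs from. One of these names anywhere else is a classic
# masquerade; the ComboFix log shows exactly that for smss.exe.
# Assumption: this table is mine, not drawn from the thread.
CORE_BINARIES = {
    "smss.exe": ("windows", "system32"),
    "csrss.exe": ("windows", "system32"),
    "winlogon.exe": ("windows", "system32"),
    "services.exe": ("windows", "system32"),
    "lsass.exe": ("windows", "system32"),
    "svchost.exe": ("windows", "system32"),
    "spoolsv.exe": ("windows", "system32"),
    "wscntfy.exe": ("windows", "system32"),
    "explorer.exe": ("windows",),
}

# Constructed sample in the style of the DDS "Running Processes" and ComboFix
# "Other Running Processes" sections, using paths from the logs in this thread.
SAMPLE_PROCESS_LIST = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\Explorer.EXE
c:\system volume information\_restore{d5fffa500b1b}\smss.exe
c:\windows\system32\wscntfy.exe
C:\WINDOWS\Temp\svchost.exe
C:\DOCUME~1\Perez\LOCALS~1\Temp\RtkBtMnt.exe
"""

# Image path followed by optional command-line arguments such as "-k netsvcs".
_IMAGE_RE = re.compile(r"^(.*?\.(?:exe|scr|com))(?:\s+.*)?$", re.IGNORECASE)


def image_path(line: str) -> str:
    """Return the process image path with any command-line arguments removed."""
    match = _IMAGE_RE.match(line)
    if match:
        return match.group(1)
    # DDS sometimes prints an image without its extension; cut at the first switch.
    return line.split(" -", 1)[0].strip()


def audit_image(path: str) -> list[str]:
    """List the reasons a single process image deserves a closer look (empty if none)."""
    image = PureWindowsPath(path)
    if image.parent == PureWindowsPath("."):
        # DDS lists some processes by bare name; there is nothing to verify.
        return ["no image path recorded, location cannot be verified"]
    name = image.name.lower()
    if not image.suffix:
        name += ".exe"  # assume an extension-less entry is an .exe
    reasons = []
    expected = CORE_BINARIES.get(name)
    parent_parts = tuple(part.lower() for part in image.parent.parts[1:])
    if expected is not None and parent_parts != expected:
        expected_dir = "\\".join(expected)
        reasons.append(
            f"{name} masquerades as a core binary: expected under \\{expected_dir}, "
            f"found in {image.parent}"
        )
    lowered = [part.lower() for part in image.parts]
    if "system volume information" in lowered:
        reasons.append("executable running from System Volume Information")
    if "temp" in lowered:
        reasons.append("executable running from a Temp directory")
    return reasons


def audit_process_list(text: str) -> dict[str, list[str]]:
    """Map each flagged image path in a DDS/ComboFix process list to its reasons."""
    findings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("=", "-", ".", "(")):
            continue  # blank lines and section separators
        path = image_path(line)
        reasons = audit_image(path)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit_process_list(SAMPLE_PROCESS_LIST).items():
        print(path)
        for reason in reasons:
            print("    " + reason)
```

Legitimate software does occasionally run from Temp (the RtkBtMnt.exe entry is flagged for review, not condemned), so treat the Temp finding as a prompt to check the file, while a core binary name outside \windows\system32 is a firm indicator.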

Hi,

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your Desktop.
    • Double click on the esetSmartInstallDesktopIcon.png icon on your Desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Check esetScanArchives.png
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the esetBack.png button.
  • Push esetFinish.png


I really appreciate your help but I already solved this.

This is what I did:

  1. Created a third partition with the exact size of PQSERVICE (4997MB)
  2. Copied PQSERVICE partition into the new partition
  3. Formatted PQSERVICE partition
  4. Copied the files again into PQSERVICE partition from the temporary created partition and deleted this one
  5. Resized the C: partition
  6. Repaired MBR from Acer original file stored on PQSERVICE
  7. Reinstalled from eRecovery

Now everything is running just fine!

Very interesting.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Restart your computer and let me know if any issues remain.

-screen317


Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.
