
Svchost malware?



For the past couple of weeks I've been noticing high CPU usage that is coming from the SVCHOST.exe process. When the CPU usage is high there is also unexplained network traffic. I've run scans with Microsoft Security Essentials and Malwarebytes. I have caught and (supposedly) removed some trojans, but nothing seems to stop the high CPU and unexplained network traffic.

I read the article "I'm infected - What do I do now?" by Malwarebytes. I followed the instructions and prepared the files attached to this post.

I could really use some help on getting rid of whatever I've got.

The instructions said to post the text from the file DDS.txt (see below) and attach some other files. Here goes...

Thanks in advance for any help you can provide,

John Kerwin, Sarasota, FL

Attachments: attach.zip, mbam-log-2011-09-14 (12-16-25).txt, protection-log-2011-09-14.txt, mbam-log-2011-09-13 (19-41-17).txt

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Owner at 17:34:34 on 2011-09-14

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.627 [GMT -4:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Digital Media Reader\readericon45G.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\system32\WDBtnMgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Logitech\QuickCam10\QuickCam10.exe

svchost.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\My Book\WD Backup\uBBMonitor.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\arservice.exe

C:\Program Files\Bonjour\mDNSResponder.exe

svchost.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Logitech\QuickCam10\COCIManager.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe

C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uSearch Bar = hxxp://www.google.com/ie

uStart Page = hxxp://www.google.com/ig?referrer=ign

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=4L-dffkFTJ6oOPPdVaoiViK0PWw

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ehTray] "c:\windows\ehome\ehtray.exe"

mRun: [CHotkey] "mHotkey.exe"

mRun: [showwnd] "showwnd.exe"

mRun: [readericon] "c:\program files\digital media reader\readericon45G.exe"

mRun: [Recguard] "%WINDIR%\SMINST\RECGUARD.EXE"

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"

mRun: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect

mRun: [WD Button Manager] "WDBtnMgr.exe"

mRun: [RegisterDropHandler] "c:\progra~1\textbr~1.0\bin\REGIST~1.EXE"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [hpqSRMon] "c:\program files\hp\digital imaging\bin\hpqSRMon.exe"

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"

mRun: [AlwaysReady Power Message APP] "ARPWRMSG.EXE"

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"

mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRunServices: [RegisterDropHandler] "c:\progra~1\textbr~1.0\bin\REGIST~1.EXE"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08d9 -f video -m logitech -d 10.5.1.2023

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdback~1.lnk - c:\program files\my book\wd backup\uBBMonitor.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: intuit.com\ttlc

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab

DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://24.111.67.210:88/SysCamInst.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1279928819890

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1 68.238.112.12

TCP: Interfaces\{52D270FC-43EC-4C80-B0B7-ED31E7F1F0E1} : DhcpNameServer = 192.168.1.1 68.238.112.12

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]

R1 MpKslc268a3f6;MpKslc268a3f6;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5f2f021-0e70-4db4-9a36-eea2e2fcfd60}\MpKslc268a3f6.sys [2011-9-14 28752]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-13 366152]

R2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-7-27 163840]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-13 22216]

S1 MpKsl1b9f9f65;MpKsl1b9f9f65;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee721cbf-d7e7-4c6d-8c0e-80decc8fe120}\mpksl1b9f9f65.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee721cbf-d7e7-4c6d-8c0e-80decc8fe120}\MpKsl1b9f9f65.sys [?]

S1 MpKsl911dceae;MpKsl911dceae;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{66f25797-2e66-49f5-9e2b-69c0d7fac3e8}\mpksl911dceae.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{66f25797-2e66-49f5-9e2b-69c0d7fac3e8}\MpKsl911dceae.sys [?]

S1 MpKslbea4d5d1;MpKslbea4d5d1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6bb848bf-402f-4cec-b50f-dd25605e18b5}\mpkslbea4d5d1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6bb848bf-402f-4cec-b50f-dd25605e18b5}\MpKslbea4d5d1.sys [?]

S1 MpKsld6dfdc38;MpKsld6dfdc38;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee721cbf-d7e7-4c6d-8c0e-80decc8fe120}\mpksld6dfdc38.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee721cbf-d7e7-4c6d-8c0e-80decc8fe120}\MpKsld6dfdc38.sys [?]

S2 gupdate1c9c4df932e6654;Google Update Service (gupdate1c9c4df932e6654);c:\program files\google\update\GoogleUpdate.exe [2009-4-24 133104]

S2 McDetect.exe;McAfee WSC Integration; [x]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-4-24 133104]

S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager; [x]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

S3 pmxscan;Memorex USB Kernel;c:\windows\system32\drivers\usbscan.sys [2006-12-25 15104]

S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2010-12-26 96488]

S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2010-12-26 12776]

S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2010-12-26 121576]

.

=============== Created Last 30 ================

.

2011-09-14 09:43:36 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5f2f021-0e70-4db4-9a36-eea2e2fcfd60}\MpKslc268a3f6.sys

2011-09-13 23:10:06 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-10 13:31:19 -------- d-----w- c:\documents and settings\owner.gateway\local settings\application data\AOL

2011-09-10 07:46:31 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e5f2f021-0e70-4db4-9a36-eea2e2fcfd60}\mpengine.dll

2011-09-09 01:27:20 -------- d-----w- c:\program files\WinPcap

2011-09-09 01:26:02 500712 ----a-w- c:\windows\system32\SKWHOIS.OCX

2011-09-05 16:57:07 -------- d-----w- c:\documents and settings\owner.gateway\application data\RegistryCleanerFree

2011-09-05 16:57:07 -------- d-----w- c:\documents and settings\all users\application data\RegistryCleanerFree

2011-09-05 13:34:56 -------- d-----w- C:\f2cb1b17c53ad087ad51e8

2011-09-05 13:11:58 -------- d-----w- c:\documents and settings\owner.gateway\application data\DriverCure

2011-09-05 13:11:57 -------- d-----w- c:\documents and settings\owner.gateway\application data\ParetoLogic

2011-09-05 13:11:41 -------- d-----w- c:\documents and settings\all users\application data\ParetoLogic

2011-09-03 12:43:29 -------- d-----w- c:\program files\VS Revo Group

2011-09-03 12:42:07 -------- d-----w- c:\documents and settings\owner.gateway\application data\GetRightToGo

2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll

2011-09-02 20:18:28 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-09-02 20:18:28 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-31 21:56:16 -------- d-----w- c:\program files\Microsoft IntelliType Pro

2011-08-16 21:14:12 -------- d-sh--w- c:\documents and settings\owner.gateway\local settings\application data\.#

.

==================== Find3M ====================

.

2011-09-10 07:55:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-07-19 09:05:24 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-07-19 06:40:05 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

.

============= FINISH: 17:36:35.76 ===============

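The post above asks whether CPU and network activity coming from svchost.exe is malicious. svchost.exe is only a host process: each instance runs the service group named by its -k argument (DcomLaunch, netsvcs, HPZ12 and the others visible in the DDS log), so the activity has to be attributed to a hosted service, and the svchost image itself has to be confirmed as the genuine one under %SystemRoot%\System32. The Python script below is an added example, not part of this thread, of DDS, or of the Malwarebytes instructions. It parses the output of `tasklist /svc /fo csv` and `netstat -ano` (both present on Windows XP Professional SP2 and later) and a PID-to-path map such as Process Explorer or `wmic process where "name='svchost.exe'" get ProcessId,ExecutablePath` would give, then reports, per svchost PID, the hosted services, any established connections to public addresses, and the reasons a reviewer should look closer. All PIDs, service lists, addresses and paths in the samples are constructed; one entry (PID 2840) is deliberately given a wrong path and no services so the checks have something to catch.

```python
"""Attribute svchost.exe network activity to the hosted service (added example)."""
import csv
import io
import ipaddress
import re
from collections import defaultdict

GENUINE_SVCHOST = r"c:\windows\system32\svchost.exe"  # adjust if %SystemRoot% differs

# Constructed `tasklist /svc /fo csv` sample; the -k groups mirror the DDS log.
TASKLIST_CSV = """\
"Image Name","PID","Services"
"svchost.exe","868","DcomLaunch,TermService"
"svchost.exe","944","RpcSs"
"svchost.exe","1036","AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,Schedule,wuauserv"
"svchost.exe","1120","Dnscache"
"svchost.exe","1180","LmHosts,SSDPSRV,WebClient"
"svchost.exe","1636","Pml Driver HPZ12"
"svchost.exe","2840","N/A"
"MsMpEng.exe","1304","MsMpSvc"
"iexplore.exe","3012","N/A"
"""

# Constructed `netstat -ano` sample; remote addresses are placeholders.
NETSTAT_TXT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    192.168.1.10:1054      65.55.12.249:80        ESTABLISHED     1036
  TCP    192.168.1.10:1077      93.184.216.34:443      ESTABLISHED     2840
  TCP    192.168.1.10:1080      74.125.225.4:80        ESTABLISHED     3012
  UDP    0.0.0.0:123            *:*                                    1036
"""

# Constructed PID -> image path (from Process Explorer or wmic). None = path not
# readable, which DDS shows as a bare "svchost.exe"; 2840 is a deliberately
# wrong path so the check has something to catch.
IMAGE_PATHS = {868: r"C:\WINDOWS\system32\svchost.exe", 944: r"C:\WINDOWS\system32\svchost.exe",
               1036: r"C:\WINDOWS\system32\svchost.exe", 1120: r"C:\WINDOWS\system32\svchost.exe",
               1180: None, 1636: r"C:\WINDOWS\system32\svchost.exe",
               2840: r"C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe"}

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_tasklist(csv_text):
    """Map PID -> (image name, [hosted services]) from `tasklist /svc /fo csv`."""
    procs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        services = [] if row["Services"] == "N/A" else row["Services"].split(",")
        procs[int(row["PID"])] = (row["Image Name"], services)
    return procs


def parse_netstat(text):
    """Parse `netstat -ano` rows; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:  # header and blank lines do not match
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "pid": int(pid)})
    return conns


def is_public(endpoint):
    """True when 'ip:port' names a routable address (not private/loopback/'*')."""
    try:
        ip = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified)


def triage_svchost(tasklist_csv, netstat_txt, image_paths):
    """One record per svchost.exe PID: services, public peers, reasons to look closer."""
    conns = defaultdict(list)
    for c in parse_netstat(netstat_txt):
        conns[c["pid"]].append(c)
    findings = {}
    for pid, (image, services) in parse_tasklist(tasklist_csv).items():
        if image.lower() != "svchost.exe":
            continue
        reasons = []
        path = image_paths.get(pid)
        if path is None:
            reasons.append("image path not readable; confirm it with Process Explorer")
        elif path.lower() != GENUINE_SVCHOST:
            reasons.append(f"image path is {path}, not {GENUINE_SVCHOST}")
        if not services:
            reasons.append("hosts no service; a genuine svchost always hosts at least one")
        peers = [c["remote"] for c in conns[pid]
                 if c["proto"] == "TCP" and c["state"] == "ESTABLISHED" and is_public(c["remote"])]
        if peers:
            reasons.append("established connections to " + ", ".join(peers))
        findings[pid] = {"path": path, "services": services, "peers": peers, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, f in sorted(triage_svchost(TASKLIST_CSV, NETSTAT_TXT, IMAGE_PATHS).items()):
        print(f"{pid:>5} {'REVIEW' if f['reasons'] else 'ok':6} services={','.join(f['services']) or '-'}")
        for r in f["reasons"]:
            print(f"        - {r}")
```

The output narrows the question from "svchost" to a service group. On XP the netsvcs group hosts Automatic Updates (wuauserv) and BITS, which is a common benign source of exactly this symptom (periodic high CPU plus download traffic), so an instance whose only finding is a connection from that group is a candidate to check against Windows Update activity before anything else. An instance with a non-System32 path or no hosted services is the case worth escalating. A bare "svchost.exe" in a DDS log means only that DDS could not read the path; it is not by itself a finding.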

  • Staff

Hi and welcome to Malwarebytes.

I do not think this is malware related, but let's check for malware first.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

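The reply above asks for a fresh DDS log so it can be reviewed. As an added example (not from Malwarebytes, from DDS, or from this thread), the script below performs the mechanical first pass a log reviewer makes over the "Running Processes" and "Pseudo HJT Report" sections: processes listed without an image path, autorun entries that name a bare executable (resolved by PATH search at logon, so the file actually launched has to be located), browser add-on entries whose file is gone, and ActiveX (DPF) controls fetched from a raw IP address rather than a hostname. A flag means "verify by hand", not "malicious". The excerpt is constructed from lines modeled on the first DDS log in this thread; the regular expressions assume the DDS line formats shown there, including its defanged hxxp:// URLs.

```python
"""Mechanical first pass over a DDS log: flag entries for manual verification
(added example; not part of DDS or of the Malwarebytes procedure)."""
import re

# Excerpt modeled on lines from the first DDS log in this thread. It is input
# for the checker; a flag means "verify by hand", not "malicious".
DDS_EXCERPT = [
    r"============== Running Processes ===============",
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    r"svchost.exe",
    r"c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe",
    r"============== Pseudo HJT Report ===============",
    r'mRun: [ehTray] "c:\windows\ehome\ehtray.exe"',
    r'mRun: [showwnd] "showwnd.exe"',
    r'mRun: [Recguard] "%WINDIR%\SMINST\RECGUARD.EXE"',
    r"mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe",
    r"TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File",
    r"DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://24.111.67.210:88/SysCamInst.cab",
    r"DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab",
    r"Trusted Zone: intuit.com\ttlc",
]

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^[umd]Run(?:Once|Services)?: \[[^\]]*\] (?P<cmd>.+)$")
ADDON_RE = re.compile(r"^(?:BHO|TB|EB): .* - No File$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} - (?P<url>\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def first_exe(cmd):
    """Executable named by an autorun command: the quoted token or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def review_dds(lines):
    """Return (check, line) pairs for entries a reviewer should verify by hand."""
    findings, section = [], None
    for line in lines:
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line or line == ".":
            continue
        if section == "Running Processes":
            if "\\" not in line:  # DDS could not read the image path
                findings.append(("process listed without image path", line))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = first_exe(m.group("cmd"))
            if "\\" not in exe:  # bare name: resolved by PATH search at logon
                findings.append(("autorun by bare filename", line))
            continue
        if ADDON_RE.match(line):
            findings.append(("orphaned browser add-on entry", line))
            continue
        m = DPF_RE.match(line)
        if m:
            host = re.match(r"hxxps?://([^/:]+)", m.group("url"))  # DDS defangs http
            if host and IPV4_RE.match(host.group(1)):
                findings.append(("ActiveX control fetched from a raw IP address", line))
    return findings


if __name__ == "__main__":
    for check, line in review_dds(DDS_EXCERPT):
        print(f"{check:45} {line}")
```

The bare-filename flag clears once the file is located and checked: the second DDS log in this thread shows C:\WINDOWS\mHotkey.exe and C:\WINDOWS\ARPWRMSG.EXE running, which is where OEM utilities registered by bare name are typically found. The raw-IP DPF flag is a prompt to confirm the control's origin and purpose, since a .cab served from an IP address cannot be tied to a vendor by name alone.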

First - I am very grateful for your help! John

I updated MBAM and ran it. The log is attached.

I downloaded ComboFix and followed the instructions. It took 43 minutes to run. The log is attached.

I am still getting notification that MBAM is blocking potentially malicious websites.

I ran DDS again and am pasting its results directly below, but attaching the "attach 20110918.zip" that came with it. (I renamed attach.zip so I could keep multiple copies.)

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Owner at 16:21:16 on 2011-09-18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.974 [GMT -4:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\WINDOWS\system32\ctfmon.exe

svchost.exe

C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\arservice.exe

C:\Program Files\Bonjour\mDNSResponder.exe

svchost.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\mHotkey.exe

C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

C:\Program Files\Digital Media Reader\readericon45G.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\system32\WDBtnMgr.exe

C:\Program Files\Logitech\QuickCam10\QuickCam10.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\ARPWRMSG.EXE

C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\My Book\WD Backup\uBBMonitor.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Logitech\QuickCam10\COCIManager.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/ig?referrer=ign

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=4L-dffkFTJ6oOPPdVaoiViK0PWw

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"

mRun: [ehTray] "c:\windows\ehome\ehtray.exe"

mRun: [CHotkey] "mHotkey.exe"

mRun: [showwnd] "showwnd.exe"

mRun: [readericon] "c:\program files\digital media reader\readericon45G.exe"

mRun: [Recguard] "%WINDIR%\SMINST\RECGUARD.EXE"

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"

mRun: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect

mRun: [WD Button Manager] "WDBtnMgr.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [hpqSRMon] "c:\program files\hp\digital imaging\bin\hpqSRMon.exe"

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"

mRun: [AlwaysReady Power Message APP] "ARPWRMSG.EXE"

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"

mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08d9 -f video -m logitech -d 10.5.1.2023

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdback~1.lnk - c:\program files\my book\wd backup\uBBMonitor.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: intuit.com\ttlc

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab

DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://24.111.67.210:88/SysCamInst.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1279928819890

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1 68.238.112.12

TCP: Interfaces\{52D270FC-43EC-4C80-B0B7-ED31E7F1F0E1} : DhcpNameServer = 192.168.1.1 68.238.112.12

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-13 366152]

R2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-7-27 163840]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-13 22216]

S1 MpKsl1b9f9f65;MpKsl1b9f9f65;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee721cbf-d7e7-4c6d-8c0e-80decc8fe120}\mpksl1b9f9f65.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee721cbf-d7e7-4c6d-8c0e-80decc8fe120}\MpKsl1b9f9f65.sys [?]

S1 MpKsl549af8a6;MpKsl549af8a6;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{15e02ba9-8b44-42c8-8ce5-439601475b1d}\mpksl549af8a6.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{15e02ba9-8b44-42c8-8ce5-439601475b1d}\MpKsl549af8a6.sys [?]

S1 MpKsl911dceae;MpKsl911dceae;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{66f25797-2e66-49f5-9e2b-69c0d7fac3e8}\mpksl911dceae.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{66f25797-2e66-49f5-9e2b-69c0d7fac3e8}\MpKsl911dceae.sys [?]

S1 MpKslbea4d5d1;MpKslbea4d5d1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6bb848bf-402f-4cec-b50f-dd25605e18b5}\mpkslbea4d5d1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6bb848bf-402f-4cec-b50f-dd25605e18b5}\MpKslbea4d5d1.sys [?]

S1 MpKsld6dfdc38;MpKsld6dfdc38;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee721cbf-d7e7-4c6d-8c0e-80decc8fe120}\mpksld6dfdc38.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee721cbf-d7e7-4c6d-8c0e-80decc8fe120}\MpKsld6dfdc38.sys [?]

S2 gupdate1c9c4df932e6654;Google Update Service (gupdate1c9c4df932e6654);c:\program files\google\update\GoogleUpdate.exe [2009-4-24 133104]

S2 McDetect.exe;McAfee WSC Integration; [x]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-4-24 133104]

S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager; [x]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

S3 pmxscan;Memorex USB Kernel;c:\windows\system32\drivers\usbscan.sys [2006-12-25 15104]

S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2010-12-26 96488]

S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2010-12-26 12776]

S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2010-12-26 121576]

.

=============== Created Last 30 ================

.

2011-09-18 19:37:38 -------- d-sha-r- C:\cmdcons

2011-09-18 19:34:22 98816 ----a-w- c:\windows\sed.exe

2011-09-18 19:34:22 518144 ----a-w- c:\windows\SWREG.exe

2011-09-18 19:34:22 256000 ----a-w- c:\windows\PEV.exe

2011-09-18 19:34:22 208896 ----a-w- c:\windows\MBR.exe

2011-09-17 21:40:56 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{15e02ba9-8b44-42c8-8ce5-439601475b1d}\mpengine.dll

2011-09-13 23:10:06 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-10 13:31:19 -------- d-----w- c:\documents and settings\owner.gateway\local settings\application data\AOL

2011-09-09 01:27:20 -------- d-----w- c:\program files\WinPcap

2011-09-09 01:26:02 500712 ----a-w- c:\windows\system32\SKWHOIS.OCX

2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

2011-09-05 16:57:07 -------- d-----w- c:\documents and settings\owner.gateway\application data\RegistryCleanerFree

2011-09-05 16:57:07 -------- d-----w- c:\documents and settings\all users\application data\RegistryCleanerFree

2011-09-05 13:34:56 -------- d-----w- C:\f2cb1b17c53ad087ad51e8

2011-09-05 13:11:58 -------- d-----w- c:\documents and settings\owner.gateway\application data\DriverCure

2011-09-05 13:11:57 -------- d-----w- c:\documents and settings\owner.gateway\application data\ParetoLogic

2011-09-05 13:11:41 -------- d-----w- c:\documents and settings\all users\application data\ParetoLogic

2011-09-03 12:43:29 -------- d-----w- c:\program files\VS Revo Group

2011-09-03 12:42:07 -------- d-----w- c:\documents and settings\owner.gateway\application data\GetRightToGo

2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll

2011-09-02 20:18:28 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-09-02 20:18:28 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-31 21:56:16 -------- d-----w- c:\program files\Microsoft IntelliType Pro

.

==================== Find3M ====================

.

2011-09-10 07:55:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-07-19 09:05:24 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-07-19 06:40:05 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

.

============= FINISH: 16:21:45.78 ===============

mbam-log-2011-09-18 (15-26-40).txt

ComboFix log 20110918.txt

attach 20110918.zip


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


Chris

Welcome back. I'd almost given up. My Mbam trial is already about to expire.

Problems still abound.

SVCHOST runs away with my machine(100% CPU).

Malwarebytes keeps trying to block outgoing traffic to malicious sites.

MSE just now found something else and wants me to reboot. (can't tell what it is till I reboot)

Since I started talking with you I've had 22 detections and removals. In some cases repeats of things like Trojan:JS/BlacoleRef.c, Trojandownloader: java/openconnection.oi, and multiple variants of JS/Blacole (.f.a.g.k)

Something keeps turning my windows firewall off and I can't restart unless I reboot.

I tried turning off Java script, but that didn't seem to do it.

Any help you can offer will be greatly appreciated.

John

I've run ESET multiple times.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=0a728d2ed1ffe643b9f2b7986c5a5f58

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-23 10:20:50

# local_time=2011-09-23 06:20:50 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 28734258 28734258 0 0

# compatibility_mode=5891 16776533 42 87 0 12740715 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=228780

# found=2

# cleaned=2

# scan_time=7004

C:\Documents and Settings\Owner.Gateway\My Documents\Downloads\RegistryCleanerFreeSetup.exe a variant of Win32/Adware.RealRegistryCleaner application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Owner.Gateway\My Documents\My Downloads\Setup_FreeFlvConverterN.exe Win32/Adware.Toolbar.Dealio application (deleted - quarantined) 00000000000000000000000000000000 C

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=0a728d2ed1ffe643b9f2b7986c5a5f58

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-24 12:06:26

# local_time=2011-09-23 08:06:26 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 28741676 28741676 0 0

# compatibility_mode=5891 16776533 42 87 0 12748133 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=232624

# found=0

# cleaned=0

# scan_time=5923

esets_scanner_update returned -1 esets_gle=1

esets_scanner_update returned -1 esets_gle=1

esets_scanner_update returned -1 esets_gle=1

esets_scanner_update returned -1 esets_gle=1

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=0a728d2ed1ffe643b9f2b7986c5a5f58

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-09-24 04:35:03

# local_time=2011-09-24 12:35:03 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 28793183 28793183 0 0

# compatibility_mode=5891 16776533 42 87 0 12799640 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=235042

# found=2

# cleaned=2

# scan_time=13732

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\36\364826e4-39e73154 a variant of Java/Agent.DO trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Owner.Gateway\My Documents\My Downloads\Adobe Premiere Pro 7.0 (With Key).ISO multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=0a728d2ed1ffe643b9f2b7986c5a5f58

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-24 10:58:42

# local_time=2011-09-24 06:58:42 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 28820957 28820957 0 0

# compatibility_mode=5891 16776533 42 87 0 12827414 0 0

# compatibility_mode=8192 67108863 100 0 488 488 0 0

# scanned=247834

# found=0

# cleaned=0

# scan_time=8978

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=0a728d2ed1ffe643b9f2b7986c5a5f58

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-25 02:04:11

# local_time=2011-09-24 10:04:11 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 28832200 28832200 0 0

# compatibility_mode=5891 16776533 42 87 0 12838657 0 0

# compatibility_mode=8192 67108863 100 0 11731 11731 0 0

# scanned=251631

# found=0

# cleaned=0

# scan_time=8863

======================== Here is Checkup.txt ==============

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

Microsoft Security Essentials

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 27

Java 6 Update 13

Out of date Java installed!

Flash Player Out of Date!

Adobe Flash Player 10.0.32.18

Adobe Reader X (10.1.1)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

Microsoft Security Essentials msseces.exe

Microsoft Security Client Antimalware MsMpEng.exe

``````````End of Log````````````

=================================

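The ESET Online Scanner output pasted above is a series of "# key=value" runs with detection lines between them, and the counters are easy to misread across several runs. As an added example (not ESET's or the forum's own tooling), the Python below splits such a paste into runs, reads each run's counters and detection lines, and reports totals plus anything worth a second look; SAMPLE_LOG is a constructed log in the same format, and the split between file path and threat name on a space-collapsed line is a heuristic on known ESET threat-name prefixes.

```python
"""Parser for concatenated ESET Online Scanner logs ('# key=value' runs).
Added example, not ESET's own tooling.  SAMPLE_LOG is constructed in the
thread's format: ESET writes detection fields tab-separated and a forum
paste collapses the tabs to spaces, so both layouts are handled."""
import re
from collections import Counter

# where the threat description starts once the tabs have become spaces
THREAT_START = re.compile(r"\s(?=(?:a variant of |probably |multiple threats|"
                          r"(?:Win32|Win64|Java|JS|HTML|MSIL|VBS|Android)/))")
# trailing "(action) <32-hex hash> <flag>" of a detection line
ACTION_TAIL = re.compile(r"\s*\((?P<action>[^)]*)\)\s*(?:[0-9A-Fa-f]{32})?\s*\S*$")


def parse_detection(line):
    """Return {'path', 'threat', 'action'} for one detection line."""
    m = ACTION_TAIL.search(line)
    if not m:
        raise ValueError(f"not a detection line: {line!r}")
    head = line[: m.start()]
    if "\t" in head:                              # pristine log: tab-separated
        path, threat = head.split("\t", 1)
    else:                                         # forum paste: tabs became spaces
        s = THREAT_START.search(head)
        if not s:
            raise ValueError(f"cannot split path from threat: {line!r}")
        path, threat = head[: s.start()], head[s.end():]
    return {"path": path.strip(), "threat": threat.strip(), "action": m.group("action")}


def parse_eset_log(text):
    """Split the log at each '# version=' header into runs of
    {'meta': {...}, 'detections': [...], 'update_errors': n}."""
    runs, run, pending_errors = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# version="):
            run = {"meta": {}, "detections": [], "update_errors": pending_errors}
            pending_errors = 0
            runs.append(run)
        elif line.startswith("esets_scanner_update returned"):
            pending_errors += 1                   # logged ahead of the next run's header
            continue
        if run is None or not line:
            continue                              # installer preamble / blank lines
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            if key in run["meta"]:                # repeated keys (compatibility_mode) -> list
                prev = run["meta"][key]
                run["meta"][key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                run["meta"][key] = value
        elif re.match(r"[A-Za-z]:\\", line):
            run["detections"].append(parse_detection(line))
    return runs


def threat_family(threat):
    # 'a variant of Java/Agent.DO trojan' -> 'Java'; 'multiple threats' -> 'multiple'
    m = re.search(r"\b([A-Za-z0-9]+)/", threat)
    return m.group(1) if m else threat.split()[0]


def summarize(runs):
    """Totals across runs, plus what deserves a second look: runs whose detection
    lines disagree with their own found= counter, and detections not deleted/cleaned."""
    def counter(key):
        return sum(int(r["meta"].get(key, 0)) for r in runs)
    return {
        "runs": len(runs),
        "found": counter("found"),
        "cleaned": counter("cleaned"),
        "count_mismatch": [i for i, r in enumerate(runs)
                           if len(r["detections"]) != int(r["meta"].get("found", 0))],
        "not_removed": [d["path"] for r in runs for d in r["detections"]
                        if not re.search(r"deleted|cleaned", d["action"])],
        "families": dict(Counter(threat_family(d["threat"])
                                 for r in runs for d in r["detections"])),
        "update_errors": sum(r["update_errors"] for r in runs),
    }


SAMPLE_LOG = """\
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# compatibility_mode=1024 16777215 100 0 28734258 28734258 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# found=3
# cleaned=3
C:\\Documents and Settings\\Owner.Gateway\\My Documents\\Downloads\\RegistryCleanerFreeSetup.exe a variant of Win32/Adware.RealRegistryCleaner application (deleted - quarantined) 00000000000000000000000000000000 C
C:\\Documents and Settings\\Owner.Gateway\\My Documents\\My Downloads\\Adobe Premiere Pro 7.0 (With Key).ISO multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\\Documents and Settings\\NetworkService\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\36\\364826e4-39e73154\ta variant of Java/Agent.DO trojan\t(deleted - quarantined)\t00000000000000000000000000000000\tC
esets_scanner_update returned -1 esets_gle=53251
# version=7
# found=0
# cleaned=0
"""
```

Feed summarize(parse_eset_log(text)) the whole pasted block; a non-empty count_mismatch or not_removed list is the cue that a run's log and its counters should be compared by hand.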

  • Staff

Hi,

Please download ATF Cleaner by Atribune from here, and save it to your Desktop.

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the whole lot, check Select All.

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

Grab a fresh copy of ComboFix, run it, and post its log (don't attach it; use multiple posts if necessary).


Chris,

Thanks for your help.

I ran ATF-Cleaner and removed everything except history and cookies. I think it was 463MB deleted.

I got a new copy of ComboFix and ran it. Log is pasted below.

I turned my anti-virus back on after ComboFix (MSE and Mbam).

I ran a Mbam quick scan and posted its (negative) results at the end of this post.

SVCHOST.exe is beginning to act up as I write this. One instance (of 14) of SVChost.exe now has about 70% of my CPU and MEM Usage at 552,000K.

John

==========================

ComboFix 11-09-28.04 - Owner 09/28/2011 18:12:10.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1319 [GMT -4:00]

Running from: c:\documents and settings\Owner.Gateway\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Owner.Gateway\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\Owner.Gateway\Local Settings\Application Data\ApplicationHistory\ehExtHost.exe.fa7bea74.ini

c:\documents and settings\Owner.Gateway\Local Settings\Application Data\ApplicationHistory\ehExtHost.exe.fa7bea74.ini.inuse

c:\documents and settings\Owner.Gateway\Local Settings\Application Data\ApplicationHistory\ehshell.exe.a87fcbb.ini

c:\windows\system32\d3d9caps.dat

.

.

((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-28 )))))))))))))))))))))))))))))))

.

.

2011-09-28 21:55 . 2011-09-28 21:55 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{36B98945-35F0-40EF-9AEF-81216B8E247C}\MpKsl5af43f8a.sys

2011-09-28 21:55 . 2011-09-28 21:55 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{36B98945-35F0-40EF-9AEF-81216B8E247C}\offreg.dll

2011-09-28 10:12 . 2011-09-12 23:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{36B98945-35F0-40EF-9AEF-81216B8E247C}\mpengine.dll

2011-09-26 23:10 . 2011-09-26 23:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-25 21:08 . 2011-09-25 21:08 -------- d-----w- c:\windows\system32\Adobe

2011-09-23 20:20 . 2011-09-23 20:20 -------- d-----w- c:\program files\ESET

2011-09-20 01:18 . 2011-09-20 01:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple

2011-09-13 23:10 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-11 17:35 . 2011-09-11 17:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2011-09-10 13:31 . 2011-09-10 13:31 -------- d-----w- c:\documents and settings\Owner.Gateway\Local Settings\Application Data\AOL

2011-09-09 12:28 . 2011-09-09 12:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

2011-09-09 12:28 . 2011-09-09 12:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-09-09 01:27 . 2011-09-09 01:27 -------- d-----w- c:\program files\WinPcap

2011-09-09 01:26 . 2007-08-04 21:11 500712 ----a-w- c:\windows\system32\SKWHOIS.OCX

2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

2011-09-05 16:57 . 2011-09-05 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\RegistryCleanerFree

2011-09-05 16:57 . 2011-09-05 16:57 -------- d-----w- c:\documents and settings\Owner.Gateway\Application Data\RegistryCleanerFree

2011-09-05 13:34 . 2011-09-05 13:35 -------- d-----w- C:\f2cb1b17c53ad087ad51e8

2011-09-05 13:11 . 2011-09-05 13:11 -------- d-----w- c:\documents and settings\Owner.Gateway\Application Data\DriverCure

2011-09-05 13:11 . 2011-09-05 13:11 -------- d-----w- c:\documents and settings\Owner.Gateway\Application Data\ParetoLogic

2011-09-05 13:11 . 2011-09-05 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2011-09-05 00:50 . 2011-09-05 00:50 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer

2011-09-04 11:18 . 2011-09-04 11:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-09-03 12:43 . 2011-09-03 12:43 -------- d-----w- c:\program files\VS Revo Group

2011-09-03 12:42 . 2011-09-05 17:18 -------- d-----w- c:\documents and settings\Owner.Gateway\Application Data\GetRightToGo

2011-09-03 10:17 . 2011-09-03 10:17 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll

2011-09-02 20:18 . 2011-09-02 20:18 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-31 21:56 . 2011-09-02 20:40 -------- d-----w- c:\program files\Microsoft IntelliType Pro

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-12 23:14 . 2010-10-16 12:40 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-09-03 10:17 . 2006-06-17 09:23 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-07-19 09:05 . 2010-04-16 12:30 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-07-19 06:40 . 2010-04-16 12:30 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-07-15 13:29 . 2006-06-17 09:23 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-13 03:39 . 2011-08-10 01:35 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll

2011-07-08 14:02 . 2006-06-17 09:23 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"CHotkey"="mHotkey.exe" [2004-12-09 550912]

"showwnd"="showwnd.exe" [2003-09-19 36864]

"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"nwiz"="nwiz.exe" [2009-01-15 1657376]

"WD Button Manager"="WDBtnMgr.exe" [2010-06-20 339968]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 614960]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]

"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 497200]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-05 7393280]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-02-03 435736]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2006-12-25 98304]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]

"BluetoothAuthenticationAgent"="rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

"InstantAccess"="c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE" /h

"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe"

"ledpointer"="CNYHKey.exe"

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=

"c:\\Documents and Settings\\Owner.Gateway\\My Documents\\My Downloads\\PC Games - Microsoft Combat Flight Simulator\\COMBATFS.EXE"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Verizon\\Verizon Media Manager\\Release\\Verizon Media Manager.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 25680]

R1 MpKsl5af43f8a;MpKsl5af43f8a;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{36B98945-35F0-40EF-9AEF-81216B8E247C}\MpKsl5af43f8a.sys [9/28/2011 5:55 PM 28752]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/13/2011 7:10 PM 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/13/2011 7:10 PM 22216]

S1 MpKsl1b9f9f65;MpKsl1b9f9f65;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EE721CBF-D7E7-4C6D-8C0E-80DECC8FE120}\MpKsl1b9f9f65.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EE721CBF-D7E7-4C6D-8C0E-80DECC8FE120}\MpKsl1b9f9f65.sys [?]

S1 MpKsl549af8a6;MpKsl549af8a6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{15E02BA9-8B44-42C8-8CE5-439601475B1D}\MpKsl549af8a6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{15E02BA9-8B44-42C8-8CE5-439601475B1D}\MpKsl549af8a6.sys [?]

S1 MpKsl911dceae;MpKsl911dceae;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66F25797-2E66-49F5-9E2B-69C0D7FAC3E8}\MpKsl911dceae.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66F25797-2E66-49F5-9E2B-69C0D7FAC3E8}\MpKsl911dceae.sys [?]

S1 MpKslbea4d5d1;MpKslbea4d5d1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BB848BF-402F-4CEC-B50F-DD25605E18B5}\MpKslbea4d5d1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BB848BF-402F-4CEC-B50F-DD25605E18B5}\MpKslbea4d5d1.sys [?]

S1 MpKsld6dfdc38;MpKsld6dfdc38;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EE721CBF-D7E7-4C6D-8C0E-80DECC8FE120}\MpKsld6dfdc38.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EE721CBF-D7E7-4C6D-8C0E-80DECC8FE120}\MpKsld6dfdc38.sys [?]

S2 gupdate1c9c4df932e6654;Google Update Service (gupdate1c9c4df932e6654);c:\program files\Google\Update\GoogleUpdate.exe [4/24/2009 9:21 AM 133104]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/24/2009 9:21 AM 133104]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]

S3 pmxscan;Memorex USB Kernel;c:\windows\system32\drivers\usbscan.sys [12/25/2006 9:09 PM 15104]

S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [12/26/2010 5:31 PM 96488]

S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [12/26/2010 5:31 PM 12776]

S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [12/26/2010 5:31 PM 121576]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPKSL5AF43F8A

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

.

2011-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-24 13:21]

.

2011-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-24 13:21]

.

2007-01-03 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

.

2011-09-28 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig?referrer=ign

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=4L-dffkFTJ6oOPPdVaoiViK0PWw

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

Trusted Zone: intuit.com\ttlc

DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://24.111.67.210:88/SysCamInst.cab

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-28 18:25

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1727FC36-5D3D-4896-9DEE-AFE8A6A530BF}\Version*Version]

"Version"=hex:ac,6b,4e,f9,2e,07,46,fc,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,

30,18,29,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,30,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

"Version"=hex:55,61,9f,37,65,88,11,1a,58,a6,9a,6e,51,6b,41,23,6c,ac,11,58,a6,

3e,8b,ee,83,40,1c,77,75,93,1e,a3,84,5b,03,7c,5f,b1,f3,5f,91,a1,42,d8,dd,36,\

.

Completion time: 2011-09-28 18:31:19

ComboFix-quarantined-files.txt 2011-09-28 22:31

ComboFix2.txt 2011-09-18 20:16

.

Pre-Run: 51,853,185,024 bytes free

Post-Run: 51,819,622,400 bytes free

.

- - End Of File - - A9CD932D009F1EEAE6303DE3FE376982

=====================

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7814

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/28/2011 6:52:04 PM

mbam-log-2011-09-28 (18-52-04).txt

Scan type: Quick scan

Objects scanned: 221226

Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:


Chris,

I already had Process Explorer, but didn't appreciate what I could do with it.

I waited for the "signature" of my problem to appear... (runaway CPU associated with svchost.exe process)

I snapped several screenshots of the threads associated with svchost.exe. One of those screenshots is attached. I picked a handful of the high CPU threads to grab the stack information for those threads. I'm not sure what it all means, but I put the stack information in a notepad file and have pasted it below in hopes that you will recognize something.

Stack information for threads using High CPU in SVCHOST.exe

Thread 7964

ntkrnlpa.exe!HalPrivateDispatchTable+0x26

ntkrnlpa.exe!RtlAnsiCharToUnicodeChar+0x3e

ntdll.dll!KiFastSystemCallRet

ntdll.dll!RtlGUIDFromString+0x283

ntdll.dll!RtlGUIDFromString+0x2c1

ntdll.dll!RtlGUIDFromString+0x383

ntdll.dll!RtlGUIDFromString+0x35a

kernel32.dll!GetModuleFileNameA+0x1ba

Thread 4120

ntkrnlpa.exe+0x6ea1b

ntkrnlpa.exe!MmIsDriverVerifying+0xb9a

ntkrnlpa.exe!MmIsDriverVerifying+0x147c

ntkrnlpa.exe!NtWriteFile+0x6c85

ntkrnlpa.exe!KeSynchronizeExecution+0x2bc

ntdll.dll!KiFastSystemCallRet

kernel32.dll!GetModuleFileNameA+0x1ba

Thread 5760

ntkrnlpa.exe!NtBuildNumber+0x33

ntkrnlpa.exe!MmIsDriverVerifying+0xb9a

ntkrnlpa.exe!MmIsDriverVerifying+0x147c

ntkrnlpa.exe!NtWriteFile+0x6c85

ntkrnlpa.exe!KeSynchronizeExecution+0x2bc

ntdll.dll!KiFastSystemCallRet

kernel32.dll!GetModuleFileNameA+0x1ba

Thread 1528

ntkrnlpa.exe!HalPrivateDispatchTable+0x26

ntkrnlpa.exe!RtlAnsiCharToUnicodeChar+0x3e

ntdll.dll!KiFastSystemCallRet

kernel32.dll!GetModuleFileNameA+0x1ba

By the way, since I last posted with you, MSE says it found and removed Exploit:Java/CVE-2010-08040.EW twice in back-to-back full scans.

Subsequently, I downloaded PCTools AV free and ran a full scan. It claims to have found and removed Rootkit: TDSS.V2

Nothing seems to REALLY get rid of whatever I have.

Thanks again for your help.

John


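The dump above was captured without symbols configured, so Process Explorer shows the nearest exported symbol plus an offset; the module backing each frame is the more useful signal. Below is an added triage helper (not from this thread or from Malwarebytes) that parses text in that layout and flags frames outside a constructed allowlist of Windows system images; thread 7964 is taken from the dump, while thread 9999, its bare address and unknownmod.dll are constructed to exercise the flagging path.

```python
import re
from collections import OrderedDict

# Constructed allowlist: Windows XP system images a svchost.exe thread is expected to run in.
KNOWN_SYSTEM_MODULES = {"ntkrnlpa.exe", "ntoskrnl.exe", "ntdll.dll", "kernel32.dll",
                        "hal.dll", "rpcrt4.dll", "advapi32.dll", "user32.dll"}

# Constructed sample in the same layout as the pasted dump: thread 7964 is copied from it;
# thread 9999 is hypothetical and carries an unbacked address plus an unknown module.
SAMPLE_DUMP = """Thread 7964
ntkrnlpa.exe!HalPrivateDispatchTable+0x26
ntkrnlpa.exe!RtlAnsiCharToUnicodeChar+0x3e
ntdll.dll!KiFastSystemCallRet
kernel32.dll!GetModuleFileNameA+0x1ba

Thread 9999
ntdll.dll!KiFastSystemCallRet
0x00a31c2f
unknownmod.dll!DoWork+0x12
kernel32.dll!GetModuleFileNameA+0x1ba
"""

THREAD_RE = re.compile(r"^Thread\s+(\d+)\s*$")
# Frames look like module!symbol+0xoff or module+0xoff; a bare address has no backing module.
FRAME_RE = re.compile(r"^([^\s!+]+\.(?:exe|dll|sys))(?:[!+].*)?$", re.IGNORECASE)


def parse_stacks(text):
    """Group frames by thread id; each frame becomes its module name (None if unbacked)."""
    stacks = OrderedDict()
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = THREAD_RE.match(line)
        if m:
            current = int(m.group(1))
            stacks[current] = []
        elif current is not None:
            fm = FRAME_RE.match(line)
            stacks[current].append(fm.group(1).lower() if fm else None)
    return stacks


def triage(text, known=KNOWN_SYSTEM_MODULES):
    """Per thread, list frames worth a closer look: unknown modules or unbacked addresses."""
    return {
        tid: ["<no module>" if mod is None else mod for mod in mods if mod not in known]
        for tid, mods in parse_stacks(text).items()
    }
```

A thread whose frames all sit in system images, like 7964, tells you little on its own; a frame with no backing module or in an image that is not part of Windows is what merits pulling that module for further analysis.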

  • Staff

Hi,

Click Start --> Run, and type in msconfig.exe

Click the Startup tab, then click Disable all...

Click OK.

Restart your computer and use it normally for a bit, and let me know if the problem persists. If not, that means one or more of your items running on startup are to blame. If the problem still persists, we will attempt other avenues of troubleshooting.

Let me know how it goes.

-screen317


Chris,

I did 5 things before doing the "disable all" using Msconfig.

1) Using MSE, I detected and removed 2 occurrences of Exploit:Java/CVE-2010-0840.MR and .P found in C:\Windows\Temp

2) I manually removed all c:\Windows\Temp\Jar_cache** files

3) I installed Windows update KB2570947

4) I installed Windows update KB2616676 V-2

5) Using MSE, I detected and removed Exploit:Java/CVE-2010-0840.MS

I then ran MSconfig and disabled all startup programs and rebooted.

I then ran my PC normally for almost 4 hours without seeing the signature of the svchost problem I've had for over a month.

I then ran MSconfig again and ENABLED all the startup programs and rebooted.

I then ran my PC normally for 3-1/2 hours WITHOUT seeing the signature of the svchost problem.

For whatever reason the problem seems like it just disappeared! My thought is that one of the 5 things I did prior to using msconfig got rid of the problem. The most likely one being update KB2570947 which was a fix for a problem somewhat similar to the one I had.

Any thoughts on what I should do next?

John


  • Staff

Great news John! Looks like that Windows Update fixed the issue.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

ClearJavaCache::

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317


Chris,

I tried to paste the Combofix and DDS log (but NOT the attach.txt log), but it made the post too long. I zipped up the combofix and DDS logs. The ZIP is attached to this post.

It's been almost 4 days now without any indication of the problem I had. You've been great sticking this out with me... Thank you.

If you don't see any problems with the logs, do we call it "clean"? In the beginning of this I remember using something called "defogger" to disable something, and instructions not to re-enable till told to do so. Let me know what to do about that.

Thank you again. Here are the logs.

John

Combofix and dds.zip


  • Staff

Hi,

Things are looking good!

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program(s) (if present):

ESET Online Scanner v3

Java™ 6 Update 27

Java™ 6 Update 13

Adobe Flash Player 10.0.32.18

Restart your computer.

Get the latest version of Java and Adobe Flash Player.

Let me know what issues remain.

-screen317


Chris,

I did the cleanup tasks as instructed and have run the machine for a couple of hours looking for issues to report.

I have NOT seen any indication of my runaway svchost.exe process or Java exploit infections since I reported apparent success in my post on 10/9/2011.

I have been running the PC for about 15 hours each day since 10/9 and have had no issues at all. Daily full scans using MSE have produced nothing since the last detection and removal of Java/CVE-2010-0840.MS at 6:25PM on 10/8/2011.

What's next?

John


  • Staff

Great news!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
