suspicious process running


I found a suspicious process running that cannot be stopped. It is 562369446:1508670174.exe.

I cannot give you the Malwarebytes log file because the program terminates before finishing, just like all my antivirus programs. I have attached the zip file.

This is the dds.txt:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Run by John at 15:00:48 on 2011-10-02

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1503 [GMT -4:00]

.

AV: AVG Anti-Virus 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\562369446:1508670174.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

D:\Program Files\SUPERAntiSpyware\SASCORE.EXE

D:\Program Files\ABBYY FineReader 9.0\NetworkLicenseServer.exe

C:\Program Files\AVG\AVG2012\avgwdsvc.exe

D:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\snmp.exe

D:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG2012\avgnsx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\ctfmon.exe

.

============== Pseudo HJT Report ===============

.

mWindow Title = Windows Internet Explorer provided by Comcast

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File

TB: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File

TB: {338B4DFE-2E2C-4338-9E41-E176D497299E} - No File

TB: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [HijackThis startup scan] d:\program files\trendmicro\hijackthis\HijackThis.exe /startupscan

uRun: [DoubleMySpeed Registry Cleaner] "c:\program files\cyberdefender\registry cleaner\CDregclean.exe"

mRun: [soundMan] SOUNDMAN.EXE

uPolicies-explorer: NoResolveTrack = 1 (0x1)

mPolicies-explorer: NoResolveTrack = 1 (0x1)

IE: Crawler Search

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll

LSP: mswsock.dll

Trusted Zone: acura.com

Trusted Zone: ahm-ownerlink.com

Trusted Zone: ahmdealer.com

Trusted Zone: honda.com

Trusted Zone: xmradio.com

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

TCP: DhcpNameServer = 167.206.245.130 167.206.245.129

TCP: Interfaces\{BE920253-97EE-44E3-B9A4-3A2A568A4E9F} : DhcpNameServer = 167.206.245.130 167.206.245.129

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL

LSA: Notification Packages = scecli yorupota.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\98zm6ans.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2882843&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - Bing

FF - prefs.js: browser.startup.homepage - hxxp://google.com/

FF - prefs.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\98zm6ans.default\extensions\{49e47062-e81f-4758-892a-2373f9e0db3b}\components\RadioWMPCore.dll

FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\98zm6ans.default\extensions\{49e47062-e81f-4758-892a-2373f9e0db3b}\components\RadioWMPCoreGecko19.dll

FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\98zm6ans.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\98zm6ans.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll

FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll

FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\documents and settings\john\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\john\application data\mozilla\firefox\profiles\98zm6ans.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll

FF - plugin: c:\documents and settings\john\local settings\application data\google\update\1.3.21.71\npGoogleUpdate3.dll

FF - plugin: c:\documents and settings\john\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\3.0.50106.0\npctrlui.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: d:\program files\java\jre6\bin\new_plugin\npjp2.dll

FF - plugin: d:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: d:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: d:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll

FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll

FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll

FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll

FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll

FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll

FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll

FF - plugin: d:\program files\videolan\vlc\npvlc.dll

.

---- FIREFOX POLICIES ----

FF - user.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=

FF - user.js: keyword.enabled - 1

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-7-11 32464]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-10-1 64512]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]

R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]

R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 67664]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-7-12 142592]

R2 !SASCORE;SAS Core Service;d:\program files\superantispyware\SASCORE.EXE [2010-7-1 116608]

R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 Licensing Service;d:\program files\abbyy finereader 9.0\NetworkLicenseServer.exe [2007-11-2 566560]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]

R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [2009-7-12 28672]

S0 mwrbkjrw;mwrbkjrw;c:\windows\system32\drivers\mwrbkjrw.sys [2010-6-9 0]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-1 5265248]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]

S3 ALI5261;ALi Based Ethernet NT Driver;c:\windows\system32\drivers\ALI5261.SYS [2009-7-12 27678]

S3 AsAudioDevice_349;AsAudioDevice_349;c:\windows\system32\drivers\AsAudioDevice_349.sys [2010-4-27 16640]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-14 135664]

S3 hxctlflt;hxctlflt;c:\windows\system32\drivers\hxctlflt.sys [2011-7-23 99968]

S3 PAC7311;VGA USB Camera;c:\windows\system32\drivers\PA707UCM.SYS [2010-9-19 530304]

S3 SASENUM;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-14 135664]

.

=============== Created Last 30 ================

.

2011-10-02 13:07:59 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-10-02 13:07:55 -------- d-----w- c:\documents and settings\john\application data\Malwarebytes

2011-10-02 13:07:50 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-10-02 13:07:41 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-01 15:23:24 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-10-01 15:22:36 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-10-01 12:08:19 -------- d-----w- c:\documents and settings\all users\application data\SecTaskMan

2011-09-30 15:34:06 -------- d--h--w- C:\$AVG

2011-09-30 15:32:26 -------- d-----w- c:\documents and settings\john\application data\AVG2012

2011-09-30 15:31:54 -------- d--h--w- c:\documents and settings\all users\application data\Common Files

2011-09-30 15:31:21 -------- d-----w- c:\windows\system32\drivers\AVG

2011-09-30 15:31:21 -------- d-----w- c:\documents and settings\all users\application data\AVG2012

2011-09-30 15:30:54 -------- d-----w- c:\program files\AVG

2011-09-30 15:28:51 -------- d-----w- c:\documents and settings\all users\application data\MFAData

2011-09-29 15:24:21 -------- d-----w- c:\documents and settings\john\application data\CyberDefender

2011-09-29 15:24:12 -------- d-----w- c:\program files\CyberDefender

2011-09-19 02:37:09 200704 ----a-w- c:\windows\system32\vbalExpBar6.ocx

2011-09-19 02:37:09 15360 ----a-w- c:\windows\system32\inetfr.DLL

2011-09-19 02:37:08 484352 ----a-w- c:\windows\system32\lame_enc.dll

2011-09-19 02:37:08 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL

2011-09-19 02:37:08 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL

2011-09-19 02:37:08 119568 ----a-w- c:\windows\system32\VB6FR.DLL

2011-09-19 02:37:08 -------- d-----w- c:\program files\Free Easy CD DVD Burner

2011-09-19 02:37:08 -------- d-----w- c:\documents and settings\john\application data\FreeBurner

2011-09-05 17:35:16 -------- d-----w- c:\program files\MetaStream

2011-09-05 12:51:37 19569 ----a-w- c:\windows\003217_.tmp

.

==================== Find3M ====================

.

2011-09-26 00:47:21 60416 ----a-w- c:\windows\ALCFDRTM.VER

2011-07-11 05:14:38 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2011-07-11 05:14:30 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys

2011-07-11 05:14:28 24272 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys

2011-07-11 05:14:28 23120 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys

2011-07-11 05:14:26 134608 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys

2011-07-11 05:13:46 229840 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2011-07-11 05:13:42 32464 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2011-07-07 15:11:05 75136 ----a-w- c:\windows\system32\PnkBstrA.exe

.

============= FINISH: 15:01:08.15 ===============

Attach.zip
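An added triage script, not part of the original thread and not a Malwarebytes tool, that parses a DDS log and flags the kinds of entries visible in the log above: a running-process path that contains a second colon, which on an NTFS volume means the executable is stored in a named alternate data stream of another file; a registered boot-start driver whose file size DDS reports as 0; an entry in LSA Notification Packages other than the stock scecli; a hosts-file line pinning a host name to loopback; and an AV product reporting itself disabled. The sample input is excerpted from the log in the post; the rule names, the function names, and the assumption that scecli is the only expected LSA package are mine.

```python
"""Triage a DDS log for the indicator patterns discussed above.

Added example: not a Malwarebytes or DDS component. SAMPLE_DDS is excerpted
from the DDS output in the post; the rules are an illustration, not a verdict.
"""
import re

SAMPLE_DDS = r"""
AV: AVG Anti-Virus 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\562369446:1508670174.exe
C:\WINDOWS\Explorer.EXE
============== Pseudo HJT Report ===============
LSA: Notification Packages = scecli yorupota.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-10-1 64512]
S0 mwrbkjrw;mwrbkjrw;c:\windows\system32\drivers\mwrbkjrw.sys [2010-6-9 0]
"""

SECTION_HDR = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# DDS service line: <R|S><start type> name;description;path [date size]
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$"
)
HOSTS_LINE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
LSA_LINE = re.compile(r"^LSA: Notification Packages = (?P<pkgs>.+)$")
AV_LINE = re.compile(r"^AV: (?P<product>.+?) \*(?P<status>[^*]+)\*")

# Assumption: stock Windows XP has only scecli here; anything else is worth a look.
DEFAULT_LSA_PACKAGES = {"scecli"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def is_ads_path(path: str) -> bool:
    """True if a drive-letter path names an NTFS alternate data stream.

    The only legitimate colon in such a path follows the drive letter; a
    second colon in the remainder ('file:stream') means the image is a
    named stream attached to another file or directory.
    """
    m = re.match(r"^[A-Za-z]:\\(?P<rest>.*)$", path.strip())
    return bool(m) and ":" in m.group("rest")


def parse_sections(text):
    """Yield (section, line) pairs, skipping DDS's '.' spacer lines."""
    section = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        hdr = SECTION_HDR.match(line)
        if hdr:
            section = hdr.group("name")
            continue
        yield section, line


def triage(text):
    """Return findings as dicts with keys rule, section, line, detail."""
    findings = []

    def hit(rule, section, line, detail):
        findings.append({"rule": rule, "section": section, "line": line, "detail": detail})

    for section, line in parse_sections(text):
        if section == "Running Processes" and is_ads_path(line):
            hit("ads_process", section, line, "executable runs from an NTFS alternate data stream")
            continue
        m = SERVICE_LINE.match(line)
        if m and int(m.group("size")) == 0:
            # Size 0 means DDS could not size the file: hidden, or an orphaned entry.
            detail = "driver registered but file size reported as 0"
            if int(m.group("start")) == 0:
                detail += "; start type 0 (boot-start) loads before most security software"
            hit("zero_size_driver", section, line, detail)
            continue
        m = LSA_LINE.match(line)
        if m:
            extra = [p for p in m.group("pkgs").split() if p.lower() not in DEFAULT_LSA_PACKAGES]
            if extra:
                hit("lsa_notification_package", section, line,
                    "non-default LSA notification package(s): " + ", ".join(extra))
            continue
        m = HOSTS_LINE.match(line)
        if m and m.group("ip") in LOOPBACK:
            hit("hosts_redirect", section, line, f"{m.group('host')} is pinned to {m.group('ip')}")
            continue
        m = AV_LINE.match(line)
        if m and "disabled" in m.group("status").lower():
            hit("av_disabled", section, line, f"{m.group('product')} reports {m.group('status')}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['rule']}] ({f['section']}) {f['line']}\n    {f['detail']}")
```

Run it against a full dds.txt instead of SAMPLE_DDS to get the same five classes of finding. A zero-byte driver is only an indicator: DDS also reports 0 for a service whose binary was deleted without removing the registry entry, so the driver key and the on-disk file both need to be checked before anything is removed.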

  • Staff

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility writes a runtime log to the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
