Random Pop Ups and running VERY slow
Hello!
I am getting random pop-ups and my computer is very slow, to the point where it freezes and I have to shut it down because it will not do anything. I read the "read this" log and I am attaching the HijackThis log. I have Norton and when I scan it says there are no problems, so I don't know what is wrong!
Thanks for your help!!
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:29:37 PM, on 7/8/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Constant Guard Protection Suite\IDVaultSvc.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Constant Guard Protection Suite\IDVault.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by MSN & Bing
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\IPS\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Constant Guard Protection Suite (COM) - {B84CDBE7-1B46-494B-A188-01D4C52DEB61} - C:\Program Files\Constant Guard Protection Suite\NativeBHO.dll
O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Constant Guard.lnk = C:\Program Files\Constant Guard Protection Suite\IDVault.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/MyFunCardsInitialSetup1.0.1.1.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6BAB93B7-1917-4214-A7D2-874FA6DB4740} (AOL Newport Editor Ctrl) - http://o.aolcdn.com/pictures/ap/Resources/v2.15/cab/aolpPlugins.10.6.0.8.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: CGPS Service (IDVaultSvc) - White Sky, Inc. - C:\Program Files\Constant Guard Protection Suite\IDVaultSvc.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 10446 bytes
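Added example, not part of the original thread or of HijackThis itself: a small Python parser for the O2 (browser helper object), O3 (IE toolbar) and O4 (Run-key autostart) lines in a HijackThis 2.0.4 log like the one above, which then cross-references the file paths those entries point at against a list of deleted files. The sample log lines and the deletion list below are copied from this thread (the deletions come from the ComboFix report posted later); the field layout the regexes assume is the one HijackThis prints above, and the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few lines copied from the HijackThis log above.
# O2 = browser helper objects, O3 = IE toolbars, O4 = Run-key autostarts.
SAMPLE_HJT = r"""
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
""".strip()

# Constructed sample: paths taken from the "Other Deletions" section of the
# ComboFix report posted later in this thread.
SAMPLE_DELETED = [
    r"c:\program files\Search Toolbar\SearchToolbar.dll",
    r"c:\program files\Search Toolbar\SearchToolbarUninstall.exe",
    r"c:\windows\system32\twain.dll",
]

# "O2 - BHO: <name> - {CLSID} - <dll>" and "O3 - Toolbar: <name> - {CLSID} - <dll>"
COM_RE = re.compile(
    r"^(?P<sec>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# "O4 - HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(
    r"^(?P<sec>O4) - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class HjtEntry:
    section: str            # O2, O3 or O4
    name: str               # display name (O2/O3) or Run value name (O4)
    path: str               # DLL path, or the executable from the Run command line
    clsid: Optional[str] = None


def _exe_from_cmdline(cmd: str) -> str:
    """Executable part of a Run command line. Quoted paths are honoured;
    an unquoted path containing spaces is cut at the first space, which is
    exactly how Windows itself would try to resolve it."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]


def parse_hjt(text: str) -> List[HjtEntry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = COM_RE.match(line)
        if m:
            entries.append(HjtEntry(m["sec"], m["name"], m["path"], m["clsid"]))
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(HjtEntry(m["sec"], m["name"], _exe_from_cmdline(m["cmd"])))
    return entries


def _norm(path: str) -> str:
    # NTFS paths are case-insensitive; compare them that way.
    return path.strip().lower()


def entries_pointing_at(entries: List[HjtEntry], deleted_paths: List[str]) -> List[HjtEntry]:
    """HijackThis entries whose file later turned up in a deletion list: the
    registry side of a component whose binary is gone."""
    deleted = {_norm(p) for p in deleted_paths}
    return [e for e in entries if _norm(e.path) in deleted]


def clsid_registrations(entries: List[HjtEntry]) -> Dict[str, List[str]]:
    """Map each CLSID to the sections registering it. A component listed under
    both O2 and O3 loads into Internet Explorer by two routes, so disabling
    only the toolbar leaves the BHO running."""
    regs: Dict[str, List[str]] = {}
    for e in entries:
        if e.clsid:
            regs.setdefault(e.clsid, []).append(e.section)
    return regs


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for e in entries_pointing_at(parsed, SAMPLE_DELETED):
        print(f"{e.section} {e.name!r} -> {e.path} (file deleted)")
    for clsid, secs in clsid_registrations(parsed).items():
        print(clsid, secs)
```

Run against the sample, the only entries whose files were removed are the two "Search Toolbar" registrations (O2 and O3), and the CLSID map shows that single component registered both as a BHO and as a toolbar.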
kevinf80_1d0ac6
July 11th, 2011 16:00
Hi....
I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.
* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE
** If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE
Please proceed as follows :-
Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-
Link 1
Link 2
****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze ****
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.
*EXTRA NOTES*
Post the log in next reply please...
Kevin
joseph tavares
July 11th, 2011 22:00
Hi Kevin,
Thank you so much for helping me with this! I have downloaded and run ComboFix... It did delete some things and produced a log... Here it is! Again, thank you so much!
Joe
ComboFix 11-07-11.04 - Joseph Tavares 07/11/2011 21:11:42.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.359 [GMT -7:00]
Running from: c:\documents and settings\Joseph Tavares\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\SeekmoSA
c:\documents and settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat
c:\documents and settings\All Users\Application Data\SeekmoSA\SeekmoSA_gdf.dat
c:\documents and settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat
c:\documents and settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht
c:\documents and settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat
c:\documents and settings\All Users\Application Data\SeekmoSA\SeekmoSAEULA.mht
c:\documents and settings\All Users\Start Menu\Programs\Seekmo
c:\documents and settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk
c:\documents and settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk
c:\documents and settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk
c:\documents and settings\Joseph Tavares\Application Data\Seekmo
c:\documents and settings\Joseph Tavares\Local Settings\Application Data\{48E13D2D-7593-4824-8824-B5011AFB9705}
c:\documents and settings\Joseph Tavares\Local Settings\Application Data\{48E13D2D-7593-4824-8824-B5011AFB9705}\chrome.manifest
c:\documents and settings\Joseph Tavares\Local Settings\Application Data\{48E13D2D-7593-4824-8824-B5011AFB9705}\chrome\content\_cfg.js
c:\documents and settings\Joseph Tavares\Local Settings\Application Data\{48E13D2D-7593-4824-8824-B5011AFB9705}\chrome\content\overlay.xul
c:\documents and settings\Joseph Tavares\Local Settings\Application Data\{48E13D2D-7593-4824-8824-B5011AFB9705}\install.rdf
c:\documents and settings\Joseph Tavares\WINDOWS
c:\documents and settings\LocalService\Application Data\Seekmo
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\17B5CB7E.urr
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\twain.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-06-12 to 2011-07-12 )))))))))))))))))))))))))))))))
.
.
2011-07-12 04:04 . 2011-07-12 04:05 -------- d-----w- C:\32788R22FWJFW
2011-07-09 05:27 . 2011-07-09 05:27 388096 ----a-r- c:\documents and settings\Joseph Tavares\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-09 05:27 . 2011-07-09 05:27 -------- d-----w- c:\program files\Trend Micro
2011-07-09 00:43 . 2011-07-09 00:43 -------- d-----w- c:\documents and settings\Joseph Tavares\Local Settings\Application Data\FixItCenter
2011-07-09 00:36 . 2011-07-09 00:36 -------- d-----w- c:\windows\MATS
2011-07-09 00:36 . 2011-07-09 00:36 -------- d-----w- c:\program files\Microsoft Fix it Center
2011-07-09 00:34 . 2011-07-09 00:34 -------- d-----w- c:\documents and settings\Joseph Tavares\Application Data\ElevatedDiagnostics
2011-07-08 23:59 . 2011-07-08 23:59 -------- d-----w- c:\windows\Performance
2011-07-08 23:58 . 2011-07-08 23:58 -------- d-----w- c:\documents and settings\Joseph Tavares\Local Settings\Application Data\Microsoft Corporation
2011-07-08 23:58 . 2011-07-08 23:58 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2011-07-06 15:33 . 2011-07-06 15:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 15:03 . 2011-07-06 18:12 -------- d-----w- c:\documents and settings\Joseph Tavares\Local Settings\Application Data\NPE
2011-07-01 15:41 . 2011-07-01 15:41 -------- d-----w- c:\windows\system32\winrm
2011-07-01 15:41 . 2011-07-01 15:42 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-07-01 15:41 . 2011-07-01 15:41 -------- d-----w- c:\documents and settings\Joseph Tavares\Application Data\Windows Desktop Search
2011-07-01 15:40 . 2011-07-02 07:57 -------- d-----w- c:\program files\Windows Desktop Search
2011-07-01 15:40 . 2011-07-01 15:40 -------- d-----w- c:\windows\system32\GroupPolicy
2011-07-01 15:37 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2011-07-01 15:37 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2011-07-01 15:37 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2011-07-01 08:42 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\wbem\snmp\smimsgif.dll
2011-07-01 08:42 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\wbem\snmp\smierrsy.dll
2011-07-01 08:42 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\dllcache\smimsgif.dll
2011-07-01 08:42 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\dllcache\smierrsy.dll
2011-07-01 08:42 . 2004-08-04 10:00 15872 ----a-w- c:\windows\system32\wbem\snmp\smierrsm.dll
2011-07-01 08:42 . 2004-08-04 10:00 15872 ----a-w- c:\windows\system32\dllcache\smierrsm.dll
2011-07-01 08:42 . 2004-08-04 10:00 10240 ----a-w- c:\windows\system32\wbem\snmpstup.dll
2011-07-01 08:42 . 2004-08-04 10:00 10240 ----a-w- c:\windows\system32\dllcache\snmpstup.dll
2011-07-01 08:37 . 2011-07-01 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}
2011-06-27 20:27 . 2011-07-04 07:25 -------- d-----w- c:\documents and settings\Joseph Tavares\Local Settings\Application Data\Conduit
2011-06-27 06:29 . 2011-06-27 06:29 -------- d-----w- c:\documents and settings\Joseph Tavares\Local Settings\Application Data\Dell
2011-06-27 05:47 . 2011-06-27 05:47 -------- d-----w- c:\documents and settings\Joseph Tavares\Application Data\Uniblue
2011-06-27 05:47 . 2011-06-27 05:47 -------- d-----w- c:\program files\Uniblue
2011-06-27 05:47 . 2011-06-27 05:47 -------- d-----w- c:\documents and settings\Joseph Tavares\Local Settings\Application Data\PackageAware
2011-06-16 04:40 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-03 00:11 . 2011-06-02 23:04 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-06-03 00:11 . 2011-06-02 23:04 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-02 15:31 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-10 17:51 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2006-05-11 11:52 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 17:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-10 17:51 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B84CDBE7-1B46-494B-A188-01D4C52DEB61}]
2011-06-02 19:07 99912 ----a-w- c:\program files\Constant Guard Protection Suite\NativeBHO.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-11 98304]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Constant Guard.lnk - c:\program files\Constant Guard Protection Suite\IDVault.exe [2011-6-14 3231816]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-11 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\symds.sys [6/2/2011 5:11 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\symefa.sys [6/2/2011 5:11 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110701.001\BHDrvx86.sys [7/5/2011 1:00 PM 810616]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\ironx86.sys [6/2/2011 5:11 PM 136312]
R2 IDVaultSvc;CGPS Service;c:\program files\Constant Guard Protection Suite\IDVaultSvc.exe [6/14/2011 12:24 PM 60488]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe [6/2/2011 5:11 PM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/3/2011 9:53 AM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110708.032\IDSXpx86.sys [7/8/2011 8:24 PM 355256]
R3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
S1 MpKsl7c64d9fa;MpKsl7c64d9fa;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{31A346DE-A14C-4D65-B765-168701664CB8}\MpKsl7c64d9fa.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{31A346DE-A14C-4D65-B765-168701664CB8}\MpKsl7c64d9fa.sys [?]
S1 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys --> c:\windows\system32\drivers\papycpu.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2011 8:34 AM 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 10:51 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-12 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 05:09]
.
2011-07-12 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 05:09]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-06 15:34]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-06 15:34]
.
2011-07-11 c:\windows\Tasks\User_Feed_Synchronization-{01F6BAB1-137E-4B93-81D5-086313018064}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer = 68.87.69.150 68.87.85.102
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-AOL Toolbar 5.0 - c:\program files\AOL\AOL Toolbar 5.0\uninstall.exe
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}\bm_installer.exe
AddRemove-CodecsDivX - c:\program files\DivXCodecs\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-11 21:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(600)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\msiexec.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\System32\snmp.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-07-11 21:41:34 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-12 04:41
.
Pre-Run: 43,046,273,024 bytes free
Post-Run: 43,849,052,160 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 0AFA3AE68E47BE838A025A1A03690AEA
kevinf80_1d0ac6
July 12th, 2011 03:00
Hiya Joe,
Continue as follows please :-
Step 1
We need to upload a file to Jotti
1. Click HERE to get to Jotti's site.
2. At the top of the Jotti window, use the Browse button to locate the following file on your system:
c:\windows\system32\drivers\papycpu.sys
3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.
4. Please provide me with the results of the analysis.
Upload same File to Virustotal
Please visit Virustotal
Step 2
Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror
Double Click mbam-setup.exe to install the application.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Step 3
Run ESET Online Scan
You can refer to this animation by neomage if needed.
Frequently asked questions are available Here. Please read them before running the scan.
Also be aware this scan can take between one and several hours to complete depending on the size of your system.
ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".
Step 4
Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
What I'd like in your reply :-
Kevin
joseph tavares
5 Posts
0
July 12th, 2011 20:00
Hi Kevin,
I attempted all the steps, I am not sure if this all worked or not but below are the copies of the logs. Please let me know if I am missing something. So far the computer is still running very slow and freezing. Again, I appreciate all your help with this!!!
Joe
Jotti's malware scan
Filename: log.txt
Status: Acquiring previous results...
--------------------------------------------------------------------------------
Additional info
File size: 18658 bytes
Filetype: ASCII English text, with very long lines, with CRLF line terminators
MD5: 8f20e3419f992f8131ce3a6cfedad6ce
SHA1: 054e3eaa9b4f41bc9c08a40d36e17eb5ddfd4e44
Scanners: No result available
File name: log.txt
Submission date: 2011-07-12 18:00:42 (UTC)
Current status: finished
Result: 0 /43 (0.0%)
VT Community: not reviewed
Safety score: -
Antivirus | Version | Last Update | Result
AhnLab-V3 | 2011.07.13.00 | 2011.07.12 | -
AntiVir | 7.11.11.93 | 2011.07.12 | -
Antiy-AVL | 2.0.3.7 | 2011.07.12 | -
Avast | 4.8.1351.0 | 2011.07.12 | -
Avast5 | 5.0.677.0 | 2011.07.12 | -
AVG | 10.0.0.1190 | 2011.07.12 | -
BitDefender | 7.2 | 2011.07.12 | -
CAT-QuickHeal | 11.00 | 2011.07.11 | -
ClamAV | 0.97.0.0 | 2011.07.12 | -
Commtouch | 5.3.2.6 | 2011.07.12 | -
Comodo | 9362 | 2011.07.12 | -
DrWeb | 5.0.2.03300 | 2011.07.12 | -
Emsisoft | 5.1.0.8 | 2011.07.12 | -
eSafe | 7.0.17.0 | 2011.07.12 | -
eTrust-Vet | 36.1.8439 | 2011.07.12 | -
F-Prot | 4.6.2.117 | 2011.07.12 | -
F-Secure | 9.0.16440.0 | 2011.07.12 | -
Fortinet | 4.2.257.0 | 2011.07.12 | -
GData | 22 | 2011.07.12 | -
Ikarus | T3.1.1.104.0 | 2011.07.12 | -
Jiangmin | 13.0.900 | 2011.07.12 | -
K7AntiVirus | 9.108.4894 | 2011.07.11 | -
Kaspersky | 9.0.0.837 | 2011.07.12 | -
McAfee | 5.400.0.1158 | 2011.07.12 | -
McAfee-GW-Edition | 2010.1D | 2011.07.12 | -
Microsoft | 1.7000 | 2011.07.12 | -
NOD32 | 6288 | 2011.07.12 | -
Norman | 6.07.10 | 2011.07.12 | -
nProtect | 2011-07-12.03 | 2011.07.12 | -
Panda | 10.0.3.5 | 2011.07.12 | -
PCTools | 8.0.0.5 | 2011.07.12 | -
Prevx | 3.0 | 2011.07.12 | -
Rising | 23.66.00.03 | 2011.07.11 | -
Sophos | 4.67.0 | 2011.07.12 | -
SUPERAntiSpyware | 4.40.0.1006 | 2011.07.12 | -
Symantec | 20111.1.0.186 | 2011.07.12 | -
TheHacker | 6.7.0.1.253 | 2011.07.12 | -
TrendMicro | 9.200.0.1012 | 2011.07.12 | -
TrendMicro-HouseCall | 9.200.0.1012 | 2011.07.12 | -
VBA32 | 3.12.16.4 | 2011.07.12 | -
VIPRE | 9843 | 2011.07.12 | -
ViRobot | 2011.7.12.4564 | 2011.07.12 | -
VirusBuster | 14.0.121.0 | 2011.07.12 | -
Additional information
MD5 : 8f20e3419f992f8131ce3a6cfedad6ce
SHA1 : 054e3eaa9b4f41bc9c08a40d36e17eb5ddfd4e44
SHA256: 7429dc88d2720ea97afab8411709a9318c620b07b3025573356ad115275732a2
Information Registry enforcer 2011-07-12 14:09:25 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2011-07-12 14:09:25 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2011-07-12 14:09:24 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2011-07-12 14:09:21 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2011-07-12 14:09:18 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2011-07-12 14:09:18 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2011-07-12 14:09:00 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2011-07-12 14:09:00 Inspecting WinSock registry (LSP Chain)
Block/Extraction NT Service enforcer 2011-07-12 14:08:49 Disabled service: messenger -
Block/Extraction NT Service enforcer 2011-07-12 14:08:48 Disabled service: messenger -
Information General 2011-07-12 14:08:41 Completed system scan.
Block/Extraction NT Service enforcer 2011-07-12 14:00:36 Disabled service: messenger -
Block/Extraction NT Service enforcer 2011-07-12 14:00:36 Disabled service: messenger -
Information General 2011-07-12 13:58:37 Started system scan.
Block/Extraction NT Service enforcer 2011-07-12 13:58:37 Disabled service: messenger -
Block/Extraction NT Service enforcer 2011-07-12 13:58:34 Disabled service: messenger -
Information Registry enforcer 2011-07-12 13:58:17 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2011-07-12 13:58:13 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2011-07-12 13:58:07 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2011-07-12 13:58:07 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Block/Extraction NT Service enforcer 2011-07-12 13:57:58 Disabled service: messenger -
Block/Extraction NT Service enforcer 2011-07-12 13:57:58 Disabled service: messenger -
Information Registry enforcer 2011-07-12 13:57:57 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2011-07-12 13:57:55 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information General 2011-07-12 13:57:48 Completed system scan.
Information General 2011-07-12 13:56:51 Started system scan.
Information Internet ExplorerSiteguard 2011-07-12 13:55:37 Inspecting registered Internet Explorer toolbars
Block/Extraction NT Service enforcer 2011-07-12 13:55:19 Disabled service: messenger -
Block/Extraction NT Service enforcer 2011-07-12 13:55:16 Disabled service: messenger -
Information Registry enforcer 2011-07-12 13:55:16 Inspecting registered Explorer bars
Information Registry enforcer 2011-07-12 13:55:16 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2011-07-12 13:54:56 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2011-07-12 13:54:54 Inspecting registered Browser Helper Objects (BHOs)
Block/Extraction NT Service enforcer 2011-07-12 13:54:41 Disabled service: messenger -
Information Process enforcer 2011-07-12 13:54:39 Starting process watcher
Block/Extraction NT Service enforcer 2011-07-12 13:49:59 Disabled service: messenger -
Block/Extraction NT Service enforcer 2011-07-12 13:49:55 Disabled service: messenger -
Block/Extraction NT Service enforcer 2011-07-12 13:48:58 Disabled service: messenger -
Block/Extraction NT Service enforcer 2011-07-12 13:48:58 Disabled service: messenger -
Block/Extraction NT Service enforcer 2011-07-12 13:47:24 Disabled service: messenger -
Block/Extraction NT Service enforcer 2011-07-12 13:47:24 Disabled service: messenger -
Block/Extraction NT Service enforcer 2011-07-12 13:47:18 Disabled service: messenger -
Block/Extraction NT Service enforcer 2011-07-12 13:47:18 Disabled service: messenger -
Block/Extraction NT Service enforcer 2011-07-12 13:47:02 Disabled service: messenger -
Block/Extraction NT Service enforcer 2011-07-12 13:47:02 Disabled service: messenger -
Information Registry enforcer 2011-07-12 13:46:50 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2011-07-12 13:46:49 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Block/Extraction NT Service enforcer 2011-07-12 13:46:37 Removed service: catchme - catchme
Information Registry enforcer 2011-07-12 13:46:36 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2011-07-12 13:46:36 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Block/Extraction Registry enforcer 2011-07-12 13:46:29 Extracted registry key HKLM\SYSTEM\CurrentControlSet\Services\catchme
Block/Extraction Registry enforcer 2011-07-12 13:46:18 Deleted registry value DisableRegistryTools in hklm\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2011-07-12 13:46:18 Detected malicious registry entry DisableRegistryTools in hklm\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2011-07-12 13:46:10 Extracted registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
Block/Extraction Registry enforcer 2011-07-12 13:46:08 Deleted registry value system in hklm\software\microsoft\windows nt\currentversion\winlogon
Information Registry enforcer 2011-07-12 13:46:05 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2011-07-12 13:46:04 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information General 2011-07-12 13:45:52 Request to update definitions completed successfully.
Information General 2011-07-12 13:43:31 Anti-Spyware Incremental definition update 5.0.91.78 successfully applied.
Block/Extraction NT Service enforcer 2011-07-12 13:42:46 Removed driver: c:\combofix\catchme.sys
Information Internet ExplorerSiteguard 2011-07-12 13:42:15 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2011-07-12 13:42:15 Inspecting registered Explorer bars
Information Registry enforcer 2011-07-12 13:42:15 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2011-07-12 13:42:14 Starting process watcher
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk.vir LNK/URL.B trojan
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1867\A0072290.lnk LNK/URL.B trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1867\A0072294.dll Win32/Toolbar.Zugo application
Results of screen317's Security Check version 0.99.17
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:
Java 2 Runtime Environment, SE v1.4.2_03
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
``````````End of Log````````````
kevinf80_1d0ac6
1.1K Posts
0
July 13th, 2011 02:00
Hiya Joe,
Did you upload the correct file for analysis? The Jotti log is indicating this file :-
Filename: log.txt
You should have uploaded c:\windows\system32\drivers\papycpu.sys
OK, just leave that for now; if there are still issues we need a deeper scan to see if we've missed something....
Download the GMER Rootkit Scanner. Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur.
Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:
Temporarily disable Security
Do not use your computer for anything else during the scan.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your Post.
joseph tavares
5 Posts
0
July 20th, 2011 20:00
Hi Kevin,
I apologize I haven't gotten back to you on this... I think I did everything right. I am not very good at the computer and this is a lot for me! Thank you for your understanding!
Here is the log
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-17 19:04:16
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-75JHC0 rev.06.01C06
Running: gmer.exe; Driver: C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\pxtdypow.sys
---- System - GMER 1.0.15 ----
SSDT 83578610 ZwAlertResumeThread
SSDT 8357C170 ZwAlertThread
SSDT 8365CA08 ZwAllocateVirtualMemory
SSDT 8355E4F0 ZwAssignProcessToJobObject
SSDT 838B84B0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEE1E6710]
SSDT 838B2710 ZwCreateMutant
SSDT 83449880 ZwCreateSymbolicLinkObject
SSDT 83894C20 ZwCreateThread
SSDT 835630D8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEE1E6990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEE1E6EF0]
SSDT 83832C88 ZwDuplicateObject
SSDT 83816138 ZwFreeVirtualMemory
SSDT 83578460 ZwImpersonateAnonymousToken
SSDT 83578538 ZwImpersonateThread
SSDT 8353FA18 ZwLoadDriver
SSDT 8383F6F0 ZwMapViewOfSection
SSDT 83574E90 ZwOpenEvent
SSDT 838A53B0 ZwOpenProcess
SSDT 83590E08 ZwOpenProcessToken
SSDT 83569350 ZwOpenSection
SSDT 8364AC10 ZwOpenThread
SSDT 8343B970 ZwProtectVirtualMemory
SSDT 8357E0D8 ZwResumeThread
SSDT 8343B140 ZwSetContextThread
SSDT 83511910 ZwSetInformationProcess
SSDT 83563350 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEE1E7140]
SSDT 8356A990 ZwSuspendProcess
SSDT 83580BF0 ZwSuspendThread
SSDT 83588E08 ZwTerminateProcess
SSDT 83596EC8 ZwTerminateThread
SSDT 83587578 ZwUnmapViewOfSection
SSDT 83611EC8 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 7C 804E26E8 6 Bytes [10, 86, 57, 83, 70, C1] {ADC [ESI-0x3e8f7ca9], AL}
.text ntoskrnl.exe!_abnormal_termination + 83 804E26EF 1 Byte [83]
.text ntoskrnl.exe!_abnormal_termination + 1B8 804E2824 2 Bytes [38, 85]
.text ntoskrnl.exe!_abnormal_termination + 1BB 804E2827 1 Byte [83]
.text ntoskrnl.exe!_abnormal_termination + 214 804E2880 2 Bytes [90, 4E] {NOP ; DEC ESI}
.text ...
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF64E0F80]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[2016] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device EBF51D20
AttachedDevice szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
---- EOF - GMER 1.0.15 ----
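A small log-triage script, added here as an example and not part of the thread or of GMER itself: it parses the SSDT section of a GMER log like the one above and groups each hook by the driver GMER attributed it to, so the hooks that belong to a named driver (here SYMEVENT.SYS, Norton's own component) are separated from those GMER could not map to any module image. The embedded sample log is constructed from the line shapes seen above, and the regex patterns and function names are my own.

```python
"""Triage helper for the SSDT section of a GMER log (added example, not GMER's own
code). It recognises GMER's two SSDT line shapes and groups hooks by owning module."""
import re
from collections import defaultdict

# Constructed sample in the shapes seen in the thread's GMER log (not the full log).
SAMPLE_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-17 19:04:16
---- System - GMER 1.0.15 ----
SSDT 83578610 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEE1E6710]
SSDT 838A53B0 ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEE1E7140]
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 7C 804E26E8 6 Bytes [10, 86, 57, 83, 70, C1]
"""

# "SSDT <8 hex digits> <ZwFunction>": GMER could not map the hook to a driver image.
BARE_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(Zw\w+)\s*$")
# "SSDT <path> (<description>) <ZwFunction> [0x<addr>]": hook owned by a named driver.
MODULE_RE = re.compile(r"^SSDT\s+(\S+)\s+\((.*?)\)\s+(Zw\w+)\s+\[0x([0-9A-Fa-f]+)\]\s*$")


def parse_ssdt_section(log_text):
    """Return one dict per SSDT hook found in the '---- System' section."""
    hooks, in_system = [], False
    for line in log_text.splitlines():
        if line.startswith("---- System"):
            in_system = True
            continue
        if not in_system:
            continue
        if line.startswith("----"):
            break  # reached the next GMER section
        m = MODULE_RE.match(line)
        if m:
            path, desc, func, addr = m.groups()
            hooks.append({"function": func, "address": int(addr, 16),
                          "module": path.rsplit("\\", 1)[-1].upper(),
                          "description": desc})
            continue
        m = BARE_RE.match(line)
        if m:
            addr, func = m.groups()
            hooks.append({"function": func, "address": int(addr, 16),
                          "module": None, "description": None})
    return hooks


def group_by_module(hooks):
    """Map module name (None = unattributed) to the sorted list of hooked functions."""
    groups = defaultdict(list)
    for h in hooks:
        groups[h["module"]].append(h["function"])
    return {mod: sorted(funcs) for mod, funcs in groups.items()}


def summarize(log_text):
    """Counts a reviewer wants first: total hooks and how many lack a named owner."""
    hooks = parse_ssdt_section(log_text)
    unattributed = [h for h in hooks if h["module"] is None]
    return {"total": len(hooks), "unattributed": len(unattributed),
            "modules": sorted(m for m in group_by_module(hooks) if m)}
```

Unattributed hooks are not evidence of a rootkit on their own; they need to be correlated with the security products installed on the machine, which is the same caution the thread gives about GMER false positives.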
kevinf80_1d0ac6
1.1K Posts
0
July 21st, 2011 03:00
Continue as follows :-
Step 1
Download TFC to your desktop, from either of the following links
Link 1
Link 2
Save any open work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system; if not, re-boot it yourself to complete the cleaning process <---- Very Important
Step 2
Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror
Double Click mbam-setup.exe to install the application.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Let me see the log from Malwarebytes in your reply, also give update on any issues or concerns...
Kevin
joseph tavares
5 Posts
0
July 23rd, 2011 22:00
Hi Kevin,
I went through the steps...The computer is running a little faster...I have attached the log. Can I remove any of the downloads from prior?
Thanks for your help!!
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7232
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
7/22/2011 1:03:58 PM
mbam-log-2011-07-22 (13-03-57).txt
Scan type: Quick scan
Objects scanned: 158081
Time elapsed: 17 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{4A40E8FC-C7E4-4F57-9FA4-85DD77402897} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Features\9EE2330AE5F4470CAC801BAAC83818C9 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Products\568267ACFC5644DAB06F058006DDBAE3 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\SeekmoSA_df.exe (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\HostOL.MailAnim (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\Seekmo@Seekmo.com (Adware.SeekMo) -> Value: Seekmo@Seekmo.com -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\documents and settings\all users\application data\55983434 (Rogue.Multiple) -> Quarantined and deleted successfully.
kevinf80_1d0ac6
1.1K Posts
0
July 24th, 2011 16:00
Hello Joseph,
Before we clean up I need to see the log from an online AV scan, if this comes back clean we can remove the tools we have installed/used....
As follows please:
Run ESET Online Scan
You can refer to this animation by neomage if needed.
Frequently asked questions are available Here. Please read them before running the scan.
Also be aware this scan can take between one and several hours to complete depending on the size of your system.
ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".
Kevin