Unsolved
January 28th, 2008 18:00
Virtual Memory Loss
In the past, I've been able to leave my desktop computer on for weeks at a time with no problems. But recently I'll go back to the computer after a short while and it will say something like "not enough virtual memory left, may have to disallow access to some programs" and "error at svhost" and then the computer is extremely slow, and has trouble opening and closing programs. When I try to hit ctrl, alt, delete, it comes up for a fraction of a second and disappears so fast I can't see anything. Also I continually hear my External HDD like a program is accessing memory, but no programs are running. Also, when I right click on my C: drive or my external HDD (E:) instead of "OPEN" it has a funny word with accent marks over the letters like this Îòêðûòü. Any help would be most appreciated.
HJT Log below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:50 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\shovth.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\Flea\LOCALS~1\Temp\hpdj.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 3554 bytes
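An added example, not code from this thread or from the HijackThis developers: a Python triage pass over a shortened copy of the log above. It flags executables that run from %SystemRoot% but are neither in a constructed, deliberately incomplete baseline of XP SP2 system binaries nor attributed to a named vendor by an O23 service line, anything running from a Temp directory, and services HijackThis marks as unknown-owner or file-missing. On this log that surfaces shovth.exe, winsos.exe and winsn.exe (the files ComboFix deletes later in the thread) and the hpdj.exe service in Temp. It also decodes the accented "Open" label the poster saw: Îòêðûòü is the Cyrillic word Открыть ("Open") stored in code page 1251 and displayed as Windows-1252, which is consistent with a drive whose autorun.inf defines its own label for the open verb. The baseline set, the rule names and the parsing helpers are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Excerpt constructed from the HijackThis log posted above (shortened, same format).
HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\shovth.exe
C:\Program Files\Mozilla Firefox\firefox.exe
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\Flea\LOCALS~1\Temp\hpdj.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Constructed, deliberately incomplete set of executables Windows XP SP2 itself runs
# from %SystemRoot%. A name outside it earns a second look, not a verdict.
XP_BASELINE = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "wscntfy.exe",
    "wuauclt.exe", "userinit.exe", "wgatray.exe",
}
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

@dataclass(frozen=True)
class Finding:
    rule: str
    path: str

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def exe_path(cmd):
    """Strip arguments such as '/STARTUP' from an O4 command line."""
    m = re.match(r'(?i)^"?(.*?\.exe)', cmd)
    return m.group(1) if m else cmd

def parse_hjt(text):
    """Return (running processes, O4 run entries, O23 services) from an HJT log."""
    processes, run_entries, services, in_procs = [], [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if re.match(r"^O\d+ - ", line):
            in_procs = False
        if in_procs:
            processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            run_entries.append((m["hive"], m["name"], exe_path(m["cmd"])))
        elif line.startswith("O23 - Service: "):
            parts = line[len("O23 - Service: "):].split(" - ", 2)
            if len(parts) == 3:
                name, owner, path = parts
                missing = path.endswith("(file missing)")
                services.append((name, owner, path.replace(" (file missing)", ""), missing))
    return processes, run_entries, services

def triage(text):
    processes, run_entries, services = parse_hjt(text)
    # A path that an O23 line attributes to a named vendor counts as identified; this is
    # what keeps HP's HPZipm12.exe, which lives in system32, out of the findings.
    identified = {basename(p) for _, owner, p, miss in services
                  if owner != "Unknown owner" and not miss}
    findings = []

    def flag(rule, path):
        if Finding(rule, path) not in findings:
            findings.append(Finding(rule, path))

    for path in processes + [p for _, _, p in run_entries]:
        low = path.lower()
        if "\\temp\\" in low:
            flag("runs-from-temp", path)
        if low.startswith("c:\\windows\\") and basename(path) not in XP_BASELINE | identified:
            flag("unknown-in-windows-dir", path)
    for _, owner, path, missing in services:
        if "\\temp\\" in path.lower():
            flag("runs-from-temp", path)
        if owner == "Unknown owner" or missing:
            flag("service-unknown-or-missing", path)
    return findings

def decode_shell_label(label):
    """Undo the mojibake in the drive's 'Open' menu item: a label written in the
    Cyrillic code page (cp1251) but rendered with the Western one (cp1252)."""
    return label.encode("cp1252").decode("cp1251")

if __name__ == "__main__":
    for f in triage(HJT_LOG):
        print(f"{f.rule:26} {f.path}")
    print(decode_shell_label("Îòêðûòü"))
```

The baseline produces candidates, not verdicts: HPZipm12.exe also sits in system32 and is absent from the baseline, and stays out of the findings only because the O23 line names HP as its owner. A later log in this thread shows the same hpdj service as "Unknown owner ... (file missing)", which the third rule would catch on its own.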
bamajim
January 31st, 2008 17:00
Making progress
Please download Combofix and save to your desktop:
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.
"The world is what you make of it"
flea2402
January 31st, 2008 17:00
Autorun files are still present.
The "view hidden files" option under Folder Options is still not staying permanent.
But it seems to be running a bit faster.
New HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:55 AM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SYSTEM32\Userinit.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\shovth.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\Flea\LOCALS~1\Temp\hpdj.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 3814 bytes
flea2402
January 31st, 2008 18:00
ComboFix 08-02.01.1 - Flea 2008-01-31 12:33:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.262 [GMT -8:00]
Running from: C:\Documents and Settings\Flea\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\.exe
C:\Autorun.inf
C:\.exe
C:\Autorun.inf
C:\WINDOWS\system32\1033\1033.exe
C:\WINDOWS\system32\shovth.exe
C:\WINDOWS\system32\system32.exe
C:\WINDOWS\system32\winsn.exe
C:\WINDOWS\system32\winsos.exe
C:\WINDOWS\windows.exe
E:\Autorun.inf . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.
2008-01-31 11:37 . 2007-12-19 12:16 89,088 ---h----- C:\WINDOWS\system32\drivers\drivers.exe
2008-01-31 11:29 . 2007-12-19 12:16 89,088 ---h----- C:\WINDOWS\system\system.exe
2008-01-31 10:52 . 2007-12-19 12:16 89,088 ---h----- C:\Documents and Settings\Flea\Flea.exe
2008-01-31 10:51 . 2007-12-19 12:16 89,088 ---hs---- C:\540C462D.exe
2008-01-30 16:39 . 2008-01-30 16:39 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-30 16:39 . 2008-01-30 16:39 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-24 10:46 . 2008-01-31 11:38 d-------- C:\WINDOWS\system32\NtmsData
2008-01-22 14:35 . 2008-01-22 14:35 d-------- C:\Documents and Settings\Flea\Application Data\Snapfish
2008-01-19 22:24 . 2008-01-19 22:24 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-01-19 22:24 . 2008-01-19 22:24 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-01-19 08:43 . 2008-01-19 08:43 d-------- C:\Program Files\Windows Media Connect 2
2008-01-19 08:42 . 2008-01-19 08:42 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-11 13:54 . 2008-01-11 13:54 d-------- C:\Documents and Settings\Flea\Application Data\ArcSoft
2008-01-08 16:56 . 2004-08-03 14:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-08 15:24 . 2008-01-08 16:53 d-------- C:\Documents and Settings\Flea\.housecall6.6
2008-01-08 15:05 . 2008-01-08 15:12 d-------- C:\Documents and Settings\Flea\Application Data\HouseCall 6.6
2008-01-08 14:58 . 2008-01-08 14:58 d-------- C:\Program Files\MSXML 4.0
2008-01-08 13:51 . 2008-01-08 15:24 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-08 11:44 . 2008-01-08 13:52 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-08 11:10 . 2008-01-08 11:10 d-------- C:\Program Files\Lavasoft
2008-01-08 11:10 . 2008-01-08 11:10 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-08 11:09 . 2008-01-08 11:09 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 10:17 . 2008-01-08 10:17 d-------- C:\Program Files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 18:23 --------- d-----w C:\Program Files\Symantec
2007-12-24 19:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 14:56 15360]
[HKLM\~\startupfolder\C:^Documents and Settings^Flea^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Flea\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 14:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvLsnr]
--------- 2003-05-08 10:34 69632 C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-04-02 19:07 389120 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-10-23 18:51 233472 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-06-25 10:24 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2006-01-12 23:14 188416 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 08:36 114688 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 08:35 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-10-11 11:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintServer Diagnostic]
--a------ 2004-11-24 16:09 266240 C:\Program Files\Print Server\PTP\PSDiagnostic.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sis32]
C:\WINDOWS\system32\winsos.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 12:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp]
C:\WINDOWS\trayicons.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRpdA]
--a------ 2001-08-23 07:00 77891 C:\WINDOWS\SYSTEM32\USRmlnkA.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winroot]
C:\WINDOWS\system32\winsn.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
--a------ 2006-09-20 07:35 20480 C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 05:28]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\
\Shell\open\Command - E:\98BE14CF.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28b73968-be4f-11dc-b156-000d9dd608bd}]
\Shell\AutoRun\command - F:\
\Shell\open\Command - F:\50E09EB4.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{440e1102-2a6f-11dc-b13f-000d9dd608bd}]
\Shell\AutoRun\command - F:\
\Shell\open\Command - F:\3489BF0C.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 04:28:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 12:38:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2008-02-01 12:40:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 20:40:16
bamajim
January 31st, 2008 19:00
1. Open Notepad (not WordPad). Copy and paste the following into Notepad:
File::
C:\WINDOWS\system32\drivers\drivers.exe
C:\WINDOWS\system\system.exe
C:\Documents and Settings\Flea\Flea.exe
C:\540C462D.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sis32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winroot]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28b73968-be4f-11dc-b156-000d9dd608bd}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{440e1102-2a6f-11dc-b13f-000d9dd608bd}]
Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop.
Using the image as a reference, drag CFScript into ComboFix.exe.
Follow the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.
"The world is what you make of it"
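An added example, not code from this thread, from ComboFix's author or from bamajim, that reproduces the reasoning behind the CFScript above from the ComboFix log flea2402 posted before it. Three observations drive the script: the four files under File:: share one source timestamp (2007-12-19 12:16) and one size (89,088 bytes) across four unrelated locations, which is how a self-copying worm looks in a "Files Created" listing; the startupreg keys sis32, StartUp and winroot are printed with a bare path and none of the attribute, timestamp and size fields the other entries carry, and in this log that marks targets ComboFix had just deleted or could not find, so they are orphaned autostarts; and the three MountPoints2 keys point the drive's Shell\open\Command at an executable on the drive root, which is the autorun hijack behind the altered "Open" menu item. The log excerpt is constructed from lines on this page; the cluster threshold of three and the reading of bare-path entries are assumptions.

```python
import re
from collections import defaultdict

# Excerpt constructed from the ComboFix log posted earlier in this thread (shortened).
COMBOFIX_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.
2008-01-31 11:37 . 2007-12-19 12:16 89,088 ---h----- C:\WINDOWS\system32\drivers\drivers.exe
2008-01-31 11:29 . 2007-12-19 12:16 89,088 ---h----- C:\WINDOWS\system\system.exe
2008-01-31 10:52 . 2007-12-19 12:16 89,088 ---h----- C:\Documents and Settings\Flea\Flea.exe
2008-01-31 10:51 . 2007-12-19 12:16 89,088 ---hs---- C:\540C462D.exe
2008-01-30 16:39 . 2008-01-30 16:39 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-19 22:24 . 2008-01-19 22:24 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 14:56 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 14:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sis32]
C:\WINDOWS\system32\winsos.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp]
C:\WINDOWS\trayicons.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winroot]
C:\WINDOWS\system32\winsn.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\
\Shell\open\Command - E:\98BE14CF.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28b73968-be4f-11dc-b156-000d9dd608bd}]
\Shell\AutoRun\command - F:\
\Shell\open\Command - F:\50E09EB4.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{440e1102-2a6f-11dc-b13f-000d9dd608bd}]
\Shell\AutoRun\command - F:\
\Shell\open\Command - F:\3489BF0C.exe
.
"""

# "created . source-timestamp size attributes path" lines; directory lines have no size.
FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+([\d,]+)\s+(\S{9})\s+(.*)$")
# A startupreg body line for a target ComboFix found: attributes, timestamp, size, path.
ATTR_LINE = re.compile(r"^[-a-z]{9} \d{4}-\d\d-\d\d \d\d:\d\d \d+ ")
# A MountPoints2 verb pointed at an executable on the drive root.
OPEN_CMD = re.compile(r"(?i)^\\shell\\(open|autorun)\\command - [a-z]:\\\S+\.exe$")

def worm_copies(text, min_cluster=3):
    """Executables created in the window that share one source timestamp and one
    size across several locations: the footprint of a self-copying worm."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m and m.group(5).lower().endswith(".exe"):
            groups[(m.group(2), m.group(3))].append(m.group(5))
    return [p for files in groups.values() if len(files) >= min_cluster for p in files]

def reg_sections(text):
    """Split the 'Reg Loading Points' listing into (key, body lines); a lone '.' ends a block."""
    sections, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            cur = (line[1:-1], [])
            sections.append(cur)
        elif line == ".":
            cur = None
        elif cur is not None and line:
            cur[1].append(line)
    return sections

def suspicious_keys(sections):
    keys = []
    for key, body in sections:
        low = key.lower()
        if "\\msconfig\\startupreg\\" in low:
            # Assumption drawn from this log: ComboFix prints attributes, timestamp and
            # size only for a target it can find, so a bare path is an orphaned autostart.
            if body and not ATTR_LINE.match(body[0]):
                keys.append(key)
        elif "\\explorer\\mountpoints2\\" in low:
            # Explorer's Open/AutoRun verb for the drive launches a file on the drive root.
            if any(OPEN_CMD.match(b) for b in body):
                keys.append(key)
    return keys

def build_cfscript(text):
    """Emit the File::/Registry:: script in the form bamajim's post uses."""
    files = worm_copies(text)
    keys = [f"[-{k}]" for k in suspicious_keys(reg_sections(text))]
    return "\n".join(["File::", *files, "Registry::", *keys]) + "\n"

if __name__ == "__main__":
    print(build_cfscript(COMBOFIX_LOG), end="")
```

Run against the excerpt, build_cfscript() emits the same four File:: paths and the same six [-key] lines, in the same order, as the script bamajim posted; the ctfmon.exe entry, whose body carries attributes and a size, and the HKCU Run key are left alone. The cluster rule is the part worth keeping in mind when reading later logs: one hidden 89,088-byte file is unremarkable, four of them with an identical source timestamp in system32\drivers, \system, the user profile and the drive root are not.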
flea2402
January 31st, 2008 19:00
ComboFix 08-02.01.1 - Flea 2008-01-31 13:24:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.291 [GMT -8:00]
Running from: C:\Documents and Settings\Flea\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Flea\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\540C462D.exe
C:\Documents and Settings\Flea\Flea.exe
C:\WINDOWS\system\system.exe
C:\WINDOWS\system32\drivers\drivers.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\540C462D.exe
C:\Documents and Settings\Flea\Flea.exe
C:\WINDOWS\system\system.exe
C:\WINDOWS\system32\drivers\drivers.exe
E:\Autorun.inf . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.
2008-01-30 16:39 . 2008-01-30 16:39 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-30 16:39 . 2008-01-30 16:39 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-24 10:46 . 2008-01-31 11:38 d-------- C:\WINDOWS\system32\NtmsData
2008-01-22 14:35 . 2008-01-22 14:35 d-------- C:\Documents and Settings\Flea\Application Data\Snapfish
2008-01-19 22:24 . 2008-01-19 22:24 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-01-19 22:24 . 2008-01-19 22:24 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-01-19 08:43 . 2008-01-19 08:43 d-------- C:\Program Files\Windows Media Connect 2
2008-01-19 08:42 . 2008-01-19 08:42 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-11 13:54 . 2008-01-11 13:54 d-------- C:\Documents and Settings\Flea\Application Data\ArcSoft
2008-01-08 16:56 . 2004-08-03 14:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-08 15:24 . 2008-01-08 16:53 d-------- C:\Documents and Settings\Flea\.housecall6.6
2008-01-08 15:05 . 2008-01-08 15:12 d-------- C:\Documents and Settings\Flea\Application Data\HouseCall 6.6
2008-01-08 14:58 . 2008-01-08 14:58 d-------- C:\Program Files\MSXML 4.0
2008-01-08 13:51 . 2008-01-08 15:24 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-08 11:44 . 2008-01-08 13:52 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-08 11:10 . 2008-01-08 11:10 d-------- C:\Program Files\Lavasoft
2008-01-08 11:10 . 2008-01-08 11:10 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-08 11:09 . 2008-01-08 11:09 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 10:17 . 2008-01-08 10:17 d-------- C:\Program Files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 18:23 --------- d-----w C:\Program Files\Symantec
2007-12-24 19:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 14:56 15360]
[HKLM\~\startupfolder\C:^Documents and Settings^Flea^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Flea\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 14:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvLsnr]
--------- 2003-05-08 10:34 69632 C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-04-02 19:07 389120 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-10-23 18:51 233472 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-06-25 10:24 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2006-01-12 23:14 188416 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 08:36 114688 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 08:35 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-10-11 11:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintServer Diagnostic]
--a------ 2004-11-24 16:09 266240 C:\Program Files\Print Server\PTP\PSDiagnostic.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 12:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRpdA]
--a------ 2001-08-23 07:00 77891 C:\WINDOWS\SYSTEM32\USRmlnkA.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
--a------ 2006-09-20 07:35 20480 C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 05:28]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 04:28:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 13:31:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2008-02-01 13:32:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 21:32:22
ComboFix2.txt 2008-02-01 20:40:25
bamajim
January 31st, 2008 20:00
"The world is what you make of it"
Message Edited by bamajim on 01-31-2008 04:24 PM
flea2402
January 31st, 2008 20:00
Looks like svchost.exe is still running in processes 4 times over though.
Here is a fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:33 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Flea\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 3734 bytes
bamajim
January 31st, 2008 21:00
I don't see any signs of a working anti-virus program on this PC.
Go HERE and download AVG Free.
Yes, it's free and does a good job.
Download it, install it, allow it to update, and run a full scan on your PC. Let it fix what it finds.
When done, post one more fresh HijackThis log so I can see that it installed properly.
"The world is what you make of it"
flea2402
January 31st, 2008 21:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:36 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Flea\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 4479 bytes
flea2402
35 Posts
0
January 31st, 2008 21:00
I think all we have left on this computer is to make sure the USB drive I had plugged into this computer is OK before I plug it back in, and anything else you think is pertinent.
bamajim
10.4K Posts
0
January 31st, 2008 21:00
"The world is what you make of it"
bamajim
10.4K Posts
0
February 1st, 2008 11:00
That's great news.
Here are the steps to clean up the USB devices:
1. Go HERE and download the Flash_Disinfector tool by sUBs
2. Double-click to run the tool
3. Follow the prompts
4. Have any USB memory items ready if prompted to attach them
5. Reply with the results
"The world is what you make of it"
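A note on what the step above actually does, and an added example that is not Flash_Disinfector's code and was not posted in this thread. The tool's protection is visible later in the report: it leaves a directory named autorun.inf at each drive root with a sub-folder whose name starts with the reserved device name lpt3, so a worm can no longer drop its own autorun.inf file there. The "funny word" from the opening post, Îòêðûòü, is my reading of the symptom: it is the Cyrillic word Открыть ("Open") written in the Windows-1251 code page and rendered by a Western (Windows-1252) Explorer, which is what a Russian-language autorun.inf that replaces the drive's Open verb looks like. The script below reads a drive's autorun.inf the way that Explorer would, flags every directive that launches code or relabels the menu, undoes the code-page mix-up, and then applies the same directory trick. The sample autorun.inf, the inner folder name lpt3.protected-by-example and the temporary directory standing in for a USB root are my constructions; on Windows the reserved name needs the \\?\ path prefix, which the code adds.

```python
"""Added example for the USB clean-up step above; not Flash_Disinfector's code and
not from the thread. Inspect a drive root's autorun.inf, then protect the root."""
import os
import re

LAUNCH_KEYS = ("open", "shellexecute")                # run on insert / AutoPlay
COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")   # shell\<verb>\command=
CYRILLIC = re.compile(r"[\u0400-\u04FF]")

def parse_autorun(text):
    """Tolerant INI-style parser for the [autorun] section: {lowercased key: value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def demojibake(label):
    """Undo Windows-1251 text shown through Windows-1252: 'Îòêðûòü' -> 'Открыть'."""
    try:
        fixed = label.encode("cp1252").decode("cp1251")
    except UnicodeError:
        return label
    return fixed if CYRILLIC.search(fixed) else label

def assess(entries):
    """Findings for every directive that can launch code or disguise the menu."""
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS:
            findings.append(f"{key}= launches {value!r} on insert/AutoPlay")
        elif COMMAND_RE.match(key):
            findings.append(f"{key}= runs {value!r} from the drive's context menu")
        elif key == "shell":
            findings.append(f"default verb changed to {value!r}; double-click runs it")
        elif key.startswith("shell\\") and key.count("\\") == 1:  # shell\<verb>=label
            label = demojibake(value)
            note = f" (decodes to {label!r})" if label != value else ""
            findings.append(f"context-menu entry {key} labelled {value!r}{note}")
    return findings

def inspect_root(root):
    """Classify a drive root's autorun.inf: ('absent'|'protected'|'file', findings)."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent", []
    if os.path.isdir(path):
        return "protected", []                  # a directory cannot be AutoPlayed
    with open(path, "rb") as fh:
        text = fh.read().decode("cp1252", errors="replace")  # as a Western-locale PC shows it
    return "file", assess(parse_autorun(text))

def protect_drive(root):
    """Create <root>/autorun.inf as a directory so a worm cannot drop a file of that
    name. The inner folder starts with the reserved DOS device name lpt3, which
    ordinary Win32 file APIs refuse to delete; on Windows creating it needs the
    extended-length (\\\\?\\) prefix. The inner name is mine, not the tool's."""
    inf_dir = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf_dir):
        raise RuntimeError("autorun.inf is a file here: inspect and quarantine it first")
    inner = os.path.join(inf_dir, "lpt3.protected-by-example")
    if os.name == "nt":
        inner = "\\\\?\\" + os.path.abspath(inner)
    os.makedirs(inner, exist_ok=True)
    return inf_dir

# Constructed sample (not a file from this thread): an injected Open verb whose
# Windows-1251 label shows as 'Îòêðûòü' on a Western PC, wired to a hidden dropper.
SAMPLE_AUTORUN = """[AutoRun]
open=system32.exe
shell\\open=Îòêðûòü
shell\\open\\Command=system32.exe
shell\\explore\\Command=system32.exe
shellexecute=system32.exe
"""

def demo():
    """Write the sample into a throw-away 'drive', inspect, protect, re-inspect."""
    import tempfile
    root = tempfile.mkdtemp(prefix="usbroot-")
    with open(os.path.join(root, "autorun.inf"), "wb") as fh:
        fh.write(SAMPLE_AUTORUN.encode("cp1252"))   # the bytes a cp1251 worm would write
    state, findings = inspect_root(root)
    os.remove(os.path.join(root, "autorun.inf"))     # real clean-up quarantines instead
    protect_drive(root)
    return state, findings, inspect_root(root)[0]

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run it as-is to see the five findings for the sample and the root flip from "file" to "protected". To check a real stick, call inspect_root("E:\\") before Flash_Disinfector and again after; the second call should return "protected". Note the protection only stops a worm from writing autorun.inf at the root; it does not remove a dropper already on the stick, which is why the Kaspersky scan with the drive attached is still worth doing.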
flea2402
35 Posts
0
February 1st, 2008 14:00
bamajim
10.4K Posts
0
February 1st, 2008 14:00
flea2402
I think I would run a Kaspersky online scan with it hooked up. Kaspersky will scan using the extended databases.
"The world is what you make of it"
flea2402
35 Posts
0
February 1st, 2008 21:00
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 01, 2008 3:37:29 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/02/2008
Kaspersky Anti-Virus database records: 545737
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 78069
Number of viruses found: 2
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 01:01:20
Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Flea\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Flea\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Flea\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Flea\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Flea\Local Settings\History\History.IE5\MSHist012008020120080202\index.dat Object is locked skipped
C:\Documents and Settings\Flea\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Flea\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Flea\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Drivers\Deskjet 4160 Driver\Deskjet 4160 Driver.exe Object is locked skipped
C:\Drivers\Drivers.exe Object is locked skipped
C:\Drivers\Network Adapter Drivers\win_xp_2k3_64\win_xp_2k3_64.exe Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Flea\Flea.exe.vir Infected: Trojan-PSW.Win32.QQPass.aom skipped
C:\QooBox\Quarantine\C\WINDOWS\system\system.exe.vir Infected: Trojan-PSW.Win32.QQPass.aom skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\1033\1033.exe.vir Infected: Trojan-PSW.Win32.QQPass.aom skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\drivers.exe.vir Infected: Trojan-PSW.Win32.QQPass.aom skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\shovth.exe.vir Infected: Trojan-PSW.Win32.QQPass.aom skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\system32.exe.vir Infected: Trojan-PSW.Win32.QQPass.aom skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winsn.exe.vir Infected: Trojan-PSW.Win32.QQPass.aom skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winsos.exe.vir Infected: Trojan-Downloader.Win32.Small.gye skipped
C:\QooBox\Quarantine\C\WINDOWS\WINDOWS.exe.vir Infected: Trojan-PSW.Win32.QQPass.aom skipped
C:\QooBox\Quarantine\catchme2008-02-01_123852.89.zip/.exe Infected: Trojan-PSW.Win32.QQPass.aom skipped
C:\QooBox\Quarantine\catchme2008-02-01_123852.89.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\catchme2008-02-01_133104.51.zip/540C462D.exe Infected: Trojan-PSW.Win32.QQPass.aom skipped
C:\QooBox\Quarantine\catchme2008-02-01_133104.51.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B4B69828-97EA-45E7-BC0B-E4C18BB06203}\RP230\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
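How to read the report above: the 13 infected objects are all under C:\QooBox\Quarantine, the quarantine folder ComboFix creates, so they are already contained and cannot run; the long list of "Object is locked" lines is registry hives, event logs and index.dat files the scanner could not open, not detections. The one judgement that matters in such a report is whether any named detection sits on a live path. As an added example, not part of the thread, the script below makes that distinction automatically over a verbatim excerpt of the report, plus one constructed line (labelled in the code) showing what an uncontained hit would look like. The rule that a path under QooBox\Quarantine means "contained" is my assumption.

```python
"""Added triage helper for Kaspersky Online Scanner reports of the kind posted
above. Not from the thread; the containment rule is the author's assumption."""
import re
from collections import Counter

# One report line is "<path> <verdict> skipped". Paths contain spaces, so the
# verdict alternation anchored at the end of the line is what delimits them.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:Infected: (?P<threat>\S+)|ZIP: infected - (?P<members>\d+)|Object is locked)"
    r"\s+skipped$"
)

# Assumption: anything under ComboFix's QooBox\Quarantine tree (the .vir files and
# catchme*.zip archives in the report) is already contained and cannot execute.
QUARANTINE_MARKER = "\\qoobox\\quarantine\\"

def location(path):
    """'quarantine' for contained objects, 'live' for anything else."""
    return "quarantine" if QUARANTINE_MARKER in path.lower() else "live"

def triage(report_text):
    """Bucket every report line: live_infected, quarantined, archives, locked."""
    result = {"live_infected": [], "quarantined": [], "archives": [],
              "locked": 0, "threats": Counter(), "unparsed": []}
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"].append(line)
            continue
        path = m.group("path")
        if m.group("threat"):
            result["threats"][m.group("threat")] += 1
            bucket = "quarantined" if location(path) == "quarantine" else "live_infected"
            result[bucket].append((path, m.group("threat")))
        elif m.group("members"):
            result["archives"].append(path)     # container line; members are listed separately
        else:
            result["locked"] += 1               # unreadable, not infected
    return result

def contained(result):
    """True when every named detection sits in quarantine. Locked objects are
    not detections, so they never affect the verdict."""
    return not result["live_infected"]

# Verbatim excerpt of the scan report posted above, used as sample input.
REPORT_EXCERPT = r"""
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\Flea\NTUSER.DAT Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Flea\Flea.exe.vir Infected: Trojan-PSW.Win32.QQPass.aom skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\shovth.exe.vir Infected: Trojan-PSW.Win32.QQPass.aom skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winsos.exe.vir Infected: Trojan-Downloader.Win32.Small.gye skipped
C:\QooBox\Quarantine\catchme2008-02-01_123852.89.zip/.exe Infected: Trojan-PSW.Win32.QQPass.aom skipped
C:\QooBox\Quarantine\catchme2008-02-01_123852.89.zip ZIP: infected - 1 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Constructed line (not in the report): the same dropper still present in its
# original system32 location, i.e. an uncontained hit.
LIVE_HIT = r"C:\WINDOWS\system32\shovth.exe Infected: Trojan-PSW.Win32.QQPass.aom skipped"

if __name__ == "__main__":
    for label, text in (("report", REPORT_EXCERPT), ("report+live", REPORT_EXCERPT + LIVE_HIT)):
        r = triage(text)
        print(label, "contained" if contained(r) else "NOT contained",
              dict(r["threats"]), "locked:", r["locked"], "live:", r["live_infected"])
```

Paste the full "Infected Object Name / Virus Name / Last Action" block into triage() and the verdict for this thread comes back contained, with QQPass.aom and Small.gye as the only names. One caveat the rule does not cover: files under System Volume Information\_restore{...} are dormant, but a later System Restore would bring them back, so a detection there should be treated as live and the restore points purged.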