
Services.exe



Once again, I am grateful for your help. Here are the requested logs.

DDS (Ver_09-09-29.01) - NTFSx86 NETWORK

Run by David Vinson at 23:25:25.67 on Sat 05/22/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_01

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.639 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\David Vinson\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [DVDSentry] c:\windows\system32\DSentry.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_01\bin\jusched.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davidv~1\applic~1\mozilla\firefox\profiles\vic99eqj.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - plugin: c:\documents and settings\david vinson\application data\move networks\plugins\npqmp071504000001.dll

FF - plugin: c:\documents and settings\david vinson\application data\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\microsoft research\hdview for firefox\nphdview.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.cache.memory.capacity - 16000

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.max.tokenizing.time - 3000000

FF - user.js: content.maxtextrun - 4095

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 1000000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 1000000

FF - user.js: dom.disable_window_status_change - true

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 1000

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-5-17 11608]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-17 135336]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-17 267432]

S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-17 60936]

S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-11-11 30192]

S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2008-6-13 68954]

S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2010-05-20 09:45 <DIR> --d----- c:\windows\system32\drivers\N360

2010-05-19 00:18 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll

2010-05-19 00:18 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll

2010-05-19 00:18 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll

2010-05-19 00:18 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe

2010-05-19 00:18 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe

2010-05-19 00:17 99,865 a------- c:\windows\system32\dllcache\xlog.exe

2010-05-19 00:17 28,288 a------- c:\windows\system32\dllcache\xjis.nls

2010-05-19 00:17 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys

2010-05-19 00:17 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys

2010-05-19 00:17 12,063 a------- c:\windows\system32\dllcache\wsiintxx.sys

2010-05-19 00:17 8,192 a------- c:\windows\system32\dllcache\wshirda.dll

2010-05-19 00:15 11,775 a------- c:\windows\system32\dllcache\wadv05nt.sys

2010-05-19 00:14 26,112 a------- c:\windows\system32\dllcache\usbser.sys

2010-05-19 00:13 241,664 a------- c:\windows\system32\dllcache\tosdvd02.sys

2010-05-19 00:12 285,760 a------- c:\windows\system32\dllcache\stlnata.sys

2010-05-19 00:11 24,576 a------- c:\windows\system32\dllcache\smc8000n.sys

2010-05-19 00:10 386,560 a------- c:\windows\system32\dllcache\sgiul50.dll

2010-05-19 00:09 79,872 a------- c:\windows\system32\dllcache\rwia430.dll

2010-05-19 00:08 6,016 a------- c:\windows\system32\dllcache\qic157.sys

2010-05-19 00:07 105,984 a------- c:\windows\system32\dllcache\phdsext.ax

2010-05-19 00:06 54,528 a------- c:\windows\system32\dllcache\opl3sax.sys

2010-05-19 00:05 39,264 a------- c:\windows\system32\dllcache\neo20xx.sys

2010-05-19 00:04 2,944 a------- c:\windows\system32\dllcache\msmpu401.sys

2010-05-19 00:04 22,016 a------- c:\windows\system32\dllcache\msircomm.sys

2010-05-19 00:04 1,875,968 a------- c:\windows\system32\dllcache\msir3jp.lex

2010-05-19 00:04 98,304 a------- c:\windows\system32\dllcache\msir3jp.dll

2010-05-19 00:04 35,200 a------- c:\windows\system32\dllcache\msgame.sys

2010-05-19 00:04 6,016 a------- c:\windows\system32\dllcache\msfsio.sys

2010-05-19 00:04 6,528 a------- c:\windows\system32\dllcache\miniqic.sys

2010-05-19 00:04 34,304 a------- c:\windows\system32\dllcache\migisol.exe

2010-05-19 00:04 320,384 a------- c:\windows\system32\dllcache\mgaum.sys

2010-05-19 00:04 235,648 a------- c:\windows\system32\dllcache\mgaud.dll

2010-05-19 00:04 92,416 a------- c:\windows\system32\dllcache\mga.sys

2010-05-19 00:02 19,016 a------- c:\windows\system32\dllcache\ktc111.sys

2010-05-19 00:02 47,066 a------- c:\windows\system32\dllcache\ksc.nls

2010-05-19 00:02 37,376 a------- c:\windows\system32\dllcache\kousd.dll

2010-05-19 00:02 1,158,818 a------- c:\windows\system32\dllcache\korwbrkr.lex

2010-05-19 00:02 70,656 a------- c:\windows\system32\dllcache\korwbrkr.dll

2010-05-19 00:02 253,952 a------- c:\windows\system32\dllcache\kdsusd.dll

2010-05-19 00:02 48,640 a------- c:\windows\system32\dllcache\kdsui.dll

2010-05-19 00:02 5,632 a------- c:\windows\system32\dllcache\kbdusa.dll

2010-05-19 00:02 7,680 a------- c:\windows\system32\dllcache\kbdnecnt.dll

2010-05-19 00:02 9,216 a------- c:\windows\system32\dllcache\kbdnecat.dll

2010-05-19 00:02 7,168 a------- c:\windows\system32\dllcache\kbdnec95.dll

2010-05-19 00:02 8,192 a------- c:\windows\system32\dllcache\kbdkor.dll

2010-05-19 00:02 8,704 a------- c:\windows\system32\dllcache\kbdjpn.dll

2010-05-19 00:00 311,359 a------- c:\windows\system32\dllcache\imepadsv.exe

2010-05-18 23:59 488,383 a------- c:\windows\system32\dllcache\hsf_v124.sys

2010-05-18 23:58 8,576 a------- c:\windows\system32\dllcache\hidgame.sys

2010-05-18 23:57 71,680 a------- c:\windows\system32\dllcache\fnfilter.dll

2010-05-18 23:56 37,120 a------- c:\windows\system32\dllcache\es1370mp.sys

2010-05-18 23:55 334,208 a------- c:\windows\system32\dllcache\ds1wdm.sys

2010-05-18 23:54 21,606 a------- c:\windows\system32\dllcache\digiisdn.sys

2010-05-18 23:53 27,136 a------- c:\windows\system32\dllcache\cyzcoins.dll

2010-05-18 23:52 20,736 a------- c:\windows\system32\dllcache\cmbp0wdm.sys

2010-05-18 23:52 248,064 a------- c:\windows\system32\dllcache\cl546xm.sys

2010-05-18 23:52 170,880 a------- c:\windows\system32\dllcache\cl546x.dll

2010-05-18 23:52 111,232 a------- c:\windows\system32\dllcache\cl5465.dll

2010-05-18 23:52 45,696 a------- c:\windows\system32\dllcache\cirrus.sys

2010-05-18 23:52 91,264 a------- c:\windows\system32\dllcache\cirrus.dll

2010-05-18 23:52 272,640 a------- c:\windows\system32\dllcache\cinemclc.sys

2010-05-18 23:52 980,034 a------- c:\windows\system32\dllcache\cicap.sys

2010-05-18 23:50 13,824 a------- c:\windows\system32\dllcache\bulltlp3.sys

2010-05-18 23:16 66,082 a------- c:\windows\system32\dllcache\c_20297.nls

2010-05-18 23:15 12,160 a------- c:\windows\system32\dllcache\brfiltlo.sys

2010-05-18 23:14 37,376 a------- c:\windows\system32\dllcache\atievxx.exe

2010-05-18 23:13 553,984 a------- c:\windows\system32\dllcache\adm8820.sys

2010-05-18 23:12 7,168 a------- c:\windows\system32\dllcache\wamregps.dll

2010-05-18 23:12 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll

2010-05-17 19:55 <DIR> --d----- c:\docume~1\davidv~1\applic~1\Avira

2010-05-17 18:58 60,936 a------- c:\windows\system32\drivers\avgntflt.sys

2010-05-17 18:58 <DIR> --d----- c:\program files\Avira

2010-05-17 18:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira

2010-05-17 18:49 69,632 a------- c:\windows\system32\javacpl.cpl

2010-05-13 16:01 <DIR> --d----- c:\documents and settings\david vinson\DoctorWeb

2010-05-09 20:01 <DIR> a-dshr-- C:\cmdcons

2010-05-09 19:30 256,512 a------- c:\windows\PEV.exe

2010-05-09 19:30 161,792 a------- c:\windows\SWREG.exe

2010-05-09 19:30 98,816 a------- c:\windows\sed.exe

2010-05-09 19:30 77,312 a------- c:\windows\MBR.exe

2010-05-09 19:26 <DIR> --d----- C:\Combo-Fix

2010-05-06 22:22 <DIR> --d----- c:\program files\Trend Micro

2010-05-05 21:40 <DIR> --d----- c:\docume~1\davidv~1\applic~1\Malwarebytes

2010-05-05 21:40 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-05 21:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-05 21:40 20,952 a------- c:\windows\system32\drivers\mbam.sys

2010-05-05 21:40 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2010-05-02 23:03 <DIR> --d----- c:\docume~1\davidv~1\applic~1\Tific

2010-05-02 22:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller

2010-05-02 22:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton

2010-04-29 10:37 <DIR> --d----- c:\program files\iPod

2010-04-29 10:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-04-29 10:21 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2010-04-16 08:33 3,003,680 a------- c:\windows\system32\usbaaplrc.dll

2010-04-16 08:33 41,472 a------- c:\windows\system32\drivers\usbaapl.sys

2010-04-08 13:20 107,808 a------- c:\windows\system32\dns-sd.exe

2010-04-08 13:20 91,424 a------- c:\windows\system32\dnssd.dll

2010-04-03 01:03 96,272 a---h--- c:\windows\system32\mlfcache.dat

2010-03-10 02:15 420,352 a------- c:\windows\system32\vbscript.dll

2010-03-10 02:15 420,352 a------- c:\windows\system32\dllcache\vbscript.dll

2010-02-25 11:54 11,070,976 -------- c:\windows\system32\dllcache\ieframe.dll

2010-02-24 09:11 455,680 a------- c:\windows\system32\dllcache\mrxsmb.sys

2010-02-24 05:54 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe

2008-03-14 16:07 32 -c---r-- c:\documents and settings\all users\hash.dat

2006-01-04 18:30 774,144 -c------ c:\program files\RngInterstitial.dll

2008-09-27 20:20 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092720080928\index.dat

============= FINISH: 23:26:41.43 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 6/30/2004 7:34:54 PM

System Uptime: 5/22/2010 11:51:58 AM (12 hours ago)

Motherboard: Dell Computer Corp. | | 0W2562

Processor: Intel


Step 1

Please manually delete the following folders:

c:\windows\system32\drivers\N360

c:\docume~1\alluse~1\applic~1\NortonInstaller

c:\docume~1\alluse~1\applic~1\Norton

Step 2

Please add the following to Avira's exclusions:

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe


Here is the portion of the help that deals with these exclusions:

Configuration :: Scanner :: Scan

Exceptions

File objects to be omitted for the scanner

The list in this window contains files and paths that should not be included by the Scanner in the scan for viruses or unwanted programs.

Please enter as few exceptions as possible here and really only files that, for whatever reason, should not be included in a normal scan. We recommend that you always scan these files for viruses or unwanted programs before they are included in this list!

Note

The entries on the list must not result in more than 6000 characters in total.

Warning

These files are not included in a scan!

Note

The files included in this list are entered in the report file. Please check the report file from time to time for unscanned files, as perhaps the reason you excluded a file here no longer exists. In this case you should remove the name of this file from this list again.

Input box

In this input box you can enter the name of the file object that is not included in the on-demand scan. No file object is entered as the default setting.

The button opens a window in which you can select the required file or the required path.

When you have entered a file name with its complete path, only this file is not scanned for infection. If you have entered a file name without a path, all files with this name (irrespective of the path or drive) are not scanned.

Add

With this button, you can add the file object entered in the input box to the display window.

But when I open Avira in safe mode, I can't find an input box or an Add button. When I open Avira in normal mode, everything freezes up as soon as I try to open any window. Is there some aspect of adding exclusions that I am overlooking? I cannot figure it out.

Thanks, I will keep looking,

gaughin


Hello Gaughin,

I will be helping you going forward.

Yes, Expert mode in Avira is advised. And, as you see, to get to Avira's Exception list:

View > Scanner

You Click Scanner > Click + Scan > Exception.

Yes, do a full scan with Avira, and next do an anti-rootkit search.

If your Avira AntiVir is not running in an open window already, RIGHT-click the AntiVir icon in the systray. Select Start AntiVir. After the main window is open, click on the "Local protection" icon.

Press (select) the Scanner button. A list of predefined scans will be shown on the right.

Click the + sign at Rootkit search

Checkmark to select the C drive and all other drives, shown for your system.

Next, press the magnifying glass on the toolbar to start the search.

Make sure to not run any other apps while this is scanning. (No email usage or internet browsing, especially).

When it completes the scan, the results will be displayed. Save those and post back with details.

Should you ever need to view a report (later on), press Overview button, then select reports.

A list displays at right. Click the one desired. Double click it to fetch the report.

P.S. The user manual in PDF format is located at http://www.free-av.com/en/documentation/index.html

Let me know what Avira finds.

P.P.S. ONLY use the ADDReply button when starting a reply. Your topic was chock full of re-quotes and was extremely long to review!!


What were the results? I do not see a log/report.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double-click My Computer; from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

This is to flush your Windows Automatic Updates download folder.

From the main Windows Start menu, select RUN, type in

CMD

<Enter-key>

type in

net stop wuauserv

<Enter-key>

Use Windows Explorer. Go to C:\Windows\System32

If you have a sub-folder called Catroot2 (not Catroot), rename the folder to CR2OLD. Or delete everything in that folder. Just make sure you do the right one.

Still in Windows Explorer.

Your Windows folder is C:\Windows.

Look at this folder

C:\Windows\SoftwareDistribution\Download <<<--- this folder

If you find files in there, delete them. That folder is where files are stored from Windows Updates downloads.

Step 4

Next: with any of your open programs closed (those that you started)

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Tell me, how is your system now?

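For anyone following this thread who prefers to do Steps 2 and 3 from a script instead of clicking through Folder Options and Windows Explorer, here is an added batch file (this is not the helper's own instruction set and not part of the original reply). It assumes Windows XP with %SystemRoot% = C:\Windows and an Administrator account. The registry values it sets are the ones behind the four Folder Options > View checkboxes named in Step 2; the folder names (Catroot2, CR2OLD, SoftwareDistribution\Download) are the ones from Step 3. One step the thread does not mention, but which is needed for the rename to succeed, is stopping Cryptographic Services (cryptsvc), because that service keeps catroot2 open.

```batch
@echo off
REM Added example (not from the original post): scripted form of Steps 2 and 3.
REM Assumes Windows XP, %SystemRoot% = C:\Windows, run from an Administrator cmd window.

REM ---- Step 2: Folder Options > View settings, written directly to the registry ----
set ADV=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
REM "Display the contents of system folders"
reg add "%ADV%" /v WebViewBarricade /t REG_DWORD /d 1 /f >nul
REM "Show hidden files and folders"  (1 = show, 2 = do not show)
reg add "%ADV%" /v Hidden /t REG_DWORD /d 1 /f >nul
REM un-check "Hide extensions for known file types"
reg add "%ADV%" /v HideFileExt /t REG_DWORD /d 0 /f >nul
REM un-check "Hide protected operating system files"
reg add "%ADV%" /v ShowSuperHidden /t REG_DWORD /d 1 /f >nul

REM ---- Step 3: flush the Windows Automatic Updates download folder ----
net stop wuauserv
REM Cryptographic Services holds catroot2 open; stop it so the rename below can succeed.
REM (This step is not in the thread; it is added here from the standard Windows Update reset procedure.)
net stop cryptsvc

REM Rename Catroot2 (NOT Catroot) to CR2OLD, replacing any earlier CR2OLD backup.
if exist "%SystemRoot%\System32\catroot2" (
    if exist "%SystemRoot%\System32\CR2OLD" rd /s /q "%SystemRoot%\System32\CR2OLD"
    ren "%SystemRoot%\System32\catroot2" CR2OLD
)

REM Delete everything inside SoftwareDistribution\Download, but keep the folder itself.
if exist "%SystemRoot%\SoftwareDistribution\Download" (
    del /f /s /q "%SystemRoot%\SoftwareDistribution\Download\*.*" >nul 2>&1
    for /d %%D in ("%SystemRoot%\SoftwareDistribution\Download\*") do rd /s /q "%%D"
)

REM Bring the two services back so Automatic Updates can rebuild the folder.
net start cryptsvc
net start wuauserv

echo Done. Open a new Explorer window to see the folder view changes.
```

Save it as a .bat file, run it, and then go on with Step 4 (TFC) exactly as written above; the Explorer view changes show up in any newly opened Explorer window, and the rebuilt Download folder is empty until the next Automatic Updates check.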

Sorry, forgot to paste it in!

Avira AntiVir Personal

Report file date: Sunday, May 23, 2010 16:01

Scanning for 1990003 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Safe mode with network

Username : David Vinson

Computer name : VINSON1

Version information:

BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00

AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 17:37:38

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04

LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 23:33:04

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:27:49

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:37:42

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:37:42

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:29:03

VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 16:29:03

VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 16:29:03

VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 16:29:03

VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 16:29:03

VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 16:29:03

VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 16:29:03

VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 16:29:03

VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 16:29:03

VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 20:43:21

VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 20:24:21

VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 22:41:40

VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 14:25:53

VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 14:39:58

VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 18:01:24

VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 15:24:56

VBASE020.VDF : 7.10.5.164 113152 Bytes 3/22/2010 12:04:23

VBASE021.VDF : 7.10.5.182 108032 Bytes 3/23/2010 14:23:02

VBASE022.VDF : 7.10.5.199 123904 Bytes 3/24/2010 22:47:50

VBASE023.VDF : 7.10.5.217 279552 Bytes 3/25/2010 00:11:22

VBASE024.VDF : 7.10.5.234 202240 Bytes 3/26/2010 22:53:48

VBASE025.VDF : 7.10.5.254 187904 Bytes 3/30/2010 18:56:47

VBASE026.VDF : 7.10.6.18 130560 Bytes 4/1/2010 10:56:20

VBASE027.VDF : 7.10.6.34 136192 Bytes 4/6/2010 14:43:55

VBASE028.VDF : 7.10.6.44 232448 Bytes 4/7/2010 14:59:22

VBASE029.VDF : 7.10.6.60 124416 Bytes 4/12/2010 17:43:17

VBASE030.VDF : 7.10.6.61 2048 Bytes 4/12/2010 17:43:17

VBASE031.VDF : 7.10.6.62 17408 Bytes 4/12/2010 17:43:17

Engineversion : 8.2.1.210

AEVDF.DLL : 8.1.1.3 106868 Bytes 2/13/2010 17:16:21

AESCRIPT.DLL : 8.1.3.24 1282425 Bytes 4/1/2010 21:05:26

AESCN.DLL : 8.1.5.0 127347 Bytes 2/25/2010 23:38:41

AESBX.DLL : 8.1.2.1 254323 Bytes 3/17/2010 16:09:47

AERDL.DLL : 8.1.4.3 541043 Bytes 3/17/2010 16:09:47

AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 17:34:51

AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/17/2010 16:09:46

AEHEUR.DLL : 8.1.1.16 2503031 Bytes 3/26/2010 23:43:13

AEHELP.DLL : 8.1.11.3 242039 Bytes 4/1/2010 21:05:25

AEGEN.DLL : 8.1.3.6 373108 Bytes 4/1/2010 21:05:25

AEEMU.DLL : 8.1.1.0 393587 Bytes 11/10/2009 14:04:22

AECORE.DLL : 8.1.13.1 188790 Bytes 4/1/2010 21:05:25

AEBB.DLL : 8.1.0.3 53618 Bytes 9/10/2009 17:15:06

AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 17:03:38

AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 17:03:35

AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 21:47:40

AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 17:35:46

AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 17:39:51

AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 17:22:13

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 14:53:30

SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 17:57:58

AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 20:38:56

NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 19:41:00

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20

RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 19:14:29

Configuration settings for the scan:

Jobname.............................: Scan for Rootkits and active malware

Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\PROFILES\rootkit.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: high

Skipped files.......................: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe, C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe, C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe,

Start of the scan: Sunday, May 23, 2010 16:01

Starting search for hidden objects.

The driver could not be initialized.

The scan of running processes will be started

Scan process 'avscan.exe' - '59' Module(s) have been scanned

Scan process 'avcenter.exe' - '93' Module(s) have been scanned

Scan process 'firefox.exe' - '74' Module(s) have been scanned

Scan process 'Explorer.EXE' - '82' Module(s) have been scanned

Scan process 'svchost.exe' - '32' Module(s) have been scanned

Scan process 'svchost.exe' - '106' Module(s) have been scanned

Scan process 'svchost.exe' - '39' Module(s) have been scanned

Scan process 'svchost.exe' - '48' Module(s) have been scanned

Scan process 'lsass.exe' - '48' Module(s) have been scanned

Scan process 'services.exe' - '27' Module(s) have been scanned

Scan process 'winlogon.exe' - '62' Module(s) have been scanned

Scan process 'csrss.exe' - '12' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting to scan executable files (registry).

The registry was scanned ( '1175' files ).

Starting the file scan:

Begin scan in 'C:'

C:\Documents and Settings\David Vinson\My Documents\Old computer data files\My Pictures\cabinet maker, jacob lawr

[0] Archive type: MacBinary

--> cabinet maker, jacob lawr.rsrc

[WARNING] The file could not be read!

[WARNING] The file could not be read!

C:\Documents and Settings\David Vinson\My Documents\Old computer data files\My Pictures\Poppy, O'Keefe

[0] Archive type: MacBinary

--> Poppy, O'Keefe.rsrc

[WARNING] The file could not be read!

[WARNING] The file could not be read!

C:\Program Files\Musicnotes\uninstsc.exe

[DETECTION] Contains HEUR/Malware suspicious code

Beginning disinfection:

C:\Program Files\Musicnotes\uninstsc.exe

[DETECTION] Contains HEUR/Malware suspicious code

[NOTE] The detection was classified as suspicious.

[NOTE] The file was moved to the quarantine directory under the name '4ef8609b.qua'.

End of the scan: Sunday, May 23, 2010 20:09

Used time: 3:56:32 Hour(s)

The scan has been done completely.

25760 Scanned directories

555496 Files were scanned

0 Viruses and/or unwanted programs were found

1 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

1 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

555495 Files not concerned

6278 Archives were scanned

4 Warnings

1 Notes

I will try your next procedure when Lost is over.

gaughin

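A small triage helper for reports like the one above, added here as an example (it is not part of the thread and not Avira's software). It surfaces two things a responder should notice in that log: the "driver could not be initialized" line, which means the hidden-object (rootkit) search never actually ran, and whether the summary's quarantine count matches the quarantine actions logged. The sample lines are constructed from the report's format and the parsing rules are assumptions.

```python
import re

# Constructed sample modelled on the Avira report format shown in the thread (not the full log).
SAMPLE_REPORT = """\
Starting search for hidden objects.
The driver could not be initialized.
Scan process 'services.exe' - '27' Module(s) have been scanned
C:\\Program Files\\Musicnotes\\uninstsc.exe
[DETECTION] Contains HEUR/Malware suspicious code
Beginning disinfection:
C:\\Program Files\\Musicnotes\\uninstsc.exe
[DETECTION] Contains HEUR/Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to the quarantine directory under the name '4ef8609b.qua'.
0 Viruses and/or unwanted programs were found
1 Files were classified as suspicious
1 Files were moved to quarantine
4 Warnings
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                  # a scanned file path (assumed format)
DETECTION_RE = re.compile(r"^\[DETECTION\]\s+(.+)$")
QUARANTINE_RE = re.compile(r"quarantine directory under the name '([^']+)'")
SUMMARY_RE = re.compile(r"^(\d+)\s+(.+)$")             # "<count> <description>" summary lines


def parse_report(text):
    """Parse an Avira-style report into detections, summary counts and reviewer flags."""
    detections, summary, flags = {}, {}, []
    last_path = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "The driver could not be initialized.":
            flags.append("rootkit driver failed to load; hidden-object search did not run")
        elif PATH_RE.match(line):
            last_path = line                            # verdict lines refer to this path
        elif (m := DETECTION_RE.match(line)) and last_path:
            # The same file is listed again under "Beginning disinfection"; keep one entry.
            detections.setdefault(last_path, {"verdict": m.group(1), "quarantine": None})
        elif (m := QUARANTINE_RE.search(line)) and last_path in detections:
            detections[last_path]["quarantine"] = m.group(1)
        elif m := SUMMARY_RE.match(line):
            summary[m.group(2)] = int(m.group(1))
    quarantined = sum(1 for d in detections.values() if d["quarantine"])
    if summary.get("Files were moved to quarantine", 0) != quarantined:
        flags.append("summary quarantine count does not match logged quarantine actions")
    return {"detections": detections, "summary": summary, "flags": flags}
```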

I completed all 4 steps in safe mode. Should I try to run them in normal mode?

There seems to be no significant change. Available CPU is still consistently 0-3%. If I am in normal mode, I can open office documents, for instance, but then cannot work in the files; everything freezes up. iTunes will open, but then is non-responsive, and in fact, seems to lock up the entire computer.

Should I try the 4 steps in normal mode, or does that matter? It seemed like the CMD gave me some sort of error message.

Thanks

gaughin


Unless I specifically guide you to use Safe Mode, I mean for the steps to be run in Normal mode.

If you have run #1, #2 and #4 one time, there's no need to run those again.

Step 3 needs to be run in Normal mode. If that is totally impossible, then in "Safe Mode with Networking".

If there is "some sort of error", I need for you to report all details.


OK, I went to normal mode. I was able to get the command mode to load. The computer reported back that the automatic service was successfully stopped.

Still in normal mode, I attempted to re-check the folders C:\Windows\System32\Catroot2 and C:\Windows\SoftwareDistribution\Download

The flashlight/search icon ran continuously for about 15 minutes without ever displaying any folders.

I switched to Safe Mode with Networking. I could access the folders from there. I re-named C:\Windows\System32\Catroot2 to C:\Windows\System32\CR3OLD (since I had previously created CR2OLD). C:\Windows\SoftwareDistribution\Download remained empty. I still have approximately 0-5% available CPU with services.exe consistently taking 90% or more of the CPU.

Thanks for your continued help.

gaughin


OK. The flushing of the Windows Automatic Updates is only a one-time thing. I will not be asking you to do it again.

And I'm sure you have completed TFC temp file cleaner.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.

As a one-time try, see about downloading (and saving) and then installing StartUpLite by MalwareBytes

http://www.malwarebytes.org/startuplite.php

Install it, restart system, and get me a status update.

Be very aware that, since we have not been able to see residual malware, we are very quickly reaching the end of the road in this sub-forum. I will help you remove the tools used. But as far as malware hunting, we are at an end.

This system appears to be haunted, and you'd likely be a) safer long term, and b) quicker to resolve, by

c) saving your files & documents to offline media, and then doing a HD wipe/reformat and fresh install of Windows.


It seems marginally better, but it's definitely not right.

I really appreciate the people who participate in this site. Even though my case is not successful, it was great of you guys to take this much time with me. I would ask 2 final questions.

1) I have read bits and pieces about Windows "repair". Is this worth trying?

2) If not, can you point me to good instructions about how to re-format the hard drive and re-install Windows from scratch? There are so many options that it's hard for a tech-challenged guy like me to know which one to use as a map.

Thanks again for your time

gaughin


At this time, let's remove Combo-Fix.exe

We have to remove Combofix and all its associated folders.

By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below.

The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.

Note the space before the slash mark.

The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run. Then type in
    Combo-Fix /uninstall
    and press OK

De-install Spybot (if still present). That version you had is outdated.

Next:

  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Notes on Windows XP Repair:

A Windows XP repair install is "iffy" in that there can be no guarantee that it will really result in a fix of your issues.

I would urge a full offline backup of the system before you even start it. Having the backup would serve as a means of possibly reverting it in case things did not work out.

Following is the Repair Install scenario.

Only if you have a "full" XP CD ----

The object of this exercise is to do an in-place upgrade or an in-place installation for purposes of "repair".

It needs to go to the same partition as before, and the same directory as before.

Usually, for example, XP is on the C drive in the folder/directory \Windows or \WINNT.

Configure your computer to start from the CD-ROM drive. You do that from the pc BIOS setup screen. You specify CDROM as the first drive to boot from.

Insert your Windows XP CD into your CD-ROM drive, and then restart your pc.

When the "Press any key to boot from CD" message is displayed on your screen, press a key to boot the pc from the XP CD.

When you see the following message displayed on the Welcome to Setup screen, press ENTER:

To setup Windows XP now, press ENTER.

At this point an option to press R to enter the Recovery Console is displayed. Do NOT select this option.

On the Windows XP Licensing Agreement screen, press the F8 function key to agree to it.

Make sure that your current installation of Windows XP (in your case, the one you wish to repair) is selected in the box, and then press the R key to repair XP.

Follow the instructions on the screen.

NOTE: You may refer to this article for more details

http://www.michaelstevenstech.com/XPrepairinstall.htm

Clean Install of Windows XP

How to do a clean (new) Windows Install:

Before you start, make sure you have at hand the Windows XP CD and also, a fresh new copy of your antivirus that is downloaded from a clean pc and saved on transportable-media (CD-DVD or clean thumb drive).

When you are at point of re-installing o.s., I'd recommend you have the pc disconnected from internet until after the o.s. is installed, plus the antivirus is fully setup and running.

See Windows XP Clean Installation - Partitioning and Formatting using Windows XP CD by Ramesh Srinivasan, MS-MVP & AumHa VSOP

Also Clean Install Windows by Michael Stevens, MS-MVP

I would urge you to follow the directions very carefully.

You will lose your documents, so if you have some to save, offload them to a separate offline media. And later on ensure you do a full scan of them by running your antivirus before you copy or open them for use.

NOTE: If XP CD is from a pc manufacturer, and they bundled an AV like McAfee or Norton/Symantec trial versions or any other AV, immediately de-install those, since they will be outdated & of no use. Install your antivirus immediately after.

Review these articles for general security reference

4 steps to protect your computer

http://www.microsoft.com/security/pypc.aspx

Miekiemoes' How to prevent Malware

Always back up your system on a regular basis

Make regular backups of your system to removable media: DVD, USB external hard drive, etc.

We are finished here. Best regards.
