
Constant alerts. Slowed internet. Possible Virus

Discussion in 'Virus & Other Malware Removal' started by roko11, May 3, 2010.

Thread Status:
Not open for further replies.
  1. roko11

    roko11 Thread Starter

    Joined:
    May 3, 2010
    Messages:
    2
    Hi,

    I've got SOPHOS Anti-virus on my desktop system (Win XP SP3, 2.6 GHz, 2 GB RAM) and have been getting the following messages about items that were quarantined:

    - HIPS/ProcMod-005 with the file wisecustomcalla11.exe
    - Sus/UnkPack-C with a system file A0142023.EXE

    Sophos a few weeks ago detected the W32/Silly-F Win32 worm. I used Sophos to clean it and it hasn't detected it since, but my system is running extremely slowly. The internet frequently cuts out, even though my laptop on the same network has no problems. At other times the loading time in the browser is just extremely slow. I have used SPYBOT Search and Destroy and Ad-Aware to scan for any problems. Nothing seems to have helped.

    I have also noted in TASK MANAGER that SH4SER~1.EXE has started running in the last week.

    The results from a DDS scan are pasted below and the ATTACH.txt and ARK.TXT are in the uploaded folder. I do have a WIN XP boot disk for SP1. I downloaded HIJACK THIS but under your advice on the forums have not used it.



    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Phil at 16:18:08.25 on 30/04/2010
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_19
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1578 [GMT 1:00]

    AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

    ============== Running Processes ===============

    C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\WTMKM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Launchy\Launchy.exe
    C:\Documents and Settings\Phil\Application Data\Dropbox\bin\Dropbox.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Phil\Desktop\pc scan\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
    BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies inc\notebook software\NotebookPlugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [MacrokeyManager] WTMKM.exe
    mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter4.exe
    dRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    dRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    dRunOnce: [KeyScrambler] c:\program files\keyscrambler\getting_started.html
    StartupFolder: c:\docume~1\phil\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\phil\application data\dropbox\bin\Dropbox.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
    uPolicies-explorer: NoSMHelp = 1 (0x1)
    uPolicies-explorer: NoSMMyPictures = 1 (0x1)
    uPolicies-explorer: StartMenuLogoff = 1 (0x1)
    uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: HideRunAsVerb = 1 (0x1)
    dPolicies-explorer: NoSMHelp = 1 (0x1)
    dPolicies-explorer: NoSMMyPictures = 1 (0x1)
    dPolicies-explorer: StartMenuLogoff = 1 (0x1)
    dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
    DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\phil\applic~1\mozilla\firefox\profiles\n7rwsz82.default\
    FF - component: c:\documents and settings\phil\application data\mozilla\firefox\profiles\n7rwsz82.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar3.dll
    FF - component: c:\documents and settings\phil\application data\mozilla\firefox\profiles\n7rwsz82.default\extensions\[email protected]\components\KeyScramblerIE.dll
    FF - component: c:\documents and settings\phil\application data\mozilla\firefox\profiles\n7rwsz82.default\extensions\[email protected]\platform\winnt_x86-msvc\components\WeaveCrypto.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----

    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-10-9 40560]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-18 64288]
    R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-8-23 110848]
    R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-8-23 38528]
    R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-8-23 172032]
    R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2010-3-24 323992]
    R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]
    R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-7-26 114024]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
    S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-29 80936]
    S2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2009-8-23 98304]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]
    S3 SMART Web Server;SMART Web Server;c:\program files\smart technologies inc\smart board software\WebServer.exe [2007-11-2 767240]
    S3 STSService;STSService;"c:\program files\soundtaxi media suite\stsservice.exe" --> c:\program files\soundtaxi media suite\STSService.exe [?]
    S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-8-23 14976]

    =============== Created Last 30 ================

    2010-04-21 17:05:32 0 d-----w- c:\windows\SxsCaPendDel
    2010-04-20 21:23:46 0 d-----w- c:\program files\Click-N-Type
    2010-04-20 18:20:17 0 d-----w- c:\program files\Podium Demo
    2010-04-18 18:17:09 0 d-----w- C:\sh4ldr
    2010-04-18 18:17:09 0 d-----w- c:\program files\Enigma Software Group
    2010-04-18 18:16:28 0 d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
    2010-04-18 18:16:25 0 d-----w- c:\program files\common files\Wise Installation Wizard
    2010-04-18 15:28:23 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-04-18 11:13:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-04-18 10:32:07 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-04-18 10:30:43 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-04-18 10:30:20 0 d-----w- c:\program files\Lavasoft
    2010-04-18 09:48:40 0 d-----w- c:\program files\Hijack This
    2010-04-17 20:55:10 0 d--h--w- c:\windows\PIF
    2010-04-16 10:20:58 0 d-----w- c:\program files\Power Presenter RE
    2010-04-15 15:38:20 595616 ----a-w- c:\windows\system32\SnippingTool.exe
    2010-04-15 15:38:20 320672 ----a-w- c:\windows\system32\StikyNot.exe
    2010-04-15 15:38:20 1367414 ------r- c:\windows\system32\help.pdf
    2010-04-15 15:38:17 1060864 ----a-w- c:\windows\system32\mfc71.dll
    2010-04-15 15:38:16 593 ----a-w- c:\windows\system32\MKProfile.ini
    2010-04-15 15:38:16 2121728 ----a-w- c:\windows\system32\BCGCBPRO730.dll
    2010-04-15 15:38:16 13254 ----a-w- c:\windows\system32\Vista.ini
    2010-04-15 15:38:16 12948 ----a-w- c:\windows\system32\XP_2000.ini
    2010-04-15 15:38:15 0 d---a-w- c:\windows\calib_da
    2010-04-15 15:38:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Tablet
    2010-04-09 21:27:13 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-04-09 21:27:13 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-04-09 21:26:24 0 d-----w- c:\program files\iPod
    2010-04-09 21:26:20 0 d-----w- c:\program files\iTunes
    2010-04-09 21:26:20 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-04-06 11:59:15 0 d-----w- c:\program files\LeKuSoft
    2010-04-05 13:46:12 0 d-----w- c:\docume~1\phil\applic~1\Astro Gemini Software
    2010-04-05 13:46:11 0 d-----w- c:\program files\Astro Gemini Software

    ==================== Find3M ====================

    2010-03-19 17:05:50 4874240 ------w- c:\windows\system32\dllcache\wmp.dll
    2010-03-10 04:33:41 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
    2010-03-10 04:33:38 1025024 ------w- c:\windows\system32\dllcache\browseui.dll
    2010-03-09 11:09:18 430080 ------w- c:\windows\system32\vbscript.dll
    2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
    2010-03-09 03:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-02-26 05:43:57 667136 ------w- c:\windows\system32\dllcache\wininet.dll
    2010-02-26 05:43:57 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
    2010-02-26 05:43:55 3073024 ------w- c:\windows\system32\dllcache\mshtml.dll
    2010-02-26 05:43:54 81920 ------w- c:\windows\system32\ieencode.dll
    2010-02-26 05:43:54 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
    2010-02-26 05:43:54 251904 ------w- c:\windows\system32\dllcache\iepeers.dll
    2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
    2010-02-17 08:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
    2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
    2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
    2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe
     
  2. roko11

    roko11 Thread Starter

    Joined:
    May 3, 2010
    Messages:
    2
    attached file
     

    Attached Files:


Short URL to this thread: https://techguy.org/920829
