1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

services.exe spiking to 100%

Discussion in 'Virus & Other Malware Removal' started by drandyreed, Jan 26, 2011.

Thread Status:
Not open for further replies.
Advertisement
  1. drandyreed

    drandyreed Thread Starter

    Joined:
    Jan 26, 2011
    Messages:
    5
    I am having the same issues as several others with services.exe cycling to a constant 100% CPU usage and choking out other programs from running but have not been able to eradicate it using other posts. I do not have any registry experience so I have been very wary of going in and changing things. My issue seems to be tied to my HP printer. I deinstalled the wireless printer and the services.exe stopped cycling but I can't go without a printer. When I reinstalled it came back. A previous post directed a poster to run hijack this which I show below for my system. As I type I have open task manager and 43 running process are tagged at 100% CPU usage right now. I can follow instruction fairly well so if anyone can help I would be grateful. This has been going on for almost a year and thinking about new computer? but cannot afford it now. THANKS!!!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:39:24 AM, on 1/26/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.igoogle.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.206.201.8 avir-guardian.com
    O1 - Hosts: 91.206.201.8 www.avir-guardian.com
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKCU\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269361651265
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Filter hijack: text/html - {01001bf3-c7b4-435a-84e1-1b21d2c7cf14} - (no file)
    O20 - AppInit_DLLs: c:\windows\system32\rugesipe.dll c:\windows\system32\tiseviho.dll c:\windows\system32\vinelewe.dll devopaha.dll
    O21 - SSODL: zosunuyos - {f4c6f87c-ecff-459f-96be-82141231c05a} - (no file)
    O21 - SSODL: zuhoworoy - {d3089ce0-6866-4253-b940-552e16c76b6c} - (no file)
    O22 - SharedTaskScheduler: jugezatag - {f4c6f87c-ecff-459f-96be-82141231c05a} - (no file)
    O22 - SharedTaskScheduler: kupuhivus - {d3089ce0-6866-4253-b940-552e16c76b6c} - (no file)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

    --
    End of file - 8039 bytes
     
  2. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    Your computer is infected. Please click on Report and kindly ask to be moved to the Virus & Other Malware Removal forum. Be sure to provide the appropriate reports in that forum after reading THIS. From there, be patient. You should get an answer within the next 48 hours. Those guys are really busy!
     
  3. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,718
    Hiya and welcome to Tech Support Guy :)

    Download TFC by OldTimer to your desktop
    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.



    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply.
    • Click Close to exit the program.

    Please include the MBAM log and, SUPERAntiSpyware Scan Log and a fresh HijackThis log in your next reply

    eddie
     
  4. drandyreed

    drandyreed Thread Starter

    Joined:
    Jan 26, 2011
    Messages:
    5
    Thanks for offering to help- this has been going on for months and months and no one can fix it.

    I am providing all I can in order to help you help me:


    DDS (Ver_10-12-12.01) - NTFSx86
    Run by ANDY REED at 23:23:31.81 on Thu 01/27/2011
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.54 [GMT -6:00]

    AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *Enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\svchost.exe -k HPService
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    c:\PROGRA~1\mcafee\msc\mcshell.exe
    C:\WINDOWS\system32\notepad.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Documents and Settings\ANDY REED\My Documents\Downloads\dds (1).pif

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.igoogle.com/
    uDefault_Page_URL = hxxp://www.dell4me.com/myway
    uSearch Bar = hxxp://www.google.com/ie
    mStart Page = hxxp://www.dell4me.com/myway
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [StrgSync.exe] c:\program files\storagesync\StrgSync.exe -w
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
    uPolicies-system: EnableProfileQuota = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    Trusted Zone: 0.0.0.0
    Trusted Zone: google.com
    Trusted Zone: google.com\mail
    Trusted Zone: google.com\www
    Trusted Zone: motive.com\pattta.att
    Trusted Zone: motive.com\patttbc.att
    DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269361651265
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxsrvc.dll
    AppInit_DLLs: c:\windows\system32\rugesipe.dll c:\windows\system32\tiseviho.dll c:\windows\system32\vinelewe.dll devopaha.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SSODL: zosunuyos - {f4c6f87c-ecff-459f-96be-82141231c05a} - No File
    SSODL: zuhoworoy - {d3089ce0-6866-4253-b940-552e16c76b6c} - No File
    STS: {f4c6f87c-ecff-459f-96be-82141231c05a} - No File
    STS: {d3089ce0-6866-4253-b940-552e16c76b6c} - No File
    LSA: Notification Packages = scecli kitotovu.dll nukizani.dll msrvicpu.dll scecli
    Hosts: 91.206.201.8 avir-guardian.com
    Hosts: 91.206.201.8 www.avir-guardian.com

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 386840]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-9 93320]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-11-9 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-9 144704]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-9 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-9 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-9 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-9 40552]
    S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
    S1 archlp;archlp;c:\windows\system32\drivers\archlp.sys --> c:\windows\system32\drivers\archlp.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-5 136176]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-9 34248]
    S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2006-9-14 99200]
    S4 WDefend;WDefend;c:\windows\svohost.exe --> c:\windows\svohost.exe [?]

    =============== Created Last 30 ================

    2011-01-28 05:11:58 -------- d--h--w- c:\windows\PIF
    2011-01-26 13:38:20 -------- d-----w- c:\program files\Trend Micro
    2011-01-07 19:58:51 -------- d-----r- c:\program files\Skype

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
    2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-11-05 05:05:35 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-03 12:59:07 369664 ----a-w- c:\windows\system32\html.iec
    2009-07-21 16:16:42 1008640 --sha-w- c:\windows\system32\kugokigu.exe

    ============= FINISH: 23:26:26.99 ===============
    //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:57:55 PM, on 1/31/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.igoogle.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.206.201.8 avir-guardian.com
    O1 - Hosts: 91.206.201.8 www.avir-guardian.com
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKCU\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269361651265
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Filter hijack: text/html - {01001bf3-c7b4-435a-84e1-1b21d2c7cf14} - (no file)
    O20 - AppInit_DLLs: c:\windows\system32\rugesipe.dll c:\windows\system32\tiseviho.dll c:\windows\system32\vinelewe.dll devopaha.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O21 - SSODL: zosunuyos - {f4c6f87c-ecff-459f-96be-82141231c05a} - (no file)
    O21 - SSODL: zuhoworoy - {d3089ce0-6866-4253-b940-552e16c76b6c} - (no file)
    O22 - SharedTaskScheduler: jugezatag - {f4c6f87c-ecff-459f-96be-82141231c05a} - (no file)
    O22 - SharedTaskScheduler: kupuhivus - {d3089ce0-6866-4253-b940-552e16c76b6c} - (no file)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

    --
    End of file - 8385 bytes
    ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5637

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    1/29/2011 10:36:19 PM
    mbam-log-2011-01-29 (22-36-19).txt

    Scan type: Quick scan
    Objects scanned: 154136
    Time elapsed: 15 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 1
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDefend (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\WINDOWS\system32\config\systemprofile\start menu\Programs\windows police pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

    Files Infected:
    c:\WINDOWS\system32\kugokigu.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\dinizuha.dll (Trojan.Vundo.N) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\nuar.old (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\skynet.dat (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\vuyohasu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    c:\WINDOWS\wp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\wp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
     

    Attached Files:

  5. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,718
    Hopefully we'll get it all nice and clean for you :)

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! As you download it rename it to username123.exe and save it to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Remember to re-enable the protection again afterwards before connecting to the Internet.
    • Double click on ComboFix.exe & follow the prompts.

    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


    [​IMG]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [​IMG]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    eddie
     
  6. drandyreed

    drandyreed Thread Starter

    Joined:
    Jan 26, 2011
    Messages:
    5
    ComboFix 11-02-15.02 - ANDY REED 02/15/2011 22:36:05.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.207 [GMT -6:00]
    Running from: c:\documents and settings\ANDY REED\Desktop\username123.exe
    AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\ANDY REED\Local Settings\Application Data\{3AC0ED70-2577-4D1E-BB4A-F028FB22395E}
    c:\documents and settings\ANDY REED\Local Settings\Application Data\{3AC0ED70-2577-4D1E-BB4A-F028FB22395E}\chrome.manifest
    c:\documents and settings\ANDY REED\Local Settings\Application Data\{3AC0ED70-2577-4D1E-BB4A-F028FB22395E}\chrome\content\overlay.xul
    c:\documents and settings\ANDY REED\Local Settings\Application Data\{3AC0ED70-2577-4D1E-BB4A-F028FB22395E}\install.rdf
    c:\documents and settings\ANDY REED\My Documents\DPE.DUS
    c:\documents and settings\ANDY REED\My Documents\Program Files\StorageSync\StrgSync.exe
    c:\program files\StorageSync\StrgSync.exe

    c:\windows\system32\proquota.exe was missing
    Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-16 to 2011-02-16 )))))))))))))))))))))))))))))))
    .

    2011-02-16 04:49 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
    2011-01-30 04:52 . 2011-01-30 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-01-30 04:52 . 2011-01-30 04:52 -------- d-----w- c:\documents and settings\ANDY REED\Application Data\SUPERAntiSpyware.com
    2011-01-30 04:49 . 2011-01-30 04:53 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-01-30 04:08 . 2011-01-30 04:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-28 05:11 . 2011-01-28 05:11 -------- d--h--w- c:\windows\PIF
    2011-01-26 13:38 . 2011-01-26 13:38 -------- d-----w- c:\program files\Trend Micro
    2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-21 14:44 . 2004-08-10 17:51 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-10 17:50 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2008-10-07 15:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-21 00:09 . 2010-04-26 12:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-21 00:08 . 2010-04-26 12:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-20 22:15 . 2004-08-10 17:51 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 22:15 . 2004-08-10 17:51 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-12-20 22:15 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-12-20 17:26 . 2008-10-07 15:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 15:30 . 2004-08-10 17:51 369664 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2008-10-07 15:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2008-10-07 15:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:38 . 2008-10-07 15:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2008-10-07 15:00 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-11-18 18:12 . 2004-08-10 18:02 81920 ----a-w- c:\windows\system32\isign32.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-13 2424560]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATT-SST_McciTrayApp]
    2009-10-22 06:23 1577984 ----a-w- c:\program files\ATT-SST\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
    2010-03-11 04:09 648536 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-10-15 02:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2007-08-22 21:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-07-21 20:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
    2009-10-29 12:54 1218008 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]
    2009-07-08 03:02 1176808 ----a-w- c:\progra~1\McAfee\MHN\McENUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-19 03:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2011-01-03 21:44 15028104 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2010-05-05 13:05 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WDefend"=2 (0x2)
    "SprintRcAppSvc"=3 (0x3)
    "RoxWatch9"=2 (0x2)
    "RoxMediaDB9"=3 (0x3)
    "RoxLiveShare9"=2 (0x2)
    "Roxio Upnp Server 9"=2 (0x2)
    "Roxio UPnP Renderer 9"=3 (0x3)
    "iPod Service"=3 (0x3)
    "IDriverT"=3 (0x3)
    "DSBrokerService"=3 (0x3)
    "Apple Mobile Device"=2 (0x2)
    "ACDaemon"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "HelpCenter4.1"=c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe /P HelpCenter4.1

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
    "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/9/2009 8:20 AM 93320]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S1 archlp;archlp;c:\windows\system32\drivers\archlp.sys --> c:\windows\system32\drivers\archlp.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2010 7:08 AM 136176]
    S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [9/14/2006 3:45 PM 99200]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    HPService REG_MULTI_SZ HPSLPSVC
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-16 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-05-05 13:05]

    2011-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 13:07]

    2011-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 13:07]

    2011-02-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-09 18:22]

    2011-02-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-09 18:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.igoogle.com/
    mStart Page = hxxp://www.dell4me.com/myway
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: 0.0.0.0
    Trusted Zone: google.com
    Trusted Zone: google.com\mail
    Trusted Zone: google.com\www
    Trusted Zone: motive.com\pattta.att
    Trusted Zone: motive.com\patttbc.att
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-StrgSync.exe - c:\program files\StorageSync\StrgSync.exe
    SharedTaskScheduler-{f4c6f87c-ecff-459f-96be-82141231c05a} - (no file)
    SharedTaskScheduler-{d3089ce0-6866-4253-b940-552e16c76b6c} - (no file)
    SSODL-zosunuyos-{f4c6f87c-ecff-459f-96be-82141231c05a} - (no file)
    SSODL-zuhoworoy-{d3089ce0-6866-4253-b940-552e16c76b6c} - (no file)
    MSConfigStartUp-ArcSoft Connection Service - c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    MSConfigStartUp-Malwarebytes Anti-Malware (reboot) - e:\malwarebytes' anti-malware\mbam.exe
    MSConfigStartUp-StrgSync - c:\documents and settings\ANDY REED\My Documents\Program Files\StorageSync\StrgSync.exe
    MSConfigStartUp-Xjofawebewa - c:\windows\udayizajovanile.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-15 22:57
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(736)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    - - - - - - - > 'explorer.exe'(2588)
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\windows\System32\snmp.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-15 23:10:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-16 05:10

    Pre-Run: 2,416,898,048 bytes free
    Post-Run: 2,308,161,536 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - D77C00BF5E03329A05B21C901FA9CD0D
     
  7. drandyreed

    drandyreed Thread Starter

    Joined:
    Jan 26, 2011
    Messages:
    5
    here is a screen shot from last April showing issue - maybe this may help explain
     

    Attached Files:

  8. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,718
    Thanks for the screenshot :)

    Just out of curiosity, do you use profile quota's on your system, as in as an Admin do you set the size of other user accounts, so they can't exceed the limits?


    Firstly, can you do this for me:


    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)

    [​IMG]

    Refering to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Also, post a fresh HijackThis log.
     

    Attached Files:

  9. drandyreed

    drandyreed Thread Starter

    Joined:
    Jan 26, 2011
    Messages:
    5
    ComboFix 11-02-17.01 - ANDY REED 02/18/2011 0:32.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.173 [GMT -6:00]
    Running from: c:\documents and settings\ANDY REED\Desktop\username123.exe
    Command switches used :: c:\documents and settings\ANDY REED\Desktop\CFScript.txt
    AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active

    .

    ((((((((((((((((((((((((( Files Created from 2011-01-18 to 2011-02-18 )))))))))))))))))))))))))))))))
    .

    2011-02-18 00:10 . 2011-02-18 00:10 -------- d-----w- c:\program files\EA Games
    2011-02-16 04:49 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
    2011-02-16 04:49 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
    2011-01-30 04:52 . 2011-01-30 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-01-30 04:52 . 2011-01-30 04:52 -------- d-----w- c:\documents and settings\ANDY REED\Application Data\SUPERAntiSpyware.com
    2011-01-30 04:49 . 2011-01-30 04:53 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-01-30 04:08 . 2011-01-30 04:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-28 05:11 . 2011-01-28 05:11 -------- d--h--w- c:\windows\PIF
    2011-01-26 13:38 . 2011-01-26 13:38 -------- d-----w- c:\program files\Trend Micro
    2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-21 14:44 . 2004-08-10 17:51 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-10 17:50 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2008-10-07 15:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-21 00:09 . 2010-04-26 12:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-21 00:08 . 2010-04-26 12:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-20 22:15 . 2004-08-10 17:51 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 22:15 . 2004-08-10 17:51 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-12-20 22:15 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-12-20 17:26 . 2008-10-07 15:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 15:30 . 2004-08-10 17:51 369664 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2008-10-07 15:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2008-10-07 15:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:38 . 2008-10-07 15:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2008-10-07 15:00 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-13 2424560]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATT-SST_McciTrayApp]
    2009-10-22 06:23 1577984 ----a-w- c:\program files\ATT-SST\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
    2010-03-11 04:09 648536 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-10-15 02:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2007-08-22 21:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-07-21 20:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
    2009-10-29 12:54 1218008 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]
    2009-07-08 03:02 1176808 ----a-w- c:\progra~1\McAfee\MHN\McENUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-19 03:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2011-01-03 21:44 15028104 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2010-05-05 13:05 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WDefend"=2 (0x2)
    "SprintRcAppSvc"=3 (0x3)
    "RoxWatch9"=2 (0x2)
    "RoxMediaDB9"=3 (0x3)
    "RoxLiveShare9"=2 (0x2)
    "Roxio Upnp Server 9"=2 (0x2)
    "Roxio UPnP Renderer 9"=3 (0x3)
    "iPod Service"=3 (0x3)
    "IDriverT"=3 (0x3)
    "DSBrokerService"=3 (0x3)
    "Apple Mobile Device"=2 (0x2)
    "ACDaemon"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "HelpCenter4.1"=c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe /P HelpCenter4.1

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
    "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S1 archlp;archlp;c:\windows\system32\drivers\archlp.sys --> c:\windows\system32\drivers\archlp.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2010 7:08 AM 136176]
    S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [9/14/2006 3:45 PM 99200]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    HPService REG_MULTI_SZ HPSLPSVC
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-17 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-05-05 13:05]

    2011-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 13:07]

    2011-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 13:07]

    2011-02-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-09 18:22]

    2011-02-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-09 18:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.igoogle.com/
    mStart Page = hxxp://www.dell4me.com/myway
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: 0.0.0.0
    Trusted Zone: google.com
    Trusted Zone: google.com\mail
    Trusted Zone: google.com\www
    Trusted Zone: motive.com\pattta.att
    Trusted Zone: motive.com\patttbc.att
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-18 00:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(596)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    Completion time: 2011-02-18 00:58:50
    ComboFix-quarantined-files.txt 2011-02-18 06:58
    ComboFix2.txt 2011-02-16 05:10

    Pre-Run: 3,162,300,416 bytes free
    Post-Run: 3,264,180,224 bytes free

    - - End Of File - - 685585109B090DF812340A82D6A2698D

    AND HERE IS THE HIJACK THIS LOG FILE------------------------->>>>>>>>>>>>>>>>>


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:52:09 AM, on 2/18/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\QuickTime\QuickTimePlayer.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.igoogle.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269361651265
    O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

    --
    End of file - 7494 bytes

    THANKS!!
     
  10. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,718
    Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again afterwards before connecting to the Internet.

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any
    "<--- ROOKIT" entries unless advised!

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
    • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your desktop.
    Post the contents of GMER.txt in your next reply.

    eddie
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/977086

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice