View Full Version : Spybot Scan Crashing with Blue Screen
Hi - I think my PC has some really bad Trojans and possibly other viruses ... I ran MBAM in Safemode which seems to have cleaned up some ... But, it comes up with "str.sys" to delete on reboot and the reboot is taking forever which forces me to power down. It some times takes couple attempts to boot up. I ran the scans a few times and it still shows "str.sys".
Also, if I try to run Spybot - few minutes into the scan it is crashing the system with a Blue Screen and reboots automatically.
I was able to run it in Safemode, but, it still can't remove "str.sys" and possibly others.
Here is my HJT Log ... Please Help !!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:20 PM, on 05/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\xxxxxx\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\xxxxxx\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\xxxxxx\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - S-1-5-18 Startup: postmsg.rtf (User 'SYSTEM')
O4 - .DEFAULT Startup: postmsg.rtf (User 'Default user')
O4 - .DEFAULT User Startup: postmsg.rtf (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.accessabc.com
O15 - Trusted Zone: http://www.acessabc.com
O15 - Trusted Zone: http://tax.cch.com
O15 - Trusted Zone: http://irs.ustreas.gov
O15 - Trusted Zone: http://www.irs.ustreas.gov
O15 - Trusted Zone: http://www.acessabc.com (HKLM)
O15 - Trusted Zone: http://tax.cch.com (HKLM)
O15 - Trusted Zone: http://irs.ustreas.gov (HKLM)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 10195 bytes
pskelley
2009-05-29, 14:43
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806
Since TeaTimer is not disabled as instructed, I must assume you missed the "Before you Post" instructions. Please read and follow them before you proceed.
If you still want help, please provide:
1) The log from the MBAM run.
2) A new HJT log with TeaTimer disabled.
3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
4) Any error message you receive word for word and any comments you think will help.
Thanks
Malwarebytes' Anti-Malware 1.36
Database version: 2161
Windows 5.1.2600 Service Pack 2
05/26/2009 08:28:28 PM
mbam-log-2009-05-26 (20-28-28).txt
Scan type: Full Scan (C:\|)
Objects scanned: 124268
Time elapsed: 9 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.37
Database version: 2186
Windows 5.1.2600 Service Pack 2
05/28/2009 12:51:20 AM
mbam-log-2009-05-28 (00-51-20).txt
Scan type: Full Scan (C:\|)
Objects scanned: 127339
Time elapsed: 13 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:07 PM, on 05/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\xxxxxx\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\xxxxxx\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - S-1-5-18 Startup: postmsg.rtf (User 'SYSTEM')
O4 - .DEFAULT Startup: postmsg.rtf (User 'Default user')
O4 - .DEFAULT User Startup: postmsg.rtf (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.accessabc.com
O15 - Trusted Zone: http://www.acessabc.com
O15 - Trusted Zone: http://tax.cch.com
O15 - Trusted Zone: http://irs.ustreas.gov
O15 - Trusted Zone: http://www.irs.ustreas.gov
O15 - Trusted Zone: http://www.acessabc.com (HKLM)
O15 - Trusted Zone: http://tax.cch.com (HKLM)
O15 - Trusted Zone: http://irs.ustreas.gov (HKLM)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 10125 bytes
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8
Agere Systems HDA Modem
Attachmate EXTRA! X-treme 8
Broadcom NetXtreme Ethernet Controller
CA Unicenter Output Management Document Viewer
Compatibility Pack for the 2007 Office system
HijackThis 2.0.2
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB912436)
Hotfix for Windows XP (KB915326)
Hotfix for Windows XP (KB935448)
HP ev2200 Driver Package
HP Mobile Data Protection System
hp OpenView service desk 4.5 client
HP ProtectTools Security Manager 2.00 C3
HP Quick Launch Buttons 6.00 D2
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
InterVideo DVD Check
InterVideo WinDVD
Interwise Participant
Java 2 Runtime Environment Standard Edition v1.3.1_01
Java Web Start
Lotus Notes 6.5.4
Macromedia Flash Player 8
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
McAfee VirusScan Enterprise
mCore
mDriver
mDrWiFi
mGina
mHelp
Microsoft Data Access Components KB870669
Microsoft Office Communicator 2005
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft Office Visio Viewer 2003 (English)
Microsoft Silverlight
Microsoft Word Supplemental Macros
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
mWlsSafe
mWMI
mZConfig
Realtek High Definition Audio Driver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
SnagIt 7
Soft Data Fax Modem with SmartCP
SoundMAX
Spybot - Search & Destroy
SwiftView Viewer
TBS WMP Plug-in
Texas Instruments PCIxx21/x515/xx12 drivers.
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VPN Client
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885453
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888402
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
- After MBAM Scan, it found STR.SYS Drvier to 'Delete on Reboot'. But, was unable to delete it on Reboot.
- If I run Spybot in 'Advanced Mode' on a Normal Startup - after about 5 minutes, it pops up with a blue screen and reboots the system (The blue screen pops up just for less than a second)
- Both, tools run just fine in the safe mode and also delete STR.SYS in safemode ('Delete on Reboot' - Safe mode both times). Then when I scan again after 'Normal Startup', STR.SYS is back again.
pskelley
2009-05-30, 11:51
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Flash Player 9 ActiveX
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html
Adobe Reader 8 <<< outof date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php
Java 2 Runtime Environment Standard Edition v1.3.1_01
This is a VERY, VERY old version of Java, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
http://raproducts.org/ <<< will help if you have trouble uninstalling that old Java program.
Thanks for the detailed feedback.
2) A new HJT log with TeaTimer disabled.
TeaTimer is not disabled as instructed? Please do this before you proceed!
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
**if you can not disable TeaTimer, uninstall Spybot S&D completely in Add Remove programs.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use
Download ComboFix from here:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:05:32 PM, on 05/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - S-1-5-18 Startup: postmsg.rtf (User 'SYSTEM')
O4 - .DEFAULT Startup: postmsg.rtf (User 'Default user')
O4 - .DEFAULT User Startup: postmsg.rtf (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.accessabc.com
O15 - Trusted Zone: http://www.acessabc.com
O15 - Trusted Zone: http://tax.cch.com
O15 - Trusted Zone: http://irs.ustreas.gov
O15 - Trusted Zone: http://www.irs.ustreas.gov
O15 - Trusted Zone: http://www.acessabc.com (HKLM)
O15 - Trusted Zone: http://tax.cch.com (HKLM)
O15 - Trusted Zone: http://irs.ustreas.gov (HKLM)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9700 bytes
I tried to run ComboFix and when it tried to re-boot the system, I could not go any further than the Logon Screen. After several attempts (hard re-boot), I had to go in safe mode, which finished and produced the ComboFix Log. Then, I am able to do normal bootup.
I have seen this logon Issue a few times where it just seems to sit and do nothing for a looooong time.
ComboFix Log:
ComboFix 09-05-30.06 - xxxxxx 05/31/2009 13:28.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2007.1541 [GMT -5:00]
Running from: c:\documents and settings\xxxxxx\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\str.sys
----- BITS: Possible infected sites -----
hxxp://SDEPSMS002:80
.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.
2009-05-28 03:09 . 2009-05-28 03:09 -------- d-----w- c:\program files\Trend Micro
2009-05-27 02:27 . 2009-05-27 02:27 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-21 02:16 . 2009-05-21 02:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-21 01:35 . 2009-05-21 01:35 -------- d-----w- c:\documents and settings\xxxxxx\Application Data\Malwarebytes
2009-05-21 01:35 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-21 01:35 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 01:35 . 2009-05-27 02:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-21 01:35 . 2009-05-21 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-20 03:08 . 2009-05-20 03:09 -------- d-----w- c:\temp\deleteme
2009-05-18 17:43 . 2009-05-18 17:43 60672 ----a-w- c:\windows\system32\drivers\ewftfh.sys
2009-05-14 17:05 . 2009-05-18 17:43 -------- d-----w- C:\Quarantine
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 02:18 . 2008-12-09 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-02 21:47 . 2008-12-20 00:57 75128 ----a-w- c:\documents and settings\xxxxxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-24 03:05 . 2009-04-24 03:05 -------- d-----w- c:\program files\ClearCache
.
((((((((((((((((((((((((((((( SnapShot@2009-05-27_05.29.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-28 05:30 . 2009-05-31 19:06 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-18 17:43 . 2009-05-27 05:28 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-10-28 15:15 . 2009-05-31 19:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-10-28 15:15 . 2009-05-27 05:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-10-28 15:15 . 2009-05-31 19:06 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2003-10-28 15:15 . 2009-05-27 05:28 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-19 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-19 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-19 138008]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2008-07-17 136512]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-12-12 88203]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-12-19 16062464]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-11-30 3897040]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
postmsg.rtf [2007-9-12 7153]
c:\documents and settings\xxxxxx\Start Menu\Programs\Startup\
postmsg.rtf [2007-9-12 7153]
c:\documents and settings\xxxxxx\Start Menu\Programs\Startup\
postmsg.rtf [2007-9-12 7153]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-2-11 1421328]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-2-11 192512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKLM\~\startupfolder\C:^Documents and Settings^xxxxxx^Start Menu^Programs^Startup^postmsg.rtf]
path=c:\documents and settings\xxxxxx\Start Menu\Programs\Startup\postmsg.rtf
backup=c:\windows\pss\postmsg.rtfStartup
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"sysldtray"=c:\windows\ld08.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"463:TCP"= 463:TCP:Systems Management Microagent
"963:TCP"= 963:TCP:Systems Management Microagent
"5901:TCP"= 5901:TCP:Systems Management Microagent
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [01/15/2007 08:59 PM 35968]
S0 npkqxv;npkqxv;c:\windows\system32\drivers\edrumhhh.sys --> c:\windows\system32\drivers\edrumhhh.sys [?]
S2 pxqpkrzz;pxqpkrzz;c:\windows\system32\drivers\ewftfh.sys [05/18/2009 12:43 PM 60672]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [01/16/2007 06:45 PM 87936]
S3 OracleClientCache80;OracleClientCache80;c:\orant\BIN\ONRSD80.EXE [08/23/2001 01:47 PM 95744]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [09/12/2007 09:29 AM 47616]
S4 MA;TriActive MicroAgent;c:\program files\TriActive\MicroAgent\bin\ma.exe [02/14/2009 01:08 PM 1368064]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder
2009-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2644624329-1907448460-3805301937-9166.job
- c:\documents and settings\xxxxxx\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-18 05:52]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mWindow Title = Microsoft Internet Explorer
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: accessabc.com\www
Trusted Zone: acessabc.com\www
Trusted Zone: cch.com\tax
Trusted Zone: ustreas.gov\irs
Trusted Zone: ustreas.gov\www.irs
Trusted Zone: acessabc.com\www
Trusted Zone: cch.com\tax
Trusted Zone: ustreas.gov\irs
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 14:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1248)
c:\windows\system32\IWPDGINA.DLL
c:\program files\Intel\Wireless\Bin\SsoGnENU.dll
.
Completion time: 2009-05-31 14:27 - machine was rebooted
Pre-Run: 69,078,298,624 bytes free
Post-Run: 69,004,193,792 bytes free
172
pskelley
2009-05-31, 22:31
Thanks for the feedback, not a problem to run combofix in safe mode.
I need some information before we proceed. Please make sure you can view all files and folders:
http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp
Now use this scanner to scan each file below: http://virusscan.jotti.org/
If that site should be busy, here are two alternates.
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
Here are the files to scan in RED
c:\windows\ld08.exe
c:\windows\system32\drivers\ewftfh.sys
c:\windows\system32\drivers\edrumhhh.sys
Post the results of those scans.
Thanks
I could NOT perform the scan thru any of the sites you provided, because the files are not in the listed windows folders, to choose from.
So, I tried a Windows Search and found one of those 3 files ...
C:\Qoobox\Quarantine\C\Windows\System32\Drivers\edrumhhh.sys.vir
pskelley
2009-06-01, 15:26
Let's be sure, follow these directions carefully
Open notepad and copy/paste the text in the codebox below into it:
Driver::
ewftfh
edrumhhh
File::
c:\windows\ld08.exe
c:\windows\system32\drivers\ewftfh.sys
c:\windows\system32\drivers\edrumhhh.sys
c:\temp\deleteme
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Please tell me how the computer is running, any malware issues?
Thanks
ComboFix 09-05-31.06 - xxxxxx 06/01/2009 22:37.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2007.1495 [GMT -5:00]
Running from: c:\documents and settings\xxxxxx\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\xxxxxx\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FILE ::
"c:\temp\deleteme"
"c:\windows\ld08.exe"
"c:\windows\system32\drivers\edrumhhh.sys"
"c:\windows\system32\drivers\ewftfh.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\ewftfh.sys
c:\windows\system32\drivers\str.sys
----- BITS: Possible infected sites -----
hxxp://SDEPSMS002:80
.
((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.
2009-05-28 03:09 . 2009-05-28 03:09 -------- d-----w- c:\program files\Trend Micro
2009-05-27 02:27 . 2009-05-27 02:27 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-21 02:16 . 2009-05-21 02:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-21 01:35 . 2009-05-21 01:35 -------- d-----w- c:\documents and settings\xxxxxx\Application Data\Malwarebytes
2009-05-21 01:35 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-21 01:35 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 01:35 . 2009-05-27 02:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-21 01:35 . 2009-05-21 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-20 03:08 . 2009-05-20 03:09 -------- d-----w- c:\temp\deleteme
2009-05-14 17:05 . 2009-05-18 17:43 -------- d-----w- C:\Quarantine
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 02:18 . 2008-12-09 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-02 21:47 . 2008-12-20 00:57 75128 ----a-w- c:\documents and settings\xxxxxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-24 03:05 . 2009-04-24 03:05 -------- d-----w- c:\program files\ClearCache
.
((((((((((((((((((((((((((((( SnapShot@2009-05-27_05.29.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-02 03:42 . 2009-06-02 03:42 16384 c:\windows\temp\Perflib_Perfdata_318.dat
- 2009-05-18 17:43 . 2009-05-27 05:28 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-31 19:38 . 2009-05-31 19:38 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2003-10-28 15:15 . 2009-05-27 05:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-10-28 15:15 . 2009-05-31 19:38 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-10-28 15:15 . 2009-05-27 05:28 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2003-10-28 15:15 . 2009-05-31 19:38 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-01 02:21 . 2006-11-07 07:50 236328 c:\windows\system32\CCM\Cache\SVE00006.24.System\UpdateWUSCatalog.exe
+ 2009-06-01 02:22 . 2006-11-07 07:50 166856 c:\windows\system32\CCM\Cache\SVE00006.24.System\syncxml.exe
+ 2009-06-01 02:21 . 2006-11-07 07:50 203560 c:\windows\system32\CCM\Cache\SVE00006.24.System\SmsWusHandler.exe
+ 2009-06-01 02:21 . 2006-11-07 07:50 355112 c:\windows\system32\CCM\Cache\SVE00006.24.System\ScanWrapper.exe
+ 2009-06-01 02:21 . 2006-11-07 07:50 207656 c:\windows\system32\CCM\Cache\SVE00006.24.System\ScanHlpr.dll
+ 2009-06-01 02:21 . 2006-11-07 07:50 154408 c:\windows\system32\CCM\Cache\SVE00006.24.System\PatchDownloader.dll
+ 2009-06-01 02:21 . 2006-11-07 07:50 310056 c:\windows\system32\CCM\Cache\SVE00006.24.System\advertisement.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-19 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-19 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-19 138008]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2008-07-17 136512]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-12-12 88203]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-12-19 16062464]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-11-30 3897040]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
postmsg.rtf [2007-9-12 7153]
c:\documents and settings\xxxxxx\Start Menu\Programs\Startup\
postmsg.rtf [2007-9-12 7153]
c:\documents and settings\xxxxxx\Start Menu\Programs\Startup\
postmsg.rtf [2007-9-12 7153]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-2-11 1421328]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-2-11 192512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKLM\~\startupfolder\C:^Documents and Settings^xxxxxx^Start Menu^Programs^Startup^postmsg.rtf]
path=c:\documents and settings\xxxxxx\Start Menu\Programs\Startup\postmsg.rtf
backup=c:\windows\pss\postmsg.rtfStartup
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"sysldtray"=c:\windows\ld08.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"463:TCP"= 463:TCP:Systems Management Microagent
"963:TCP"= 963:TCP:Systems Management Microagent
"5901:TCP"= 5901:TCP:Systems Management Microagent
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [01/15/2007 08:59 PM 35968]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [09/12/2007 09:29 AM 47616]
S0 npkqxv;npkqxv;c:\windows\system32\drivers\edrumhhh.sys --> c:\windows\system32\drivers\edrumhhh.sys [?]
S2 pxqpkrzz;pxqpkrzz;\??\c:\windows\system32\drivers\ewftfh.sys --> c:\windows\system32\drivers\ewftfh.sys [?]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [01/16/2007 06:45 PM 87936]
S3 OracleClientCache80;OracleClientCache80;c:\orant\BIN\ONRSD80.EXE [08/23/2001 01:47 PM 95744]
S4 MA;TriActive MicroAgent;c:\program files\TriActive\MicroAgent\bin\ma.exe [02/14/2009 01:08 PM 1368064]
.
Contents of the 'Scheduled Tasks' folder
2009-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2644624329-1907448460-3805301937-9166.job
- c:\documents and settings\xxxxxx\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-18 05:52]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mWindow Title = Microsoft Internet Explorer
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: accessabc.com\www
Trusted Zone: acessabc.com\www
Trusted Zone: cch.com\tax
Trusted Zone: ustreas.gov\irs
Trusted Zone: ustreas.gov\www.irs
Trusted Zone: acessabc.com\www
Trusted Zone: cch.com\tax
Trusted Zone: ustreas.gov\irs
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 22:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1396)
c:\windows\system32\IWPDGINA.DLL
c:\program files\Intel\Wireless\Bin\SsoGnENU.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nslsvice.exe
c:\windows\system32\nsl.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\scardsvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
.
**************************************************************************
.
Completion time: 2009-06-02 22:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-02 03:45
Pre-Run: 69,038,387,200 bytes free
Post-Run: 68,961,103,872 bytes free
209
The Good News is that, Combofix reboot this time was successful in the Normal Mode.
Just to be sure, I re-booted the system again and ran MBAM ... It was clean ... No more STR.SYS ... Heyyyy !!! Thank You so much ...
I am also running Spybot to make sure, the virus that was causing the scan to Crash my system, is completely gone ...
MBAM Log:
Malwarebytes' Anti-Malware 1.37
Database version: 2211
Windows 5.1.2600 Service Pack 2
06/01/2009 11:23:11 PM
mbam-log-2009-06-01 (23-23-11).txt
Scan type: Full Scan (C:\|)
Objects scanned: 129650
Time elapsed: 15 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
After running Combofix, wmiprvse.exe is running at high CPU - 50%. The only way I can stop it is by ending it in Taskmanager ... Please help me fix whatever is causing this ...
Spybot Scan finished successfully and was Clean ... Yuppee !!! Thanks Again !!!
Please let me know if you see anything else in the Log ...
How can I verify that the system is clean?
Also, please suggest, how can I stay protected ...
pskelley
2009-06-02, 13:24
Thanks for the feedback, here is the Google for wmiprvse.exe
http://www.tech-faq.com/wmiprvse.shtml
http://www.google.com/search?hl=en&q=wmiprvse.exe+&btnG=Google+Search&aq=f&oq=&aqi=
Windows Management Instrumentation <<< what do you use this for
http://www.google.com/search?hl=en&q=Windows+Management+Instrumentation+&btnG=Google+Search&aq=f&oq=&aqi=
See if we can wrap up like this.
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
(since you just got a clean scan, you can skip this one if you wish)
Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, keep it updated and run it once a month or so)
Update McAfee and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.mcafee.com/us/support/
If all is well at this point, let me know and I will close the topic.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
How hard are your passwords to crack?
http://www.microsoft.com/protect/yourself/password/checker.mspx
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx
:thanks:
I have Uninstalled Combofix and Cleared the System Restore points, as suggested.
At this point everything appears to be running fine ...
The links regarding "wmiprvse.exe" provided some information regarding the process. But, if you could shed some light as to what could possibly be causing this high CPU usage and any recommendations to resolve it, that would be greatly appreciated ...
Thanks a lot for your patience and all the help. It is greatly appreciated ...
pskelley
2009-06-03, 12:59
http://kadaitcha.cx/high_cpu.html
http://www.google.com/search?hl=en&q=how+to+troubleshoot+high+cpu+usage&btnG=Search&aq=f&oq=&aqi=
http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://www.malwareremoval.com/tutorials/runningslowly.php
http://www.bleepingcomputer.com/forums/index.php?showtopic=87058&st=0&p=487112&#entry487112
http://www.microsoft.com/atwork/getstarted/speed.mspx