Smitfraud-c.generic

Part 2/3:
----------------------------
{AE805869-2E5C-4ED4-8F7B-F1F7851A4497} (SkypeIEPluginBHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: SkypeIEPluginBHO
CLSID name: Skype Browser Helper
Path: C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\
Long name: skypeieplugin.dll
Short name: SKYPEI~1.DLL
Date (created): 10/10/2011 11:09:16 AM
Date (last access): 10/31/2011 2:29:58 PM
Date (last write): 10/10/2011 11:09:16 AM
Filesize: 3834016
Attributes: archive
MD5: BAD6A333613786540454044D8CD94524
CRC32: B3E6F0D3
Version: 5.6.0.8442

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files (x86)\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 10/18/2011 7:05:34 PM
Date (last access): 11/9/2011 12:58:20 AM
Date (last write): 10/18/2011 7:05:34 PM
Filesize: 42272
Attributes: archive
MD5: DC365B6E595683F67BC21A203432E336
CRC32: ADEC3F07
Version: 6.0.290.11



--- ActiveX list ---
{02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control)
DPF name:
CLSID name: Microsoft Office Template and Media Control
Installer: C:\Windows\Downloaded Program Files\ieawsdc.inf
Codebase: http://office.microsoft.com/sites/production/ieawsdc32.cab
description:
classification: Legitimate
known filename: IEAWSDC.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\PROGRA~2\MICROS~1\Office12\
Long name: IEAWSDC.DLL
Short name:
Date (created): 7/20/2010 5:04:42 PM
Date (last access): 7/20/2010 5:04:42 PM
Date (last write): 7/20/2010 5:04:42 PM
Filesize: 189952
Attributes: archive
MD5: C27136C396819E961147CC82E3588FFB
CRC32: 3C148808
Version: 14.0.5506.0

{036F8A56-0BC8-4607-8F98-D3231E6FF5ED} ()
DPF name:
CLSID name:
Installer: C:\Windows\Downloaded Program Files\CentraUpdaterAx.inf
Codebase: http://cloud1.saba.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab

{0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class)
DPF name:
CLSID name: asusTek_sysctrl Class
Installer: C:\Windows\Downloaded Program Files\asusTek_sys_ctrl.inf
Codebase: http://support.asus.com/select/asusTek_sys_ctrl3.cab
description:
classification: Legitimate
known filename: ASUSTE~1.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\Windows\Downloaded Program Files\
Long name: asusTek_sys_ctrl.dll
Short name: ASUSTE~1.DLL
Date (created): 12/21/2009 4:41:42 PM
Date (last access): 12/21/2009 4:41:42 PM
Date (last write): 12/21/2009 4:41:42 PM
Filesize: 139776
Attributes: archive
MD5: 9149E19DB451DF6C7735942DC71451C8
CRC32: 64EAF46F
Version: 3.0.0.1

{7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control)
DPF name:
CLSID name: OnlineScanner Control
Installer: C:\Windows\Downloaded Program Files\OnlineScanner.inf
Codebase: http://download.eset.com/special/eos/OnlineScanner.cab
Path: C:\PROGRA~2\ESET\ESETON~1\
Long name: OnlineScanner.ocx
Short name: ONLINE~1.OCX
Date (created): 3/12/2013 12:00:18 AM
Date (last access): 3/12/2013 12:00:18 AM
Date (last write): 2/7/2013 12:35:42 PM
Filesize: 3101344
Attributes: archive
MD5: 1C82BFA19154D658E62743B98216A3A6
CRC32: 388F1908
Version: 1.0.0.6920

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_29
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files (x86)\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 2/1/2011 4:14:52 PM
Date (last access): 10/3/2011 7:11:30 AM
Date (last write): 10/3/2011 6:06:06 AM
Filesize: 108320
Attributes: archive
MD5: F4AE1B6811B4E7B3F9B5C7F0FE76BBFC
CRC32: 0F37B160
Version: 6.0.290.11

{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_29
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
Path: C:\Program Files (x86)\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 2/1/2011 4:14:52 PM
Date (last access): 10/3/2011 7:11:30 AM
Date (last write): 10/3/2011 6:06:06 AM
Filesize: 108320
Attributes: archive
MD5: F4AE1B6811B4E7B3F9B5C7F0FE76BBFC
CRC32: 0F37B160
Version: 6.0.290.11

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_29
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files (x86)\Java\jre6\bin\
Long name: npjpi160_29.dll
Short name: NPJPI1~1.DLL
Date (created): 10/3/2011 3:37:54 AM
Date (last access): 10/3/2011 7:11:40 AM
Date (last write): 10/3/2011 6:06:12 AM
Filesize: 141088
Attributes: archive
MD5: A8F3D654E83D928FBBD4714D2D54AB39
CRC32: A1FB5317
Version: 6.0.290.11

{E06E2E99-0AA1-11D4-ABA6-0060082AA75C} ()
DPF name:
CLSID name:
Installer: C:\ProgramData\webex\ieatgpc.inf
Codebase:
description:
classification: Legitimate
known filename: ieatgpc.dll
info link:
info source: Safer Networking Ltd.
Path: C:\ProgramData\webex\
Long name: ieatgpc.dll
Short name:
Date (created): 10/28/2011 6:32:44 AM
Date (last access): 12/9/2011 4:25:12 PM
Date (last write): 10/28/2011 6:32:44 AM
Filesize: 302904
Attributes: archive
MD5: C0CF56A4A837F43CF08ABA9985BE7AD4
CRC32: E8C35BF0
Version: 2.1.0.2

{E2883E8F-472F-4FB0-9522-AC9BF37916A7} ()
DPF name:
CLSID name:
Installer: C:\Windows\Downloaded Program Files\gp.inf
Codebase: http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab



--- Process list ---
PID: 0 ( 0) [System]
PID: 2080 (1344) C:\Users\Mairead\AppData\Local\Akamai\netsession_win.exe
size: 4480768
MD5: AAB979089E192ACC0FE1E3C018F8B591
PID: 3048 (1344) C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
size: 97680
MD5: 32C26797AB646074A2BB562F9D10ADB5
PID: 2620 (2080) C:\Users\Mairead\AppData\Local\Akamai\netsession_win.exe
size: 4480768
MD5: AAB979089E192ACC0FE1E3C018F8B591
PID: 1368 (2284) C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe
size: 375000
MD5: BEE1B9329506308987E9DBB38D7BD477
PID: 892 (2284) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
size: 946352
MD5: 3CB07566302BCEEB898DE270A0BEC175
PID: 2504 (2284) C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
size: 205336
MD5: A2418D3C557C0A0C634DA713A8AC3789
PID: 4812 (2504) C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
size: 265240
MD5: 550B8CB98A8FA1D7A1A7371055A38DDA
PID: 4848 ( 700) C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
size: 680984
MD5: 902054D6B4292329F9594FFF24EE02DB
PID: 3988 (1344) C:\Program Files (x86)\Internet Explorer\iexplore.exe
size: 757296
MD5: DDE5A0DFAF7C6370FB36402D7A746ED3
PID: 4732 (3988) C:\Program Files (x86)\Internet Explorer\iexplore.exe
size: 757296
MD5: DDE5A0DFAF7C6370FB36402D7A746ED3
PID: 1220 (3988) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
size: 308368
MD5: BAD663957F682F95B22C4E83AB49CB52
PID: 2956 ( 700) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe
size: 706776
MD5: A854BC2D2AD9856F6B84C7870FF246D9
PID: 1120 (3988) C:\Users\Mairead\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
size: 79384
MD5: 09E411E1DC92D813F49DFEEB4039CBCA
PID: 2468 (3988) C:\Program Files (x86)\Internet Explorer\iexplore.exe
size: 757296
MD5: DDE5A0DFAF7C6370FB36402D7A746ED3
PID: 4944 (1344) C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 4 ( 0) System
PID: 300 ( 4) smss.exe
PID: 448 ( 440) csrss.exe
PID: 520 ( 440) wininit.exe
size: 96256
 
And here's the last one.
-------------------
PID: 540 ( 528) csrss.exe
PID: 576 ( 520) services.exe
PID: 592 ( 520) lsass.exe
PID: 600 ( 520) lsm.exe
PID: 700 ( 576) svchost.exe
size: 20480
PID: 768 ( 576) nvvsvc.exe
PID: 796 ( 576) nvSCPAPISvr.exe
PID: 844 ( 576) svchost.exe
size: 20480
PID: 872 ( 528) winlogon.exe
PID: 960 ( 576) svchost.exe
size: 20480
PID: 1000 ( 576) svchost.exe
size: 20480
PID: 260 ( 576) svchost.exe
size: 20480
PID: 472 ( 576) UMVPFSrv.exe
PID: 1104 ( 576) svchost.exe
size: 20480
PID: 1192 ( 768) NvXDSync.exe
PID: 1204 ( 768) nvvsvc.exe
PID: 1248 ( 576) svchost.exe
size: 20480
PID: 1468 ( 576) spoolsv.exe
PID: 1504 ( 576) svchost.exe
size: 20480
PID: 1600 ( 576) ACService.exe
PID: 1644 ( 576) PhotoshopElementsFileAgent.exe
PID: 1728 ( 576) armsvc.exe
PID: 1788 ( 576) svchost.exe
size: 20480
PID: 1808 ( 576) AppleMobileDeviceService.exe
PID: 1844 ( 576) AsSysCtrlService.exe
PID: 1884 ( 576) BCUService.exe
PID: 1912 ( 576) mDNSResponder.exe
PID: 1944 ( 576) DVMExportService.exe
PID: 2008 ( 576) ccSvcHst.exe
PID: 1664 ( 576) svchost.exe
size: 20480
PID: 2180 ( 576) WLIDSVC.EXE
PID: 2268 ( 576) SDWinSec.exe
size: 1153368
MD5: 794D4B48DFB6E999537C7C3947863463
PID: 2440 (2180) WLIDSVCM.EXE
PID: 2812 ( 576) SearchIndexer.exe
size: 427520
PID: 2256 ( 576) svchost.exe
size: 20480
PID: 3520 ( 576) svchost.exe
size: 20480
PID: 3736 ( 576) daemonu.exe
PID: 2872 ( 576) wmpnetwk.exe
PID: 1352 ( 576) C:\Windows\System32\taskhost.exe
PID: 2084 (1000) C:\Windows\System32\dwm.exe
PID: 1344 (1116) C:\Windows\explorer.exe
size: 2871808
MD5: 332FEAB1435662FC6C672E25BEB37BE3
PID: 1744 (2008) ccSvcHst.exe
PID: 3388 (1344) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
size: 7833120
MD5: 981EDD3164829B256E71B5AC8CF12EC3
PID: 4164 (1192) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
size: 2448744
MD5: A77BA10A0D610BBB6101AEA1E633ABE1
PID: 5016 ( 576) svchost.exe
size: 20480
PID: 4396 ( 700) dllhost.exe
size: 7168
PID: 5796 (1344) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
size: 917400
MD5: BF2F2717C13A4BD4FD73F2788534E86B
PID: 4108 (3988) C:\Program Files (x86)\Internet Explorer\iexplore.exe
size: 757296
MD5: DDE5A0DFAF7C6370FB36402D7A746ED3
PID: 5976 ( 960) audiodg.exe
PID: 2848 (2812) C:\Windows\System32\SearchProtocolHost.exe
size: 164352
MD5: E1AC89F6C5252057E6062843E36A6701
PID: 4408 (2812) SearchFilterHost.exe
size: 86528


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 3/24/2013 5:49:25 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\SysWOW64\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: MSAFD Tcpip [TCP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 4: MSAFD Tcpip [UDP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 5: MSAFD Tcpip [RAW/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 6: RSVP TCPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 7: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 8: RSVP UDPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 9: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Namespace Provider 0: Network Location Awareness Legacy (NLAv1) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename:
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 1: E-mail Naming Shim Provider
GUID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
Filename:

Namespace Provider 2: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename:

Namespace Provider 3: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename:

Namespace Provider 4: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename:
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 5: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 6: WindowsLive NSP
GUID: {4177DDE9-6028-479E-B7B7-03591A63FF3A}
Filename: C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL

Namespace Provider 7: WindowsLive Local NSP
GUID: {229F2A2C-5F18-4A06-8F89-3A372170624D}
Filename: C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL

Namespace Provider 8: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files (x86)\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP
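An added example, not from the thread or from Spybot, showing what the parent-PID column of the process list above is good for: it parses the `PID: <pid> (<ppid>) <image>` entries into a tree and applies three triage rules. The rules and the reference sizes are my assumptions, not anything the tool checks: svchost.exe should be started by services.exe; executables should not be running out of a user profile; and the 20480-byte size Spybot reports for every svchost.exe here matches neither of the genuine Windows copies that SystemLook lists later in this thread (20992 bytes x86, 27136 bytes x64) but does match C:\Windows\svchost.exe. Spybot shows only a bare name for the system processes, so how it resolved that name is not known; treat the size mismatch as a lead to confirm by PID on the live machine, not as proof of which file was running. The sample input is copied from the log above, plus one made-up svchost.exe entry (PID 9999) with a non-service parent so the lineage rule has something to catch.

```python
import re

# Sizes of the genuine svchost.exe copies as reported by SystemLook later in
# this thread: 20992 bytes (System32/SysWOW64, x86) and 27136 bytes (amd64 winsxs).
# Assumption: any other size on this build deserves a second look.
SVCHOST_GOOD_SIZES = {20992, 27136}

# Constructed sample: lines copied from the Spybot process list posted above,
# plus one made-up entry (PID 9999) whose parent is explorer.exe rather than
# services.exe, so that the lineage rule fires on something.
SAMPLE_LOG = """\
PID: 0 ( 0) [System]
PID: 2080 (1344) C:\\Users\\Mairead\\AppData\\Local\\Akamai\\netsession_win.exe
size: 4480768
MD5: AAB979089E192ACC0FE1E3C018F8B591
PID: 4 ( 0) System
PID: 300 ( 4) smss.exe
PID: 520 ( 440) wininit.exe
size: 96256
PID: 576 ( 520) services.exe
PID: 700 ( 576) svchost.exe
size: 20480
PID: 1344 (1116) C:\\Windows\\explorer.exe
size: 2871808
MD5: 332FEAB1435662FC6C672E25BEB37BE3
PID: 4396 ( 700) dllhost.exe
size: 7168
PID: 9999 (1344) svchost.exe
size: 20480
"""

PID_RE = re.compile(r"^PID:\s*(\d+)\s*\(\s*(\d+)\)\s*(.+?)\s*$")


def parse_process_list(text):
    """Return {pid: record} from Spybot's 'PID: <pid> (<ppid>) <image>' lines.

    The optional 'size:' and 'MD5:' lines that follow an entry are attached
    to that entry; entries without them keep None.
    """
    procs, current = {}, None
    for line in text.splitlines():
        m = PID_RE.match(line)
        if m:
            pid, ppid, image = int(m.group(1)), int(m.group(2)), m.group(3)
            current = {"pid": pid, "ppid": ppid, "image": image,
                       "name": image.rsplit("\\", 1)[-1].lower(),
                       "size": None, "md5": None}
            procs[pid] = current
        elif current is not None and line.lower().startswith("size:"):
            current["size"] = int(line.split(":", 1)[1])
        elif current is not None and line.lower().startswith("md5:"):
            current["md5"] = line.split(":", 1)[1].strip().upper()
    return procs


def lineage(procs, pid):
    """Image names from `pid` up to the root (or to a parent missing from the list)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain


def triage(procs):
    """Apply the three rules; returns a list of (pid, reason) tuples."""
    findings = []
    services_pids = {p for p, d in procs.items() if d["name"] == "services.exe"}
    for pid, d in sorted(procs.items()):
        if d["name"] == "svchost.exe":
            if d["ppid"] not in services_pids:
                findings.append((pid, "svchost.exe not started by services.exe"))
            if d["size"] is not None and d["size"] not in SVCHOST_GOOD_SIZES:
                findings.append((pid, f"svchost.exe size {d['size']} matches no known-good copy"))
        if "\\appdata\\" in d["image"].lower():
            findings.append((pid, "executable running from a user profile directory"))
    return findings


if __name__ == "__main__":
    procs = parse_process_list(SAMPLE_LOG)
    for pid, reason in triage(procs):
        print(f"PID {pid:>5}  {reason}  (lineage: {' <- '.join(lineage(procs, pid))})")
```

On a live machine the same lineage check is done by PID, not by name, since the tool output here does not say which svchost.exe on disk each process was started from.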
 
That file date is from 2009; this may be a false positive, as it's not showing up on any other logs after it was removed.


See if you can see that file

  • Close all programs so that you are at your desktop.
  • Open the Control Panel switch to classic view, then click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and exit My Computer.
  • Now your computer is configured to show all hidden files.

Now look for it and see if it's present:
C:\Windows\svchost.exe


C:\Windows\system32\svchost.exe <-- This one is legit, and your system won't run without it, so make sure to leave this one be.
 
Here is a little help

You need to run the 64-bit version.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64 Bit Version

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :file
    C:\Windows\svchost.exe
    :filefind
    svchost.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
I looked in C:/Windows, and there is a file by that name. It's labeled as from 7/13/2009, though.

Here's the log:
SystemLook 30.07.11 by jpshortstuff
Log created at 11:31 on 27/03/2013 by Mairead
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== file ==========

C:\Windows\svchost.exe - File found and opened.
MD5: 2CEFF13ACE25A40BD8D97654944297CD
Created at 08:31 on 22/03/2013
Modified at 01:14 on 14/07/2009
Size: 20480 bytes
Attributes: --a----
FileDescription: winrscmde
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
ProductVersion: 6.1.7600.16385
OriginalFilename: winrscmde.exe
InternalName: winrscmde.exe
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

========== filefind ==========

Searching for "svchost.exe"
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 216424 bytes [23:38 10/03/2013] [21:49 14/12/2012] 22101A85B3CA2FE2BE05FE9A61A7A83D
C:\Windows\svchost.exe --a---- 20480 bytes [08:31 22/03/2013] [01:14 14/07/2009] 2CEFF13ACE25A40BD8D97654944297CD
C:\Windows\erdnt\cache64\svchost.exe --a---- 27136 bytes [15:46 10/03/2013] [01:39 14/07/2009] C78655BC80301D76ED4FEF1C1EA40A7D
C:\Windows\erdnt\cache86\svchost.exe --a---- 20992 bytes [15:46 10/03/2013] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
C:\Windows\System32\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
C:\Windows\SysWOW64\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe --a---- 27136 bytes [23:31 13/07/2009] [01:39 14/07/2009] C78655BC80301D76ED4FEF1C1EA40A7D
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
C:\_OTL\MovedFiles\03112013_141506\C_Windows\svchost.exe --a---- 20480 bytes [00:01 11/03/2013] [01:14 14/07/2009] 2CEFF13ACE25A40BD8D97654944297CD
C:\_OTL\MovedFiles\03202013_231037\C_Windows\svchost.exe --a---- 20480 bytes [00:01 11/03/2013] [01:14 14/07/2009] 2CEFF13ACE25A40BD8D97654944297CD

-= EOF =-
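An added example, not part of the thread or of SystemLook, that turns the log above into the checks a responder would run on it. It parses the `:file` block and the `:filefind` result lines, flags each svchost.exe that sits outside the Windows system directories or whose MD5 matches none of the copies found there, and reports version-resource names that disagree with the on-disk file name. Read against this log it shows why the file is not a false positive: C:\Windows\svchost.exe hashes to neither Windows copy (54A4... for x86, C786... for x64) and its version resource calls it winrscmde.exe, while the 14/07/2009 modification time that looked reassuring earlier in the thread is carried over by any file copy and can be set at will, so the code reports it only as a weak signal. The trusted-directory list and the rule wording are my assumptions; the Malwarebytes Chameleon copy is flagged by the same rules because it is also outside the system directories, so confirm such hits against the vendor's own files rather than whitelisting by name. The sample input below is copied from the log above.

```python
import re
from datetime import datetime

# Constructed sample: the ':file' block and a subset of the ':filefind' lines
# copied from the SystemLook log posted above.
FILE_SECTION = """\
C:\\Windows\\svchost.exe - File found and opened.
MD5: 2CEFF13ACE25A40BD8D97654944297CD
Created at 08:31 on 22/03/2013
Modified at 01:14 on 14/07/2009
Size: 20480 bytes
Attributes: --a----
FileDescription: winrscmde
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
ProductVersion: 6.1.7600.16385
OriginalFilename: winrscmde.exe
InternalName: winrscmde.exe
CompanyName: Microsoft Corporation
"""

FILEFIND_SECTION = """\
Searching for "svchost.exe"
C:\\Program Files (x86)\\Malwarebytes' Anti-Malware\\Chameleon\\svchost.exe --a---- 216424 bytes [23:38 10/03/2013] [21:49 14/12/2012] 22101A85B3CA2FE2BE05FE9A61A7A83D
C:\\Windows\\svchost.exe --a---- 20480 bytes [08:31 22/03/2013] [01:14 14/07/2009] 2CEFF13ACE25A40BD8D97654944297CD
C:\\Windows\\System32\\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
C:\\Windows\\SysWOW64\\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
C:\\Windows\\winsxs\\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\\svchost.exe --a---- 27136 bytes [23:31 13/07/2009] [01:39 14/07/2009] C78655BC80301D76ED4FEF1C1EA40A7D
"""

# Assumption: the only places a genuine svchost.exe lives on Windows 7.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

FIND_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
STAMP = "%H:%M %d/%m/%Y"  # SystemLook prints [HH:MM dd/mm/yyyy]


def parse_filefind(text):
    """One dict per ':filefind' result line; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = FIND_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            d["created"] = datetime.strptime(d["created"], STAMP)
            d["modified"] = datetime.strptime(d["modified"], STAMP)
            rows.append(d)
    return rows


def parse_file_section(text):
    """The ':file' block: first line carries the path, the rest are 'Key: value'."""
    lines = text.strip().splitlines()
    info = {"path": lines[0].split(" - ", 1)[0]}
    for line in lines[1:]:
        if ": " in line:
            key, value = line.split(": ", 1)
            info[key.strip()] = value.strip()
    return info


def triage_copies(rows, name="svchost.exe"):
    """Flag copies of `name` outside TRUSTED_DIRS or whose hash is unseen there."""
    rows = [r for r in rows if r["path"].lower().endswith("\\" + name)]
    trusted = [r for r in rows if r["path"].lower().startswith(TRUSTED_DIRS)]
    known_hashes = {r["md5"] for r in trusted}
    findings = []
    for r in rows:
        reasons = []
        if r not in trusted:
            reasons.append("outside the Windows system directories")
        if r["md5"] not in known_hashes:
            reasons.append("hash matches no copy in a trusted location")
        if r["modified"] < r["created"]:
            # Every copied file shows this; it is a prompt, not evidence.
            reasons.append("modified before created (copied or timestomped; weak)")
        if reasons:
            findings.append((r["path"], reasons))
    return findings


def triage_version_info(info):
    """Version-resource names that disagree with the on-disk file name."""
    on_disk = info["path"].rsplit("\\", 1)[-1].lower()
    return [f"{key} is {info[key]!r} but the file is named {on_disk!r}"
            for key in ("OriginalFilename", "InternalName")
            if key in info and info[key].lower() != on_disk]


if __name__ == "__main__":
    for path, reasons in triage_copies(parse_filefind(FILEFIND_SECTION)):
        print(path)
        for reason in reasons:
            print("   -", reason)
    for reason in triage_version_info(parse_file_section(FILE_SECTION)):
        print("version info:", reason)
```

The hash rule only works because the log also lists the copies in System32, SysWOW64 and winsxs; when running SystemLook for this purpose, search for the bare file name so those reference copies are always in the output.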
 
Hi,

Open OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :processes
    killallprocesses
    
    :OTL
    
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    C:\Windows\svchost.exe
    C:\Windows\erdnt\cache64\svchost.exe
    C:\Windows\erdnt\cache86\svchost.exe 
    C:\_OTL\MovedFiles\03112013_141506\C_Windows\svchost.exe
    C:\_OTL\MovedFiles\03202013_231037\C_Windows\svchost.exe
    
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top. <-- Not Run Scan
  • Let the program run unhindered, and reboot when it is done.
  • Then post the results of the log it produces.


Then reboot your system, run this through SystemLook one more time, and post the logs, please:

:file
C:\Windows\svchost.exe
:filefind
svchost.exe
 
Here's the log. Should I go delete the old Spybot logs like you had me do last time?
All processes killed
========== PROCESSES ==========
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Mairead\Desktop\cmd.bat deleted successfully.
C:\Users\Mairead\Desktop\cmd.txt deleted successfully.
C:\Windows\svchost.exe moved successfully.
C:\Windows\erdnt\cache64\svchost.exe moved successfully.
C:\Windows\erdnt\cache86\svchost.exe moved successfully.
C:\_OTL\MovedFiles\03112013_141506\C_Windows\svchost.exe moved successfully.
C:\_OTL\MovedFiles\03202013_231037\C_Windows\svchost.exe moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mairead
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 142736431 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 5157107 bytes
->Flash cache emptied: 1720 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1486 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50132 bytes
RecycleBin emptied: 2870812 bytes

Total Files Cleaned = 144.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 03272013_132904

Files\Folders moved on Reboot...
C:\Users\Mairead\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Mairead\AppData\Local\Google\Google Talk Plugin\gtbaxplugin.log moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
Yes, you can. Go ahead and plug those entries back into SystemLook after you reboot your computer.

Not sure where this file is located; let's look for it too:

:file
C:\Windows\svchost.exe
:filefind
svchost.exe
winrscmde.exe


Then run a new scan with Spybot and just post the info if it picks the bad file back up.
 
WOO! IT'S GONE! IT'S GONE! IT'S GONE! Spybot says I'm clear! Thank you so much! I apologize for the lengthy process.

I just threw a donation at Spybot, but is there anything I can do for you/the forums? It seems really unfair that I ate up 3 weeks of your life and you don't get anything out of it. At the very least, keep me in mind if you ever need a reference. I'm an English teacher, so I can write a great recommendation letter. :)

Here's the log, just in case I missed something.

SystemLook 30.07.11 by jpshortstuff
Log created at 14:49 on 28/03/2013 by Mairead
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== file ==========

C:\Windows\svchost.exe - Unable to find/read file.

========== filefind ==========

Searching for "svchost.exe"
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 216424 bytes [23:38 10/03/2013] [21:49 14/12/2012] 22101A85B3CA2FE2BE05FE9A61A7A83D
C:\Windows\System32\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
C:\Windows\SysWOW64\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe --a---- 27136 bytes [23:31 13/07/2009] [01:39 14/07/2009] C78655BC80301D76ED4FEF1C1EA40A7D
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
C:\_OTL\MovedFiles\03272013_132904\C_Windows\svchost.exe --a---- 20480 bytes [08:31 22/03/2013] [01:14 14/07/2009] 2CEFF13ACE25A40BD8D97654944297CD
C:\_OTL\MovedFiles\03272013_132904\C_Windows\erdnt\cache64\svchost.exe --a---- 27136 bytes [15:46 10/03/2013] [01:39 14/07/2009] C78655BC80301D76ED4FEF1C1EA40A7D
C:\_OTL\MovedFiles\03272013_132904\C_Windows\erdnt\cache86\svchost.exe --a---- 20992 bytes [15:46 10/03/2013] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
C:\_OTL\MovedFiles\03272013_132904\C__OTL\MovedFiles\03112013_141506\C_Windows\svchost.exe --a---- 20480 bytes [00:01 11/03/2013] [01:14 14/07/2009] 2CEFF13ACE25A40BD8D97654944297CD
C:\_OTL\MovedFiles\03272013_132904\C__OTL\MovedFiles\03202013_231037\C_Windows\svchost.exe --a---- 20480 bytes [00:01 11/03/2013] [01:14 14/07/2009] 2CEFF13ACE25A40BD8D97654944297CD

Searching for "winrscmde.exe"
No files found.

-= EOF =-
 
Hi,

That's wonderful. You did not eat up 3 weeks of my time; helping nice people like yourself is what I do, and getting you and your computer to a clean state is all the reward I need.

Let's not jump for joy just yet. Use your computer for a few days (I will keep this thread open for you), then run a new scan with Spybot and let's make sure it's gone.
 