Help!! svchost process is using 100% CPU, slowing my PC to a halt
   

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13812
 
Posted 4-12-2003 8:41 (GMT +1)
It is good news, you didn't find messenger.exe ;-)

Fix these with hijackthis, and you're clean
O4 - HKCU\..\Run: [Msn Messenger Service] messenger.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1281ee7182b7a64ea818/netzip/RdxIE601.cab
Just run Spybot and Adaware frequently.
Hide system files again.
It's a good idea to flush your System Restore after ridding yourself of malware:
1. On the Desktop, right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. Check Turn off System Restore.
5. Click Apply, and then click OK.
6. Restart the computer.
7. Follow steps 1 to 3 again, then uncheck Turn off System Restore tab.
When you are sure you are clean create a restore point.
To create a restore point:
Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
I suggest you install CCleaner:
 http://www.ccleaner.com/
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
Select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files
System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data
You may also want to read Tony Klein's article on "How I got Infected in the First Place":
http://castlecops.com/postt7736.html

 


Touch
 

frankt
New Member


Date Joined Apr 2005
Total Posts : 4
 
Posted 4-10-2005 8:39 (GMT +1)
A few minutes after starting my PC, an svchost process appears that builds up very quickly to use up 99% of the cpu slowing the PC down.  This happens even if I have no other programs running. 
 
Can anyone please help?
 
Here's the hijack log file
 
Logfile of HijackThis v1.99.1
Scan saved at 5:27:20 PM, on 4/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Vet\isafe.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Vet\VetTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\PHRS\LibMan.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6126babbfa3727ca4f79b0d384ca90cb\update\update.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.belfasttelegraph.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\regedit.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [Gremlin] C:\WINDOWS\System32\intrenat.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [85BC5E94] C:\WINDOWS\System32\sixlwlxqgat.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\orcah.exe
O4 - HKLM\..\Run: [Msn Messenger Service] messenger.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [EA65BE91] C:\WINDOWS\System32\sixlwlxqgat.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Msn Messenger Service] messenger.exe
O4 - HKCU\..\Run: [DELETE ME] worm.exe
O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Msn Messenger Service] messenger.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PHRS - WP Link.lnk = C:\Program Files\PHRS\LibMan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1281ee7182b7a64ea818/netzip/RdxIE601.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
 
Thanks FrankT
 
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13812
 
Posted 4-10-2005 11:24 (GMT +1)
Hey FrankT

You have an "interesting" mix of viruses, worms and trojans

I suggest you run some online scans first:
 
Panda
Trend
Trojanscan
 
Reboot and post new log file


Touch
 

frankt
New Member


Date Joined Apr 2005
Total Posts : 4
 
Posted 4-10-2005 7:52 (GMT +1)
Tried the three scans, here is my new log
Logfile of HijackThis v1.99.1
Scan saved at 4:45:40 AM, on 4/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Vet\isafe.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Vet\VetTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Tevion Multimedia\PVR Plus\TVR\Scheduled.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\PHRS\LibMan.exe
C:\Program Files\Tevion Multimedia\TV7131 Utilities\P3XRCtl.exe
C:\WINDOWS\System32\svchost.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6126babbfa3727ca4f79b0d384ca90cb\update\update.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.belfasttelegraph.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\regedit.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [85BC5E94] C:\WINDOWS\System32\sixlwlxqgat.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\orcah.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\Tevion Multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [EA65BE91] C:\WINDOWS\System32\sixlwlxqgat.exe
O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKCU\..\Run: [Msn Messenger Service] messenger.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PHRS - WP Link.lnk = C:\Program Files\PHRS\LibMan.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Tevion Multimedia\TV7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1281ee7182b7a64ea818/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks
Frankt
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13812
 
Posted 4-11-2005 9:42 (GMT +1)
We have improvements here;-)
 
 
 
 
Please go offline
Then run Hijackthis and place a check beside each of the following. Once you have checked them, click fix checked.
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\regedit.exe
O4 - HKLM\..\Run: [85BC5E94] C:\WINDOWS\System32\sixlwlxqgat.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\orcah.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [EA65BE91] C:\WINDOWS\System32\sixlwlxqgat.exe
O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Reboot into Safe Mode - Hit F8 key until menu shows up
 
Delete the following files or folders (delete item in bold). Please do not be concerned if
any of the items are not found as they may have been automatically removed by actions I had
you take earlier in the cleaning process.
C:\WINDOWS\System32\regedit.exe
>>>>>>>Notice, you have a legal here: C:\WINDOWS\regedit.exe
-------------------------------------------------------------------------------
C:\WINDOWS\System32\sixlwlxqgat.exe
C:\WINDOWS\web\related.htm
C:\WINDOWS\System32\orcah.exe

Start-Search and delete
mscnfg32.exe
 

Spybot, click on the Immunize button. Then "Scan System" button. Next, close all Internet Explorer windows, and click - Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.
Adware
Click Start and on the next screen choose:
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'
Select 'activate in-depth scan' before starting scan.
When the scan is finished select 'next.'
Remove what it finds by placing a check in the box to the left of the object.
Save the log file when it asks and then click Finish.
When finished, mark everything for removal and get rid of it. (Right-click on any of the entries and choose Select All from the drop down menu and click Next.)
 
 
 Reboot
Go to Start | Run and type: cleanmgr.exe and hit enter.
When prompted what drive to clean select your hard drive c:
If asked what folders to clean in a list, tick them all to clean all temp folders, downloaded program folders, temporary internet files, etc., and the recycle/trash bin.

 
 Post fresh hijackthis  log



Touch
Member of - Alliance of Security Analysis Professiona

Post Edited (Touch) : 4/11/2005 9:55:57 AM GMT

 

frankt
New Member


Date Joined Apr 2005
Total Posts : 4
 
Posted 4-11-2005 11:39 (GMT +1)
I hope I have done all that you asked.
Hijack Log herewith
Logfile of HijackThis v1.99.1
Scan saved at 8:39:00 PM, on 4/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Vet\isafe.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Vet\VetTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Tevion Multimedia\PVR Plus\TVR\Scheduled.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\PHRS\LibMan.exe
C:\Program Files\Tevion Multimedia\TV7131 Utilities\P3XRCtl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6126babbfa3727ca4f79b0d384ca90cb\update\update.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.belfasttelegraph.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\Tevion Multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKCU\..\Run: [Msn Messenger Service] messenger.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PHRS - WP Link.lnk = C:\Program Files\PHRS\LibMan.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Tevion Multimedia\TV7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1281ee7182b7a64ea818/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
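
A small parser for the O4 (autorun) lines of the HijackThis logs above, as an added example that is not part of any post in this thread: it diffs the log taken before the fix list against the one taken after, and flags two triage signals that are heuristics assumed here, not HijackThis features (the same command registered under several autorun keys, and commands given without a path). The sample lines are excerpts copied from the two 4/11/2005 logs; the function names are illustrative.

```python
import re
from collections import defaultdict
from typing import NamedTuple


class Autorun(NamedTuple):
    location: str  # e.g. HKLM\..\Run
    name: str      # registry value name, shown in [brackets] in the log
    command: str   # what is launched at startup


# Registry autorun lines only; "O4 - Global Startup:" shortcuts are skipped.
O4_RE = re.compile(r"^O4 - (HK\S+): \[([^\]]*)\]\s+(.+?)\s*$")

# Excerpt of the O4 lines from the log saved at 4:45:40 AM, on 4/11/2005.
BEFORE = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\regedit.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [85BC5E94] C:\WINDOWS\System32\sixlwlxqgat.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\orcah.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [EA65BE91] C:\WINDOWS\System32\sixlwlxqgat.exe
O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKCU\..\Run: [Msn Messenger Service] messenger.exe
"""

# Excerpt of the O4 lines from the log saved at 8:39:00 PM, on 4/11/2005.
AFTER = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKCU\..\Run: [Msn Messenger Service] messenger.exe
"""


def parse_o4(log: str) -> list[Autorun]:
    """Return the registry autorun entries found in a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autorun(*m.groups()))
    return entries


def removed(before: list[Autorun], after: list[Autorun]) -> list[Autorun]:
    """Entries present in the earlier log and absent from the later one."""
    gone = set(before) - set(after)
    return [e for e in before if e in gone]


def multi_key(entries: list[Autorun]) -> dict[str, list[str]]:
    """Heuristic: commands registered under more than one autorun key.
    The whole command string is compared case-insensitively, which is a
    simplification (quotes and arguments are not normalised)."""
    seen = defaultdict(set)
    for e in entries:
        seen[e.command.lower()].add(e.location)
    return {cmd: sorted(locs) for cmd, locs in seen.items() if len(locs) > 1}


def bare_name(entries: list[Autorun]) -> list[Autorun]:
    """Heuristic: commands with no directory part. The log alone does not
    say which file on disk such an entry starts."""
    return [e for e in entries if "\\" not in e.command and "/" not in e.command]


if __name__ == "__main__":
    before, after = parse_o4(BEFORE), parse_o4(AFTER)
    print("Removed between scans:")
    for e in removed(before, after):
        print(f"  {e.location}: [{e.name}] {e.command}")
    print("Registered under several keys (before):")
    for cmd, locs in multi_key(before).items():
        print(f"  {cmd} -> {', '.join(locs)}")
    print("Still launched by bare file name (after):")
    for e in bare_name(after):
        print(f"  {e.location}: [{e.name}] {e.command}")
```

A legitimate entry such as SOUNDMAN.EXE also trips the bare-name check, so the output narrows what to inspect by hand rather than deciding what to delete.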
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13812
 
Posted 4-11-2005 12:00 (GMT +1)
I'm not sure about this: messenger.exe

Start-Search/find: messenger.exe
Right-click on it/them, it should be a legal (Microsoft file). If it isn't, please tell what it is


Touch
 

frankt
New Member


Date Joined Apr 2005
Total Posts : 4
 
Posted 4-11-2005 9:46 (GMT +1)
File messenger.exe not found. I'm still not sure I did the last procedure with Spybot and Adware correctly.
Should I redo it just to make sure I did it correctly?
Thank you for the time you're taking to try and help me.
 

Ritario
New Member


Date Joined Apr 2008
Total Posts : 5
 
Posted 4-28-2008 5:21 (GMT +1)
I am having a similar problem involving svchost; however, it only starts when I try to run a program, and as long as the program I am not trying to run is my internet all I have to do is shut it down. Sometimes this shuts down my sound. Other times it does not. Does anyone have any suggestions for me ... as I have tried everything I can think of aside from downloading new scan programs... and I don't have any idea which programs are good anymore... was using Spysweeper, Adaware, and Norton, but I despise Norton now. So I am assuming that I have a virus/spyware/malware; however, idk what to do to get rid of it. Please help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:49 AM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\uqvviojd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_14\bin\npjpi142_14.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC17B68A-A0F8-4BE4-8365-A864D5048C01}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: DomainService -   - C:\WINDOWS\system32\uqvviojd.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 4422 bytes
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13812
 
Posted 4-28-2008 6:42 (GMT +1)
Hello Ritario



Please download Combofix:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe


And save to the desktop.

Close all other browser windows.



Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results".


Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply with a new hijackthis log.


Do NOT post your problem in someone else's thread.

Post Edited (Touch) : 28-04-2008 05:44:50 GMT

 

Ritario
New Member


Date Joined Apr 2008
Total Posts : 5
 
Posted 4-29-2008 9:02 (GMT +1)
Question: will there be an indication of the log being completed? I have been waiting for over 14 hours on it to tell me that the log file has been created... and right now I am on another computer, this one at my work, and there is still no indication that it has been completed... I haven't touched it yet.... and I will not know any further info until I return home... and if it is done then I shall post; otherwise I will just have to wait until tomorrow to read what you respond with.

Thx for all the help so far, and I am glad to know that there is somewhere to come when I exhaust all my other efforts.
 

Ritario
New Member


Date Joined Apr 2008
Total Posts : 5
 
Posted 4-30-2008 5:30 (GMT +1)
Ok... here is what I got from both scans... hopefully this is what I was needing to post...

And I tried to get this to go as a .txt file but it keeps saying cannot do mime text... and it is far too late at night for me to try and figure out what I need to fix it with

^_^



ComboFix 08-04-27.3 - Bradley Bowman 2008-04-29  9:29:56.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.539 [GMT -7:00]
Running from: C:\Documents and Settings\Bradley Bowman\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DOMAINSERVICE
-------\Service_DomainService

(((((((((((((((((((((((((   Files Created from 2008-03-28 to 2008-04-29  )))))))))))))))))))))))))))))))
.
2008-04-27 21:45 . 2008-04-27 21:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-27 21:45 . 2008-04-27 21:45 <DIR> d-------- C:\Documents and Settings\Bradley Bowman\Application Data\Lavasoft
2008-04-27 21:38 . 2008-04-27 21:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 23:40 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-04-20 23:36 . 2008-04-20 23:36 <DIR> d-------- C:\Program Files\Ubi Soft
2008-04-20 23:22 . 2008-04-20 23:22 331,858 --a------ C:\WINDOWS\_detmp.1
2008-04-20 18:51 . 2008-04-20 18:51 <DIR> d-------- C:\Documents and Settings\Bradley Bowman\WINDOWS
2008-04-20 18:51 . 1997-12-17 18:33 304,128 --a------ C:\WINDOWS\IsUninst.exe
2008-04-14 23:10 . 2008-04-17 22:06 <DIR> d-------- C:\Program Files\TibEd
2008-04-14 22:59 . 2008-04-14 22:59 <DIR> d-------- C:\Westwood
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 05:07 --------- d-----w C:\Program Files\mIRC
2008-04-28 01:37 --------- d-----w C:\Program Files\EA GAMES
2008-04-10 08:37 --------- d-----w C:\Program Files\Common Files\aolshare
2008-04-10 08:37 --------- d-----w C:\Program Files\America Online 9.0a
2008-03-16 03:01 --------- d-----w C:\Documents and Settings\Bradley Bowman\Application Data\AOL
2008-03-16 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-16 02:52 --------- d-----w C:\Program Files\AOL Toolbar
2008-03-16 02:51 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-16 02:51 --------- d-----w C:\Program Files\AOL Deskbar
2008-03-16 02:47 --------- d-----w C:\Program Files\America Online 9.0
2008-03-16 02:37 --------- d-----w C:\Program Files\Common Files\AolCoach
2008-03-13 16:53 --------- d-----w C:\Program Files\Java
2008-03-13 05:40 --------- d-----w C:\Program Files\Learn2.com
2008-03-12 13:20 --------- d-----w C:\Documents and Settings\Mom\Application Data\AOL
2008-03-10 04:43 --------- d-----w C:\Program Files\LimeWire
2008-03-09 02:07 98,048 ----a-w C:\WINDOWS\system32\dmim.dll
2008-03-08 05:42 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-02 07:51 --------- d-----w C:\Documents and Settings\Bradley Bowman\Application Data\LimeWire
2008-02-01 06:33 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-02 07:00 6,778 -c--a-w C:\Documents and Settings\Bradley Bowman\Application Data\wklnhst.dat
2007-08-17 00:37 962 -c--a-w C:\Documents and Settings\Mom\Application Data\wklnhst.dat

File Attachment :
hijackthis.log   4KB (application/octet-stream)
This file has been downloaded 70 time(s).
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13812
 
   Posted 4-30-2008 6:18 (GMT +1)
Please download -


www.malwarebytes.org/AboutBuster.zip
Unzip all files to a folder on Desktop.


Reboot into Safe Mode by tapping F8 after the BIOS has loaded.
The Windows Advanced Options Menu appears.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.


Start AboutBuster 6.0
Hit begin removal and allow the program to run.
AboutBuster will finish and open a new page. Follow the instructions for protection on that page.
Shut down AboutBuster. A log should have been created.

Reboot


Post new combofix log, with AboutBuster log - and tell how things are running?


Do NOT post your problem in someone else's thread.

 

Ritario
New Member


Date Joined Apr 2008
Total Posts : 5
 
   Posted 5-1-2008 6:02 (GMT +1)
kk... that was much faster than before... on all fronts so here is what i got so far...


ComboFix 08-04-27.3 - Bradley Bowman 2008-04-29  9:29:56.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.539 [GMT -7:00]
Running from: C:\Documents and Settings\Bradley Bowman\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DOMAINSERVICE
-------\Service_DomainService

(((((((((((((((((((((((((   Files Created from 2008-03-28 to 2008-04-29  )))))))))))))))))))))))))))))))
.
2008-04-27 21:45 . 2008-04-27 21:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-27 21:45 . 2008-04-27 21:45 <DIR> d-------- C:\Documents and Settings\Bradley Bowman\Application Data\Lavasoft
2008-04-27 21:38 . 2008-04-27 21:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 23:40 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-04-20 23:36 . 2008-04-20 23:36 <DIR> d-------- C:\Program Files\Ubi Soft
2008-04-20 23:22 . 2008-04-20 23:22 331,858 --a------ C:\WINDOWS\_detmp.1
2008-04-20 18:51 . 2008-04-20 18:51 <DIR> d-------- C:\Documents and Settings\Bradley Bowman\WINDOWS
2008-04-20 18:51 . 1997-12-17 18:33 304,128 --a------ C:\WINDOWS\IsUninst.exe
2008-04-14 23:10 . 2008-04-17 22:06 <DIR> d-------- C:\Program Files\TibEd
2008-04-14 22:59 . 2008-04-14 22:59 <DIR> d-------- C:\Westwood
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 05:07 --------- d-----w C:\Program Files\mIRC
2008-04-28 01:37 --------- d-----w C:\Program Files\EA GAMES
2008-04-10 08:37 --------- d-----w C:\Program Files\Common Files\aolshare
2008-04-10 08:37 --------- d-----w C:\Program Files\America Online 9.0a
2008-03-16 03:01 --------- d-----w C:\Documents and Settings\Bradley Bowman\Application Data\AOL
2008-03-16 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-16 02:52 --------- d-----w C:\Program Files\AOL Toolbar
2008-03-16 02:51 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-16 02:51 --------- d-----w C:\Program Files\AOL Deskbar
2008-03-16 02:47 --------- d-----w C:\Program Files\America Online 9.0
2008-03-16 02:37 --------- d-----w C:\Program Files\Common Files\AolCoach
2008-03-13 16:53 --------- d-----w C:\Program Files\Java
2008-03-13 05:40 --------- d-----w C:\Program Files\Learn2.com
2008-03-12 13:20 --------- d-----w C:\Documents and Settings\Mom\Application Data\AOL
2008-03-10 04:43 --------- d-----w C:\Program Files\LimeWire
2008-03-09 02:07 98,048 ----a-w C:\WINDOWS\system32\dmim.dll
2008-03-08 05:42 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-02 07:51 --------- d-----w C:\Documents and Settings\Bradley Bowman\Application Data\LimeWire
2008-02-01 06:33 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-02 07:00 6,778 -c--a-w C:\Documents and Settings\Bradley Bowman\Application Data\wklnhst.dat
2007-08-17 00:37 962 -c--a-w C:\Documents and Settings\Mom\Application Data\wklnhst.dat
.

now regarding the aboutbuster log file. i will post it as soon as i find it

as there is no indication that it was made..... perhaps it is created under a strange name?

btw update about the comp itself, boots faster and sometimes the svchost doesn't always start but as soon as i start to run anything that is using more than 40% of my processor it kicks in and nothing beyond that works unless i shut down svchost
 

Ritario
New Member


Date Joined Apr 2008
Total Posts : 5
 
   Posted 5-6-2008 5:55 (GMT +1)
any more thoughts?