Both CPUs being maxed out at 100%
Join Date: Mar 2008
Posts: 23
Hi all,
I hope someone can help. I've been all over the net trying to find a fix for this. At random times (usually in the evening to early morning) both my processors (Dell Inspiron E1505 core 2 duo) will max out at 100% usage (noticed with a sidebar gadget). When checking with the task manager there can be a few different culprits.
It varies between these three:
- Taskmgr
- Audiodg
- Svchost
I found a thread somewhere showing how to fix the Audiodg issue by disabling advanced sound options. Since I did that, Audiodg has been cool.
I found another thread somewhere that listed the following fix for a problem:
"Run all these commands in a command prompt one after the other
regsvr32 MSXML3.dll
regsvr32 WUAUENG1.dll
regsvr32 WUAPI.DLL
regsvr32 WUAUENG.DLL
regsvr32 WUAUENG1.DLL
regsvr32 ATL.DLL
regsvr32 WUCLTUI.DLL
regsvr32 WUPS.DLL
regsvr32 WUPS2.DLL
regsvr32 WUWEB.DLL
net stop WuAuServ
rename %windir%\SoftwareDistribution SoftwareDistribution_buggy
net start WuAuServ "
So I did that, but a few of those commands couldn't find the DLL (the above seems to be for XP, so maybe that is why). And since doing that, now at start up my computer will go to 100% CPU for 3 minutes. So I would like to undo the above somehow.
That's as far as I have gotten with solving this issue. Please, anyone, help if you can. Thanks!! Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:57 AM, on 8/23/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\taskeng.exe
C:\Windows\sttray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: AutoHotkey.lnk = C:\Program Files\AutoHotkey\AutoHotkey.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{6342C9DD-4FC1-4AC6-9352-4B82D9A0FA19}: NameServer = 217.199.126.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
--
End of file - 4259 bytes
I find nothing wrong with your HijackThis log.
Please re-open HijackThis and click on Do a system scan only. Locate the following entries and place a check against them.
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform full scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Last edited by Cyber Punk; Aug 23rd, 2008 at 3:09 pm. Reason: removed an entry.
If I have helped you in any way, please consider making a donation to DaniWeb.
It helps us keep going
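The triage Cyber Punk does by eye on the O4, O17 and O23 lines can be scripted. The Python below is an added example written for this page; it is not code from HijackThis, Trend Micro or DaniWeb. The log excerpt it parses is constructed from entry types that appear in the log posted above, and the review rules (`SERVICE_ACCOUNT_HIVES`, `DEFAULT_HOSTS`, the checks in `triage`) are my assumptions about what deserves a second look, not verdicts: the Sidebar entries under the service-account hives are a Vista default, and a custom NameServer is only flagged so the owner can confirm it belongs to their ISP.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in HijackThis 2.0.2 log format; the entries are the
# same kinds (O1, O4, O17, O23) that appear in the log posted above.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:57 AM, on 8/23/2008
Running processes:
C:\Windows\Explorer.EXE
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O17 - HKLM\System\CCS\Services\Tcpip\..\{6342C9DD-4FC1-4AC6-9352-4B82D9A0FA19}: NameServer = 217.199.126.2
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
--
End of file - 4259 bytes
"""

# Every HijackThis entry line has the shape "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Assumptions used by the review rules below.
SERVICE_ACCOUNT_HIVES = ("HKUS\\S-1-5-19\\", "HKUS\\S-1-5-20\\")   # LOCAL SERVICE / NETWORK SERVICE
DEFAULT_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}           # stock Vista hosts entries


@dataclass
class Entry:
    section: str   # "O4", "O23", ...
    body: str      # text after the "O4 - " prefix


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(text):
    """Return the Rx/Fx/Nx/Ox entries of a HijackThis log; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(text):
    """Flag the entries a reviewer would look at first; everything else is left alone."""
    findings = []
    for e in parse_hjt(text):
        line = f"{e.section} - {e.body}"
        if e.section == "O1":
            mapping = e.body.split("Hosts:", 1)[-1].strip()
            if mapping not in DEFAULT_HOSTS:
                findings.append(Finding(e.section, "non-default hosts file mapping", line))
        elif e.section == "O4" and e.body.startswith(SERVICE_ACCOUNT_HIVES):
            findings.append(Finding(e.section, "Run entry under a service-account hive", line))
        elif e.section == "O17" and "NameServer =" in e.body:
            server = e.body.split("NameServer =", 1)[1].strip()
            findings.append(Finding(e.section, f"custom DNS server {server}; confirm it is your ISP's", line))
        elif e.section == "O23":
            if "(file missing)" in e.body:
                findings.append(Finding(e.section, "service points at a missing file", line))
            elif "Unknown owner" in e.body:
                findings.append(Finding(e.section, "service binary has no recognised publisher", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed excerpt it reports three review items: the Sidebar Run entry under S-1-5-19, the custom NameServer, and the LicCtrl service whose rundll32.exe target is missing. The avast! service and the HKLM/HKCU Run entries pass untouched, which is the point: the script narrows what a human reads, it does not decide.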
OK. I just went ahead and did "Fix checked" in HijackThis. And here is the log file for Malwarebytes:
Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 6.0.6000
2:07:29 PM 8/23/2008
mbam-log-08-23-2008 (14-07-29).txt
Scan type: Full Scan (C:\|)
Objects scanned: 89651
Time elapsed: 38 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Ah, sorry. Yes you must click Fix Checked.
I was in a hurry but I picked up your log on the way.
How is your computer now?
If I have helped you in any way, please consider making a donation to DaniWeb.
It helps us keep going
Thanks for the reply. Well, no problems yet, but it's a random and periodic problem. Hopefully it helps though. One thing is that now my sidebar is gone. Do you think the sidebar itself was causing this problem?
A friend of mine said that the laptop may be overheating, and somehow that causes the CPUs to max out. That seems unlikely to me.
No, it's because it's been fixed in HijackThis.
Just copy paste this into notepad and then select File > Save as... and save it as Sidebar.reg
Under Save as type, select All Files (*.*).
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
Save it in your desktop and double click on it and merge it with the registry.
I added this in the fix by mistake, forgive me.
Last edited by Cyber Punk; Aug 24th, 2008 at 2:26 pm.
If I have helped you in any way, please consider making a donation to DaniWeb.
It helps us keep going
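A .reg file is a small text format with one trap: inside a quoted string value, every backslash must be written as `\\` and every quote as `\"`, otherwise Registry Editor does not store the path as typed. The Python below is an added example written for this page, not Cyber Punk's code; it builds the Sidebar Run value the way the fix above does and parses it back to confirm the round trip. `build_run_entry_reg` and `parse_reg` are my own minimal helpers (the parser only handles quoted string values), and the key path uses mixed case where the posted file used capitals; registry key names are case-insensitive so either works.

```python
import re

# Assumption: the constructed Run value below matches the entry the thread restores.
SIDEBAR_COMMAND = r"C:\Program Files\Windows Sidebar\sidebar.exe /autoRun"


def reg_escape(s):
    """Escape a string for a quoted REG_SZ value in a .reg file: \\ -> \\\\ and " -> \\"."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_unescape(s):
    """Inverse of reg_escape: drop the escaping backslash in front of any character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def build_run_entry_reg(name, command, hive="HKEY_CURRENT_USER"):
    """REGEDIT4 text that (re)creates one value under the per-user Run key.

    The blank line after the header is required by Registry Editor; CRLF line
    endings are used so the file imports on older Windows versions as well.
    """
    return (
        "REGEDIT4\r\n\r\n"
        f"[{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
        f'"{reg_escape(name)}"="{reg_escape(command)}"\r\n'
    )


# "name"="value" where either side may contain escaped quotes or backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Minimal REGEDIT4 reader for quoted string values: {key: {name: value}}."""
    result, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
        elif key is not None:
            m = VALUE_RE.match(line)
            if m:
                result[key][reg_unescape(m.group(1))] = reg_unescape(m.group(2))
    return result


if __name__ == "__main__":
    reg_text = build_run_entry_reg("Sidebar", SIDEBAR_COMMAND)
    print(reg_text)
    # Write with newline="" so Python does not turn CRLF into CRCRLF on Windows.
    # with open("Sidebar.reg", "w", newline="") as fh:
    #     fh.write(reg_text)
    print(parse_reg(reg_text))
```

The escaped line in the generated file reads `"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"`; parsing it back yields the original single-backslash command, which is what ends up in the registry.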
Could this actually be from the laptop overheating?
Please download Combofix by sUbs and save it to your Desktop.
- Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
- Click Start and choose Run. Then copy the entire content of the following quotebox and paste it into the run box.
"%userprofile%\desktop\ComboFix.exe" /KillAll
- Click OK and this will start ComboFix.
- When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
- After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.
- Reconnect to the internet
- Post the following logs/Reports:
- ComboFix.txt
- Fresh HijackThis log run after all the other tools have performed their cleanup.
If I have helped you in any way, please consider making a donation to DaniWeb.
It helps us keep going
OK. Here is the ComboFix log:
ComboFix 08-08-25.01 - Jake 2008-08-26 10:43:13.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1386 [GMT -7:00]
Running from: C:\Users\Jake\Desktop\ComboFix.exe
Command switches used :: /KillAll
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Users\Jake\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Users\Jake\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Users\Jake\AppData\Roaming\Microsoft\Windows\Cookies\jacob@ad.yieldmanager[1].txt
C:\Users\Jake\AppData\Roaming\Microsoft\Windows\Cookies\jacob@insightexpressai[2].txt
C:\Users\Jake\AppData\Roaming\Microsoft\Windows\Cookies\jacob@revsci[2].txt
C:\Users\Jake\AppData\Roaming\Microsoft\Windows\Cookies\jake@live[1].txt
.
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.
2008-08-25 19:47 . 2007-02-15 19:46 311,296 --a------ C:\Windows\System32\mswmdm.dll
2008-08-25 19:47 . 2007-02-15 19:48 36,864 --a------ C:\Windows\System32\wmdmps.dll
2008-08-25 19:47 . 2007-02-15 19:48 31,744 --a------ C:\Windows\System32\wmdmlog.dll
2008-08-23 13:20 . 2008-08-23 13:20 <DIR> d-------- C:\Users\Jake\AppData\Roaming\Malwarebytes
2008-08-23 13:20 . 2008-08-23 13:20 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-23 13:20 . 2008-08-23 13:20 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-23 13:20 . 2008-08-23 13:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 13:20 . 2008-08-17 15:01 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-23 13:20 . 2008-08-17 15:01 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-23 09:50 . 2008-08-23 09:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 04:42 . 2008-07-18 22:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-19 04:42 . 2008-07-18 20:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-19 04:42 . 2008-07-18 22:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-19 04:42 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-19 04:42 . 2008-07-18 20:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-19 04:42 . 2008-07-18 22:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-19 04:42 . 2008-07-18 22:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-19 04:42 . 2008-07-18 22:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-19 04:42 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-16 10:07 . 2008-08-25 14:17 <DIR> d-------- C:\Users\Jake\AppData\Roaming\skypePM
2008-08-16 10:07 . 2008-08-16 10:07 56 --ah----- C:\Windows\System32\ezsidmv.dat
2008-08-15 17:49 . 2008-08-25 14:20 <DIR> d-------- C:\Users\Jake\AppData\Roaming\Skype
2008-08-15 11:58 . 2008-08-15 11:58 <DIR> d-------- C:\Users\All Users\Skype
2008-08-15 11:58 . 2008-08-15 11:58 <DIR> d-------- C:\ProgramData\Skype
2008-08-15 11:58 . 2008-08-15 11:58 <DIR> d-------- C:\Program Files\Skype
2008-08-15 11:58 . 2008-08-15 11:58 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-08-14 01:01 . 2008-07-15 16:48 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-13 11:22 . 2008-06-18 20:25 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 11:22 . 2008-06-18 20:25 272,896 --a------ C:\Windows\System32\polstore.dll
2008-08-13 11:22 . 2008-04-19 01:13 268,800 --a------ C:\Windows\System32\es.dll
2008-08-13 11:22 . 2008-06-18 20:25 61,440 --a------ C:\Windows\System32\winipsec.dll
2008-08-13 11:22 . 2008-06-18 20:25 28,672 --a------ C:\Windows\System32\FwRemoteSvr.dll
2008-08-13 11:20 . 2008-04-09 22:01 737,792 --a------ C:\Windows\System32\inetcomm.dll
2008-08-13 11:20 . 2008-04-09 19:43 84,480 --a------ C:\Windows\System32\INETRES.dll
2008-08-01 10:40 . 2008-08-01 10:40 <DIR> d-------- C:\Users\Jake\AppData\Roaming\Prish
2008-08-01 10:40 . 2008-08-01 10:40 <DIR> d-------- C:\Program Files\Prish Image Resizer
2008-07-31 19:40 . 2008-08-04 21:21 237,568 --a------ C:\Windows\System32\rmc_rtspdl.dll
2008-07-31 19:40 . 2008-08-04 21:21 156,672 --a------ C:\Windows\System32\rmc_fixasf.exe
2008-07-31 19:38 . 2008-07-31 19:40 323,584 --a------ C:\Windows\System32\AUDIOGENIE2.DLL
2008-07-31 19:37 . 2008-07-31 19:37 <DIR> d-------- C:\Windows\Replay Media Catcher
2008-07-31 19:12 . 2008-07-31 19:41 <DIR> d-------- C:\Program Files\Replay Media Catcher
2008-07-31 10:22 . 2008-07-31 10:22 <DIR> d--h----- C:\Users\All Users\CanonBJ
2008-07-31 10:22 . 2008-07-31 10:22 <DIR> d--h----- C:\ProgramData\CanonBJ
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 01:56 --------- d-----w C:\Users\Jake\AppData\Roaming\OpenOffice.org2
2008-08-22 18:13 --------- d-----w C:\Program Files\DivX
2008-08-14 08:01 --------- d-----w C:\Program Files\Windows Mail
2008-08-04 14:34 --------- d-----w C:\Users\Jake\AppData\Roaming\VoipCheapCom
2008-07-19 14:36 51,280 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-07-18 16:03 71,680 ----a-w C:\Windows\mmfs.dll
2008-07-18 07:30 --------- d-----w C:\Program Files\Paint.NET
2008-07-15 18:54 --------- d-----w C:\Program Files\DOSBox-0.72
2008-07-14 09:09 --------- d-----w C:\Program Files\flv to avi
2008-07-13 17:17 --------- d-----w C:\Program Files\Common Files\wsm
2008-07-13 17:16 --------- d-----w C:\Program Files\Quick AVI Joiner
2008-07-13 17:16 --------- d-----w C:\Program Files\Kate's Video Joiner
2008-07-13 17:11 --------- d-----w C:\Users\Jake\AppData\Roaming\Download Manager
2008-07-13 17:04 --------- d-----w C:\Program Files\Ordix
2008-07-13 05:57 --------- d-----w C:\Program Files\ATI Technologies
2008-07-12 08:47 --------- d-----w C:\Users\Jake\AppData\Roaming\vlc
2008-07-12 08:36 --------- d-----w C:\Program Files\VideoLAN
2008-07-12 08:11 --------- d-----w C:\Program Files\Dell
2008-07-12 07:32 --------- d-----w C:\Program Files\Intel
2008-07-12 07:29 --------- d--h--w C:\Users\Jake\AppData\Roaming\GTek
2008-07-12 07:28 --------- d-----w C:\ProgramData\Gtek
2008-07-12 07:28 --------- d-----w C:\Program Files\DellAutomatedPCTuneUp
2008-07-12 07:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-12 07:22 --------- d-----w C:\Program Files\SigmaTel
2008-07-12 07:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-12 07:12 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2008-07-12 07:11 --------- d-----w C:\Program Files\Synaptics
2008-07-12 07:07 50,792 ----a-w C:\Windows\system32\drivers\termdd.sys
2008-07-12 07:07 50,280 ----a-w C:\Windows\system32\drivers\volmgr.sys
2008-07-12 07:07 28,776 ----a-w C:\Windows\system32\drivers\mssmbios.sys
2008-07-12 07:07 140,392 ----a-w C:\Windows\system32\drivers\pci.sys
2008-07-12 07:07 13,928 ----a-w C:\Windows\system32\drivers\msisadrv.sys
2008-07-12 07:07 12,776 ----a-w C:\Windows\system32\drivers\swenum.sys
2008-07-12 07:01 --------- d-----w C:\ProgramData\Dell
2008-07-12 06:59 --------- d-----w C:\ProgramData\SupportSoft
2008-07-12 06:59 --------- d-----w C:\Program Files\Dell Support Center
2008-07-12 06:58 --------- d-----w C:\Program Files\Common Files\supportsoft
2008-07-12 06:53 --------- d-----w C:\Program Files\Roxio
2008-07-12 06:50 --------- d-----w C:\Users\Jake\AppData\Roaming\ATI
2008-07-12 06:45 --------- d-----w C:\Program Files\ATI
2008-07-12 06:32 --------- d-----w C:\Users\Jake\AppData\Roaming\DivX
2008-07-12 04:46 174 --sha-w C:\Program Files\desktop.ini
2008-07-12 04:42 --------- d-----w C:\Program Files\Windows Sidebar
2008-07-12 04:42 --------- d-----w C:\Program Files\Windows Defender
2008-07-12 04:42 --------- d-----w C:\Program Files\Windows Calendar
2008-07-11 22:45 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
2008-07-11 22:45 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
2008-07-11 22:45 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
2008-07-11 22:45 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
2008-07-11 22:45 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
2008-07-11 22:43 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-07-11 22:43 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-07-11 22:43 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-07-11 22:43 2,923,520 ----a-w C:\Windows\explorer.exe
2008-07-11 22:43 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
2008-07-11 22:43 11,264 ----a-w C:\Windows\system32\drivers\wmiacpi.sys
2008-07-11 22:40 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-07-11 22:33 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-07-11 22:33 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-07-11 22:27 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-07-11 22:27 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-07-11 22:27 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-07-11 22:25 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-07-11 22:25 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-07-11 22:25 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-07-11 22:25 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-07-11 22:25 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-07-11 22:25 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-07-11 22:23 5,888 ----a-w C:\Windows\system32\drivers\usbd.sys
2008-07-11 22:23 38,400 ----a-w C:\Windows\system32\drivers\usbehci.sys
2008-07-11 22:23 23,040 ----a-w C:\Windows\system32\drivers\usbuhci.sys
2008-07-11 22:23 224,768 ----a-w C:\Windows\system32\drivers\usbport.sys
2008-07-11 22:23 193,536 ----a-w C:\Windows\system32\drivers\usbhub.sys
2008-07-11 22:22 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-07-11 22:22 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-07-11 22:16 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-07-11 22:16 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-07-11 22:16 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-07-11 22:16 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-07-11 22:16 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-07-11 22:16 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-07-11 22:14 82,432 ----a-w C:\Windows\system32\drivers\sdbus.sys
2008-07-11 22:14 13,312 ----a-w C:\Windows\system32\drivers\sffdisk.sys
2008-07-11 22:14 12,800 ----a-w C:\Windows\system32\drivers\sffp_sd.sys
2008-07-11 22:10 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-07-11 22:08 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-11 22:08 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-11 22:06 53,760 ----a-w C:\Windows\system32\drivers\hdaudbus.sys
2008-07-11 22:05 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2008-07-11 22:05 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2008-07-11 22:05 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2008-07-11 22:05 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2008-07-11 22:04 12,800 ----a-w C:\Windows\system32\drivers\fs_rec.sys
2008-07-11 21:27 --------- d-----w C:\Program Files\Java
2008-07-11 21:14 --------- d-----w C:\ProgramData\NOS
2008-07-11 21:14 --------- d-----w C:\Program Files\NOS
2008-07-11 21:14 --------- d-----w C:\Program Files\Alwil Software
2008-07-11 21:09 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-07-11 21:08 --------- d-----w C:\Program Files\Common Files\Java
2008-07-11 21:06 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 18:27 144784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 09:06 815104]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 00:51 303104 C:\Windows\sttray.exe]
C:\Users\Jake\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-28 23:57:36 49152]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AutoHotkey.lnk - C:\Program Files\AutoHotkey\AutoHotkey.exe [2008-03-09 08:12:24 240640]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)
[HKLM\~\startupfolder\C:^Users^Jake^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CCC.lnk]
path=C:\Users\Jake\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCC.lnk
backup=C:\Windows\pss\CCC.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-11 16:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellAutomatedPCTuneUp]
--a------ 2007-10-10 23:49 465136 C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2008-03-11 02:44 202544 C:\Program Files\Dell Support Center\bin\sprtcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2008-03-11 02:44 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 02:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2183261671-2244579172-1524993158-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{56A4CF55-5EAB-47EB-A5DF-06121F2068F0}"= UDP:C:\Program Files\VoipCheapCom\VoipCheapCom.exe:VoipCheapCom
"{306B3D93-6B38-4596-9729-86D723966CED}"= TCP:C:\Program Files\VoipCheapCom\VoipCheapCom.exe:VoipCheapCom
"{43619AD0-929A-4F3A-9600-EB512620DF82}"= UDP:C:\Program Files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{A1032EDC-8961-4CB2-ADB8-59FC6DADDDAD}"= TCP:C:\Program Files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{48D46A52-526F-4A2C-B6CC-F260B11B9A1E}"= C:\Program Files\Skype\Phone\Skype.exe:Skype
"{AFCEE012-FBA7-48C2-B14F-9CFD83E3C31C}"= UDP:990:LocalSubnet:LocalSubnet|IF={4F1DAECF-10FD-4158-B44F-2FB9059D6D7D}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:%systemroot%\WindowsMobile\wmdSync.exe,-4001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-07-19 07:35]
R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2007-02-08 10:05]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 07:37]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-07-19 07:36]
R2 datunidr;DellAutomatedPCTuneUp UniDriver;C:\Windows\system32\DRIVERS\datunidr.sys [2007-08-23 08:29]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-03-14 12:04]
S2 LicCtrlService;LicCtrl Service;rundll32.exe C:\Windows\mmfs.dll,Service []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Jake\AppData\Roaming\Mozilla\Firefox\Profiles\8ypnaspl.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - google.com
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 10:46:34
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\DLAAPI_W.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-08-26 10:49:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-26 17:48:55
Pre-Run: 45,139,574,784 bytes free
Post-Run: 45,307,473,920 bytes free
261 --- E O F --- 2008-08-26 03:40:13