
Inactive System.exe takes 99% of CPU Usage

Discussion in 'Malware and Virus Removal Archive' started by memo5200, 2010/08/30.

Thread Status:
Not open for further replies.
  1. 2010/08/30
    memo5200

    memo5200 Inactive Thread Starter

    Joined:
    2009/05/21
    Messages:
    59
    Likes Received:
    1
    [Inactive] System.exe takes 99% of CPU Usage

    Hello :)
    The issue: three days ago I experienced a weird problem. While playing games I had a lot of hangs, caused by "system.exe", which takes about 99% of my CPU.
    Later I had a similar problem with "svchost.exe", which produced almost the same symptoms.
    Fortunately it was malware; it was removed after a long time of suffering.
    So I also tried many anti-virus programs with the latest updates, and many OSes, to eliminate this issue, but nothing works.

    Hijackthis Report:
    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 12:39:51 ص, on 31/08/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
    C:\WINDOWS\system32\taskmgr.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kaspersky-help.com/?hl=en&link=viruswatch&syst=Microsoft%20Windows%20XP%20Professional%20Service%20Pack%203%20(build%202600)&pid=kav&version=11.0.0.232&hotfix=&installid={825A9A80-A7D6-4321-82B5-1102A264A9E1}&serial=0F92-000534-0A1876A5&ktype=2&kcount=1&kcreat=20/08/2010&kexp=27/09/2010&kinst=28/08/2010
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe

    --
    End of file - 4546 bytes


    ================================================
    DDS Report:
    ================================================

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by MEMO at 4:58:13.79 on Tue 08/31/2010
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Professional 5.1.2600.3.1256.20.1033.18.1023.168 [GMT 3:00]

    AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    D:\Games\Online Games\Silkroad Online\Silkroad\sro_client.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Download Manager\IDMan.exe
    C:\Program Files\Internet Download Manager\IEMonitor.exe
    C:\WINDOWS\system32\ping.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    D:\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.kaspersky-help.com/?hl=en&link=viruswatch&syst=Microsoft%20Windows%20XP%20Professional%20Service%20Pack%203%20(build%202600)&pid=kav&version=11.0.0.232&hotfix=&installid={825A9A80-A7D6-4321-82B5-1102A264A9E1}&serial=0F92-000534-0A1876A5&ktype=2&kcount=1&kcreat=20/08/2010&kexp=27/09/2010&kinst=28/08/2010
    BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
    IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
    IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\memo\applic~1\mozilla\firefox\profiles\84llmw7t.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.eg/
    FF - component: c:\documents and settings\memo\application data\idm\idmmzcc3\components\idmmzcc.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.lu ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.nu ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.nz ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbaam7a8h ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--p1ai ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbayh7gpa ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.tel ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.proxy.type ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.buffer.cache.count ", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.buffer.cache.size ", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "dom.ipc.plugins.timeoutSecs ", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accelerometer.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.nptest.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npswf32.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npctrl.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npqtplugin.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-29 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-29 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-29 267432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-29 60936]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 XDva359;XDva359;\??\c:\windows\system32\xdva359.sys --> c:\windows\system32\XDva359.sys [?]

    =============== Created Last 30 ================

    2010-08-30 22:01:56 0 d-----w- c:\docume~1\memo\applic~1\Avira
    2010-08-29 06:08:02 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-08-29 06:08:02 0 d-----w- c:\program files\Avira
    2010-08-29 06:08:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-08-29 05:56:54 248448 ----a-w- c:\windows\system32\PROUnstl.exe
    2010-08-29 05:56:54 1904 ------w- c:\windows\system32\SetupBD.din
    2010-08-29 00:57:44 0 d-----r- C:\RavBin
    2010-08-29 00:57:38 1060864 ----a-w- c:\windows\system32\mfc71.dll
    2010-08-29 00:57:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Rising
    2010-08-29 00:54:42 0 d-----w- c:\windows\system32\appmgmt
    2010-08-29 00:54:42 0 d-----w- c:\docume~1\memo\applic~1\BitDefender
    2010-08-29 00:51:29 52 ----a-w- c:\windows\system32\ashttpstats.csv
    2010-08-29 00:50:36 385 ----a-w- c:\windows\system32\user_gensett.xml
    2010-08-29 00:15:21 376 ----a-w- c:\documents and settings\memo\Application Dataprivacy.xml
    2010-08-28 23:55:58 0 d-----w- c:\program files\BitDefender
    2010-08-28 23:55:58 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
    2010-08-28 23:55:33 0 d-----w- c:\program files\common files\BitDefender
    2010-08-28 21:24:46 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    2010-08-28 21:11:03 3583592 ----a-w- c:\windows\system32\GameMon.des
    2010-08-28 21:07:34 5174 ----a-w- c:\windows\system32\nppt9x.vxd
    2010-08-28 21:07:34 4682 ----a-w- c:\windows\system32\npptNT2.sys
    2010-08-28 21:06:39 0 d-----w- c:\program files\common files\INCA Shared
    2010-08-28 19:30:47 376 ----a-w- c:\windows\ODBC.INI
    2010-08-28 19:30:29 17920 ----a-w- c:\windows\system32\mdimon.dll
    2010-08-28 19:25:15 0 d-----w- c:\windows\SHELLNEW
    2010-08-28 19:24:56 0 d-----w- c:\program files\Microsoft ActiveSync
    2010-08-28 00:25:11 0 d-----w- c:\docume~1\alluse~1\applic~1\WEBREG
    2010-08-28 00:24:04 117760 ----a-w- c:\windows\system32\hpzll5ha.dll
    2010-08-28 00:18:11 0 d-----w- c:\program files\common files\HP
    2010-08-28 00:11:31 0 d-----w- C:\ijji
    2010-08-28 00:01:01 267864 ----a-w- c:\windows\system32\hpzids01.dll
    2010-08-28 00:00:54 0 d-----w- c:\program files\HP
    2010-08-28 00:00:51 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2010-08-28 00:00:51 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2010-08-28 00:00:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2010-08-28 00:00:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-08-27 23:59:19 2828 ------w- c:\windows\hphmdl15.dat
    2010-08-27 23:59:19 137438 ----a-w- c:\windows\HPHins15.dat
    2010-08-27 23:58:58 486134 ----a-w- c:\windows\system32\autorun.inf
    2010-08-27 23:48:43 713312 ----a-w- c:\windows\system32\ijjiSetup.exe
    2010-08-27 23:48:43 62048 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
    2010-08-27 23:48:42 0 d-----w- c:\program files\REACTOR
    2010-08-27 23:46:34 0 d-----w- c:\program files\TrendMicro
    2010-08-27 23:45:07 0 d-----w- c:\program files\Foxit Software
    2010-08-27 23:45:07 0 d-----w- c:\docume~1\memo\applic~1\Foxit
    2010-08-27 23:40:58 0 d-----w- c:\program files\CCleaner
    2010-08-27 23:39:53 604488 ----a-w- c:\windows\system32\TUProgSt.exe
    2010-08-27 23:39:48 29000 ----a-w- c:\windows\system32\uxtuneup.dll
    2010-08-27 23:39:46 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
    2010-08-27 23:39:45 0 d-----w- c:\docume~1\memo\applic~1\TuneUp Software
    2010-08-27 23:39:05 0 d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
    2010-08-27 23:39:04 0 d-----w- c:\program files\TuneUp Utilities 2009
    2010-08-27 23:38:54 0 d-sh--w- c:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
    2010-08-27 23:30:05 0 d-----w- c:\program files\Yahoo!
    2010-08-27 23:27:45 0 d-----w- c:\docume~1\memo\applic~1\IDM
    2010-08-27 23:27:44 0 d-----w- c:\docume~1\memo\applic~1\DMCache
    2010-08-27 23:27:38 0 d-----w- c:\program files\Internet Download Manager
    2010-08-27 23:24:42 0 d-----w- c:\program files\K-Lite Codec Pack
    2010-08-27 23:22:07 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
    2010-08-27 23:22:07 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
    2010-08-27 23:22:07 44944 ------w- c:\windows\system32\drivers\PxHelp20.sys
    2010-08-27 23:22:07 129520 ------w- c:\windows\system32\pxafs.dll
    2010-08-27 23:21:07 0 d-----w- c:\program files\Dictionary
    2010-08-27 23:18:08 6272 -c--a-w- c:\windows\system32\dllcache\splitter.sys
    2010-08-27 23:18:08 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
    2010-08-27 23:18:06 83072 -c--a-w- c:\windows\system32\dllcache\wdmaud.sys
    2010-08-27 23:18:06 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
    2010-08-27 23:18:05 52864 -c--a-w- c:\windows\system32\dllcache\dmusic.sys
    2010-08-27 23:18:05 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
    2010-08-27 23:18:03 56576 -c--a-w- c:\windows\system32\dllcache\swmidi.sys
    2010-08-27 23:18:03 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
    2010-08-27 23:18:02 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
    2010-08-27 23:18:02 142592 ----a-w- c:\windows\system32\drivers\aec.sys
    2010-08-27 23:18:01 172416 -c--a-w- c:\windows\system32\dllcache\kmixer.sys
    2010-08-27 23:18:01 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
    2010-08-27 23:17:28 0 d-----w- c:\program files\Analog Devices
    2010-08-27 23:16:03 0 d-----w- c:\program files\NVIDIA Corporation
    2010-08-27 23:15:59 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
    2010-08-27 23:15:23 485920 ----a-w- c:\windows\system32\nvudisp.exe
    2010-08-27 23:15:23 19495 ----a-w- c:\windows\system32\nvdisp.nvu
    2010-08-27 23:14:22 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
    2010-08-27 13:35:08 0 d-s---w- c:\windows\system32\Microsoft
    2010-08-27 13:07:51 3072 ----a-w- c:\windows\system32\drivers\audstub.sys
    2010-08-27 13:07:21 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
    2010-08-27 13:06:46 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
    2010-08-27 13:06:33 74240 ----a-w- c:\windows\system32\usbui.dll
    2010-08-27 13:06:23 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
    2010-08-27 13:05:24 0 d-----w- c:\program files\common files\ODBC
    2010-08-27 13:05:21 0 d-----w- c:\program files\common files\SpeechEngines
    2010-08-27 13:05:01 0 d-----r- c:\documents and settings\all users\Documents
    2010-08-27 13:04:58 16535 ----a-r- c:\windows\SET8.tmp
    2010-08-27 13:04:55 1088840 ----a-r- c:\windows\SET4.tmp
    2010-08-27 13:04:54 1296669 ----a-r- c:\windows\SET3.tmp
    2010-08-27 13:04:49 0 d-----w- c:\windows\system32\CatRoot2
    2010-08-27 13:04:49 0 d-----w- c:\windows\system32\CatRoot
    2010-08-27 13:04:23 0 d-----w- C:\Documents and Settings
    2010-08-27 13:03:40 689 ----a-w- c:\windows\system32\$winnt$.inf
    2010-08-27 10:19:42 0 d-sh--w- c:\documents and settings\all users\DRM
    2010-08-27 10:19:24 0 d--h--w- c:\program files\WindowsUpdate
    2010-08-27 10:18:44 0 d-----w- c:\program files\common files\MSSoap
    2010-08-27 10:17:12 0 d-----w- c:\program files\Online Services
    2010-08-27 10:17:04 0 d-----w- c:\program files\Messenger
    2010-08-27 10:17:00 0 d-----w- c:\program files\MSN Gaming Zone
    2010-08-27 10:16:20 0 d-----w- c:\program files\Windows NT

    ==================== Find3M ====================

    2010-08-27 10:17:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-06-02 08:00:00 108032 ----a-w- c:\windows\system32\ff_vfw.dll

    ============= FINISH: 4:59:03.14 ===============


    ==========================================
    Attach Report:
    ==========================================
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/27/2010 1:23:43 PM
    System Uptime: 8/30/2010 10:18:11 PM (6 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P5GPL-X
    Processor: Intel(R) Pentium(R) 4 CPU 2.66GHz | LGA 775 | 2676/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 13 GiB total, 2.291 GiB free.
    D: is FIXED (NTFS) - 62 GiB total, 8.049 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    A.V.A
    Adobe Flash Player 10 Plugin
    Adobe® Flash® Player 10 ActiveX
    Avira AntiVir Personal - Free Antivirus
    BufferChm
    CCleaner (remove only)
    D1400
    D1400_Help
    DeviceDiscovery
    DeviceManagementQFolder
    dj_sf_ProductContext
    dj_sf_software
    dj_sf_software_req
    Foxit Reader
    HiJackThis
    HP Deskjet Printer Driver Software 9.0
    HP Imaging Device Functions 9.0
    Intel(R) Network Connections 13.3.46.0
    Internet Download Manager
    K-Lite Mega Codec Pack 6.0.4
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.8)
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    PanoStandAlone
    REACTOR
    S4 League_EU
    SoundMAX
    Status
    Toolbox
    TrayApp
    TuneUp Utilities 2009
    UnloadSupport
    VC80CRTRedist - 8.0.50727.4053
    WebFldrs XP
    WebReg
    Winamp
    WinRAR archiver
    Yahoo! Messenger

    ==== Event Viewer Messages From Past Week ========

    8/30/2010 7:30:02 AM, error: atapi [5] - A parity error was detected on \Device\Ide\IdePort2.
    8/30/2010 7:01:31 AM, error: Service Control Manager [7000] - The EagleNT service failed to start due to the following error: The system cannot find the file specified.
    8/30/2010 5:05:34 AM, error: Srv [2000] - The server's call to a system service failed unexpectedly.
    8/29/2010 9:07:45 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    8/29/2010 9:07:45 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\MEMO\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    8/29/2010 9:07:45 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    8/29/2010 8:57:01 AM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Type with the following error: Access is denied.
    8/29/2010 6:00:41 AM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    8/29/2010 3:51:05 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    8/29/2010 11:35:13 AM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk0\D.
    8/28/2010 3:49:09 AM, error: Service Control Manager [7031] - The Agnitum Client Security Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
    8/28/2010 2:39:50 AM, error: Service Control Manager [7000] - The TuneUp Theme Extension service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
    8/27/2010 4:42:38 PM, error: Service Control Manager [7000] - The kl2 service failed to start due to the following error: A device attached to the system is not functioning.
    8/27/2010 4:35:26 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    8/27/2010 1:23:58 PM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.

    ==== End Of File ===========================


    ==========================================
     
    Last edited: 2010/08/31
  2. 2010/08/30
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    Hi,

    Read this post as indicated at the top of this forum & follow the instructions.
     


  4. 2010/08/30
    memo5200

    memo5200 Inactive Thread Starter

    Joined:
    2009/05/21
    Messages:
    59
    Likes Received:
    1
    Done. And I am sorry for the missing reports.
     
  5. 2010/08/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, paste Attach.txt into your reply.
     
  6. 2010/08/31
    memo5200

    memo5200 Inactive Thread Starter

    Joined:
    2009/05/21
    Messages:
    59
    Likes Received:
    1
    Done again, sorry. I think I saw a P.S. that says compress and attach "Attach file".
     
  7. 2010/08/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on the Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button, and save the results as gmer.log.
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log in your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in the right pane.
    If still no joy, try to run it from Safe Mode.


    STEP 3. Download MBRCheck to your desktop.

    Double-click MBRCheck.exe to run it (Vista and Windows 7 users, right-click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     