Desolate Carnage
 
Pliz Halpz
Archived | Views: 5547 | Replies: 116 | Started 14 years, 7 months ago
 
#708954 | Wed - May 5 2010 - 09:05:57
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Points: 381.50 $
So, this issue of "lag" isn't going away, but I don't think that's the cause. The computer feels slow, like I am uploading things.

I can't connect to League of Legends at all. Ventrilo has been getting spiky ms, and World of Warcraft ms has been 500-15,000.

When I open up the Task Manager, I am seeing multiple instances of svchost.exe open (no idea what that is), but also multiple instances of iexplore.exe running.

Under Networking Utilization, I'm seeing anywhere from 10-50% for whatever reason. Then it randomly drops down to 1-3%.

Also, if everything is minimized and I am at the Desktop, my mouse icon from the moment I log in is the pointer with the hourglass next to it, and it never goes away.

Thoughts?
 
#708955 | Wed - May 5 2010 - 09:09:22
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Points: 7,730.25 $
do you use internet explorer
 
#708959 | Wed - May 5 2010 - 09:10:55
Group: Members
Posts: 74,19840k
Joined: Oct 25 2006
Points: 6,883.75 $
google responses for iexplore.exe are varied ofc, but here's one that seems similar to what you are saying

http://forums.cnet.com/5208-10149_102-0.html?toiletID=253195

Okay, I've seen everyone in the world talking about this...
If your system hangs, Windows XP, and/or is very slow, and you do a Ctrl/Alt/Del to call up Task Manager and watch the active processes, you see iexplore.exe (Microsoft Internet Explorer) is using up to 90 CPU power (but you don't even have the software running?)
That is the issue I have tackled for four days now. Being an old DOS, even CP/M, fellow (pre-DOS), I tried every program out there today: SpyBot, MicroTrend, Ad-Aware, etc.
A McAfee download from my AOL finally gave me a hint, and I think I found the sucker. A block warning box kept coming up as the McAfee scanner was running. It kept talking about "C:\Program Files\scvhostsvchost.exe" trying to access the system and/or dial out!
I used Windows Explorer to look (my normal setting is to see hidden files). There it was! A directory in Program Files called SVCHOST, with two files in it. I knew this Svchost should not be in the Program Files directory. I rebooted, because it would not let me delete it, into the Safe Mode Command Prompt (F8 as the system is starting). Went typing directly to the directory, deleted the .exe and .dat file found there and the directory name (Svchost). When I rebooted normally, iexplore.exe was never again in the Task Manager Processes list...unless I ran it.
I think this is the answer to what everyone has been talking about.
Look for the HIDDEN directory with two files in Program Files that is Hidden. Svchost. Delete it!
Reboot.
Eric Shore
Publisher
Miami News
P.S. I hope this made it go away for good. Don't know how I got it on three system notebooks...obviously, someone is trying to make folks' lives miserable enough to uninstall Microsoft Internet Explorer and use another browser. ******** out there!
 
#708961 | Wed - May 5 2010 - 09:12:06
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Points: 381.50 $
Quote (randomtask @ Wed - May 5 2010 - 09:09:22)
do you use internet explorer


Very rarely.
 
#708963 | Wed - May 5 2010 - 09:12:46
Group: Members
Posts: 74,19840k
Joined: Oct 25 2006
Points: 6,883.75 $
you could have shit hiding in the iexplore.exe file too.
 
#708964 | Wed - May 5 2010 - 09:12:49
Group: Members
Posts: 13,90610k
Joined: Apr 28 2007
Points: 3,331.84
verizon. fios.
 
#708965 | Wed - May 5 2010 - 09:13:03
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Points: 7,730.25 $
joe, multiple instances of svchost are normal, but if there's IE browsers running when you don't use internet explorer, that will tip you off that there's shit going on in the background that you don't want/didn't authorize
 
#708966 | Wed - May 5 2010 - 09:14:48
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Points: 7,730.25 $
Quote (MoS. @ Wed - May 5 2010 - 10:12:06)
Quote (randomtask @ Wed - May 5 2010 - 09:09:22)
do you use internet explorer


Very rarely.


make your way to cnet and start downloading some free anti adware programs then
 
#708968 | Wed - May 5 2010 - 09:15:51
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Points: 381.50 $
I just checked, Joe, there is no directory C:\svchost or C:\Program Files\svchost

I got excited that that was all that it was.
 
#708969 | Wed - May 5 2010 - 09:15:56
Group: Members
Posts: 60,63040k
Joined: Aug 30 2006
Points: 75,457.20
job; new comp
 
#708979 | Wed - May 5 2010 - 09:23:27
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Points: 381.50 $
 
#708984 | Wed - May 5 2010 - 09:26:00
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Points: 7,730.25 $
Quote (MoS. @ Wed - May 5 2010 - 10:23:27)


Wednesday 29 December 2004
 
#708986 | Wed - May 5 2010 - 09:28:58
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Points: 381.50 $
Quote (MoS. @ Wed - May 5 2010 - 09:23:27)


not very useful.
 
#708989 | Wed - May 5 2010 - 09:38:32
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Points: 7,730.25 $
Quote (MoS. @ Wed - May 5 2010 - 10:28:58)
Quote (MoS. @ Wed - May 5 2010 - 09:23:27)


not very useful.


http://download.cnet.com/Trend-Micro-Hijac...4-10227353.html

run this/save a logfile/poop it

it should point out the path of the shit
 
#708990 | Wed - May 5 2010 - 09:41:36
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Points: 381.50 $
Quote (randomtask @ Wed - May 5 2010 - 09:38:32)
Quote (MoS. @ Wed - May 5 2010 - 10:28:58)
Quote (MoS. @ Wed - May 5 2010 - 09:23:27)


not very useful.


http://download.cnet.com/Trend-Micro-Hijac...4-10227353.html

run this/save a logfile/poop it

it should point out the path of the shit


Downloading ComboFix, Malware Bytes, and Hijack This

>.<
 
#708994 | Wed - May 5 2010 - 09:44:10
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Points: 381.50 $
CODE

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:46:43 AM, on 5/5/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Master\LOCALS~1\Temp\uxq9by.exe
C:\DOCUME~1\Master\LOCALS~1\Temp\lcibai.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
c:\lsass.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: C:\WINDOWS\system32\yl3y1aeb.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\yl3y1aeb.dll
O4 - HKLM\..\Run: [31480] C:\DOCUME~1\Master\LOCALS~1\Temp\lcibai.exe
O4 - HKLM\..\Policies\Explorer\Run: [50pfo] C:\DOCUME~1\Master\LOCALS~1\Temp\uxq9by.exe
O4 - HKUS\S-1-5-18\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\WINDOWS\TEMP\smss.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\WINDOWS\TEMP\smss.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=GRfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: GootkitSSO - {24ED5AE6-6131-4167-B283-6E52AAC30F52} - C:\WINDOWS\System32\msxsltsso.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: kjsfi8sjefiuoshiefyhiusdhfdf - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\yl3y1aeb.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6011 bytes
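The log above is readable by eye once you know what to look for: core Windows binaries running from the wrong directory (c:\lsass.exe, C:\WINDOWS\TEMP\svchost.exe), Run keys pointing into Temp, IE proxied through 127.0.0.1:5555, a BHO whose "name" is just its DLL path, and that BHO's CLSID reappearing as a SharedTaskScheduler entry. As an added example (not code from the thread or from HijackThis), the Python below applies those checks to an HJT log mechanically; the path heuristics and finding categories are my own assumptions, and the sample is an excerpt trimmed from the log posted in this thread.

```python
import re
from dataclasses import dataclass

# Core Windows XP binaries that should only run from %SystemRoot%\system32; a copy
# anywhere else (c:\lsass.exe, C:\WINDOWS\TEMP\svchost.exe) is a name masquerade.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)
# Locations legitimate software almost never autostarts from (assumed XP layout).
TEMP_RE = re.compile(r"\\(temp|locals~1)\\", re.I)
ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)  # file sitting in the drive root
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
O4_PATH_RE = re.compile(r"\]\s+(.+?)(?:\s+\(User '[^']*'\))?$")


@dataclass(frozen=True)
class Finding:
    kind: str   # category names are this example's own, not HijackThis terms
    line: str   # the HJT line that triggered the finding
    note: str


def check_path(path, line):
    """Flag an executable path that is wrong for what it claims to be."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in CORE_BINARIES and not SYSTEM32_RE.match(path):
        return Finding("masquerade", line, f"{name} running outside system32: {path}")
    if TEMP_RE.search(path) or ROOT_RE.match(path):
        return Finding("odd-location", line, f"executable in Temp or drive root: {path}")
    return None


def triage(log_text):
    """Walk an HJT log top to bottom; return Findings in log order for human review."""
    findings, flagged_clsids, in_processes = [], set(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:                       # blank line ends the process list
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            if in_processes:               # bare image paths, one per line
                f = check_path(line, line)
                if f:
                    findings.append(f)
            continue
        tag, body = m.groups()
        if tag in ("R0", "R1") and "ProxyServer" in body and "127.0.0.1" in body:
            findings.append(Finding("local-proxy", line,
                                    "IE routed through a local port; find the process listening there"))
        elif tag == "O2" and body.startswith("BHO: "):
            parts = body[5:].split(" - ")  # "<name> - {CLSID} - <dll path>"
            if len(parts) == 3 and (parts[0].lower() == parts[2].lower() or TEMP_RE.search(parts[2])):
                flagged_clsids.add(parts[1].lower())
                findings.append(Finding("unnamed-bho", line, "BHO with no product name, only a path"))
        elif tag == "O4":
            pm = O4_PATH_RE.search(body)   # "<hive>\..\Run: [value] <path> (User '...')"
            f = check_path(pm.group(1), line) if pm else None
            if f:
                findings.append(f)
        elif tag == "O21":
            findings.append(Finding("ssodl", line,
                                    "ShellServiceObjectDelayLoad hook; few legitimate programs use it, verify the DLL"))
        elif tag == "O22":
            cm = CLSID_RE.search(body)
            if cm and cm.group(0).lower() in flagged_clsids:
                findings.append(Finding("clsid-reuse", line, "same CLSID as a flagged BHO: a second persistence hook"))
    return findings


# Excerpt of the HijackThis log posted in this thread (constructed by trimming it).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\svchost.exe
C:\DOCUME~1\Master\LOCALS~1\Temp\uxq9by.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\lsass.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: C:\WINDOWS\system32\yl3y1aeb.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\yl3y1aeb.dll
O4 - HKLM\..\Run: [31480] C:\DOCUME~1\Master\LOCALS~1\Temp\lcibai.exe
O4 - HKUS\S-1-5-18\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\WINDOWS\TEMP\smss.exe (User 'SYSTEM')
O21 - SSODL: GootkitSSO - {24ED5AE6-6131-4167-B283-6E52AAC30F52} - C:\WINDOWS\System32\msxsltsso.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: kjsfi8sjefiuoshiefyhiusdhfdf - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\yl3y1aeb.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.note}")
```

The output is a review list, not a verdict: a legitimate program can autostart from an odd place, so each finding still needs a human to check the file's publisher before anything is removed.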
 
#708996 | Wed - May 5 2010 - 09:48:14
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Points: 7,730.25 $
lsass.exe
 
#708997 | Wed - May 5 2010 - 09:48:40
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Points: 7,730.25 $
Quote (randomtask @ Wed - May 5 2010 - 10:48:14)
lsass.exe


run the program again, click the check box next to this, click fix selected

see if it works or not
 
#708998 | Wed - May 5 2010 - 09:48:55
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Points: 381.50 $
Quote (randomtask @ Wed - May 5 2010 - 09:48:14)
lsass.exe


Yeah, no idea what that is; when I went to try to terminate it in the Task Manager it said it was unable to do so.
 
#708999 | Wed - May 5 2010 - 09:49:53
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Points: 381.50 $
Quote (randomtask @ Wed - May 5 2010 - 09:48:40)
Quote (randomtask @ Wed - May 5 2010 - 10:48:14)
lsass.exe


run the program again, click the check box next to this, click fix selected

see if it works or not


Currently doing a Quick Scan with this MalwareBytes program, says lots of shits infected so far.

Will do that once this is done.
 
#709000 | Wed - May 5 2010 - 09:50:24
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Points: 7,730.25 $
Quote (MoS. @ Wed - May 5 2010 - 10:48:55)
Quote (randomtask @ Wed - May 5 2010 - 09:48:14)
lsass.exe


Yeah, no idea what that is; when I went to try to terminate it in the Task Manager it said it was unable to do so.


http://www.liutilities.com/products/wintas...slibrary/lsass/

[etc]
 
#709002 | Wed - May 5 2010 - 09:53:00
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Points: 381.50 $
Quote (MoS. @ Wed - May 5 2010 - 09:49:53)
Quote (randomtask @ Wed - May 5 2010 - 09:48:40)
Quote (randomtask @ Wed - May 5 2010 - 10:48:14)
lsass.exe


run the program again, click the check box next to this, click fix selected

see if it works or not


Currently doing a Quick Scan with this MalwareBytes program, says lots of shits infected so far.

Will do that once this is done.


Quick Scan does not seem to be so quick.
 
#709005 | Wed - May 5 2010 - 09:55:06
Group: Members
Posts: 22,70420k
Joined: Oct 22 2006
Points: 1,044.55
dont stream porn during raid time
 
#709006 | Wed - May 5 2010 - 09:55:09
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Points: 7,730.25 $
Quote (MoS. @ Wed - May 5 2010 - 10:53:00)
Quote (MoS. @ Wed - May 5 2010 - 09:49:53)
Quote (randomtask @ Wed - May 5 2010 - 09:48:40)
Quote (randomtask @ Wed - May 5 2010 - 10:48:14)
lsass.exe


run the program again, click the check box next to this, click fix selected

see if it works or not


Currently doing a Quick Scan with this MalwareBytes program, says lots of shits infected so far.

Will do that once this is done.


Quick Scan does not seem to be so quick.


wouldnt want to miss raid tn8!
 
#709008 | Wed - May 5 2010 - 09:58:04
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Points: 381.50 $
Quote (randomtask @ Wed - May 5 2010 - 09:55:09)
Quote (MoS. @ Wed - May 5 2010 - 10:53:00)
Quote (MoS. @ Wed - May 5 2010 - 09:49:53)
Quote (randomtask @ Wed - May 5 2010 - 09:48:40)
Quote (randomtask @ Wed - May 5 2010 - 10:48:14)
lsass.exe


run the program again, click the check box next to this, click fix selected

see if it works or not


Currently doing a Quick Scan with this MalwareBytes program, says lots of shits infected so far.

Will do that once this is done.


Quick Scan does not seem to be so quick.


wouldnt want to miss raid tn8!


More interested in what the difference between "Quick Scan" and "Full Scan" is if this is taking so long.
 
#709009 | Wed - May 5 2010 - 09:58:26
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Points: 381.50 $
Quote (MoS. @ Wed - May 5 2010 - 09:58:04)
Quote (randomtask @ Wed - May 5 2010 - 09:55:09)
Quote (MoS. @ Wed - May 5 2010 - 10:53:00)
Quote (MoS. @ Wed - May 5 2010 - 09:49:53)
Quote (randomtask @ Wed - May 5 2010 - 09:48:40)
Quote (randomtask @ Wed - May 5 2010 - 10:48:14)
lsass.exe


run the program again, click the check box next to this, click fix selected

see if it works or not


Currently doing a Quick Scan with this MalwareBytes program, says lots of shits infected so far.

Will do that once this is done.


Quick Scan does not seem to be so quick.


wouldnt want to miss raid tn8!


More interested in what the difference between "Quick Scan" and "Full Scan" is if this is taking so long.


And I am not up for loot.
 
#709015 | Wed - May 5 2010 - 10:08:37
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Points: 381.50 $
CODE

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4069

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

5/5/2010 11:11:32 AM
mbam-log-2010-05-05 (11-11-32).txt

Scan type: Quick scan
Objects scanned: 136421
Time elapsed: 19 minute(s), 37 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 4
Registry Keys Infected: 29
Registry Values Infected: 8
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 60

Memory Processes Infected:
C:\WINDOWS\Temp\svchost.exe (Trojan.Clicker) -> Unloaded process successfully.
C:\Documents and Settings\Master\Local Settings\Temp\uxq9by.exe (Trojan.VBKrypt) -> Unloaded process successfully.
c:\lsass.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\nmklo.dll (Worm.Mariofev) -> Delete on reboot.
C:\WINDOWS\system32\msxsltsso.dll (Trojan.GootKit) -> Delete on reboot.
C:\WINDOWS\system32\yl3y1aeb.dll (Trojan.Ertfor) -> Delete on reboot.
C:\Documents and Settings\Master\Local Settings\Temp\qb8ad7d.dll (Trojan.Ertfor) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0fb18f7e-af26-4599-844d-e239c155a084} (Trojan.GootKit) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{24ed5ae6-6131-4167-b283-6e52aac30f52} (Trojan.GootKit) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5ea9be80-7c81-49d8-bfed-be937964b004} (Trojan.GootKit) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{64315ebb-03fb-4dfb-ba56-97e90e299b74} (Trojan.GootKit) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7a9590f2-3733-431f-976e-563a9f482f4a} (Trojan.GootKit) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{90d1848d-15b9-487d-82a8-ade16050efe7} (Trojan.GootKit) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bf59c009-1ee7-405c-ae72-e4d602aee03e} (Trojan.GootKit) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appilat_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gootkitsso (Trojan.GootKit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\50pfo (Trojan.VBKrypt) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Master\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Master\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Master\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\16037017 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\yl3y1aeb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nmklo.dll (Spyware.Agent.H) -> Delete on reboot.
C:\WINDOWS\Temp\svchost.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxsltsso.dll (Trojan.GootKit) -> Delete on reboot.
C:\Documents and Settings\Master\Local Settings\Temp\uxq9by.exe (Trojan.VBKrypt) -> Delete on reboot.
C:\Documents and Settings\Master\Local Settings\Temp\qb8ad7d.dll (Trojan.Ertfor) -> Delete on reboot.
C:\WINDOWS\Temp\smss.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cooper.mine (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\62.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\lscwmci.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\zrgsjsmc5.sys (Rootkit.Tent) -> Delete on reboot.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\854123118.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\8b8af799.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\9E.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\avp32.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\BN98.tmp (Trojan.Otlard) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\drweb.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\hexdump.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\install.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\j0w56g.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\kh3j6910.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\kqxic87txy.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\login.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\mdm.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\qb8ad7d.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\smss.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\thwbqhf.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\uxq9by.exe (Trojan.VBKrypt) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\win16.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\winamp.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\wko8koo9.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Master\Local Settings\Temp\j0w56g.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\2401735792.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\2448221990.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\avp.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\debug.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win16.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\hexdump.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\iexplarer.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\login.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\notepad.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\taskmgr.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\user.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\0KB4VZZ3\rvqxfn[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\KI0RPKSM\oriqbjdp[1].htm (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\LJQRKVHG\hypwhc[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\LJQRKVHG\yptozgozmu[1].htm (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Master\Local Settings\Temporary Internet Files\Content.IE5\0KB4VZZ3\rvqxfn[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Master\Local Settings\Temporary Internet Files\Content.IE5\KI0RPKSM\oriqbjdp[1].htm (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Master\Local Settings\Temporary Internet Files\Content.IE5\LJQRKVHG\yptozgozmu[1].htm (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Master\Local Settings\Temporary Internet Files\Content.IE5\LJQRKVHG\hypwhc[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\16037017\16037017.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h7t.wt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgtd.ruy (Malware.Trace) -> Quarantined and deleted successfully.
C:\lsass.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.
 
#709016 | Wed - May 5 2010 - 10:10:42
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Contact: Offline PM
Points: 7,730.25 $
looks like it worked
 
#709017 | Wed - May 5 2010 - 10:12:04
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Contact: Offline PM
Points: 7,730.25 $
make sure you allow the program to do whatever it wants when you reboot, it has to run before all the shit gets loaded again otherwise the shit won't let the antivirus delete it
 
#709018 | Wed - May 5 2010 - 10:13:09
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Contact: Offline PM
Points: 381.50 $
Let MalwareBytes do its thing, rebooted, same problems.
 
#709019 | Wed - May 5 2010 - 10:13:23
Group: Members
Posts: 74,19840k
Joined: Oct 25 2006
Contact: Offline PM
Points: 6,883.75 $ $
.

This post has been edited by blind_chief on Wed - May 5 2010 - 10:17:20
 
#709024 | Wed - May 5 2010 - 10:19:03
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Contact: Offline PM
Points: 7,730.25 $
Quote (MoS. @ Wed - May 5 2010 - 11:13:09)
Let MalwareBytes do its thing, rebooted, same problems.


new hjt log proal
 
#709026 | Wed - May 5 2010 - 10:20:37
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Contact: Offline PM
Points: 7,730.25 $
Quote (randomtask @ Wed - May 5 2010 - 11:19:03)
Quote (MoS. @ Wed - May 5 2010 - 11:13:09)
Let MalwareBytes do its thing, rebooted, same problems.


new hjt log proal


what most likely happened was the main virus executable saw it was missing files (that were deleted by malwarebytes) and then reproduced them before malwarebytes could delete the entire thing
 
#709027 | Wed - May 5 2010 - 10:21:31
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Contact: Offline PM
Points: 7,730.25 $
Quote (randomtask @ Wed - May 5 2010 - 11:20:37)
Quote (randomtask @ Wed - May 5 2010 - 11:19:03)
Quote (MoS. @ Wed - May 5 2010 - 11:13:09)
Let MalwareBytes do its thing, rebooted, same problems.


new hjt log proal


what most likely happened was the main virus executable saw it was missing files (that were deleted by malwarebytes) and then reproduced them before malwarebytes could delete the entire thing


which is why most of the fixes for shit like this involves booting into safe mode (no executables besides the core windows programs are loaded), then specifically pinpointing them and deleting them by hand
 
#709030 | Wed - May 5 2010 - 10:24:12
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Contact: Offline PM
Points: 7,730.25 $
if we were in Joe's basement i could just turn my chair around and fix it for you, what a shame
 
#709033 | Wed - May 5 2010 - 10:26:14
Group: Guest
Posts: 7,189
Joined: Mar 13 2007
Contact: Offline PM
Points: 0.00
reformat
 
#709036 | Wed - May 5 2010 - 10:27:49
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Contact: Offline PM
Points: 381.50 $
Quote (randomtask @ Wed - May 5 2010 - 10:24:12)
if we were in Joe's basement i could just turn my chair around and fix it for you, what a shame


 
#709039 | Wed - May 5 2010 - 10:30:13
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Contact: Offline PM
Points: 381.50 $
CODE

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:33:26 AM, on 5/5/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\DOCUME~1\Master\LOCALS~1\Temp\lcibai.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
c:\lsass.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [31581] C:\DOCUME~1\Master\LOCALS~1\Temp\lcibai.exe
O8 - Extra context menu item: &Search - ?p=GRfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: GootkitSSO - {99308BCA-D80F-4A7D-8400-ADAE21C71495} - C:\WINDOWS\System32\msxsltsso.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5264 bytes
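As an added example (not code from the thread), a small Python triage script that applies the checks randomtask is doing by eye to lines shaped like the HijackThis log above: a core binary such as lsass.exe running from somewhere other than system32, executables started from a Temp directory (in processes or Run keys), a browser proxy pointed at 127.0.0.1, and SSODL shell-load DLLs. The sample lines are constructed from entries in that log; the set of system-only binaries is an assumption.

```python
import re

# Constructed sample in the shape of the HijackThis log above: a few of its
# "Running processes" paths plus its R1 proxy, O4 Run-key and O21 SSODL lines.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\system32\\lsass.exe
C:\\DOCUME~1\\Master\\LOCALS~1\\Temp\\lcibai.exe
C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
c:\\lsass.exe

R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\\..\\Run: [31581] C:\\DOCUME~1\\Master\\LOCALS~1\\Temp\\lcibai.exe
O21 - SSODL: GootkitSSO - {99308BCA-D80F-4A7D-8400-ADAE21C71495} - C:\\WINDOWS\\System32\\msxsltsso.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Assumed list of core binaries that legitimately run only from %SystemRoot%\system32 on XP.
SYSTEM_ONLY = {"lsass.exe", "svchost.exe", "smss.exe", "winlogon.exe", "services.exe", "csrss.exe"}
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\temporary internet files\\")


def suspicious_path(path):
    """Reason an executable path looks suspicious, or None if it looks normal."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name in SYSTEM_ONLY and not p.startswith("c:\\windows\\system32\\"):
        return f"{name} running outside system32 (name masquerade)"
    if any(marker in p for marker in TEMP_MARKERS):
        return "executable launched from a temp directory"
    return None


def triage(log):
    """Return (section, line, reason) for every HijackThis line worth a look."""
    findings = []
    for line in (raw.strip() for raw in log.splitlines()):
        if re.match(r"[a-z]:\\", line, re.I):  # a "Running processes" entry
            if reason := suspicious_path(line):
                findings.append(("process", line, reason))
            continue
        m = re.match(r"(O\d+|R\d) - (.*)", line)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "R1" and "ProxyServer" in body and "127.0.0.1" in body:
            findings.append((kind, line, "browser proxy pointed at localhost (traffic interception)"))
        elif kind == "O4" and (reason := suspicious_path(body.split("] ", 1)[-1])):
            findings.append((kind, line, "autorun: " + reason))
        elif kind == "O21":
            findings.append((kind, line, "SSODL DLL loaded by Explorer at logon; verify its publisher"))
    return findings
```

Running `triage(SAMPLE_LOG)` on the sample flags the Temp-launched lcibai.exe, the lsass.exe at the root of C:, the localhost proxy, the Run key and the SSODL entry, and passes the system32 lsass.exe, IEXPLORE.EXE and the NVIDIA service.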
 
#709040 | Wed - May 5 2010 - 10:33:48
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Contact: Offline PM
Points: 7,730.25 $
did you try "fix"ing the c:\lsass.exe with hjt yet

clearly the system32\lsass.exe, but the one running str8 from c
 
#709042 | Wed - May 5 2010 - 10:36:57
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Contact: Offline PM
Points: 381.50 $
Quote (randomtask @ Wed - May 5 2010 - 10:33:48)
did you try "fix"ing the c:\lsass.exe with hjt yet

clearly the system32\lsass.exe, but the one running str8 from c


How?

It doesn't show up in Hijack This list, only in the processes being run, but clearly the list of things I can check.
 
#709044 | Wed - May 5 2010 - 10:40:09
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Contact: Offline PM
Points: 7,730.25 $
Quote (MoS. @ Wed - May 5 2010 - 11:36:57)
Quote (randomtask @ Wed - May 5 2010 - 10:33:48)
did you try "fix"ing the c:\lsass.exe with hjt yet

clearly the system32\lsass.exe, but the one running str8 from c


How?

It doesn't show up in Hijack This list, only in the processes being run, but clearly the list of things I can check.


oh, donno

try rebooting into safe mode (f8 during startup), manually deleting lsass.exe, then running malwarebytes whilst you are in safe mode

if you want to go all out, save that malwarebytes log you pooped a few poops ago into a txt file, then go through and look for everything listed on that list (files and registry) and delete it all by hand

 
#709045 | Wed - May 5 2010 - 10:41:31
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Contact: Offline PM
Points: 7,730.25 $
and you might as well delete punkbuster and that cd burner shit whilst you're at it, if you don't ever use those things there's nn to have them running at all times, no matter how minuscule the memory usage might be
 
#709048 | Wed - May 5 2010 - 10:45:31
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Contact: Offline PM
Points: 381.50 $
Quote (randomtask @ Wed - May 5 2010 - 10:41:31)
and you might as well delete punkbuster and that cd burner shit whilst you're at it, if you don't ever use those things there's nn to have them running at all times, no matter how minuscule the memory usage might be


No idea what the PnkBstrA & PnkBstrB shit is.

AFK reboot into fag mode
 
#709050 | Wed - May 5 2010 - 10:52:10
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Contact: Offline PM
Points: 7,730.25 $
Quote (MoS. @ Wed - May 5 2010 - 11:45:31)
Quote (randomtask @ Wed - May 5 2010 - 10:41:31)
and you might as well delete punkbuster and that cd burner shit whilst you're at it, if you don't ever use those things there's nn to have them running at all times, no matter how minuscule the memory usage might be


No idea what the PnkBstrA & PnkBstrB shit is.

AFK reboot into fag mode


proprietary software that some online games make mandatory to make sure you aren't hacking, like warden
 
#709059 | Wed - May 5 2010 - 11:12:11
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Contact: Offline PM
Points: 381.50 $
Went to Safe Mode, ran MalwareBytes again. Only had 6 infected files this time.

lsass was one of them.

Rebooted in normal mode, lsass still around, all previous problems still exist.
 
#709060 | Wed - May 5 2010 - 11:12:14
Group: Members
Posts: 26,99320k
Joined: Aug 30 2006
Contact: Offline PM
Points: 1,959.57
can i poop my hjt log itt for john also ?
 
#709061 | Wed - May 5 2010 - 11:12:42
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Contact: Offline PM
Points: 7,730.25 $
proal, but why
 
#709062 | Wed - May 5 2010 - 11:13:50
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Contact: Offline PM
Points: 7,730.25 $
Quote (MoS. @ Wed - May 5 2010 - 12:12:11)
Went to Safe Mode, ran MalwareBytes again.  Only had 6 infected files this time.

lsass was one of them.

Rebooted in normal mode, lsass still around, all previous problems still exist.


search some techie forums for a specific fix for lsass then, now that you know exactly what the big problem is, you should be able to find a solution out there somewhere
 
#709063 | Wed - May 5 2010 - 11:14:25
Group: Members
Posts: 27,88820k
Joined: Aug 31 2006
Contact: Offline PM
Points: 381.50 $
Quote (randomtask @ Wed - May 5 2010 - 11:13:50)
Quote (MoS. @ Wed - May 5 2010 - 12:12:11)
Went to Safe Mode, ran MalwareBytes again.  Only had 6 infected files this time.

lsass was one of them.

Rebooted in normal mode, lsass still around, all previous problems still exist.


search some techie forums for a specific fix for lsass then, now that you know exactly what the big problem is, you should be able to find a solution out there somewhere


Already on it chief.
 
#709065 | Wed - May 5 2010 - 11:14:39
Group: Members
Posts: 74,76940k
Joined: Aug 5 2007
Contact: Offline PM
Points: 7,730.25 $
Quote (MoS. @ Wed - May 5 2010 - 12:14:25)
Quote (randomtask @ Wed - May 5 2010 - 11:13:50)
Quote (MoS. @ Wed - May 5 2010 - 12:12:11)
Went to Safe Mode, ran MalwareBytes again.  Only had 6 infected files this time.

lsass was one of them.

Rebooted in normal mode, lsass still around, all previous problems still exist.


search some techie forums for a specific fix for lsass then, now that you know exactly what the big problem is, you should be able to find a solution out there somewhere


Already on it chief.


gz