MalwareRemoval.com

svchost opens multiple smtp connections


Post by helzayat » July 30th, 2008, 5:02 pm

After noticing my internet connection slowing down, I found that svchost.exe was opening multiple SMTP connections to various, and changing, servers. I have avast! 4.8 installed and updated, and a scan detected nothing, neither did online scans at Trend and Panda. I read about someone else having this problem and solving it by doing a system restore to a point before it started. When I tried to do a system restore, Windows went through the motions, rebooted, then told me it couldn't restore and that no changes had been made.
Using Sysinternals Process Explorer, I open the properties for svchost -k DcomLaunch (the offending instance of svchost) and under Threads, kill a bunch of "kernel32.dll!CreateThread+022" threads with high CSwitch Delta values, and this gets rid of the SMTP connections until the next reboot. Sysinternals RootkitRevealer found nothing interesting. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:48 PM, on 7/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\xRaidSetup.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\MAILFR~1\mantispm.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zinio\ZinioReader.exe
C:\Program Files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XII.SP2c\RpcAgentSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Matador] "C:\PROGRA~1\MAILFR~1\mantispm.exe" -quiet
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioReader.exe /autostart
O4 - HKCU\..\Run: [EPSON Stylus Photo R270 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNP.EXE /FU "C:\WINDOWS\TEMP\E_S68E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /FU "C:\WINDOWS\TEMP\E_S730.tmp" /EF "HKCU"
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Spyder3Utility.lnk = C:\Program Files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2766647870
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: dhcpmon32 - C:\WINDOWS\SYSTEM32\dhcpmon32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XII.SP2c\RpcAgentSrv.exe

--
End of file - 8186 bytes

As far as I can tell everything looks legitimate. Any ideas?
helzayat
Active Member
 
Posts: 12
Joined: July 30th, 2008, 4:35 pm
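Katana's reply further down picks the O20 Winlogon Notify entry out of this log by eye. As an added example (not from the thread or from HijackThis), here is a script that makes that first pass mechanically over a HijackThis 2.0 log: it parses the O-entries, always surfaces Winlogon Notify packages that Windows XP does not ship and anything in AppInit_DLLs, and queues unrecognised system32 binaries and path-less autostarts for a hash lookup. The two baseline sets are assumptions, not from the page, and the sample input is a constructed subset of the log above.

```python
"""Mechanical first pass over a HijackThis 2.0 log.

HijackThis lists autostarts but leaves the judgement to the reader.  This
helper parses the O-entries and queues the ones worth a hash lookup first.
"""
import re
from dataclasses import dataclass

# Assumed baseline (not from the thread): Winlogon Notify subkeys present on a
# stock Windows XP install.  Any other name is a candidate for submission.
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
# Assumed baseline (not from the thread): system32 files that commonly appear
# as autostarts on a clean XP box.  Deliberately short; extend it per site.
SYSTEM32_KNOWN = {"ctfmon.exe", "rundll32.exe", "nvcpl.dll", "nvmctray.dll",
                  "bthprops.cpl"}

ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|cpl|sys))\b", re.IGNORECASE)
BARE_RE = re.compile(r"^\[[^\]]+\]\s+([\w~.-]+\.(?:exe|dll))", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # O4, O20, O23, ...
    kind: str      # e.g. "Winlogon Notify" or "HKLM\..\Run"
    target: str    # path or bare file name exactly as the log shows it
    reason: str
    priority: int  # 1 = submit for scanning first


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                      # R-lines, headers, process list
    section, kind, rest = m.groups()
    pm = PATH_RE.search(rest)
    path = pm.group(1) if pm else None

    if section == "O20" and kind == "Winlogon Notify":
        # Notify DLLs are loaded into winlogon.exe at every logon event.
        name = rest.split(" - ", 1)[0].strip().lower()
        if name not in XP_DEFAULT_NOTIFY:
            return Finding(section, kind, path or rest,
                           "Winlogon Notify package not shipped with XP", 1)
        return None
    if section == "O20" and kind == "AppInit_DLLs":
        return Finding(section, kind, rest.strip(),
                       "AppInit_DLLs is set; verify each listed DLL", 2)
    if path is None:
        bm = BARE_RE.match(rest)
        if bm and section == "O4":
            return Finding(section, kind, bm.group(1),
                           "autostart without a full path (resolved via PATH)", 2)
        return None
    parent, fname = path.lower().rsplit("\\", 1)
    if parent.endswith("\\system32") and fname not in SYSTEM32_KNOWN:
        return Finding(section, kind, path,
                       "unrecognised file directly in system32", 2)
    return None


def triage(log_text: str) -> list:
    """All findings for a log, highest priority first (log order otherwise)."""
    found = [f for f in map(triage_line, log_text.splitlines()) if f]
    return sorted(found, key=lambda f: f.priority)


# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: dhcpmon32 - C:\WINDOWS\SYSTEM32\dhcpmon32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[P{f.priority}] {f.section} {f.kind}: {f.target} -- {f.reason}")
```

The output is a review queue, not a verdict: vendor drivers that drop into system32 will show up at priority 2 and are cleared by a hash lookup, exactly as the thread goes on to do for dhcpmon32.dll.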

Re: svchost opens multiple smtp connections

Post by MWR 3 day Mod » August 6th, 2008, 8:36 am

Hi, helzayat

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: svchost opens multiple smtp connections

Post by Katana » August 6th, 2008, 1:50 pm

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe


----------------------------------------------------------------------------------------


If you still require help please post a fresh HJT log along with the following


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list of the programs installed on your computer.
Click on the Save list button and specify where you would like to save this file.
When you press the Save button, a Notepad window will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: svchost opens multiple smtp connections

Post by helzayat » August 6th, 2008, 2:39 pm

Hello Katana and thank you for looking into this. Since I last posted, I reinstalled Windows (repair existing installation) and have not seen the problem since. However, since I really only replaced the Windows files and did not delete or uninstall anything, I worry that some malware still lurks in my computer.
Here is the list:
@BIOS
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Photoshop Lightroom 2
Adobe Reader 9
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Advanced WindowsCare Personal
AVG 8.0
Beyond Compare Version 2.5.3
Capture NX 2
Casper 5.0
CCleaner (remove only)
Downloader Pro
DriveImage XML
EPSON Printer Software
EPSON Scan
Free Download Manager 2.5
Free DWG Viewer 6.1
FreshDiagnose
FreshUI
Garmin WebUpdater
Gigabyte Raid Configurer
GnuWin32: Grep-2.5.1a-2
Google Earth
HijackThis 2.0.2
Indeo® Software
Intel® Matrix Storage Manager
IrfanView (remove only)
ISO Recorder
Java(TM) 6 Update 7
Lightroom
MailFrontier Desktop
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft AppLocale
Microsoft Color Control Panel Applet for Windows XP
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Application Compatibility Database
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser
NEC DISPLAY SOLUTIONS NaViSet
NEC DISPLAY SOLUTIONS: Monitor Installer
Nikon Message Center
Nokia Connectivity Cable Driver
Nokia Flashing Cable Driver
NVIDIA Drivers
OpenOffice.org 2.4
PDF Settings
PerformanceTest v6.1
Picasa 2
Picture Control Utility
QuadToneRIP
Quick Screen Capture 3.0
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Remove Duplicates from Outlook Express
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB923789)
SiSoftware Sandra Professional Home XII.SP2c
Skype™ 3.8
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Spyder3Elite
Spyder3Print
Sudoku
The Ultimate Troubleshooter
TreeSize Professional 5.1.1
Trillian
VideoLAN VLC media player 0.8.6i
ViewNX
WDCSAM Driver
Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM (12/05/2006 1.0.0007.0)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinZip 11.2
Xvid 1.1.3 final uninstall
Zinio Reader

And here is a fresh HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:37 PM, on 8/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XII.SP2c\RpcAgentSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\xRaidSetup.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zinio\ZinioReader.exe
C:\Program Files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\WINDOWS\system32\ntbackup.exe
C:\WINDOWS\system32\rsmsink.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\avgtoolbar.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Matador] "C:\PROGRA~1\MAILFR~1\mantispm.exe" -quiet
O4 - HKCU\..\Run: [EPSON Stylus Photo R270 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNP.EXE /FU "T:\Temp\E_S126.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /FU "T:\Temp\E_S122.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioReader.exe /autostart
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Spyder3Utility.lnk = C:\Program Files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7684064475
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: dhcpmon32 - C:\WINDOWS\SYSTEM32\dhcpmon32.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XII.SP2c\RpcAgentSrv.exe

--
End of file - 8896 bytes
helzayat
Active Member
 
Posts: 12
Joined: July 30th, 2008, 4:35 pm

Re: svchost opens multiple smtp connections

Post by Katana » August 6th, 2008, 3:08 pm

Submit a File For Analysis
We need to have the file below scanned by uploading it to VirusTotal.

Please visit VirusTotal
Copy/paste the following file path into the window
C:\WINDOWS\SYSTEM32\dhcpmon32.dll
Click Submit/Send File
Please post back to let me know the results.

If VirusTotal is too busy please try Jotti



Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site: ActiveScan
  • Click the Scan Now button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: svchost opens multiple smtp connections

Post by helzayat » August 6th, 2008, 3:40 pm

Here are the VirusTotal results:
ActiveScan in next post
File dhcpmon32.dll received on 08.06.2008 21:31:25 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.7.0 2008.08.06 -
AntiVir 7.8.1.15 2008.08.06 TR/Crypt.FKM.Gen
Authentium 5.1.0.4 2008.08.05 -
Avast 4.8.1195.0 2008.08.06 -
AVG 8.0.0.156 2008.08.06 -
BitDefender 7.2 2008.08.06 Trojan.Crypt.EN
CAT-QuickHeal 9.50 2008.08.06 -
ClamAV 0.93.1 2008.08.06 -
DrWeb 4.44.0.09170 2008.08.06 -
eSafe 7.0.17.0 2008.08.06 Suspicious File
eTrust-Vet 31.6.6015 2008.08.06 -
Ewido 4.0 2008.08.06 -
F-Prot 4.4.4.56 2008.08.05 -
F-Secure 7.60.13501.0 2008.08.06 -
Fortinet 3.14.0.0 2008.08.06 -
GData 2.0.7306.1023 2008.08.06 -
Ikarus T3.1.1.34.0 2008.08.06 -
K7AntiVirus 7.10.405 2008.08.06 -
Kaspersky 7.0.0.125 2008.08.06 -
McAfee 5355 2008.08.06 -
Microsoft 1.3807 2008.08.06 -
NOD32v2 3333 2008.08.06 -
Norman 5.80.02 2008.08.06 -
Panda 9.0.0.4 2008.08.06 -
PCTools 4.4.2.0 2008.08.06 -
Prevx1 V2 2008.08.06 -
Rising 20.56.22.00 2008.08.06 -
Sophos 4.31.0 2008.08.06 -
Sunbelt 3.1.1537.1 2008.08.06 -
Symantec 10 2008.08.06 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.06 -
VBA32 3.12.8.2 2008.08.05 -
ViRobot 2008.8.6.1326 2008.08.06 -
VirusBuster 4.5.11.0 2008.08.06 -
Webwasher-Gateway 6.6.2 2008.08.06 Trojan.Crypt.FKM.Gen
Additional information
File size: 10752 bytes
MD5...: 52527cd7a0e9ef8ff580ec4f48855b72
SHA1..: 7c6576e6b7fce069124406b253ea0f8e58e0b75d
SHA256: 181730143413e35dae333bdd9b7ffbd23e5ad988bed692036d657c6e72682ac9
SHA512: 6f2c7dbfbaaaad04adfd90ee9ba6238a4877d48088413fce09e7413dc0eb4bef2ef453937097c812d88265177f4e899768f9c49555007fdf570cc4fa944da547
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000ad90
timedatestamp.....: 0x480ccfb5 (Mon Apr 21 17:32:37 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x8000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x9000 0x2000 0x2000 7.84 aabf436b7f1d100b6472e7c345542c9a
.rsrc 0xb000 0x1000 0x600 2.69 f1840bc58a2a3959b35e3f6b5c98f346

( 1 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree

( 1 exports )
ucej
packers (F-Prot): UPX
packers (Kaspersky): PE_Patch.UPX, UPX
helzayat
Active Member
 
Posts: 12
Joined: July 30th, 2008, 4:35 pm
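Only four of the thirty-six engines flagged the file, and the poster's own avast! is among those that did not, yet the PEInfo block in the same report says a lot on its own. As an added example (not from the thread or from VirusTotal), here is a parser for the flat-text report above that pairs the detection ratio with the packing indicators in that block: UPX section names, a section with virtual size but no bytes on disk (its MD5 is the MD5 of empty input), near-maximal entropy, an import table reduced to the loader stub, and a lone four-letter export. The sample input is a constructed subset of the rows above; the entropy threshold and the loader-stub import set are assumptions.

```python
"""Second look at a VirusTotal text report when few engines fire.

The PEInfo block of the same report carries the classic marks of a packed
payload; this parser computes the detection ratio and lists those indicators
so both are weighed together rather than trusting the ratio alone.
"""
import hashlib
import re
from dataclasses import dataclass, field

ENGINE_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
SECTION_ROW = re.compile(r"^(\S+)\s+0x[0-9a-f]+\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)"
                         r"\s+([\d.]+)\s+([0-9a-f]{32})$")
IMPORT_ROW = re.compile(r"^>\s*([^:]+):\s*(.+)$")

# Assumed: the UPX decompression stub needs only these imports; a module that
# imports nothing else keeps its real import table inside the compressed data.
LOADER_STUB = {"LoadLibraryA", "GetProcAddress", "VirtualProtect",
               "VirtualAlloc", "VirtualFree"}


@dataclass
class Triage:
    engines: int = 0
    detections: dict = field(default_factory=dict)   # engine -> label
    indicators: list = field(default_factory=list)   # (tag, detail)

    def ratio(self):
        return len(self.detections), self.engines


def triage_report(text: str) -> Triage:
    t, imports, exports, block = Triage(), {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            block = None                 # a blank line ends a PEInfo block
            continue
        if line.startswith("(") and line.endswith(")"):
            block = line.strip("() ").split()[-1]   # data/sections/imports/exports
            continue
        if block == "imports":
            m = IMPORT_ROW.match(line)
            if m:
                imports[m.group(1).upper()] = {s.strip() for s in m.group(2).split(",")}
            continue
        if block == "exports":
            exports.append(line)
            continue
        m = SECTION_ROW.match(line)
        if m:
            name, vsize, rawsize, entropy, md5 = m.groups()
            vsize, rawsize, entropy = int(vsize, 16), int(rawsize, 16), float(entropy)
            if name.upper().startswith("UPX"):
                t.indicators.append(("upx-section", name))
            if vsize and not rawsize:    # unpack destination: exists only in memory
                t.indicators.append(("zero-raw-size", f"{name}: {vsize:#x} virtual, 0 on disk"))
            if not rawsize and md5 == hashlib.md5(b"").hexdigest():
                t.indicators.append(("empty-section-md5", name))   # hash of zero bytes
            if entropy >= 7.0:           # near-random bytes: compressed or encrypted
                t.indicators.append(("high-entropy", f"{name}: {entropy}"))
            continue
        m = ENGINE_ROW.match(line)
        if m:
            t.engines += 1
            if m.group(4).strip() != "-":
                t.detections[m.group(1)] = m.group(4).strip()
    if imports and set().union(*imports.values()) <= LOADER_STUB:
        t.indicators.append(("stub-imports-only", ", ".join(sorted(imports))))
    if len(exports) == 1:                # heuristic: one short export, no real API surface
        t.indicators.append(("single-export", exports[0]))
    return t


# Constructed input: a subset of the engine rows plus the PEInfo block of the
# report posted above, with the HTML <br> breaks restored to line breaks.
VT_REPORT = """
Antivirus Version Last Update Result
AntiVir 7.8.1.15 2008.08.06 TR/Crypt.FKM.Gen
Avast 4.8.1195.0 2008.08.06 -
BitDefender 7.2 2008.08.06 Trojan.Crypt.EN
eSafe 7.0.17.0 2008.08.06 Suspicious File
Kaspersky 7.0.0.125 2008.08.06 -
Webwasher-Gateway 6.6.2 2008.08.06 Trojan.Crypt.FKM.Gen

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x8000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x9000 0x2000 0x2000 7.84 aabf436b7f1d100b6472e7c345542c9a
.rsrc 0xb000 0x1000 0x600 2.69 f1840bc58a2a3959b35e3f6b5c98f346

( 1 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree

( 1 exports )
ucej
"""
```

Running `triage_report(VT_REPORT)` on the subset gives a 4/6 ratio and seven indicators; a packed 10 KB DLL registered as a Winlogon Notify package is worth removing on that evidence even when most engines report clean.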

Re: svchost opens multiple smtp connections

Post by helzayat » August 7th, 2008, 12:48 am

ActiveScan results:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-07 07:33:12
PROTECTIONS: 0
MALWARE: 37
SUSPECTS: 4
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Internet Security 8.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@atdmt[2].txt
00139535 Application/Processor HackTools No 0 Yes No Y:\Old Drive I - System\SDFix\apps\Process.exe
00139535 Application/Processor HackTools No 0 No No Y:\Old Drive G - New Volume\Hassan\SDFix.exe[Y:\Old Drive G - New Volume\Hassan\SDFix.exe][SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\SDFix\apps\Process.exe
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@mediaplex[2].txt
00145786 Cookie/LinkExchange TrackingCookie No 0 Yes No Y:\Old Drive C - HOME\WINDOWS\Cookies\leonardo@linkexchange.txt
00145786 Cookie/LinkExchange TrackingCookie No 0 Yes No Y:\Old Drive C - HOME\WINDOWS\Cookies\marianao@linkexchange.txt
00145786 Cookie/LinkExchange TrackingCookie No 0 Yes No Y:\Old Drive C - HOME\WINDOWS\Cookies\hassan@linkexchange[3].txt
00145786 Cookie/LinkExchange TrackingCookie No 0 Yes No Y:\Old Drive C - HOME\WINDOWS\Cookies\amr@linkexchange.txt
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.anm.co.uk/]
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.anm.co.uk/]
00147517 Cookie/Versiontracker TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@www.versiontracker[1].txt
00148914 Cookie/Tucows TrackingCookie No 0 Yes No Y:\Old Drive I - System\Documents and Settings\hassan\Application Data\Mozilla\Firefox\Profiles\default.pqh\cookies-7.txt[.tucows.com/]
00148914 Cookie/Tucows TrackingCookie No 0 Yes No Y:\Old Drive C - HOME\WINDOWS\Cookies\hassan@tucows(1).txt
00148914 Cookie/Tucows TrackingCookie No 0 Yes No Y:\Old Drive C - HOME\WINDOWS\Cookies\marianao@tucows.txt
00148914 Cookie/Tucows TrackingCookie No 0 Yes No Y:\Old Drive I - System\Documents and Settings\hassan\Application Data\Mozilla\Firefox\Profiles\default.pqh\cookies-7.txt[.tucows.com/]
00148914 Cookie/Tucows TrackingCookie No 0 Yes No Y:\Old Drive I - System\Documents and Settings\hassan\Application Data\Mozilla\Firefox\Profiles\default.pqh\cookies-7.txt[.tucows.com/]
00161845 Cookie/Powerscan TrackingCookie No 0 Yes No Y:\Old Drive C - HOME\WINDOWS\Cookies\hassan@gammae[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No Y:\Old Drive I - System\Documents and Settings\hassan\Application Data\Mozilla\Firefox\Profiles\default.pqh\cookies-8.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@com[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No Y:\Old Drive I - System\Documents and Settings\hassan\Application Data\Mozilla\Firefox\Profiles\default.pqh\cookies-7.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No Y:\Old Drive I - System\Documents and Settings\hassan\Application Data\Mozilla\Firefox\Profiles\default.pqh\cookies-4.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.com.com/]
00167679 Cookie/Toplist TrackingCookie No 0 Yes No Y:\Old Drive C - HOME\WINDOWS\Cookies\hassan@www.toplist[3].txt
00167679 Cookie/Toplist TrackingCookie No 0 Yes No Y:\Old Drive C - HOME\WINDOWS\Cookies\hassan@www.toplist[4].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.xiti.com/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[.xiti.com/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No Y:\Old Drive I - System\Documents and Settings\hassan\Application Data\Mozilla\Firefox\Profiles\default.pqh\cookies.txt[.xiti.com/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Cookies\hassan@xiti[1].txt
00167709 Cookie/fe.lea.lycos TrackingCookie No 0 Yes No Y:\Old Drive I - System\Documents and Settings\hassan\Application Data\Mozilla\Firefox\Profiles\default.pqh\cookies-8.txt[fe.lea.lycos.fr/]
00167749 Cookie/Toplist TrackingCookie No 0 Yes No Y:\Old Drive C - HOME\WINDOWS\Cookies\hassan@toplist[1].txt
00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.club.cdfreaks.com/]
00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.club.cdfreaks.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@apmebf[1].txt
00168077 Cookie/Versiontracker TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@versiontracker[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@bs.serving-sys[2].txt
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.cdfreaks.com/]
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.cdfreaks.com/]
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.cdfreaks.com/]
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.cdfreaks.com/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[server.iad.liveperson.net/hc/12511569]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[server.iad.liveperson.net/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[server.iad.liveperson.net/hc/8544611]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[stat.onestat.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[stat.onestat.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[stat.onestat.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[stat.onestat.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@advertising[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@statse.webtrendslive[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@ads.pointroll[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[.ads.pointroll.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@zedo[2].txt
00172447 Cookie/Inet-Traffic TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.inet-traffic.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@adrevolver[2].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.adultfriendfinder.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No Y:\Old Drive C - HOME\WINDOWS\Cookies\hassan@go[3].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.go.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[.target.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.did-it.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No Z:\PortableApps\PortableApps\FirefoxPortable\Data\profile\cookies.txt[.atwola.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No Y:\Old Drive D - XPSP2\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\3jat47hq.default\cookies.txt[.atwola.com/]
01262593 Application/NirCmd.A HackTools No 0 No No Y:\Old Drive G - New Volume\Hassan\ComboFix.exe[Y:\Old Drive G - New Volume\Hassan\ComboFix.exe][327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No Y:\Old Drive G - New Volume\Hassan\ComboFix.exe[Y:\Old Drive G - New Volume\Hassan\ComboFix.exe][327882R2FWJFW\nircmd.com]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No Y:\Old Drive G - New Volume\Hassan\2006\spampal-1.73g-beta(2).exe
No Y:\Old Drive G - New Volume\Hassan\2006\spampal-1.73g-beta.exe
No Y:\Old Drive I - System\Program Files\CFi\ShellToys\eject.exe
No Y:\Old Drive I - System\WINDOWS\system32\DownloadManager.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
helzayat
Active Member
 
Posts: 12
Joined: July 30th, 2008, 4:35 pm
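As an added example, not part of the thread or of any scanner's own code: a small Python parser for the Panda ActiveScan report format posted above, which groups the findings the way the helper reads them (tracking cookies versus HackTools signatures that sit inside old removal-tool packages) and flags anything the scanner marks Active. The report excerpt is constructed from rows quoted in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the ActiveScan report above (rows copied from the post,
# separator lines shortened). Layout: header counters, then one section per
# keyword line (PROTECTIONS / MALWARE / SUSPECTS / VULNERABILITIES).
SAMPLE_REPORT = r"""
;****
ANALYSIS: 2008-08-07 07:33:12
PROTECTIONS: 0
MALWARE: 37
SUSPECTS: 4
;****
PROTECTIONS
Description Version Active Updated
;====
AVG Internet Security 8.0 Yes Yes
;====
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;====
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No F:\Documents and Settings\Hassan\Cookies\hassan@atdmt[2].txt
00139535 Application/Processor HackTools No 0 Yes No Y:\Old Drive I - System\SDFix\apps\Process.exe
00139535 Application/Processor HackTools No 0 No No Y:\Old Drive G - New Volume\Hassan\SDFix.exe[Y:\Old Drive G - New Volume\Hassan\SDFix.exe][SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\SDFix\apps\Process.exe
01262593 Application/NirCmd.A HackTools No 0 No No Y:\Old Drive G - New Volume\Hassan\ComboFix.exe[Y:\Old Drive G - New Volume\Hassan\ComboFix.exe][327882R2FWJFW\nircmd.cfexe]
;====
SUSPECTS
Sent Location
;====
No Y:\Old Drive I - System\WINDOWS\system32\DownloadManager.exe
;====
VULNERABILITIES
Id Severity Description
;====
"""

# A MALWARE row: 8-digit id, a description that may contain spaces, a type token,
# Yes/No, numeric severity, Yes/No, Yes/No, then the location (may contain spaces).
# The non-greedy description stops at the first token followed by a valid tail.
ROW_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<location>.+)$"
)
SUSPECT_RE = re.compile(r"^(?P<sent>Yes|No)\s+(?P<location>.+)$")
SECTIONS = {"PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"}


@dataclass
class Finding:
    id: str
    description: str
    type: str
    active: bool
    severity: int
    disinfectable: bool
    disinfected: bool
    location: str


def parse_report(text):
    """Return (findings, suspect_paths) from an ActiveScan text report."""
    section = None
    findings, suspects = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or ';' separator/comment line
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "MALWARE":
            m = ROW_RE.match(line)  # the column-header line has no 8-digit id, so it is skipped
            if m:
                findings.append(Finding(
                    m["id"], m["desc"], m["type"], m["active"] == "Yes",
                    int(m["severity"]), m["disinfectable"] == "Yes",
                    m["disinfected"] == "Yes", m["location"]))
        elif section == "SUSPECTS":
            m = SUSPECT_RE.match(line)  # "Sent Location" header does not match
            if m:
                suspects.append(m["location"])
    return findings, suspects


def triage(findings, suspects):
    """Summarise the report the way a helper reads it: what types were hit,
    whether anything is actually active, and which files carry HackTools hits."""
    by_type = Counter(f.type for f in findings)
    active = [f for f in findings if f.active]
    # For archive members the location is "outer[outer][member]"; keep only the
    # outer file so each old removal-tool package is listed once.
    containers = sorted({f.location.split("[", 1)[0]
                         for f in findings if f.type == "HackTools"})
    return {"by_type": dict(by_type), "active": active,
            "hacktool_containers": containers, "suspects": suspects}


if __name__ == "__main__":
    found, sus = parse_report(SAMPLE_REPORT)
    summary = triage(found, sus)
    print("hits by type:", summary["by_type"])
    print("active findings:", len(summary["active"]))
    for path in summary["hacktool_containers"]:
        print("HackTools signature inside:", path)
    for path in summary["suspects"]:
        print("suspect (not sent):", path)
```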

Re: svchost opens multiple smtp connections

Unread postby Katana » August 7th, 2008, 4:21 am

There is still no sign of active malware, just a few cookies and old tools

Please delete the following as they are out of date

Y:\Old Drive I - System\SDFix << This folder
Y:\Old Drive G - New Volume\Hassan\SDFix.exe << This file
C:\SDFix << This folder
Y:\Old Drive G - New Volume\Hassan\ComboFix.exe << This file



Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: svchost opens multiple smtp connections

Unread postby helzayat » August 7th, 2008, 5:09 am

ComboFix log:
ComboFix 08-08-06.02 - Hassan 2008-08-07 12:01:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2837 [GMT 3:00]
Running from: C:\Documents and Settings\Hassan\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
C:\WINDOWS\system32\eWebControl.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-07 11:22 . 2008-08-07 11:22 <DIR> d-------- C:\Downloads
2008-08-07 10:26 . 2008-08-07 10:26 <DIR> d-------- C:\temp\WPDNSE
2008-08-07 09:13 . 2008-08-07 09:14 <DIR> d-------- C:\temp\{9CFD87BD-8B3A-4880-925F-B6ADA2A6D26C}
2008-08-07 09:11 . 2008-08-07 11:02 <DIR> d-------- C:\temp
2008-08-06 22:44 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-06 22:24 . 2008-08-06 22:24 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-08-06 22:24 . 2008-08-06 22:28 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-08-06 22:24 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-08-06 21:56 . 2004-08-04 15:00 180,770 --a--c--- C:\WINDOWS\system32\dllcache\c_20932.nls
2008-08-06 21:55 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-08-06 21:55 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-08-06 21:55 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-08-06 21:55 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-08-06 21:55 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-08-06 21:55 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-08-06 21:55 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2008-08-06 21:55 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-08-06 21:54 . 2008-04-14 03:09 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-08-06 21:54 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-08-06 21:54 . 2008-04-14 03:09 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-08-06 21:54 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-08-06 19:46 . 2008-08-06 19:46 2,111 --a------ C:\ahci64.reg
2008-08-06 17:47 . 2008-08-06 18:54 <DIR> d-------- C:\Program Files\Quick Screen Capture
2008-08-06 17:47 . 2008-08-06 17:47 <DIR> d-------- C:\MyCaptures
2008-08-05 19:11 . 2008-08-05 19:20 <DIR> d-------- C:\Program Files\Netsniffer
2008-08-04 22:55 . 2008-08-04 22:55 <DIR> d-------- C:\Program Files\PerformanceTest
2008-08-04 21:56 . 2008-08-04 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-08-04 16:55 . 2008-08-04 16:55 <DIR> d-------- C:\Program Files\Future Systems Solutions
2008-08-04 16:55 . 2008-08-04 16:55 <DIR> d-------- C:\Documents and Settings\Hassan\Application Data\Future Systems Solutions
2008-08-04 16:55 . 2008-08-04 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Future Systems Solutions
2008-08-04 13:51 . 2008-08-04 13:51 <DIR> d-------- C:\WINDOWS\system32\ENU
2008-08-04 13:51 . 2008-05-23 15:26 1,034,776 --a------ C:\WINDOWS\system32\imsmudlg.exe
2008-08-04 13:51 . 2006-11-10 09:25 319,456 --a------ C:\WINDOWS\system32\difxapi.dll
2008-08-04 10:33 . 2008-08-04 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-08-03 00:22 . 2008-04-14 03:12 151,552 --a------ C:\WINDOWS\system32\irftp.exe
2008-08-03 00:22 . 2008-04-14 03:12 151,552 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2008-08-03 00:22 . 2008-04-14 03:11 28,160 --a------ C:\WINDOWS\system32\irmon.dll
2008-08-03 00:22 . 2008-04-14 03:11 28,160 --a--c--- C:\WINDOWS\system32\dllcache\irmon.dll
2008-08-03 00:22 . 2008-04-14 03:12 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2008-08-03 00:22 . 2008-04-14 03:12 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-08-02 17:50 . 2008-08-06 21:59 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-02 17:22 . 2008-04-23 07:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-02 17:22 . 2007-04-17 12:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-02 17:22 . 2007-03-08 08:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-02 17:22 . 2008-04-23 07:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-02 17:22 . 2008-04-23 07:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-02 17:22 . 2008-04-23 07:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-02 17:22 . 2008-04-23 07:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-08-02 17:22 . 2008-04-23 07:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-02 17:22 . 2008-04-22 10:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-02 17:10 . 2008-08-04 23:20 <DIR> d-------- C:\64-bit drivers
2008-08-02 17:08 . 2008-06-13 14:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-02 17:07 . 2008-05-08 17:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-02 16:21 . 2008-08-02 16:21 13,750 --a------ C:\WINDOWS\system32\wpa.bak
2008-08-02 16:15 . 2004-08-04 15:00 92,416 --a--c--- C:\WINDOWS\system32\dllcache\mga.sys
2008-08-02 16:14 . 2004-08-04 15:00 187,938 --a--c--- C:\WINDOWS\system32\dllcache\c_20005.nls
2008-08-02 16:13 . 2004-08-04 10:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-02 16:13 . 2008-08-02 16:13 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-02 16:13 . 2008-08-02 16:13 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-02 16:13 . 2008-08-02 16:13 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-02 16:13 . 2008-08-02 16:13 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-02 16:13 . 2008-08-02 16:13 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-02 16:13 . 2008-08-02 16:13 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-02 16:12 . 2004-08-04 15:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-08-02 11:39 . 2008-08-07 10:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-01 04:52 . 2008-08-01 04:52 <DIR> d-------- C:\Linksys Skype Phone
2008-08-01 04:06 . 2008-08-07 10:36 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-01 04:06 . 2008-08-01 04:06 <DIR> d-------- C:\Program Files\AVG
2008-08-01 04:06 . 2008-08-01 04:57 <DIR> d-------- C:\Documents and Settings\Hassan\Application Data\AVGTOOLBAR
2008-08-01 04:06 . 2008-08-01 04:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-01 04:06 . 2008-08-01 04:38 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-01 04:06 . 2008-08-01 04:06 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-01 04:06 . 2008-08-01 04:06 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll
2008-08-01 04:06 . 2008-08-01 04:06 23,296 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-08-01 04:06 . 2008-08-01 04:06 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-01 04:06 . 2008-08-01 04:06 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-01 03:55 . 2008-08-01 05:40 170,042 --a------ C:\WINDOWS\setupapi.old
2008-07-31 17:49 . 2008-07-31 17:49 <DIR> d-------- C:\Deckard
2008-07-31 17:48 . 2008-07-31 17:49 686,630 --a------ C:\Program Files\dss.exe
2008-07-31 17:30 . 2008-07-31 17:30 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-31 00:59 . 2008-07-26 12:48 195,235 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-07-31 00:17 . 2008-07-31 00:17 <DIR> d-------- C:\Documents and Settings\Hassan\Application Data\Malwarebytes
2008-07-31 00:17 . 2008-07-31 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 21:40 . 2008-07-30 21:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 19:49 . 2008-08-01 04:07 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-30 03:14 . 2008-08-06 22:41 <DIR> d-------- C:\Program Files\Panda Security
2008-07-30 03:03 . 2008-07-30 02:55 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-30 02:55 . 2008-07-30 03:04 <DIR> d-------- C:\Documents and Settings\Hassan\.housecall6.6
2008-07-30 01:10 . 2008-07-30 01:21 <DIR> d-------- C:\Documents and Settings\Hassan\Application Data\Download Manager
2008-07-29 15:09 . 2008-08-06 06:01 <DIR> d-------- C:\Program Files\Runtime Software
2008-07-29 11:59 . 2008-07-29 11:59 <DIR> d-------- C:\Program Files\Alex Feinman
2008-07-28 14:50 . 2008-07-28 14:50 <DIR> d-------- C:\WINDOWS\drivers
2008-07-28 14:50 . 2004-08-01 08:09 55,936 --a------ C:\WINDOWS\system32\drivers\ousb2hub.sys
2008-07-28 14:50 . 2004-08-01 08:09 44,928 --a------ C:\WINDOWS\system32\drivers\ousbehci.sys
2008-07-28 14:50 . 2004-09-01 14:30 9,984 --a------ C:\WINDOWS\system32\drivers\o1394b.sys
2008-07-27 22:36 . 2008-07-23 15:24 446,464 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-07-27 22:36 . 2008-07-26 12:48 446,464 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-07-27 22:36 . 2008-08-07 11:52 189,256 --a------ C:\WINDOWS\system32\nvapps.xml
2008-07-27 22:36 . 2008-07-26 12:48 18,335 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-07-27 22:31 . 2008-07-27 22:31 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-27 20:44 . 2008-07-27 20:44 <DIR> d-------- C:\Program Files\Pro Imaging Powertoys
2008-07-26 20:47 . 2008-07-26 20:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Application
2008-07-25 17:54 . 2008-07-25 17:54 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-25 17:54 . 2008-07-25 17:54 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-07-25 17:49 . 2008-07-25 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2008-07-25 17:27 . 2008-07-25 18:41 <DIR> d-------- C:\Program Files\Nokia
2008-07-25 17:27 . 2008-07-25 17:27 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-25 17:27 . 2008-07-25 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-07-25 17:27 . 2008-05-07 07:39 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-07-25 17:27 . 2008-05-07 07:38 659,968 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-07-25 17:27 . 2008-05-07 07:38 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-07-25 17:27 . 2008-05-07 07:38 20,864 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-07-25 17:27 . 2008-05-07 07:38 17,536 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-07-25 17:27 . 2008-05-07 07:38 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-07-25 17:27 . 2008-06-06 09:24 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-07-25 14:39 . 2008-07-25 14:41 <DIR> d-------- C:\Program Files\DAZ
2008-07-25 14:35 . 2008-07-25 14:35 <DIR> d-------- C:\Program Files\Common Files\DAZ
2008-07-23 20:03 . 2008-07-23 20:03 <DIR> d-------- C:\Garmin
2008-07-22 15:26 . 2008-07-22 15:26 52 --a------ C:\WINDOWS\MediaGUI.INI
2008-07-22 06:44 . 2008-07-22 06:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-22 06:44 . 2008-08-02 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-22 06:37 . 2008-07-22 06:37 <DIR> d-------- C:\Program Files\IObit
2008-07-21 22:22 . 2008-07-21 22:22 <DIR> d-------- C:\Program Files\GnuWin32
2008-07-21 13:15 . 2008-07-21 13:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Memeo
2008-07-21 12:53 . 2008-07-21 12:53 364,544 --a------ C:\WINDOWS\system32\WDBtnMgr.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 08:58 --------- d-----w C:\Program Files\Trillian
2008-08-06 17:43 --------- d-----w C:\Documents and Settings\Hassan\Application Data\OpenOffice.org2
2008-08-06 02:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-06 02:48 --------- d-----w C:\Program Files\NEC DISPLAY SOLUTIONS
2008-08-04 18:31 --------- d-----w C:\Program Files\Datacolor
2008-08-04 10:36 16,608 ----a-w C:\WINDOWS\gdrv.sys
2008-08-04 09:48 --------- d-----w C:\Program Files\Intel
2008-08-04 07:48 --------- d-----w C:\Program Files\GIGABYTE
2008-08-04 07:33 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-31 07:21 79,960 ----a-w C:\WINDOWS\system32\drivers\jraid.sys
2008-07-30 22:19 --------- d-----w C:\Program Files\Java
2008-07-28 15:35 --------- d-----w C:\Documents and Settings\Hassan\Application Data\Skype
2008-07-28 15:31 --------- d-----w C:\Documents and Settings\Hassan\Application Data\skypePM
2008-07-27 22:28 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
2008-07-26 18:41 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbx.DAT
2008-07-22 19:36 --------- d-----w C:\Program Files\Beyond Compare 2
2008-07-21 12:41 --------- d-----w C:\Program Files\Common Files\eSellerate
2008-07-21 10:43 --------- d-----w C:\Program Files\Western Digital Technologies
2008-07-17 18:14 --------- d-----w C:\Program Files\Common Files\Nikon
2008-07-12 08:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-06 11:56 --------- d-----w C:\Program Files\AnswersThatWork
2008-07-06 07:31 --------- d-----w C:\Program Files\QuickTime
2008-07-06 07:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-06 06:47 --------- d-----w C:\Program Files\Skype
2008-07-06 06:47 --------- d-----w C:\Program Files\Common Files\Skype
2008-07-06 06:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-07-06 06:42 --------- d-----w C:\Program Files\TjInit Utility
2008-07-05 12:53 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-07-05 07:36 --------- d-----w C:\Documents and Settings\Hassan\Application Data\MailFrontier
2008-07-05 07:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-07-05 06:10 --------- d-----w C:\Program Files\MailFrontier
2008-07-04 14:44 --------- d-----w C:\Program Files\SiSoftware
2008-07-04 08:44 --------- d-----w C:\Program Files\BreezeSys
2008-07-04 08:12 --------- d-----w C:\Program Files\Common Files\Java
2008-07-02 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-02 16:39 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-02 16:28 --------- d-----w C:\Program Files\CCleaner
2008-07-02 08:56 --------- d-----w C:\Program Files\DIFX
2008-07-02 07:15 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2008-07-02 07:15 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_Spyder3_01001.Wdf
2008-07-02 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-02 04:59 --------- d-----w C:\Program Files\Bonjour
2008-07-02 04:54 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-07-01 21:52 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-01 21:39 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-01 20:57 --------- d-----w C:\Documents and Settings\Hassan\Application Data\Nikon
2008-06-28 11:34 815,104 ----a-w C:\Program Files\HWMonitor.exe
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 16:12 --------- d-----w C:\Documents and Settings\Hassan\Application Data\Scooter Software
2008-06-06 15:42 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLck.DAT
2008-05-31 05:57 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-05-31 05:48 558,142 ----a-w C:\WINDOWS\java\Packages\N3F5B179.ZIP
2008-05-31 05:48 155,995 ----a-w C:\WINDOWS\java\Packages\7N3JBLZR.ZIP
2008-05-16 11:01 313,888 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2007-04-28 20:49 610,304 ----a-w C:\Program Files\SmartEdge.exe
2007-01-09 16:09 2,812,575 ----a-w C:\Program Files\exiftool.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 03:12 1695232]
"Matador"="C:\PROGRA~1\MAILFR~1\mantispm.exe" [2006-01-20 10:44 894544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 03:12 15360]
"Zinio DLM"="C:\Program Files\Zinio\ZinioReader.exe" [2008-05-01 01:48 3874886]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-07-26 12:48 13570048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-01 04:38 1235736]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 17:41 178712]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-07-26 12:48 86016]
"nwiz"="nwiz.exe" [2008-07-26 12:48 1657376 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 03:12 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 03:12 15360]

C:\Documents and Settings\Hassan\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2008-05-19 1873280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Spyder3Utility.lnk - C:\Program Files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe [2008-03-19 17:06:30 6333954]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dhcpmon32]
2004-07-09 17:59 10752 C:\WINDOWS\system32\dhcpmon32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Home XII.SP2c\\RpcAgentSrv.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"Y:\\Old Drive G - New Volume\\emule mod\\emule\\eMule.exe"=
"C:\\Documents and Settings\\Hassan\\Application Data\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Home XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3676:TCP"= 3676:TCP:messenger
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-01 04:06]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-01 04:38]
R1 vcdrom;Virtual CD-ROM Device Driver;Y:\Old Drive D - XPSP2\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 12:45]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-01 04:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-01 04:38]
R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-08-01 04:38]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-01 04:06]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XII.SP2c\RpcAgentSrv.exe [2008-04-23 18:55]
R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-08-01 04:06]
R3 DCSCUSB;Spectrocolorimeter Driver (dcscusb.sys);C:\WINDOWS\system32\Drivers\dcscusb.sys [2006-06-13 09:15]
R3 Spyder3;Datacolor Spyder3;C:\WINDOWS\system32\DRIVERS\Spyder3.sys [2007-11-06 12:08]
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-08-01 04:06]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\@BIOS\markfun.w32 [2007-08-21 19:49]
S3 NDSPCIIO;NDSPCIIO;C:\WINDOWS\system32\DRIVERS\NDSPCIIO.SYS []
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINDOWS\system32\DRIVERS\wdcsam.sys [2006-09-07 21:16]
S4 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2004-08-01 08:09]
S4 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys [2004-08-01 08:09]
S4 TJUSBDEV;TJUSBDEV.Sys TjgerJet USB Device Driver;C:\WINDOWS\system32\Drivers\TJUSBDEV.sys [2003-08-14 16:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\W]
\Shell\AutoRun\command - W:\autorun.exe

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Hassan\Application Data\Mozilla\Firefox\Profiles\r8bkycz5.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://cm.my.yahoo.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 12:02:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\C:\Program Files\Gigabyte\@BIOS\markfun.w32"
.
Completion time: 2008-08-07 12:02:42
ComboFix-quarantined-files.txt 2008-08-07 09:02:40

Pre-Run: 42,997,878,784 bytes free
Post-Run: 42,980,708,352 bytes free

305 --- E O F --- 2008-08-02 18:26:47

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:31 PM, on 8/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XII.SP2c\RpcAgentSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\avgtoolbar.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Matador] "C:\PROGRA~1\MAILFR~1\mantispm.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioReader.exe /autostart
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Spyder3Utility.lnk = C:\Program Files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7684064475
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: dhcpmon32 - C:\WINDOWS\SYSTEM32\dhcpmon32.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XII.SP2c\RpcAgentSrv.exe

--
End of file - 7915 bytes
helzayat
Active Member
 
Posts: 12
Joined: July 30th, 2008, 4:35 pm

Re: svchost opens multiple smtp connections

Unread postby Katana » August 7th, 2008, 8:00 am

What is your W drive ?

Is it a usb with something connected to it ?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: svchost opens multiple smtp connections

Unread postby helzayat » August 7th, 2008, 9:06 am

W: was either a network share or a mounted ISO image, I don't recall now. It is no longer connected. I use VCdControlTool to mount ISOs.
helzayat
Active Member
 
Posts: 12
Joined: July 30th, 2008, 4:35 pm

Re: svchost opens multiple smtp connections

Unread postby Katana » August 7th, 2008, 10:34 am

==============================WARNING==============================
There is some evidence of what may be a very nasty infection.
You are strongly advised to do the following, immediately:
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
==============================WARNING==============================


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=33226&p=333159#p333159
    Comment:: Katana -- Trojan.Crypt.EN ?
    
    Suspect::[4]
    C:\WINDOWS\SYSTEM32\dhcpmon32.dll
    
    DirLook::
    C:\temp\WPDNSE
    C:\temp\{9CFD87BD-8B3A-4880-925F-B6ADA2A6D26C}
    
    Driver::
    NDSPCIIO
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "Y:\\Old Drive G - New Volume\\emule mod\\emule\\eMule.exe"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\W]
    ADS::


  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  • A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
  • Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat. Please save it on your desktop.

@echo off
REM Remove any results file left over from a previous run
if exist C:\kresults.txt del /q C:\kresults.txt
REM Append the contents of C:\ahci64.reg to the results file
type C:\ahci64.reg >> C:\kresults.txt
REM Open the results in Notepad
start notepad C:\kresults.txt
REM Delete this batch file itself
del /q %0
exit

Double click on look.bat

Notepad will open, please copy/paste the results here.


Eset NOD32 Online AntiVirus

Run Eset NOD32 Online AntiVirus
http://www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
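Katana's CFScript targets three things visible in the logs above: the dhcpmon32 Winlogon Notify DLL, the eMule firewall exception on Y:, and the W: mount-point autorun key, while the EnableFirewall=0 setting sits next to a third-party AVG firewall service. The following is an added example, not a tool from this thread or from MalwareRemoval.com: a small Python triage script that pulls those indicator classes out of a HijackThis/ComboFix log excerpt (sample lines copied from the posted logs) and correlates the firewall setting with the service list. The severity labels and the trusted-path prefixes are the example's own assumptions.

```python
"""Triage a HijackThis / ComboFix log excerpt for the indicator classes this
thread turns on.  Added example, not a tool from the thread or the forum.
Severity labels and TRUSTED_ROOTS are the example's own assumptions, not
HijackThis or ComboFix conventions."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: dhcpmon32 - C:\WINDOWS\SYSTEM32\dhcpmon32.dll
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Trillian\\trillian.exe"=
"Y:\\Old Drive G - New Volume\\emule mod\\emule\\eMule.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\W]
\Shell\AutoRun\command - W:\autorun.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info" (assumed scale)
    category: str
    detail: str


KEY_RE = re.compile(r"^\[(.+)\]$")                      # ComboFix [registry key] header
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')            # ComboFix "name"=value line
WINLOGON_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")

# Assumed: firewall exceptions for binaries outside these roots deserve a look.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows", "%windir%")


def triage(log_text):
    """Return the findings for one log excerpt, in the order they were seen."""
    findings = []
    key = ""                    # current [registry key] section, lower-cased
    firewall_disabled = False
    third_party_firewall = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = WINLOGON_RE.match(line)
        if m:
            # Winlogon Notify DLLs load into winlogon.exe at logon, a persistence
            # point legitimate software rarely needs; every entry needs an explanation.
            findings.append(Finding("high", "winlogon-notify", f"{m.group(1)} -> {m.group(2)}"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs are injected into every process that loads user32.dll.
            findings.append(Finding("medium", "appinit-dlls", m.group(1)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if "firewall" in m.group(1).lower():
                third_party_firewall = m.group(1)
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in key:
            # Per-volume AutoRun command cached for a removable or network drive.
            drive = key.rsplit("\\", 1)[-1].upper()
            findings.append(Finding("high", "mountpoint-autorun", f"{drive}: {m.group(1)}"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
            firewall_disabled = value.startswith("0")
        elif key.endswith("authorizedapplications\\list"):
            # ComboFix doubles backslashes in these paths; normalise before comparing.
            path = name.replace("\\\\", "\\").lower()
            if not path.startswith(TRUSTED_ROOTS):
                findings.append(Finding("medium", "firewall-exception", name))
    if firewall_disabled:
        if third_party_firewall:
            findings.append(Finding("info", "firewall-disabled",
                                    f"Windows Firewall off; covered by service: {third_party_firewall}"))
        else:
            findings.append(Finding("high", "firewall-disabled",
                                    "Windows Firewall off and no firewall service listed"))
    return findings


def report(findings):
    """One line per finding, highest severity first (stable within a level)."""
    rank = {"high": 0, "medium": 1, "info": 2}
    return [f"[{f.severity:<6}] {f.category}: {f.detail}"
            for f in sorted(findings, key=lambda f: rank[f.severity])]


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```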

Re: svchost opens multiple smtp connections

Unread postby helzayat » August 7th, 2008, 11:16 am

I ran the ComboFix script you gave me. I am concerned because on rebooting it had turned off AVG and I could only turn it back on by rebooting a second time.
Here is the ComboFix log:
ComboFix 08-08-06.02 - Hassan 2008-08-07 17:49:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2626 [GMT 3:00]
Running from: C:\Documents and Settings\Hassan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hassan\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDSPCIIO
-------\Service_NDSPCIIO


((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-07 12:48 . 2008-08-07 12:48 26,680 --a------ C:\WINDOWS\River SumidaG.bmp
2008-08-07 12:47 . 2008-08-07 12:47 36,352 --ahs---- C:\WINDOWS\Thumbs.db
2008-08-07 12:47 . 2008-08-07 12:47 4,608 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-08-07 11:22 . 2008-08-07 11:22 <DIR> d-------- C:\Downloads
2008-08-07 10:26 . 2008-08-07 10:26 <DIR> d-------- C:\temp\WPDNSE
2008-08-07 09:13 . 2008-08-07 09:14 <DIR> d-------- C:\temp\{9CFD87BD-8B3A-4880-925F-B6ADA2A6D26C}
2008-08-07 09:11 . 2008-08-07 11:02 <DIR> d-------- C:\temp
2008-08-06 22:44 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-06 22:24 . 2008-08-06 22:24 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-08-06 22:24 . 2008-08-06 22:28 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-08-06 22:24 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-08-06 21:56 . 2004-08-04 15:00 180,770 --a--c--- C:\WINDOWS\system32\dllcache\c_20932.nls
2008-08-06 21:55 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-08-06 21:55 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-08-06 21:55 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-08-06 21:55 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-08-06 21:55 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-08-06 21:55 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-08-06 21:55 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2008-08-06 21:55 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-08-06 21:54 . 2008-04-14 03:09 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-08-06 21:54 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-08-06 21:54 . 2008-04-14 03:09 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-08-06 21:54 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-08-06 19:46 . 2008-08-06 19:46 2,111 --a------ C:\ahci64.reg
2008-08-06 17:47 . 2008-08-06 18:54 <DIR> d-------- C:\Program Files\Quick Screen Capture
2008-08-06 17:47 . 2008-08-06 17:47 <DIR> d-------- C:\MyCaptures
2008-08-05 19:11 . 2008-08-05 19:20 <DIR> d-------- C:\Program Files\Netsniffer
2008-08-04 22:55 . 2008-08-04 22:55 <DIR> d-------- C:\Program Files\PerformanceTest
2008-08-04 21:56 . 2008-08-04 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-08-04 16:55 . 2008-08-04 16:55 <DIR> d-------- C:\Program Files\Future Systems Solutions
2008-08-04 16:55 . 2008-08-04 16:55 <DIR> d-------- C:\Documents and Settings\Hassan\Application Data\Future Systems Solutions
2008-08-04 16:55 . 2008-08-04 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Future Systems Solutions
2008-08-04 13:51 . 2008-08-04 13:51 <DIR> d-------- C:\WINDOWS\system32\ENU
2008-08-04 13:51 . 2008-05-23 15:26 1,034,776 --a------ C:\WINDOWS\system32\imsmudlg.exe
2008-08-04 13:51 . 2006-11-10 09:25 319,456 --a------ C:\WINDOWS\system32\difxapi.dll
2008-08-04 10:33 . 2008-08-04 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-08-03 00:22 . 2008-04-14 03:12 151,552 --a------ C:\WINDOWS\system32\irftp.exe
2008-08-03 00:22 . 2008-04-14 03:12 151,552 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2008-08-03 00:22 . 2008-04-14 03:11 28,160 --a------ C:\WINDOWS\system32\irmon.dll
2008-08-03 00:22 . 2008-04-14 03:11 28,160 --a--c--- C:\WINDOWS\system32\dllcache\irmon.dll
2008-08-03 00:22 . 2008-04-14 03:12 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2008-08-03 00:22 . 2008-04-14 03:12 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-08-02 17:50 . 2008-08-06 21:59 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-02 17:22 . 2008-04-23 07:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-02 17:22 . 2007-04-17 12:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-02 17:22 . 2007-03-08 08:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-02 17:22 . 2008-04-23 07:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-02 17:22 . 2008-04-23 07:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-02 17:22 . 2008-04-23 07:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-02 17:22 . 2008-04-23 07:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-08-02 17:22 . 2008-04-23 07:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-02 17:22 . 2008-04-22 10:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-02 17:10 . 2008-08-04 23:20 <DIR> d-------- C:\64-bit drivers
2008-08-02 17:08 . 2008-06-13 14:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-02 17:07 . 2008-05-08 17:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-02 16:21 . 2008-08-02 16:21 13,750 --a------ C:\WINDOWS\system32\wpa.bak
2008-08-02 16:15 . 2004-08-04 15:00 92,416 --a--c--- C:\WINDOWS\system32\dllcache\mga.sys
2008-08-02 16:14 . 2004-08-04 15:00 187,938 --a--c--- C:\WINDOWS\system32\dllcache\c_20005.nls
2008-08-02 16:13 . 2004-08-04 10:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-02 16:13 . 2008-08-02 16:13 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-02 16:13 . 2008-08-02 16:13 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-02 16:13 . 2008-08-02 16:13 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-02 16:13 . 2008-08-02 16:13 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-02 16:13 . 2008-08-02 16:13 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-02 16:13 . 2008-08-02 16:13 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-02 16:12 . 2004-08-04 15:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-08-02 11:39 . 2008-08-07 10:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-01 04:52 . 2008-08-01 04:52 <DIR> d-------- C:\Linksys Skype Phone
2008-08-01 04:06 . 2008-08-07 10:36 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-01 04:06 . 2008-08-01 04:06 <DIR> d-------- C:\Program Files\AVG
2008-08-01 04:06 . 2008-08-01 04:57 <DIR> d-------- C:\Documents and Settings\Hassan\Application Data\AVGTOOLBAR
2008-08-01 04:06 . 2008-08-01 04:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-01 04:06 . 2008-08-01 04:38 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-01 04:06 . 2008-08-01 04:06 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-01 04:06 . 2008-08-01 04:06 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll
2008-08-01 04:06 . 2008-08-01 04:06 23,296 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-08-01 04:06 . 2008-08-01 04:06 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-01 04:06 . 2008-08-01 04:06 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-01 03:55 . 2008-08-01 05:40 170,042 --a------ C:\WINDOWS\setupapi.old
2008-07-31 17:49 . 2008-07-31 17:49 <DIR> d-------- C:\Deckard
2008-07-31 17:48 . 2008-07-31 17:49 686,630 --a------ C:\Program Files\dss.exe
2008-07-31 17:30 . 2008-07-31 17:30 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-31 00:59 . 2008-07-26 12:48 195,235 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-07-31 00:17 . 2008-07-31 00:17 <DIR> d-------- C:\Documents and Settings\Hassan\Application Data\Malwarebytes
2008-07-31 00:17 . 2008-07-31 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 21:40 . 2008-07-30 21:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 19:49 . 2008-08-01 04:07 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-30 03:14 . 2008-08-06 22:41 <DIR> d-------- C:\Program Files\Panda Security
2008-07-30 03:03 . 2008-07-30 02:55 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-30 02:55 . 2008-07-30 03:04 <DIR> d-------- C:\Documents and Settings\Hassan\.housecall6.6
2008-07-30 01:10 . 2008-07-30 01:21 <DIR> d-------- C:\Documents and Settings\Hassan\Application Data\Download Manager
2008-07-29 15:09 . 2008-08-06 06:01 <DIR> d-------- C:\Program Files\Runtime Software
2008-07-29 11:59 . 2008-07-29 11:59 <DIR> d-------- C:\Program Files\Alex Feinman
2008-07-28 14:50 . 2008-07-28 14:50 <DIR> d-------- C:\WINDOWS\drivers
2008-07-28 14:50 . 2004-08-01 08:09 55,936 --a------ C:\WINDOWS\system32\drivers\ousb2hub.sys
2008-07-28 14:50 . 2004-08-01 08:09 44,928 --a------ C:\WINDOWS\system32\drivers\ousbehci.sys
2008-07-28 14:50 . 2004-09-01 14:30 9,984 --a------ C:\WINDOWS\system32\drivers\o1394b.sys
2008-07-27 22:36 . 2008-07-23 15:24 446,464 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-07-27 22:36 . 2008-07-26 12:48 446,464 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-07-27 22:36 . 2008-08-07 12:12 189,256 --a------ C:\WINDOWS\system32\nvapps.xml
2008-07-27 22:36 . 2008-07-26 12:48 18,335 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-07-27 22:31 . 2008-07-27 22:31 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-27 20:44 . 2008-07-27 20:44 <DIR> d-------- C:\Program Files\Pro Imaging Powertoys
2008-07-26 20:47 . 2008-07-26 20:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Application
2008-07-25 17:54 . 2008-07-25 17:54 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-25 17:54 . 2008-07-25 17:54 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-07-25 17:49 . 2008-07-25 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2008-07-25 17:27 . 2008-07-25 18:41 <DIR> d-------- C:\Program Files\Nokia
2008-07-25 17:27 . 2008-07-25 17:27 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-25 17:27 . 2008-07-25 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-07-25 17:27 . 2008-05-07 07:39 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-07-25 17:27 . 2008-05-07 07:38 659,968 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-07-25 17:27 . 2008-05-07 07:38 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-07-25 17:27 . 2008-05-07 07:38 20,864 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-07-25 17:27 . 2008-05-07 07:38 17,536 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-07-25 17:27 . 2008-05-07 07:38 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-07-25 17:27 . 2008-06-06 09:24 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-07-25 14:39 . 2008-07-25 14:41 <DIR> d-------- C:\Program Files\DAZ
2008-07-25 14:35 . 2008-07-25 14:35 <DIR> d-------- C:\Program Files\Common Files\DAZ
2008-07-23 20:03 . 2008-07-23 20:03 <DIR> d-------- C:\Garmin
2008-07-22 15:26 . 2008-07-22 15:26 52 --a------ C:\WINDOWS\MediaGUI.INI
2008-07-22 06:44 . 2008-07-22 06:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-22 06:44 . 2008-08-02 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-22 06:37 . 2008-07-22 06:37 <DIR> d-------- C:\Program Files\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 14:50 --------- d-----w C:\Program Files\Trillian
2008-08-06 17:43 --------- d-----w C:\Documents and Settings\Hassan\Application Data\OpenOffice.org2
2008-08-06 02:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-06 02:48 --------- d-----w C:\Program Files\NEC DISPLAY SOLUTIONS
2008-08-04 18:31 --------- d-----w C:\Program Files\Datacolor
2008-08-04 10:36 16,608 ----a-w C:\WINDOWS\gdrv.sys
2008-08-04 09:48 --------- d-----w C:\Program Files\Intel
2008-08-04 07:48 --------- d-----w C:\Program Files\GIGABYTE
2008-08-04 07:33 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-31 07:21 79,960 ----a-w C:\WINDOWS\system32\drivers\jraid.sys
2008-07-30 22:19 --------- d-----w C:\Program Files\Java
2008-07-28 15:35 --------- d-----w C:\Documents and Settings\Hassan\Application Data\Skype
2008-07-28 15:31 --------- d-----w C:\Documents and Settings\Hassan\Application Data\skypePM
2008-07-27 22:28 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
2008-07-26 18:41 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbx.DAT
2008-07-26 09:48 6,097,536 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-07-22 19:36 --------- d-----w C:\Program Files\Beyond Compare 2
2008-07-21 12:41 --------- d-----w C:\Program Files\Common Files\eSellerate
2008-07-21 10:43 --------- d-----w C:\Program Files\Western Digital Technologies
2008-07-17 18:14 --------- d-----w C:\Program Files\Common Files\Nikon
2008-07-12 08:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-06 11:56 --------- d-----w C:\Program Files\AnswersThatWork
2008-07-06 07:31 --------- d-----w C:\Program Files\QuickTime
2008-07-06 07:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-06 06:47 --------- d-----w C:\Program Files\Skype
2008-07-06 06:47 --------- d-----w C:\Program Files\Common Files\Skype
2008-07-06 06:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-07-06 06:42 --------- d-----w C:\Program Files\TjInit Utility
2008-07-05 12:53 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-07-05 07:36 --------- d-----w C:\Documents and Settings\Hassan\Application Data\MailFrontier
2008-07-05 07:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-07-05 06:10 --------- d-----w C:\Program Files\MailFrontier
2008-07-04 14:44 --------- d-----w C:\Program Files\SiSoftware
2008-07-04 08:44 --------- d-----w C:\Program Files\BreezeSys
2008-07-04 08:12 --------- d-----w C:\Program Files\Common Files\Java
2008-07-02 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-02 16:39 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-02 16:28 --------- d-----w C:\Program Files\CCleaner
2008-07-02 08:56 --------- d-----w C:\Program Files\DIFX
2008-07-02 07:15 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2008-07-02 07:15 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_Spyder3_01001.Wdf
2008-07-02 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-02 04:59 --------- d-----w C:\Program Files\Bonjour
2008-07-02 04:54 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-07-01 21:52 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-01 21:39 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-01 20:57 --------- d-----w C:\Documents and Settings\Hassan\Application Data\Nikon
2008-06-28 11:34 815,104 ----a-w C:\Program Files\HWMonitor.exe
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 16:12 --------- d-----w C:\Documents and Settings\Hassan\Application Data\Scooter Software
2008-06-06 15:42 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLck.DAT
2008-05-31 05:57 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-04-28 20:49 610,304 ----a-w C:\Program Files\SmartEdge.exe
2007-01-09 16:09 2,812,575 ----a-w C:\Program Files\exiftool.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\temp\{9CFD87BD-8B3A-4880-925F-B6ADA2A6D26C} ----


---- Directory of C:\temp\WPDNSE ----



((((((((((((((((((((((((((((( snapshot@2008-08-07_12.02.30.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 03:12 1695232]
"Matador"="C:\PROGRA~1\MAILFR~1\mantispm.exe" [2006-01-20 10:44 894544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 03:12 15360]
"Zinio DLM"="C:\Program Files\Zinio\ZinioReader.exe" [2008-05-01 01:48 3874886]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-07-26 12:48 13570048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-01 04:38 1235736]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 17:41 178712]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-07-26 12:48 86016]
"nwiz"="nwiz.exe" [2008-07-26 12:48 1657376 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 03:12 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 03:12 15360]

C:\Documents and Settings\Hassan\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2008-05-19 1873280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Spyder3Utility.lnk - C:\Program Files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe [2008-03-19 17:06:30 6333954]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dhcpmon32]
2004-07-09 17:59 10752 C:\WINDOWS\system32\dhcpmon32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Home XII.SP2c\\RpcAgentSrv.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"Y:\\Old Drive G - New Volume\\emule mod\\emule\\eMule.exe"=
"C:\\Documents and Settings\\Hassan\\Application Data\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Home XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3676:TCP"= 3676:TCP:messenger
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-01 04:06]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-01 04:38]
R1 vcdrom;Virtual CD-ROM Device Driver;Y:\Old Drive D - XPSP2\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 12:45]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-01 04:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-01 04:38]
R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-08-01 04:38]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-01 04:06]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XII.SP2c\RpcAgentSrv.exe [2008-04-23 18:55]
R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-08-01 04:06]
R3 DCSCUSB;Spectrocolorimeter Driver (dcscusb.sys);C:\WINDOWS\system32\Drivers\dcscusb.sys [2006-06-13 09:15]
R3 Spyder3;Datacolor Spyder3;C:\WINDOWS\system32\DRIVERS\Spyder3.sys [2007-11-06 12:08]
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-08-01 04:06]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\@BIOS\markfun.w32 [2007-08-21 19:49]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINDOWS\system32\DRIVERS\wdcsam.sys [2006-09-07 21:16]
S4 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2004-08-01 08:09]
S4 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys [2004-08-01 08:09]
S4 TJUSBDEV;TJUSBDEV.Sys TjgerJet USB Device Driver;C:\WINDOWS\system32\Drivers\TJUSBDEV.sys [2003-08-14 16:23]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 17:53:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\C:\Program Files\Gigabyte\@BIOS\markfun.w32"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-07 17:54:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 14:54:55
ComboFix2.txt 2008-08-07 09:02:43

Pre-Run: 42,985,869,312 bytes free
Post-Run: 42,874,748,928 bytes free

313 --- E O F --- 2008-08-02 18:26:47
and here is the kresults.txt:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#VEN_8086&DEV_2922&CC_0106]
"Service"="iaStor"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#VEN_8086&DEV_282A&CC_0104]
"Service"="iaStor"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#VEN_8086&DEV_2829&CC_0106]
"Service"="iaStor"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#VEN_8086&DEV_2822&CC_0104]
"Service"="iaStor"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#VEN_8086&DEV_2821&CC_0106]
"Service"="iaStor"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#VEN_8086&DEV_2682&CC_0104]
"Service"="iaStor"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#VEN_8086&DEV_2681&CC_0106]
"Service"="iaStor"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#VEN_8086&DEV_27C3&CC_0104]
"Service"="iaStor"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#VEN_8086&DEV_27C6&CC_0104]
"Service"="iaStor"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#VEN_8086&DEV_27C1&CC_0106]
"Service"="iaStor"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#VEN_8086&DEV_27C5&CC_0106]
"Service"="iaStor"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#VEN_8086&DEV_2653&CC_0106]
"Service"="iaStor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor]
"Type"=dword:00000001
"Start"=dword:00000000
"Group"="SCSI miniport"
"ErrorControl"=dword:00000001
"ImagePath"="system32\\drivers\\iaStor.sys"
"tag"=dword:00000019
"DisplayName"="Intel AHCI Controller"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor\Parameters]
"queuePriorityEnable"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor\Enum]
"0"="PCI\\VEN_8086&DEV_2821&SUBSYS_B0051458&REV_02\\3&13c0b0c5&0&FA"
"Count"=dword:00000001
"NextInstance"=dword:00000001
I will now run the eset scan.
helzayat
Active Member
 
Posts: 12
Joined: July 30th, 2008, 4:35 pm

Re: svchost opens multiple smtp connections

Unread postby helzayat » August 7th, 2008, 1:59 pm

I am unable to run the eset scan; 45 minutes or so into the scan (progress bar at about 70%) IE just quits, with no error reporting of any kind, and no events recorded. One second it's scanning, the next, no IE window. The third time I tried with no other programs running and without touching the mouse or keyboard, same result. I had AVG resident scan disabled.
helzayat
Active Member
 
Posts: 12
Joined: July 30th, 2008, 4:35 pm

Re: svchost opens multiple smtp connections

Unread postby Katana » August 7th, 2008, 3:00 pm

Kaspersky Online Scanner.
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer).

NOTE:- Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click Run As Admin.
Go here: http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane.
Now go and put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box, then click the down arrow to the right of Save as type: and select text file (*.txt).
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester