Multiple processes of iexplorer.exe and svchost.exe

Unread postby GeoForce » September 23rd, 2009, 8:37 am

Hi guys...

First of all I looked at other topics related to my problem and didn't find an answer...
My problem is that 4 to 5 days ago I noticed my PC was very slow. I went to Task Manager and got like 50 iexplorer.exe running simultaneously, "eating" all my PC resources. I try to close one after another and an Internet Explorer window appears saying that my session has been recovered (and asks if I want to go to the home page or open the recovered site).
After reading some things and googling I think I may have a Trojan horse or some other type of malware.

So, I hope you guys can help me with my situation.
Here is the HJT log file (sometimes I have more iexplore.exe processes in execution):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:31:33, on 22-09-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Programas\Java\jre6\bin\jqs.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programas\Belkin\F5D9050\Belkinwcui.exe
C:\Programas\ESET\ESET NOD32 Antivirus\egui.exe
C:\Programas\Java\jre6\bin\jusched.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Administrador\Ambiente de trabalho\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: D - {BD389B4D-F612-3AD3-B593-2F487D256161} - C:\WINDOWS\system32\xwr26881.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DmwClient] "dmwclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Programas\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F5D9050] C:\Programas\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [egui] "C:\Programas\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "d:\jogos\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3550939906
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/L ... nstall.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540022} - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/s ... er_v10.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: WIKI.DLL
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Programas\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Programas\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programas\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\Nokia\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9204 bytes
GeoForce
Active Member
 
Posts: 13
Joined: September 21st, 2009, 8:02 pm

Re: Multiple processes of iexplorer.exe and svchost.exe

Unread postby MWR 3 day Mod » September 27th, 2009, 2:32 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Multiple processes of iexplorer.exe and svchost.exe

Unread postby deltalima » October 1st, 2009, 4:24 am

Hi GeoForce,

Welcome to the Malware Removal forums.
My nickname is deltalima and I will be helping you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me.

Please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • All of my posts need to be checked by a teacher, so please be patient while I attempt to remove your malware.

LIST OF PROGRAMS USING HIJACKTHIS
  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
See this link for details.
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Multiple processes of iexplorer.exe and svchost.exe

Unread postby deltalima » October 1st, 2009, 5:30 pm

Hi GeoForce,

I noticed you have PunkBuster installed... read the "Published features" section.
PunkBuster can take control over various aspects of your computer, and some gaming tools, not unlike PunkBuster, also hinder their own removal.
By the definition we use, PunkBuster is actual spyware. Therefore, I'm asking you to choose one of the following options:
  1. We "try" to leave PunkBuster alone... however, there is no guarantee a spyware component doesn't "inadvertently" get taken out... so PunkBuster might fail. This will also prevent you from playing games using PunkBuster enabled servers.
  2. We can just remove PunkBuster. You can reinstall it afterwards if you wish, but please keep in mind that it is spyware.
  3. We can not clean this computer at all. This ensures PunkBuster will continue to function.
If you choose to remove PunkBuster, please perform the uninstall steps below. Otherwise, let me know what other option you chose.

Uninstall PunkBuster
Please download PBSVC Setup Program. Save it to your desktop.
  1. Double click on pbsvc.exe to start it... then click Uninstall.
    Once that's finished...
  2. Click Start > Run and copy and paste the following into the open text box:
    cmd /c for %i in (A B K) do sc delete PnkBstr%i
  3. Click OK. A black box will flash very briefly, this is normal.
  4. Double click My Computer on your desktop and browse to C:\windows\system32\drivers
  5. Locate the file: PnkBstrK.sys... if found delete it.
Let me know if you performed these steps successfully.

Please re-open HijackThis and select Scan. Check the boxes next to all the entries listed below (if present):

O2 - BHO: D - {BD389B4D-F612-3AD3-B593-2F487D256161} - C:\WINDOWS\system32\xwr26881.dll
O20 - AppInit_DLLs: WIKI.DLL
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/L ... nstall.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/s ... er_v10.cab
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw


Now close all other open windows and then click on Fix Checked. Close HijackThis.

Now you need to show all files and folders

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Apply to confirm.
  • Click OK

Using Windows Explorer (to get there right-click your Start button and go to Explore), please delete this file (if present):
C:\WINDOWS\system32\xwr26881.dll

Now we need to do a search.
Start > Search > For Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:
WIKI.DLL
If this file is found please delete it.

Now Reboot your computer and run a fresh scan with HijackThis and post the log back here.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
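As an added example (not code from this thread, from HijackThis or from MalwareRemoval.com), the following Python script applies the triage heuristics deltalima used above to HJT v2 log text: it flags an O20 AppInit_DLLs entry, an orphaned BHO or a one-character-named BHO whose DLL sits in system32, O15 Trusted Zone additions, O23 services with an unknown owner or a missing file, and an unusual number of copies of one process image. The embedded sample log is constructed from entries posted in this thread, and the copy threshold of 10 is an assumption rather than an HJT rule.

```python
"""Triage helper for HijackThis v2 log text (added example, not HJT code)."""
import re
from collections import Counter
from typing import List, Tuple

# Assumption: more copies than this of one image is worth a closer look.
PROCESS_COPY_LIMIT = 10

# Constructed sample: a trimmed log in the same format as the one posted above,
# with 12 IEXPLORE.EXE copies standing in for the ~58 seen in the real log.
SAMPLE_LOG = """Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:31:33, on 22-09-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\system32\\svchost.exe
""" + "C:\\Programas\\Internet Explorer\\IEXPLORE.EXE\n" * 12 + """C:\\WINDOWS\\system32\\taskmgr.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.pt/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: D - {BD389B4D-F612-3AD3-B593-2F487D256161} - C:\\WINDOWS\\system32\\xwr26881.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\\Programas\\Java\\jre6\\bin\\jp2ssv.dll
O4 - HKLM\\..\\Run: [egui] "C:\\Programas\\ESET\\ESET NOD32 Antivirus\\egui.exe" /hide /waitservice
O15 - Trusted Zone: http://www.msi.com.tw
O20 - AppInit_DLLs: WIKI.DLL
O23 - Service: ESET Service (ekrn) - ESET - C:\\Programas\\ESET\\ESET NOD32 Antivirus\\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
O23 - Service: ServiceLayer - Unknown owner - C:\\Programas\\Nokia\\PC Connectivity Solution\\ServiceLayer.exe (file missing)
"""

# HJT entries look like "O2 - BHO: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
# "BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# A DLL located directly in a system32 folder.
SYSTEM32_DLL = re.compile(r"\\system32\\[^\\]+\.dll$", re.IGNORECASE)


def split_log(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (running process paths, [(section, body), ...]) from HJT log text."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True  # paths follow until the next blank line
            continue
        if not line:
            in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(text: str) -> List[str]:
    """Return one human-readable finding per item the heuristics consider suspicious."""
    processes, entries = split_log(text)
    findings: List[str] = []
    # Runaway process spawning (the symptom reported in this thread).
    for image, n in Counter(p.lower() for p in processes).items():
        if n > PROCESS_COPY_LIMIT:
            findings.append(f"process: {n} copies of {image}")
    for section, body in entries:
        if section == "O2":
            m = BHO_RE.match(body)
            if not m:
                continue
            name, path = m.group("name"), m.group("path")
            if path == "(no file)":
                findings.append(f"O2: orphaned BHO {name}")
            elif len(name) <= 1 and SYSTEM32_DLL.search(path):
                findings.append(f"O2: BHO with one-character name loads {path}")
        elif section == "O15":
            # Sites in the Trusted Zone run with relaxed IE security settings.
            findings.append(f"O15: {body}")
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                findings.append(f"O20: AppInit_DLLs loads {dlls} into every process")
        elif section == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append(f"O23: {body}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Anything the script lists still needs a human look, exactly as in the thread: PnkBstrA is flagged only because HJT reports no owner, and the MSI Trusted Zone entries are vendor sites that the helper chose to remove.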

Re: Multiple processes of iexplorer.exe and svchost.exe

Unread postby GeoForce » October 2nd, 2009, 7:57 pm

HJT program list:

Actualização Crítica para o Windows Media Player 11 (KB959772)
Actualização de Segurança para o Windows Media Player (KB952069)
Actualização de Segurança para o Windows Media Player (KB968816)
Actualização de Segurança para o Windows Media Player (KB973540)
Actualização de Segurança para o Windows Media Player 11 (KB936782)
Actualização de Segurança para o Windows Media Player 11 (KB954154)
Actualização de segurança para Windows Internet Explorer 7 (KB938127)
Actualização de segurança para Windows Internet Explorer 7 (KB944533)
Actualização de segurança para Windows Internet Explorer 7 (KB950759)
Actualização de segurança para Windows Internet Explorer 7 (KB953838)
Actualização de segurança para Windows Internet Explorer 7 (KB956390)
Actualização de segurança para Windows Internet Explorer 7 (KB958215)
Actualização de segurança para Windows Internet Explorer 7 (KB960714)
Actualização de segurança para Windows Internet Explorer 7 (KB961260)
Actualização de segurança para Windows Internet Explorer 7 (KB963027)
Actualização de segurança para Windows Internet Explorer 7 (KB969897)
Actualização de segurança para Windows Internet Explorer 8 (KB969897)
Actualização de segurança para Windows Internet Explorer 8 (KB971961)
Actualização de segurança para Windows Internet Explorer 8 (KB972260)
Actualização de segurança para Windows XP (KB923561)
Actualização de segurança para Windows XP (KB923789)
Actualização de segurança para Windows XP (KB938464)
Actualização de Segurança para Windows XP (KB941569)
Actualização de segurança para Windows XP (KB946648)
Actualização de segurança para Windows XP (KB950759)
Actualização de segurança para Windows XP (KB950760)
Actualização de segurança para Windows XP (KB950762)
Actualização de segurança para Windows XP (KB950974)
Actualização de segurança para Windows XP (KB951066)
Actualização de segurança para Windows XP (KB951376)
Actualização de segurança para Windows XP (KB951376-v2)
Actualização de segurança para Windows XP (KB951698)
Actualização de segurança para Windows XP (KB951748)
Actualização de segurança para Windows XP (KB952004)
Actualização de segurança para Windows XP (KB952954)
Actualização de segurança para Windows XP (KB953839)
Actualização de segurança para Windows XP (KB954211)
Actualização de segurança para Windows XP (KB954459)
Actualização de segurança para Windows XP (KB954600)
Actualização de segurança para Windows XP (KB955069)
Actualização de segurança para Windows XP (KB956391)
Actualização de segurança para Windows XP (KB956572)
Actualização de segurança para Windows XP (KB956744)
Actualização de segurança para Windows XP (KB956802)
Actualização de segurança para Windows XP (KB956803)
Actualização de segurança para Windows XP (KB956841)
Actualização de segurança para Windows XP (KB956844)
Actualização de segurança para Windows XP (KB957095)
Actualização de segurança para Windows XP (KB957097)
Actualização de segurança para Windows XP (KB958644)
Actualização de segurança para Windows XP (KB958687)
Actualização de segurança para Windows XP (KB958690)
Actualização de segurança para Windows XP (KB959426)
Actualização de segurança para Windows XP (KB960225)
Actualização de segurança para Windows XP (KB960715)
Actualização de segurança para Windows XP (KB960803)
Actualização de segurança para Windows XP (KB960859)
Actualização de segurança para Windows XP (KB961371)
Actualização de segurança para Windows XP (KB961373)
Actualização de segurança para Windows XP (KB961501)
Actualização de segurança para Windows XP (KB968537)
Actualização de segurança para Windows XP (KB969898)
Actualização de segurança para Windows XP (KB970238)
Actualização de segurança para Windows XP (KB971557)
Actualização de segurança para Windows XP (KB971633)
Actualização de segurança para Windows XP (KB971657)
Actualização de segurança para Windows XP (KB973346)
Actualização de segurança para Windows XP (KB973354)
Actualização de segurança para Windows XP (KB973507)
Actualização de segurança para Windows XP (KB973869)
Actualização para Windows Internet Explorer 8 (KB971180)
Actualização para Windows XP (KB942763)
Actualização para Windows XP (KB951072-v2)
Actualização para Windows XP (KB951978)
Actualização para Windows XP (KB955839)
Actualização para Windows XP (KB967715)
Actualização para Windows XP (KB968389)
Actualização para Windows XP (KB973815)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop CS
Adobe Shockwave Player 11
Azureus
Belkin Wireless G Plus MIMO USB Network Adapter
CCleaner (remove only)
Combined Community Codec Pack 2008-09-21 16:18
Compatibility Pack for the 2007 Office system
Correcção para o Windows Media Player 11 (KB939683)
Counter-Strike: Source
DMW Client SE
Foxit Reader
Garena
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix para Windows Internet Explorer 7 (KB947864)
Hotfix para Windows XP (KB952287)
Hotfix para Windows XP (KB961118)
Hotfix para Windows XP (KB970653-v3)
Java(TM) 6 Update 15
K-Lite Codec Pack 3.2.5 Standard
LimeWire 5.1.3
Marsu-Fix
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - PTG
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - PTG
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 Language Pack - ptg
Microsoft .NET Framework 3.5 Language Pack - PTG
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.14)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Need for Speed™ SHIFT
Nero Suite
NVIDIA Drivers
NVIDIA PhysX
OpenAL
PC Connectivity Solution
PowerArchiver 2006 v9.62
Pro Evolution Soccer 2009
Realtek AC'97 Audio
RivaTuner v2.09
Samsung Master
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Silkroad
Steam
TeamSpeak 2 RC2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Warcraft III 1.22 Patch
Windows Imaging Component
Windows Internet Explorer 8
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Language Pack 1.0
XP Codec Pack
XviD MPEG-4 Video Codec

New HJT log file (I couldn't find the files you named: PnkBstrK.sys, xwr26881.dll and WIKI.DLL):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:51:52, on 03-10-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Programas\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Programas\Java\jre6\bin\jqs.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\svchost.exe
C:\windows\SOUNDMAN.EXE
C:\windows\system32\rundll32.exe
C:\Programas\Belkin\F5D9050\Belkinwcui.exe
C:\Programas\ESET\ESET NOD32 Antivirus\egui.exe
C:\Programas\Java\jre6\bin\jusched.exe
C:\Programas\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\Administrador\Ambiente de trabalho\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DmwClient] "dmwclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Programas\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F5D9050] C:\Programas\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [egui] "C:\Programas\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "d:\jogos\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3550939906
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540022} - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Programas\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Programas\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programas\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Programas\Nokia\PC Connectivity Solution\ServiceLayer.exe (file missing)

--
End of file - 5829 bytes
GeoForce
Active Member
 
Posts: 13
Joined: September 21st, 2009, 8:02 pm

Re: Multiple processes of iexplorer.exe and svchost.exe

Unread postby deltalima » October 3rd, 2009, 3:15 pm

Hi GeoForce,

The HijackThis log looks good. The multiple iexplorer.exe lines are gone and the several svchost.exe are normal under Windows XP.

REMOVE P2P PROGRAMS

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Azureus
LimeWire 5.1.3


Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.

As a final check please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Now please post the log from Malwarebytes Anti-Malware along with a new HijackThis log and LIST OF PROGRAMS USING HIJACKTHIS (as described in my first post).
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Multiple processes of iexplorer.exe and svchost.exe

Unread postby GeoForce » October 3rd, 2009, 4:59 pm

Malwarebytes Anti-Malware log

Malwarebytes' Anti-Malware 1.41
Versão do banco de dados: 2900
Windows 5.1.2600 Service Pack 3

03-10-2009 21:53:27
mbam-log-2009-10-03 (21-53-21).txt

Tipo de Verificação: Completa (C:\|D:\|)
Objetos verificados: 164047
Tempo decorrido: 27 minute(s), 32 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registo infectadas: 3
Valores do Registo infectados: 0
Ítens do Registo infectados: 0
Pastas infectadas: 0
Ficheiros infectados: 2

Processos da Memória infectados:
(Nenhum item malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum item malicioso foi detectado)

Chaves do Registo infectadas:
HKEY_CLASSES_ROOT\D (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\D.1 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> No action taken.

Valores do Registo infectados:
(Nenhum item malicioso foi detectado)

Ítens do Registo infectados:
(Nenhum item malicioso foi detectado)

Pastas infectadas:
(Nenhum item malicioso foi detectado)

Ficheiros infectados:
C:\Documents and Settings\Administrador\Ambiente de trabalho\backups\backup-20091003-004439-355.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{58EAD091-649D-4FD8-B4AB-861855863432}\RP187\A0047673.dll (Trojan.BHO) -> No action taken.


HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:56:29, on 03-10-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Programas\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Programas\Java\jre6\bin\jqs.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\svchost.exe
C:\windows\SOUNDMAN.EXE
C:\Programas\DMW Client 3\dmwclient.exe
C:\windows\system32\rundll32.exe
C:\Programas\Belkin\F5D9050\Belkinwcui.exe
C:\Programas\ESET\ESET NOD32 Antivirus\egui.exe
C:\Programas\Java\jre6\bin\jusched.exe
C:\Programas\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\wuauclt.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrador\Ambiente de trabalho\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DmwClient] "dmwclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Programas\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F5D9050] C:\Programas\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [egui] "C:\Programas\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programas\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "d:\jogos\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3550939906
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540022} - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Programas\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Programas\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programas\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Programas\Nokia\PC Connectivity Solution\ServiceLayer.exe (file missing)

--
End of file - 5948 bytes


Program List log

Actualização Crítica para o Windows Media Player 11 (KB959772)
Actualização de Segurança para o Windows Media Player (KB952069)
Actualização de Segurança para o Windows Media Player (KB968816)
Actualização de Segurança para o Windows Media Player (KB973540)
Actualização de Segurança para o Windows Media Player 11 (KB936782)
Actualização de Segurança para o Windows Media Player 11 (KB954154)
Actualização de segurança para Windows Internet Explorer 7 (KB938127)
Actualização de segurança para Windows Internet Explorer 7 (KB944533)
Actualização de segurança para Windows Internet Explorer 7 (KB950759)
Actualização de segurança para Windows Internet Explorer 7 (KB953838)
Actualização de segurança para Windows Internet Explorer 7 (KB956390)
Actualização de segurança para Windows Internet Explorer 7 (KB958215)
Actualização de segurança para Windows Internet Explorer 7 (KB960714)
Actualização de segurança para Windows Internet Explorer 7 (KB961260)
Actualização de segurança para Windows Internet Explorer 7 (KB963027)
Actualização de segurança para Windows Internet Explorer 7 (KB969897)
Actualização de segurança para Windows Internet Explorer 8 (KB969897)
Actualização de segurança para Windows Internet Explorer 8 (KB971961)
Actualização de segurança para Windows Internet Explorer 8 (KB972260)
Actualização de segurança para Windows XP (KB923561)
Actualização de segurança para Windows XP (KB923789)
Actualização de segurança para Windows XP (KB938464)
Actualização de Segurança para Windows XP (KB941569)
Actualização de segurança para Windows XP (KB946648)
Actualização de segurança para Windows XP (KB950759)
Actualização de segurança para Windows XP (KB950760)
Actualização de segurança para Windows XP (KB950762)
Actualização de segurança para Windows XP (KB950974)
Actualização de segurança para Windows XP (KB951066)
Actualização de segurança para Windows XP (KB951376)
Actualização de segurança para Windows XP (KB951376-v2)
Actualização de segurança para Windows XP (KB951698)
Actualização de segurança para Windows XP (KB951748)
Actualização de segurança para Windows XP (KB952004)
Actualização de segurança para Windows XP (KB952954)
Actualização de segurança para Windows XP (KB953839)
Actualização de segurança para Windows XP (KB954211)
Actualização de segurança para Windows XP (KB954459)
Actualização de segurança para Windows XP (KB954600)
Actualização de segurança para Windows XP (KB955069)
Actualização de segurança para Windows XP (KB956391)
Actualização de segurança para Windows XP (KB956572)
Actualização de segurança para Windows XP (KB956744)
Actualização de segurança para Windows XP (KB956802)
Actualização de segurança para Windows XP (KB956803)
Actualização de segurança para Windows XP (KB956841)
Actualização de segurança para Windows XP (KB956844)
Actualização de segurança para Windows XP (KB957095)
Actualização de segurança para Windows XP (KB957097)
Actualização de segurança para Windows XP (KB958644)
Actualização de segurança para Windows XP (KB958687)
Actualização de segurança para Windows XP (KB958690)
Actualização de segurança para Windows XP (KB959426)
Actualização de segurança para Windows XP (KB960225)
Actualização de segurança para Windows XP (KB960715)
Actualização de segurança para Windows XP (KB960803)
Actualização de segurança para Windows XP (KB960859)
Actualização de segurança para Windows XP (KB961371)
Actualização de segurança para Windows XP (KB961373)
Actualização de segurança para Windows XP (KB961501)
Actualização de segurança para Windows XP (KB968537)
Actualização de segurança para Windows XP (KB969898)
Actualização de segurança para Windows XP (KB970238)
Actualização de segurança para Windows XP (KB971557)
Actualização de segurança para Windows XP (KB971633)
Actualização de segurança para Windows XP (KB971657)
Actualização de segurança para Windows XP (KB973346)
Actualização de segurança para Windows XP (KB973354)
Actualização de segurança para Windows XP (KB973507)
Actualização de segurança para Windows XP (KB973869)
Actualização para Windows Internet Explorer 8 (KB971180)
Actualização para Windows XP (KB942763)
Actualização para Windows XP (KB951072-v2)
Actualização para Windows XP (KB951978)
Actualização para Windows XP (KB955839)
Actualização para Windows XP (KB967715)
Actualização para Windows XP (KB968389)
Actualização para Windows XP (KB973815)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop CS
Adobe Shockwave Player 11
Belkin Wireless G Plus MIMO USB Network Adapter
CCleaner (remove only)
Combined Community Codec Pack 2008-09-21 16:18
Compatibility Pack for the 2007 Office system
Correcção para o Windows Media Player 11 (KB939683)
Counter-Strike: Source
DMW Client SE
Foxit Reader
Garena
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix para Windows Internet Explorer 7 (KB947864)
Hotfix para Windows XP (KB952287)
Hotfix para Windows XP (KB961118)
Hotfix para Windows XP (KB970653-v3)
Java(TM) 6 Update 15
K-Lite Codec Pack 3.2.5 Standard
Malwarebytes' Anti-Malware
Marsu-Fix
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - PTG
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - PTG
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 Language Pack - ptg
Microsoft .NET Framework 3.5 Language Pack - PTG
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.14)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Need for Speed™ SHIFT
Nero Suite
NVIDIA Drivers
NVIDIA PhysX
OpenAL
PC Connectivity Solution
PowerArchiver 2006 v9.62
Pro Evolution Soccer 2009
Realtek AC'97 Audio
RivaTuner v2.09
Samsung Master
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Silkroad
Steam
TeamSpeak 2 RC2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Warcraft III 1.22 Patch
Windows Imaging Component
Windows Internet Explorer 8
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Language Pack 1.0
XP Codec Pack
XviD MPEG-4 Video Codec
GeoForce
Active Member
 
Posts: 13
Joined: September 21st, 2009, 8:02 pm

Re: Multiple processes of iexplorer.exe and svchost.exe

Unread postby deltalima » October 4th, 2009, 3:22 pm

Hi GeoForce,

Please re-open HijackThis and select Scan. Check the boxes next to all the entries listed below (if present):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Now close all other open windows and then click on Fix Checked. Close HijackThis.

Please reboot your computer and then run another scan with Malwarebytes. Ensure that when the scan has completed everything that has been detected is checked and then click Remove Selected.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log and the Malwarebytes log.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
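The entry deltalima singles out above is a BHO whose CLSID is still registered but whose DLL is gone, which HijackThis prints as "(no file)"; the O23 line for ServiceLayer in the same log shows the equivalent for a service ("(file missing)"). As an added example (not HijackThis' own code and not posted by anyone in this thread), the Python script below applies that triage rule mechanically to the O2 and O23 sections; the sample log is constructed to mirror the shape of the report above.

```python
"""Triage HijackThis 2.0.2 report lines for orphaned O2 (BHO) and O23 (service) entries.

Added example: this is not HijackThis' own code and was not posted in the
thread. It encodes the check the helper performed by eye: a BHO whose DLL
is gone ("(no file)") or a service whose binary is gone ("(file missing)")
is a dead registration that should be removed, and an unnamed BHO or a
service with "Unknown owner" should at least be verified.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, mirroring the shape of the HJT log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programas\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: ServiceLayer - Unknown owner - C:\Programas\Nokia\PC Connectivity Solution\ServiceLayer.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Programas\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# O2 - BHO: <display name> - {CLSID} - <DLL path, or "(no file)" when the DLL is gone>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# O23 - Service: <display name> - <publisher> - <binary path>[ (file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HJT section, e.g. "O2" or "O23"
    line: str      # the flagged log line, verbatim
    reason: str    # why it was flagged


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for an O2/O23 line that needs attention, else None.

    Lines from other sections (R0, O4, O16, ...) are passed through untouched.
    """
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        if m.group("path") == "(no file)":
            return Finding("O2", line, "BHO is registered but its DLL is gone (orphaned entry)")
        if m.group("name") == "(no name)":
            return Finding("O2", line, "BHO has no display name; verify " + m.group("path"))
        return None
    m = O23_RE.match(line)
    if m:
        if m.group("path").endswith("(file missing)"):
            return Finding("O23", line, "service points at a binary that no longer exists")
        if m.group("owner") == "Unknown owner":
            return Finding("O23", line, "service binary has no publisher; verify " + m.group("path"))
        return None
    return None


def triage_log(text: str) -> List[Finding]:
    """Apply triage_line to every line of a report, keeping only the flagged ones."""
    return [f for f in (triage_line(raw) for raw in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```

Running it over the sample flags exactly the two entries a helper would act on: the orphaned "(no name)" BHO and the ServiceLayer service whose binary is missing.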

Re: Multiple processes of iexplorer.exe and svchost.exe

Unread postby GeoForce » October 5th, 2009, 11:17 am

Kaspersky scan log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, October 5, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, October 05, 2009 13:27:17
Records in database: 2916791
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 50551
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:46:31

No threats found. Scanned area is clean.

HJT log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:44:06, on 05-10-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Programas\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Programas\Java\jre6\bin\jqs.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\svchost.exe
C:\windows\SOUNDMAN.EXE
C:\windows\system32\rundll32.exe
C:\windows\system32\RUNDLL32.EXE
C:\Programas\Belkin\F5D9050\Belkinwcui.exe
C:\Programas\ESET\ESET NOD32 Antivirus\egui.exe
C:\Programas\Java\jre6\bin\jusched.exe
C:\Programas\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\Programas\Java\jre6\bin\java.exe
C:\Documents and Settings\Administrador\Ambiente de trabalho\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DmwClient] "dmwclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Programas\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F5D9050] C:\Programas\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [egui] "C:\Programas\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programas\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "d:\jogos\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3550939906
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540022} - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Programas\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Programas\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programas\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Programas\Nokia\PC Connectivity Solution\ServiceLayer.exe (file missing)

--
End of file - 5829 bytes

Malwarebytes log file

Malwarebytes' Anti-Malware 1.41
Versão do banco de dados: 2907
Windows 5.1.2600 Service Pack 3

05-10-2009 16:14:14
mbam-log-2009-10-05 (16-14-14).txt

Tipo de Verificação: Completa (C:\|D:\|)
Objetos verificados: 167083
Tempo decorrido: 26 minute(s), 22 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registo infectadas: 0
Valores do Registo infectados: 0
Ítens do Registo infectados: 0
Pastas infectadas: 0
Ficheiros infectados: 0

Processos da Memória infectados:
(Nenhum item malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum item malicioso foi detectado)

Chaves do Registo infectadas:
(Nenhum item malicioso foi detectado)

Valores do Registo infectados:
(Nenhum item malicioso foi detectado)

Ítens do Registo infectados:
(Nenhum item malicioso foi detectado)

Pastas infectadas:
(Nenhum item malicioso foi detectado)

Ficheiros infectados:
(Nenhum item malicioso foi detectado)
GeoForce
Active Member
 
Posts: 13
Joined: September 21st, 2009, 8:02 pm

Re: Multiple processes of iexplorer.exe and svchost.exe

Unread postby deltalima » October 6th, 2009, 3:18 am

Hi GeoForce,

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Turn OFF System Restore
  1. Right click on My Computer ... choose Properties from the menu.
  2. Press the System Restore ...tab.
  3. Check "Turn off System Restore"...check box.
  4. Click Apply
  5. Click OK.
Turn ON System Restore
  1. Right click on My Computer ... choose Properties from the menu.
  2. Press the System Restore ...tab.
  3. UN-Check "Turn off System Restore"...check box.
  4. Click Apply
  5. Click OK.
When turned back on... a new Restore Point will be created automatically.

Update your AntiVirus Software and keep your other programs up-to-date
It is vital that you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I would like you to download and install a free firewall from one of these excellent vendors:

1) ZoneAlarm
2) Agnitum
3) Sunbelt/Kerio

Note If you choose Zonealarm then ensure the option for the ZoneAlarm Spy Blocker is NOT chosen during installation. (see here for more information).

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

How is the computer running now? Please post back if you are experiencing any further problems.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Multiple processes of iexplorer.exe and svchost.exe

Unread postby GeoForce » October 6th, 2009, 6:17 am

Hi!

Thank you so much for your help. My computer is running clean and fast now! I already installed Spyware Blaster and updated it.
I also ran Secunia Software Inspector and I just needed to upgrade Adobe Flash.
I have just one question for you... I have ESET NOD32 Antivirus (cracked version). My friends always told me it was a very good antivirus. Do you recommend it? Or is there any other antivirus program, better and free, that you recommend?

Thkx Geo
GeoForce
Active Member
 
Posts: 13
Joined: September 21st, 2009, 8:02 pm

Re: Multiple processes of iexplorer.exe and svchost.exe

Unread postby deltalima » October 6th, 2009, 9:31 am

Hi GeoForce,

I cannot condone the use of any cracked software. Indeed the source of the infection could have been the cracked software that you have been using.

Please see the forum rules here

There are several free antivirus products

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

If you choose to install AVG then please ensure that you select NOT to install the optional toolbar.

Please remove the cracked version of NOD32 and any other cracked software that you have installed then install one of these free antivirus products or purchase an antivirus product.

Once installed then please run a full system scan with the antivirus software and post the results back here.

Next download CKScanner from here
Important - Save it to your desktop.
Double-click CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Now please run a new HijackThis scan and post the log along with the results from CKScanner and the results from the Antivirus scan.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Multiple processes of iexplorer.exe and svchost.exe

Unread postby GeoForce » October 6th, 2009, 8:16 pm

Avira AntiVir Personal

Report file date: quarta-feira, 7 de Outubro de 2009 00:27

Scanning for 1780400 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : NUNO

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 29-07-2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 21-07-2009 13:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27-02-2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20-02-2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27-02-2009 10:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27-10-2008 12:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 24-06-2009 09:21:42
ANTIVIR2.VDF : 7.1.6.50 4333568 Bytes 29-09-2009 23:26:03
ANTIVIR3.VDF : 7.1.6.80 320512 Bytes 06-10-2009 23:26:04
Engineversion : 8.2.1.33
AEVDF.DLL : 8.1.1.2 106867 Bytes 06-10-2009 23:26:18
AESCRIPT.DLL : 8.1.2.35 483707 Bytes 06-10-2009 23:26:17
AESCN.DLL : 8.1.2.5 127346 Bytes 06-10-2009 23:26:16
AERDL.DLL : 8.1.3.2 479604 Bytes 06-10-2009 23:26:16
AEPACK.DLL : 8.2.0.0 422261 Bytes 06-10-2009 23:26:15
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 23-07-2009 09:59:39
AEHEUR.DLL : 8.1.0.166 2003319 Bytes 06-10-2009 23:26:14
AEHELP.DLL : 8.1.7.0 237940 Bytes 06-10-2009 23:26:09
AEGEN.DLL : 8.1.1.67 364916 Bytes 06-10-2009 23:26:07
AEEMU.DLL : 8.1.1.0 393587 Bytes 06-10-2009 23:26:05
AECORE.DLL : 8.1.8.1 184693 Bytes 06-10-2009 23:26:04
AEBB.DLL : 8.1.0.3 53618 Bytes 09-10-2008 14:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12-12-2008 08:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 05-12-2008 10:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 20-01-2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 05-12-2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 24-03-2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30-01-2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28-01-2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02-02-2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 05-12-2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15-05-2009 15:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 17-04-2009 10:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\programas\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: quarta-feira, 7 de Outubro de 2009 00:27

Starting search for hidden objects.
'45602' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'TeamSpeak.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'steam.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'op_mon.exe' - '0' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'Belkinwcui.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'soundman.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'acs.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
37 processes with 37 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '59' files ).


Starting the file scan:

Begin scan in 'C:\' <Programas>
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\System Volume Information\_restore{58EAD091-649D-4FD8-B4AB-861855863432}\RP191\A0049999.dll
[DETECTION] Contains recognition pattern of the SPR/Dldr.PopCap.B program
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <Jogos>
D:\Jogos\PES2009\pes2009.exe
[DETECTION] Is the TR/Patched.Gen Trojan

Beginning disinfection:
C:\System Volume Information\_restore{58EAD091-649D-4FD8-B4AB-861855863432}\RP191\A0049999.dll
[DETECTION] Contains recognition pattern of the SPR/Dldr.PopCap.B program
[NOTE] The file was moved to '4afbdd27.qua'!
D:\Jogos\PES2009\pes2009.exe
[DETECTION] Is the TR/Patched.Gen Trojan
[NOTE] The file was moved to '4b3edd5c.qua'!


End of the scan: quarta-feira, 7 de Outubro de 2009 01:12
Used time: 40:20 Minute(s)

The scan has been done completely.

5746 Scanned directories
281352 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
281348 Files not concerned
2578 Archives were scanned
2 Warnings
3 Notes
45602 Objects were scanned with rootkit scan
0 Hidden objects were found


CK Scanner

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\administrador\os meus documentos\os meus ficheiros recebidos\garena.crack.2.4.0.1239(1)(1).rar
c:\programas\garena\garena.crack.2.4.0.1239\garena.exe
c:\programas\garena\plugins\ui\avoidcrackplugin.dll
scanner sequence 3.CP.11
----- EOF -----
GeoForce
Active Member
 
Posts: 13
Joined: September 21st, 2009, 8:02 pm
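
The Avira report above names each scanned object on a line of its own and then lists bracketed status lines for it, with the same paths repeated under "Beginning disinfection:" once an action has been taken. As an added example, not part of this thread and not an Avira tool, here is a small Python parser that turns that layout into structured findings, using a constructed excerpt modelled on the report above. The three line patterns it matches (a drive-letter path, the two "[DETECTION]" phrasings, and the "[NOTE] The file was moved to" quarantine line) are the ones visible in this report; it assumes the rest of the file follows the same format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt, modelled on the Avira report format shown in the thread.
SAMPLE_REPORT = r"""
Starting the file scan:

Begin scan in 'C:\' <Programas>
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
C:\System Volume Information\_restore{58EAD091-649D-4FD8-B4AB-861855863432}\RP191\A0049999.dll
[DETECTION] Contains recognition pattern of the SPR/Dldr.PopCap.B program
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <Jogos>
D:\Jogos\PES2009\pes2009.exe
[DETECTION] Is the TR/Patched.Gen Trojan

Beginning disinfection:
C:\System Volume Information\_restore{58EAD091-649D-4FD8-B4AB-861855863432}\RP191\A0049999.dll
[DETECTION] Contains recognition pattern of the SPR/Dldr.PopCap.B program
[NOTE] The file was moved to '4afbdd27.qua'!
D:\Jogos\PES2009\pes2009.exe
[DETECTION] Is the TR/Patched.Gen Trojan
[NOTE] The file was moved to '4b3edd5c.qua'!
"""

# A bare drive-letter path line introduces the object the following status lines refer to.
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Both detection phrasings seen in the report: "...pattern of the X program" and "Is the X Trojan".
DETECTION_RE = re.compile(r"^\[DETECTION\] (?:Contains recognition pattern of the|Is the) (\S+)")
QUARANTINE_RE = re.compile(r"^\[NOTE\] The file was moved to '([^']+)'!")
UNOPENABLE = "[WARNING] The file could not be opened!"


@dataclass
class Finding:
    path: str
    signature: str
    quarantined_as: Optional[str] = None   # filled in from the disinfection section


def parse_avira_report(text: str) -> Tuple[Dict[str, Finding], List[str]]:
    """Return (findings keyed by path, paths the scanner could not open)."""
    findings: Dict[str, Finding] = {}
    unscannable: List[str] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line          # status lines that follow belong to this path
            continue
        if current is None:
            continue
        m = DETECTION_RE.match(line)
        if m:
            # The same path appears again under "Beginning disinfection:"; keep one record.
            findings.setdefault(current, Finding(current, m.group(1)))
            continue
        m = QUARANTINE_RE.match(line)
        if m and current in findings:
            findings[current].quarantined_as = m.group(1)
            continue
        if line == UNOPENABLE and current not in unscannable:
            unscannable.append(current)
    return findings, unscannable


def unresolved(findings: Dict[str, Finding]) -> List[str]:
    """Detections that were never quarantined still need manual follow-up."""
    return [p for p, f in findings.items() if f.quarantined_as is None]


if __name__ == "__main__":
    found, skipped = parse_avira_report(SAMPLE_REPORT)
    for f in found.values():
        print(f"{f.signature:24} {f.quarantined_as or 'NOT QUARANTINED':18} {f.path}")
    print("could not be opened:", skipped)
    print("still unresolved:", unresolved(found))
```

Running it on the excerpt gives two findings, both quarantined, and two files that could not be opened (pagefile.sys and sptd.sys); the unresolved list is what a helper would look at first when a report has more hits than actions.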

Re: Multiple processes of iexplorer.exe and svchost.exe

Unread postby deltalima » October 7th, 2009, 1:17 pm

Hi GeoForce,

Create a batch file
  1. Open Notepad.
  2. Copy/paste the following text into the empty Notepad window.
    @echo off
    rem Paths containing spaces must be quoted, otherwise Del treats each word as a separate file name
    Del "c:\documents and settings\administrador\os meus documentos\os meus ficheiros recebidos\garena.crack.2.4.0.1239(1)(1).rar" >> results.txt 2>&1
    Rd /s /q "c:\programas\garena" >> results.txt 2>&1
    start notepad results.txt
  3. Save the file as xxx.bat on your desktop. Save it with the file type... all types *.*.
  4. Double click the file xxx.bat to execute.

results.txt should open in Notepad automatically when the script has completed; post the contents of this file in your next response.

Please now create a LIST OF PROGRAMS USING HIJACKTHIS as described in my first post and post that list along with a new HijackThis log and the contents of results.txt.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
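
A batch file like the one above only reports what cmd happens to print, and an unquoted path with spaces is split into several arguments, which is the usual cause of a "could not find the specified path" result. As an added example, not deltalima's script and not a tool from this forum, the following Python function does the same kind of cleanup with an explicit result line per target, so a missing file is reported as NOT FOUND and a locked or protected file as FAILED with the OS error. The targets and the sandbox it builds under a temporary folder are constructed for the demo; nothing passes through a shell, so paths with spaces or parentheses need no quoting.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Union


def remove_paths(targets: Iterable[Union[str, Path]], log_path: Union[str, Path]) -> List[str]:
    """Delete each target (a file or a whole directory tree) and append one
    result line per target to log_path. Returns the result lines."""
    results: List[str] = []
    for target in targets:
        p = Path(target)
        try:
            if p.is_dir():
                shutil.rmtree(p)
                results.append(f"REMOVED DIR  {p}")
            elif p.is_file():
                p.unlink()
                results.append(f"REMOVED FILE {p}")
            else:
                # The batch file's "could not find the specified path" case, made explicit.
                results.append(f"NOT FOUND    {p}")
        except OSError as exc:          # locked file, permission denied, etc.
            results.append(f"FAILED       {p}: {exc}")
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write("\n".join(results) + "\n")
    return results


def demo() -> Dict[str, object]:
    """Constructed sandbox under a temp dir mirroring the two cleanup targets
    (paths with spaces and parentheses) plus one path that does not exist."""
    root = Path(tempfile.mkdtemp())
    rar = (root / "documents and settings" / "administrador" / "os meus documentos"
           / "os meus ficheiros recebidos" / "garena.crack.2.4.0.1239(1)(1).rar")
    rar.parent.mkdir(parents=True)
    rar.write_bytes(b"constructed sample")
    garena = root / "programas" / "garena"
    (garena / "plugins" / "ui").mkdir(parents=True)
    (garena / "plugins" / "ui" / "avoidcrackplugin.dll").write_bytes(b"constructed sample")
    log_file = root / "results.txt"
    results = remove_paths([rar, garena, root / "programas" / "missing.dll"], log_file)
    out = {
        "results": results,
        "log": log_file.read_text(encoding="utf-8"),
        "rar_left": rar.exists(),
        "garena_left": garena.exists(),
    }
    shutil.rmtree(root)                 # clean up the sandbox itself
    return out


if __name__ == "__main__":
    for line in demo()["results"]:
        print(line)
```

The returned lines are the same ones written to results.txt, so the log a user posts back states, for every target, whether it was removed, absent, or blocked.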

Re: Multiple processes of iexplorer.exe and svchost.exe

Unread postby GeoForce » October 7th, 2009, 7:41 pm

results.txt

O sistema não conseguiu localizar o caminho especificado. --> "System couldn't find the specified path"

HijackThis programs:

Actualização Crítica para o Windows Media Player 11 (KB959772)
Actualização de Segurança para o Windows Media Player (KB952069)
Actualização de Segurança para o Windows Media Player (KB968816)
Actualização de Segurança para o Windows Media Player (KB973540)
Actualização de Segurança para o Windows Media Player 11 (KB936782)
Actualização de Segurança para o Windows Media Player 11 (KB954154)
Actualização de segurança para Windows Internet Explorer 7 (KB938127)
Actualização de segurança para Windows Internet Explorer 7 (KB944533)
Actualização de segurança para Windows Internet Explorer 7 (KB950759)
Actualização de segurança para Windows Internet Explorer 7 (KB953838)
Actualização de segurança para Windows Internet Explorer 7 (KB956390)
Actualização de segurança para Windows Internet Explorer 7 (KB958215)
Actualização de segurança para Windows Internet Explorer 7 (KB960714)
Actualização de segurança para Windows Internet Explorer 7 (KB961260)
Actualização de segurança para Windows Internet Explorer 7 (KB963027)
Actualização de segurança para Windows Internet Explorer 7 (KB969897)
Actualização de segurança para Windows Internet Explorer 8 (KB969897)
Actualização de segurança para Windows Internet Explorer 8 (KB971961)
Actualização de segurança para Windows Internet Explorer 8 (KB972260)
Actualização de segurança para Windows XP (KB923561)
Actualização de segurança para Windows XP (KB923789)
Actualização de segurança para Windows XP (KB938464)
Actualização de Segurança para Windows XP (KB941569)
Actualização de segurança para Windows XP (KB946648)
Actualização de segurança para Windows XP (KB950759)
Actualização de segurança para Windows XP (KB950760)
Actualização de segurança para Windows XP (KB950762)
Actualização de segurança para Windows XP (KB950974)
Actualização de segurança para Windows XP (KB951066)
Actualização de segurança para Windows XP (KB951376)
Actualização de segurança para Windows XP (KB951376-v2)
Actualização de segurança para Windows XP (KB951698)
Actualização de segurança para Windows XP (KB951748)
Actualização de segurança para Windows XP (KB952004)
Actualização de segurança para Windows XP (KB952954)
Actualização de segurança para Windows XP (KB953839)
Actualização de segurança para Windows XP (KB954211)
Actualização de segurança para Windows XP (KB954459)
Actualização de segurança para Windows XP (KB954600)
Actualização de segurança para Windows XP (KB955069)
Actualização de segurança para Windows XP (KB956391)
Actualização de segurança para Windows XP (KB956572)
Actualização de segurança para Windows XP (KB956744)
Actualização de segurança para Windows XP (KB956802)
Actualização de segurança para Windows XP (KB956803)
Actualização de segurança para Windows XP (KB956841)
Actualização de segurança para Windows XP (KB956844)
Actualização de segurança para Windows XP (KB957095)
Actualização de segurança para Windows XP (KB957097)
Actualização de segurança para Windows XP (KB958644)
Actualização de segurança para Windows XP (KB958687)
Actualização de segurança para Windows XP (KB958690)
Actualização de segurança para Windows XP (KB959426)
Actualização de segurança para Windows XP (KB960225)
Actualização de segurança para Windows XP (KB960715)
Actualização de segurança para Windows XP (KB960803)
Actualização de segurança para Windows XP (KB960859)
Actualização de segurança para Windows XP (KB961371)
Actualização de segurança para Windows XP (KB961373)
Actualização de segurança para Windows XP (KB961501)
Actualização de segurança para Windows XP (KB968537)
Actualização de segurança para Windows XP (KB969898)
Actualização de segurança para Windows XP (KB970238)
Actualização de segurança para Windows XP (KB971557)
Actualização de segurança para Windows XP (KB971633)
Actualização de segurança para Windows XP (KB971657)
Actualização de segurança para Windows XP (KB973346)
Actualização de segurança para Windows XP (KB973354)
Actualização de segurança para Windows XP (KB973507)
Actualização de segurança para Windows XP (KB973869)
Actualização para Windows Internet Explorer 8 (KB971180)
Actualização para Windows XP (KB942763)
Actualização para Windows XP (KB951072-v2)
Actualização para Windows XP (KB951978)
Actualização para Windows XP (KB955839)
Actualização para Windows XP (KB967715)
Actualização para Windows XP (KB968389)
Actualização para Windows XP (KB973815)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop CS
Adobe Shockwave Player 11
Avira AntiVir Personal - Free Antivirus
Belkin Wireless G Plus MIMO USB Network Adapter
CCleaner (remove only)
Combined Community Codec Pack 2008-09-21 16:18
Compatibility Pack for the 2007 Office system
Correcção para o Windows Media Player 11 (KB939683)
Counter-Strike: Source
Foxit Reader
Garena
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix para Windows Internet Explorer 7 (KB947864)
Hotfix para Windows XP (KB952287)
Hotfix para Windows XP (KB961118)
Hotfix para Windows XP (KB970653-v3)
Java(TM) 6 Update 15
K-Lite Codec Pack 3.2.5 Standard
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - PTG
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - PTG
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 Language Pack - ptg
Microsoft .NET Framework 3.5 Language Pack - PTG
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.14)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Need for Speed™ SHIFT
Nero Suite
NVIDIA Drivers
NVIDIA PhysX
OpenAL
Outpost Firewall 2009
PC Connectivity Solution
PowerArchiver 2006 v9.62
Pro Evolution Soccer 2009
Realtek AC'97 Audio
RivaTuner v2.09
Samsung Master
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Silkroad
SpywareBlaster 4.2
Steam
TeamSpeak 2 RC2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Warcraft III 1.22 Patch
Windows Imaging Component
Windows Internet Explorer 8
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Language Pack 1.0
XP Codec Pack
XviD MPEG-4 Video Codec
GeoForce
Active Member
 
Posts: 13
Joined: September 21st, 2009, 8:02 pm