Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Constant Hard Drive Activity


Re: Constant Hard Drive Activity

Post by Timmy » January 11th, 2008, 1:59 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:36 PM, on 1/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... B&M=ML3109
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... B&M=ML3109
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... B&M=ML3109
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Users\Vanguard\AppData\Local\Temp\ssqrp.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Vanguard\AppData\Local\Temp\ddccy.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Vanguard\AppData\Local\Temp\ssqrp.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 7642 bytes
Timmy
Regular Member
 
Posts: 26
Joined: December 29th, 2007, 1:09 pm

Re: Constant Hard Drive Activity

Post by Katana » January 11th, 2008, 10:09 am

Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat. Please save it on your desktop.

@echo off
REM Remove leftovers from a previous run
if exist C:\Katanalook*.txt del /q C:\Katanalook*.txt
if exist C:\Katanaresults.txt del /q C:\Katanaresults.txt
REM Export the INI-file mapping and both Run keys (the HJT F3 and O4 lines are read from these)
regedit /e C:\Katanalook.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping"
regedit /e C:\Katanalook1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
regedit /e C:\Katanalook2.txt "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run"
REM List everything under the user's Temp folder, where the flagged files live
cd /d C:\Users\Vanguard\AppData\Local\Temp\
dir /S /D > C:\Katanalook6.txt
REM Combine the exports into one report, open it, then clean up the pieces
type C:\Katanalook*.txt >> C:\Katanaresults.txt
start notepad C:\Katanaresults.txt
del /q C:\Katanalook*.txt
REM Delete this batch file by its own full path (the cd above left the folder it was saved in)
del /q "%~f0"

Right-click on look.bat and run as Administrator

Notepad will open; please copy/paste the contents into your reply.
A copy will be saved at C:\Katanaresults.txt
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Constant Hard Drive Activity

Post by Timmy » January 11th, 2008, 11:26 pm

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini]
"Color Schemes"="#USR:Control Panel\\Color Schemes"
"Current"="#USR:Control Panel\\Current"
"Custom Colors"="#USR:Control Panel\\Custom Colors"
"don't load"="USR:Control Panel\\don't load"
"drivers.desc"="SYS:Microsoft\\Windows NT\\CurrentVersion\\drivers.desc"
"MMCPL"="USR:Control Panel\\MMCPL"
"Patterns"="#USR:Control Panel\\Patterns"
"related.desc"="SYS:Microsoft\\Windows NT\\CurrentVersion\\related.desc"
"Screen Saver.3DText"="USR:Control Panel\\Screen Saver.3DText"
"Userinstallable.drivers"="SYS:Microsoft\\Windows NT\\CurrentVersion\\Userinstallable.drivers"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\KeyboardLayout.ini]
@=""
"Preload"="USR:Keyboard Layout\\Preload"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\KeyboardLayout.ini\Keyboard Layout]
@="\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Keyboard Layout"
"Active"="USR:Keyboard Layout"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\KeyboardLayout.ini\Substitutes]
@="USR:Keyboard Layout\\Substitutes"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\regedt32.ini]
@="USR:Software\\Microsoft\\RegEdt32"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini]
"boot.description"="SYS:Microsoft\\Windows NT\\CurrentVersion\\WOW\\boot.description"
"keyboard"="SYS:Microsoft\\Windows NT\\CurrentVersion\\WOW\\keyboard"
"msacm.drv"="USR:Software\\Microsoft\\Multimedia\\Sound Mapper"
"NonWindowsApp"="SYS:Microsoft\\Windows NT\\CurrentVersion\\WOW\\NonWindowsApp"
"standard"="SYS:Microsoft\\Windows NT\\CurrentVersion\\WOW\\standard"
"Drivers"="SYS:Microsoft\\Windows NT\\CurrentVersion\\Drivers"
"drivers32"="SYS:Microsoft\\Windows NT\\CurrentVersion\\Drivers32"
"MCI"="SYS:Microsoft\\Windows NT\\CurrentVersion\\MCI"
"MCI32"="SYS:Microsoft\\Windows NT\\CurrentVersion\\MCI32"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot]
@="SYS:Microsoft\\Windows NT\\CurrentVersion\\WOW\\boot"
"ScreenSaverActive"="USR:Control Panel\\Desktop"
"ScreenSaverIsSecure"="USR:Control Panel\\Desktop"
"SCRNSAVE.EXE"="USR:Control Panel\\Desktop"
"Shell"="SYS:Microsoft\\Windows NT\\CurrentVersion\\Winlogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini]
"Intl"="#USR:Control Panel\\International"
"Compatibility"="#SYS:Microsoft\\Windows NT\\CurrentVersion\\Compatibility"
"Fonts"="#SYS:Microsoft\\Windows NT\\CurrentVersion\\Fonts"
"FontSubstitutes"="#SYS:Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
"Winlogon"="SYS:Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
"AeDebug"="SYS:Microsoft\\Windows NT\\CurrentVersion\\AeDebug"
"Ports"="SYS:Microsoft\\Windows NT\\CurrentVersion\\Ports"
"PrinterPorts"="USR:Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts"
"Devices"="USR:Software\\Microsoft\\Windows NT\\CurrentVersion\\Devices"
"MODULECOMPATIBILITY"="SYS:MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\MODULECOMPATIBILITY"
"TRUETYPE"="#USR:SOFTWARE\\\\MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\TRUETYPE"
"NWCS"="SYS:MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\NWCS"
"EXTENSIONS"="#USR:SOFTWARE\\\\MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\EXTENSIONS"
"TWAIN"="#USR:SOFTWARE\\\\MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\TWAIN"
"MSCHARMAP"="#USR:SOFTWARE\\\\MICROSOFT\\\\CHARMAP"
"CONSOLE"="USR:CONSOLE"
"CURSORS"="#USR:CONTROL PANEL\\\\CURSORS"
"NET_FILES"="USR:SOFTWARE\\\\MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\NETWORK\\\\PERSISTENT CONNECTIONS"
"EMBEDDING"="!#SYS:MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\EMBEDDING"
"WINDOWS HELP"="USR:SOFTWARE\\\\MICROSOFT\\\\WINDOWS HELP"
"IOPROCS"="#USR:CONTROL PANEL\\\\IOPROCS"
"COLORS"="#USR:CONTROL PANEL\\\\COLORS"
"GRE_INITIALIZE"="SYS:MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\GRE_INITIALIZE"
"DESKTOP"="#USR:CONTROL PANEL\\\\DESKTOP"
"SOUNDS"="#USR:CONTROL PANEL\\\\SOUNDS"
"MCI EXTENSIONS"="SYS:MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\MCI EXTENSIONS"
"CLOCK"="#USR:SOFTWARE\\\\MICROSOFT\\\\CLOCK"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\NETWORK]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows]
"MouseSpeed"="#USR:Control Panel\\Mouse"
"MouseThreshold1"="#USR:Control Panel\\Mouse"
"MouseThreshold2"="#USR:Control Panel\\Mouse"
"SwapMouseButtons"="#USR:Control Panel\\Mouse"
"Beep"="#USR:Control Panel\\Sound"
"CursorBlinkRate"="#USR:Control Panel\\Desktop"
"DoubleClickSpeed"="#USR:Control Panel\\Mouse"
"CoolSwitch"="USR:Control Panel\\Desktop"
"DoubleClickHeight"="#USR:Control Panel\\Mouse"
"DoubleClickWidth"="#USR:Control Panel\\Mouse"
"DragFullWindows"="USR:Control Panel\\Desktop"
"InitialKeyboardIndicators"="USR:Control Panel\\Keyboard"
"KeyboardDelay"="#USR:Control Panel\\Keyboard"
"KeyboardSpeed"="#USR:Control Panel\\Keyboard"
"LowPowerActive"="#USR:Control Panel\\Desktop"
"LowPowerTimeOut"="#USR:Control Panel\\Desktop"
"PowerOffActive"="#USR:Control Panel\\Desktop"
"PowerOffTimeOut"="#USR:Control Panel\\Desktop"
"ScreenSaveActive"="#USR:Control Panel\\Desktop"
"ScreenSaveTimeOut"="#USR:Control Panel\\Desktop"
"SnapToDefaultButton"="#USR:Control Panel\\Mouse"
@="USR:Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"Spooler"="#SYS:Microsoft\\Windows NT\\CurrentVersion\\Windows"
"TRANSMISSIONRETRYTIMEOUT"="#SYS:MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\WINDOWS"
"DEFAULTSEPARATEVDM"="\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\CURRENTCONTROLSET\\\\CONTROL\\\\WOW"
"APPINIT_DLLS"="SYS:MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\WINDOWS"
"DEVICENOTSELECTEDTIMEOUT"="#SYS:MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\WINDOWS"
"SWAPDISK"="SYS:MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\WINDOWS"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,\
00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,\
73,00,20,00,44,00,65,00,66,00,65,00,6e,00,64,00,65,00,72,00,5c,00,4d,00,53,\
00,41,00,53,00,43,00,75,00,69,00,2e,00,65,00,78,00,65,00,20,00,2d,00,68,00,\
69,00,64,00,65,00,00,00
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"MSConfig"="\"C:\\Windows\\system32\\msconfig.exe\" /auto"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
@=""
"StartCCC"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"MSServer"="rundll32.exe C:\\Users\\Vanguard\\AppData\\Local\\Temp\\mlljg.dll,#1"
"cmds"="rundll32.exe C:\\Users\\Vanguard\\AppData\\Local\\Temp\\ssqrp.dll,c"

Volume in drive C has no label.
Volume Serial Number is B4D7-6FBE

Directory of C:\Users\Vanguard\AppData\Local\Temp

[.]
[..]
b4f53fgc.exe
DivXInstaller.exe
dkc915ji.exe
[Low]
mlljg.dll
mod53CD.tmp
modB15F.tmp
sop_ad.jpg
ssqrp.dll
ssqrp.exe
stadistic.log
tmp0002f37e
tmp00030792
tmp0003372e
tmp000344da
tmp00034eae
tmp0004ecfc
tmp00105575
tmp001f3448
tmp0071c9d2
Vanguard.bmp
[WPDNSE]
xpinstall-1.inf
xpinstall-2.inf
xpinstall-3.inf
xpinstall.inf
[{7934b806-13ae-4220-be35-9aa157291720}]
~DF67C3.tmp
~DF98BB.tmp
~DFC62B.tmp

27 File(s) 8,126,734 bytes

Directory of C:\Users\Vanguard\AppData\Local\Temp\Low

[.] [..] mod63D1.tmp
1 File(s) 34 bytes

Directory of C:\Users\Vanguard\AppData\Local\Temp\WPDNSE

[.] [..]
0 File(s) 0 bytes

Directory of C:\Users\Vanguard\AppData\Local\Temp\{7934b806-13ae-4220-be35-9aa157291720}

[.] [..]
0 File(s) 0 bytes

Total Files Listed:
28 File(s) 8,126,768 bytes
11 Dir(s) 42,102,099,968 bytes free
Timmy
Regular Member
 
Posts: 26
Joined: December 29th, 2007, 1:09 pm

Re: Constant Hard Drive Activity

Post by Katana » January 12th, 2008, 11:55 am

For all Tools, Please RIGHT-CLICK and Run As Administrator

Download and Run Registry Search

Download LINK >>> Registry Search <<< LINK to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and Right-click on regsearch.exe
  • In the top window copy/paste the following line
      ssqrp
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please save the text file at your desktop and call it found-entries.
Paste the results in your reply


Please delete your copy of OTMoveIt as it has been updated

OTMoveIt
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please Right-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\*.* /s
    

  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the results of both in your reply.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Constant Hard Drive Activity

Post by Timmy » January 12th, 2008, 1:25 pm

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 1/12/2008 9:06:47 AM for strings:
; 'ssqrp'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cmds"="rundll32.exe C:\\Users\\Vanguard\\AppData\\Local\\Temp\\ssqrp.dll,c"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\Users\\Vanguard\\AppData\\Local\\Temp\\ssqrp.exe"

; End Of The Log...



OTMoveIt Log:
[Manual Searches]
< C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\*.* /s >
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\7q2omfm0.zip moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\b4f53fgc.exe moved successfully.
DllUnregisterServer procedure not found in C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\ddabb.dll
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\ddabb.dll NOT unregistered.
File move failed. C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\ddabb.dll scheduled to be moved on reboot.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\DivXInstaller.exe moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\dkc915ji.exe moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\Low moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\mod53CD.tmp moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\modB15F.tmp moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\prqss.ini moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\prqss.ini2 moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\sop_ad.jpg moved successfully.
DllUnregisterServer procedure not found in C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\ssqrp.dll
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\ssqrp.dll NOT unregistered.
File move failed. C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\ssqrp.dll scheduled to be moved on reboot.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\ssqrp.exe moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\stadistic.log moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\stutv.ini moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\stutv.ini2 moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\tmp0002f37e moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\tmp00030792 moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\tmp00031ffc moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\tmp0003372e moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\tmp000344da moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\tmp00034eae moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\tmp0004ecfc moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\tmp00105575 moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\tmp001f3448 moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\tmp0071c9d2 moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\Vanguard.bmp moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\WPDNSE moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\xpinstall-1.inf moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\xpinstall-2.inf moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\xpinstall-3.inf moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\xpinstall.inf moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\{7934b806-13ae-4220-be35-9aa157291720} moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\~DF67C3.tmp moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\~DF98BB.tmp moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\~DFC62B.tmp moved successfully.

OTMoveIt2 v1.0.6 log created on 01122008_091209



BTW: I looked into the appdata\local\temp directory after the reboot (OTMoveIT), and saw 2 files: prqss.ini and vanguard.bmp

-thanks
Timmy
Regular Member
 
Posts: 26
Joined: December 29th, 2007, 1:09 pm

Re: Constant Hard Drive Activity

Post by Timmy » January 12th, 2008, 1:28 pm

Also: my computer's hard drive is not running all the time now. !!!

I've also noticed when I was trying to use Firefox to click on the links to download the programs you had in your postings that I am getting "filepicker was unexpectedly closed by windows". This does not happen on IE. This is probably a much smaller issue than my hard drive issue.
Timmy
Regular Member
 
Posts: 26
Joined: December 29th, 2007, 1:09 pm

Re: Constant Hard Drive Activity

Post by Katana » January 12th, 2008, 1:54 pm

Please can you post a fresh HJT log
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Constant Hard Drive Activity

Post by Timmy » January 12th, 2008, 5:37 pm

When I log in, I get a couple of dialog boxes:
1) Could not load ssqrp.exe
2) RunDLL dialog box: error loading ddabb.dll, ssqrp.dll

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:56 PM, on 1/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... B&M=ML3109
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... B&M=ML3109
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... B&M=ML3109
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Users\Vanguard\AppData\Local\Temp\ssqrp.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Vanguard\AppData\Local\Temp\ddabb.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Vanguard\AppData\Local\Temp\ssqrp.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 7616 bytes
Timmy
Regular Member
 
Posts: 26
Joined: December 29th, 2007, 1:09 pm
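Added example, not code from the thread, HijackThis or OTMoveIt: a small Python triage helper for the two HJT logs Timmy posted (10 Jan and 12 Jan). It parses the O4 and F2/F3 autostart lines, flags any entry that launches from the user's Temp folder, and diffs the two logs by value name so that the MSServer entry changing from ddccy.dll to ddabb.dll shows up as a changed entry rather than disappearing. The sample lines are copied from the logs above; the function names and the temp-folder heuristic are assumptions.

```python
"""Triage helper for HijackThis autostart lines (added example; not from the thread or HJT)."""
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: the autostart lines quoted in Timmy's 10 Jan log.
LOG_JAN10 = r"""
F3 - REG:win.ini: load=C:\Users\Vanguard\AppData\Local\Temp\ssqrp.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Vanguard\AppData\Local\Temp\ddccy.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Vanguard\AppData\Local\Temp\ssqrp.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""
# In the 12 Jan log the MSServer value points at a freshly dropped DLL with a new random name.
LOG_JAN12 = LOG_JAN10.replace("ddccy.dll", "ddabb.dll")


class Autostart(NamedTuple):
    section: str   # HJT section code: O4, F2 or F3
    location: str  # registry key (O4) or ini file (F2/F3) the value lives in
    name: str      # value name, e.g. MSServer
    command: str   # command line exactly as HJT logged it
    path: str      # first executable/library path found in the command, "" if none


O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
INI_RE = re.compile(r"^F[23] - REG:(?P<ini>[\w.]+): (?P<name>\w+)=(?P<cmd>.*)$")
# A drive letter or %VAR% prefix, then a path ending in a loadable extension.
PATH_RE = re.compile(r'"?((?:[A-Za-z]:|%\w+%)\\[^",]*?\.(?:exe|dll|scr|com|pif|bat|cmd|vbs|js))\b', re.I)

# Assumed heuristic: an autostart whose target sits under one of these deserves a second
# look, because legitimate installers do not leave their persistence in a temp folder.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\", "\\tmp\\")


def _first_path(command: str) -> str:
    m = PATH_RE.search(command)
    return m.group(1) if m else ""


def parse_autostarts(log_text: str) -> List[Autostart]:
    """Extract O4 and F2/F3 entries from an HJT log; other sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            location = m["hive"] + "\\..\\" + m["key"]
            entries.append(Autostart("O4", location, m["name"], m["cmd"], _first_path(m["cmd"])))
            continue
        m = INI_RE.match(line)
        if m:
            entries.append(Autostart(line[:2], m["ini"], m["name"], m["cmd"], _first_path(m["cmd"])))
    return entries


def flag_suspicious(entries: List[Autostart]) -> List[Tuple[Autostart, str]]:
    """Return (entry, reason) for every autostart that launches from a temp directory."""
    findings = []
    for e in entries:
        if any(marker in e.path.lower() for marker in TEMP_MARKERS):
            findings.append((e, "autostart target lives in a temp directory: " + e.path))
    return findings


def diff_autostarts(old_log: str, new_log: str):
    """Compare two logs by (location, name): returns (added, removed, changed).

    A payload that re-drops itself under a new file name keeps the same value
    name, so it shows up under 'changed' instead of vanishing from the report."""
    old = {(e.location, e.name): e.command for e in parse_autostarts(old_log)}
    new = {(e.location, e.name): e.command for e in parse_autostarts(new_log)}
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted((k, old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k])
    return added, removed, changed


if __name__ == "__main__":
    for entry, reason in flag_suspicious(parse_autostarts(LOG_JAN10)):
        print(f"[{entry.section}] {entry.location} [{entry.name}] -> {reason}")
    for key, before, after in diff_autostarts(LOG_JAN10, LOG_JAN12)[2]:
        print(f"changed {key}: {before!r} -> {after!r}")
```

Run against a full log the same way: every O4/F2/F3 line is parsed and the rest of the log is ignored, so the three Temp-folder entries are the only findings on the 10 Jan log.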

Re: Constant Hard Drive Activity

Unread postby Katana » January 12th, 2008, 7:05 pm

Timmy wrote: When I log in, I get a couple of dialog boxes:
1) Could not load ssqrp.exe
2) RunDLL dialog box: error loading ddabb.dll, ssqrp.dll



GOOD!!!!! That means we are getting somewhere :)

Again, right-click and run as admin please.

OTMoveIt
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\*.* /s
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\cmds
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\MSServer
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\\load
    

  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post a fresh HJT along with the OTMI log.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Constant Hard Drive Activity

Unread postby Timmy » January 12th, 2008, 8:59 pm

OTMI Log:

[Manual Searches]
< C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\*.* /s >
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\Low moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\prqss.ini moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\Vanguard.bmp moved successfully.
C:\USERS\VANGUARD\APPDATA\LOCAL\TEMP\WPDNSE moved successfully.
< HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\cmds >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\cmds deleted successfully.
< HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\MSServer >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\MSServer deleted successfully.
< HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\\load >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\\load deleted successfully.

OTMoveIt2 v1.0.6 log created on 01122008_165739
Timmy
Regular Member
 
Posts: 26
Joined: December 29th, 2007, 1:09 pm

Re: Constant Hard Drive Activity

Unread postby Timmy » January 12th, 2008, 9:04 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:16 PM, on 1/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... B&M=ML3109
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... B&M=ML3109
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... B&M=ML3109
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 7323 bytes
Timmy
Regular Member
 
Posts: 26
Joined: December 29th, 2007, 1:09 pm
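Reading a HijackThis log by eye, as the helper does above, means scanning the O-lines for a handful of tells: autorun entries that launch from a Temp folder or load a short random-looking file name (like the ssqrp / ddabb names in this thread), services whose binary carries no company name, and hosts-file lines that send a real site somewhere other than loopback. The script below is an added example, not HijackThis code and not anything the helpers posted; it parses the HJT 2.0 line format for the O1, O4 and O23 sections and applies those heuristics. The heuristics (the "random-looking name" rule, the Temp-folder rule, the "Unknown owner" rule) are my assumptions about what to surface first, and a "review" or "suspicious" tag is a prompt to look closer, not a verdict. The sample log mixes lines copied from the clean log above with three constructed lines that only mimic the kind of Run values OTMoveIt deleted earlier (the thread never shows what those values actually pointed to); the hosts-file address is from the documentation range 192.0.2.0/24.

```python
"""Triage helper for Trend Micro HijackThis 2.0 log lines (added example,
not HijackThis code). Heuristics are assumptions, tuned to the entries in
this thread; treat 'suspicious' as 'look at this first', not as a verdict."""
import re
from dataclasses import dataclass

# Every HJT entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# O4 body:  HKLM\..\Run: [ValueName] command line   (hive may be HKUS\S-1-5-19)
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# O23 body: Service: Display (Short) - Company - Path.  The path itself may contain
# " - " (e.g. "Spybot - Search & Destroy"), so the path is anchored on a drive letter.
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<company>.+?) - (?P<path>[A-Za-z]:\\.*|\\\\.*)$")
# O1 body:  Hosts: <address> <hostname>
O1_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}   # addresses used for blocking, not hijacking
VOWELS = set("aeiou")


@dataclass
class Finding:
    code: str
    severity: str   # "info" | "review" | "suspicious"
    reason: str
    line: str


def looks_random(stem: str) -> bool:
    """Assumed heuristic: 4-6 lowercase letters with at most one vowel,
    matching the ssqrp / ddabb style of names seen in this thread."""
    return bool(re.fullmatch(r"[a-z]{4,6}", stem)) and sum(c in VOWELS for c in stem) <= 1


def file_stems(cmd: str):
    """Yield lowercase basenames (without extension) of every .exe/.dll in a command."""
    for m in re.finditer(r"([^\\\s\"]+)\.(?:exe|dll)\b", cmd, re.IGNORECASE):
        yield m.group(1).lower()


def triage_line(line: str):
    """Classify one HJT line; returns None for lines that are not HJT entries."""
    m = ENTRY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code == "O4":
        o4 = O4_RE.match(body)
        if not o4:
            return Finding(code, "review", "unparsed O4 entry", line)
        cmd = o4.group("cmd")
        if re.search(r"\\temp\\", cmd, re.IGNORECASE):
            return Finding(code, "suspicious", "autorun launches from a Temp folder", line)
        for stem in file_stems(cmd):
            if looks_random(stem):
                return Finding(code, "suspicious", f"random-looking file name {stem!r} in {o4.group('key')}", line)
        return Finding(code, "info", f"autorun [{o4.group('name')}] in {o4.group('hive')}\\..\\{o4.group('key')}", line)
    if code == "O23":
        o23 = O23_RE.match(body)
        if not o23:
            return Finding(code, "review", "unparsed O23 entry", line)
        if o23.group("company").lower() == "unknown owner":
            # HJT prints "Unknown owner" when the binary has no company in its version info.
            return Finding(code, "review", "service binary carries no company name", line)
        return Finding(code, "info", f"service {o23.group('display')} by {o23.group('company')}", line)
    if code == "O1":
        o1 = O1_RE.match(body)
        if o1 and o1.group("host").lower() not in {"localhost", "localhost.localdomain"}:
            if o1.group("ip") in LOOPBACK:
                return Finding(code, "info", f"hosts file blocks {o1.group('host')}", line)
            return Finding(code, "suspicious", f"hosts file redirects {o1.group('host')} to {o1.group('ip')}", line)
        return Finding(code, "info", "hosts entry for localhost", line)
    return Finding(code, "info", "not classified", line)


def triage(log_text: str):
    """Return findings for a whole log, most severe first (stable order otherwise)."""
    order = {"suspicious": 0, "review": 1, "info": 2}
    findings = [f for f in map(triage_line, log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: order[f.severity])


# Constructed sample: lines copied from the clean log in this thread, plus three
# made-up lines (the [cmds] and [MSServer] values and the kaspersky.com hosts entry)
# in the style of what a Vundo-type infection leaves behind.
SAMPLE = r"""
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\ssqrp.dll,a
O4 - HKCU\..\Run: [MSServer] C:\Users\Vanguard\AppData\Local\Temp\ddabb.exe
O1 - Hosts: 192.0.2.10 www.kaspersky.com
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.severity:10} {f.code:4} {f.reason}")
```

Run it and the two constructed Run values and the hosts redirect come out first; the RichVideo service is listed for review only because its binary has no company name, which is exactly why the helpers in this thread leave it alone. Real logs contain many more section types (R0/R1, O2, O9, O16); they fall through to "not classified" here rather than being guessed at.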

Re: Constant Hard Drive Activity

Unread postby Katana » January 12th, 2008, 9:57 pm

Congratulations your logs look clean :D

Let’s see if I can help you keep it that way

First, let's tidy up :D

Open OTMoveIt and click Cleanup.
It will now connect to the internet and get a list of files to delete.
When a box pops up, click YES.

Delete any logs we have produced and empty your recycle bin

Reset System Restore.
Now you should disable System Restore to purge any infected files and then re-enable it.

Turn off System Restore.

Click the Vista/Start icon
Right Click Computer
Click Properties.
Click the System Protection tab.
Uncheck All drives
Click "Turn Off System Restore" at the prompt, then click "Apply".
Restart your computer

Turn ON System Restore

Click the Vista/Start icon
Right Click Computer
Click Properties.
Click the System Protection tab.
Checkmark all drives that were selected previously,
then click "Apply".
Restart your computer

The following is some info to help you stay safe and clean. (Please check that any programs you choose are Vista compatible.)

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.nanoscan.com
http://www.pandasoftware.com/activescan ... ncipal.htm
http://www.kaspersky.com/virusscanner

AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    All of the programs in this list have a free version,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book: it maps the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • AVG Anti-Spyware 7.5 <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner
  • Ad-Aware 2007 Free <<< A good "realtime" or "on demand" scanner

Prevention
    These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one.
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 3.5.1
    • SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers
    Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION: If you delete all your cookies you will lose any auto-login information for sites that you visit, and will need your passwords.

    Both of these can be cleaned manually, but a quicker option is to use a program.
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article: So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware, even Windows) then you are at risk.
Malware changes on a day-to-day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Constant Hard Drive Activity

Unread postby Timmy » January 13th, 2008, 1:14 pm

Everything is OK.

Thanks for all your help
Timmy
Regular Member
 
Posts: 26
Joined: December 29th, 2007, 1:09 pm

Re: Constant Hard Drive Activity

Unread postby Katana » January 13th, 2008, 1:26 pm

I'm glad we got it sorted :)
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Constant Hard Drive Activity

Unread postby Gary R » January 16th, 2008, 5:27 am

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire