mj12 Posted February 24, 2014
I've noticed lately that my laptop is showing multiple instances of explorer.exe in the task manager. I've run MB and MS Essentials, everything is now coming back "clean", but still seeing this issue. Usually CPU usage % for 1 or 2 will hit 25-30%. Here's the content of the HJT log:

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 12:52:42 PM, on 2014-02-24
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16533)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Patrick\Downloads\HijackThis (1).exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: (no name) - {95CFEC51-7780-FC20-7EBA-2921A87886E3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files (x86)\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Microsoft Web Test Recorder 10.0 Helper - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - d:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
O4 - HKLM\..\Run: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
O4 - HKLM\..\Run: [uCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
O4 - HKLM\..\Run: [updateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [updatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [updateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [updatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYAQQBFAEEAWQAtAFQAMwBMAFUARQAtAE4ATAAzAEQAQQAtAEMAQgBVAEsASAAtAEoARgA3AE0AOQA"&"inst=NwA3AC0ANAAzADAAOQAwADUAMgAwADIALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AVAAzAC0ARgBQADkAKwA2AC0AQgBBAFIAOQBHACsAMQAtAFQAQgA5ACsAMgAtAEYATAArADkALQBYAE8AMwA2ACsAMQAtAEYAOQBNADcAQwArADUALQBGADkATQAxADAAQgArADIALQBYAE8AOQArADEALQBGADkATQAyACsAMQAtAEQARABUACsANAAyADIAMgAzAC0AUwBUADkAMABGAEEAUABQACsAMQAtAEQARAA5ADAARgArADEALQBGADkAMABNADEAMgBBAFQAKwAxAC0ARgA5ADAATQAxADIAQQArADEALQBGADkAMABNADEAMgBBAEIAKwAxAC0AVQA5ADUAKwAxAC0ARgA5ADAATQAxADIAQQBUAEIATgArADEA"&"prod=90"&"ver=9.0.894
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [AWZworks] regsvr32.exe C:\Users\Patrick\AppData\Local\AWZworks\fftpigbnhowpkfe.dll
O4 - HKCU\..\RunOnce: [CryptoUpdate] C:\Windows\system32\rundll32.exe "C:\Users\Patrick\AppData\Roaming\Microsoft\Crypto\RSA\cert_v42_0.tpl",Crypt
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files (x86)\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "d:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "d:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing)
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://reviews.cnet.com
O15 - Trusted Zone: http://www.vonage.com
O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E3372C1F-AFE6-4A3B-90F9-83B2E9B42C82} (ADTCKS.KSLauncher) - http://online.appdev.com/inline/ADTCKS.CAB
O18 - Protocol: a5res - (no CLSID) - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: XBasic - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe (file missing)
O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files (x86)\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_1b06afce\STacSV64.exe (file missing)
O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Cisco AnyConnect Secure Mobility Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 17906 bytes
Administrator Tarun Posted February 24, 2014
Please post your Malwarebytes Anti-Malware and SuperAntiSpyware logs. Also, as they may be lengthy, please wrap them in Code tags (the < > button).
mj12 Posted February 24, 2014
Quoting Tarun: Please post your Malwarebytes Anti-Malware and SuperAntiSpyware logs. Also, as they may be lengthy please wrap them in Code tags (the < > button).

I'm running a full scan in MB right now. When it's finished I'll post the contents. Thanks!
Administrator Tarun Posted February 28, 2014
Hi mj12, any luck with those logs?
mj12 Posted February 28, 2014
Quoting Tarun: Hi mj12, any luck with those logs?

Still working on them. My laptop has a button to disable the WiFi and I've noticed that this issue happens only when there's an active connection to the internet. For example, I disable WiFi and kill all the explorer.exe processes except the one for the desktop. I start up the task manager and monitor the processes that are running; at this point there's only one explorer.exe process. When I enable the WiFi, within a couple of minutes the number of explorer.exe processes starts stacking up, eventually eating up 100% of the CPU.

Back to the HJT log... notice this suspicious line:

O4 - HKCU\..\Run: [AWZworks] regsvr32.exe C:\Users\<my user name>\AppData\Local\AWZworks\fftpigbnhowpkfe.dll

A Google search for the name of that dll turned up nothing... quite odd.

And this one:

O4 - HKCU\..\RunOnce: [CryptoUpdate] C:\Windows\system32\rundll32.exe "C:\Users\<my user name>\AppData\Roaming\Microsoft\Crypto\RSA\cert_v42_0.tpl",Crypt

A Google search for the name of that file found nothing as well. I don't know much about crypto or RSA, but putting this sort of thing in a user's %appdata% folder seems suspicious as well.

Hopefully I'll get those logs posted this weekend. Thanks for the follow-up.
Administrator Tarun Posted February 28, 2014
Both of those entries are indeed malicious. If Malwarebytes, SUPERAntiSpyware and other anti-malware software are unable to remove them then we can remove them manually.
mj12 Posted March 1, 2014
Here's the MalwareBytes log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.24.05

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
<user name> :: <user name>-PC [administrator]

2014-02-24 09:03:04 AM
mbam-log-2014-02-24 (09-03-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 323820
Time elapsed: 1 hour(s), 35 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\<user name>\AppData\Local\AWZworks\fftpigbnhowpkfe.dll (VirTool.Vbcrypt) -> Delete on reboot.

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\TBH (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Control Panel\don't load|wscui.cpl (Hijack.SecurityCenter) -> Data: No -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\<user name>\AppData\Local\AWZworks\fftpigbnhowpkfe.dll (VirTool.Vbcrypt) -> Delete on reboot.
C:\Users\<user name>\AppData\Local\Temp\11392585335196.exe (Trojan.Happili) -> Quarantined and deleted successfully.
C:\Users\<user name>\AppData\Local\Temp\cbbvevwq.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.

(end)

The fftpigbnhowpkfe.dll & cert_v42_0.tpl files have been manually removed. I suspect that something else has been infected, causing the virus/malware to reload after numerous restarts. Subsequent runs of MalwareBytes and SUPERAntiSpyware aren't finding anything. The SUPERAntiSpyware log is too large to post, so I've attached the file to this reply. Only ad tracking cookies were found by SUPERAntiSpyware.

Attachment: SUPERAntiSpyware Scan Log - 03-01-2014 - 09-44-38.txt
Administrator Tarun Posted March 3, 2014
It may be worth trying Malwarebytes Anti-Rootkit, to see what it finds and if it removes anything.
mj12 Posted March 5, 2014
Quoting Tarun: It may be worth trying Malwarebytes Anti-Rootkit, to see what it finds and if it removes anything.

It didn't find anything.
Administrator Tarun Posted March 6, 2014
Please post a new HijackThis log. We'll see if anything the scans found was successfully removed.
mj12 Posted March 6, 2014
Quoting Tarun: Please post a new HijackThis log. We'll see if anything the scans found was successfully removed.

I'll get it posted in the next day or two. I've got another laptop to hold me over until then. Thanks!
mj12 Posted March 11, 2014
Quoting Tarun: Please post a new HijackThis log. We'll see if anything the scans found was successfully removed.

Here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:25:24 PM, on 2014-03-11
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16533)
Boot mode: Safe mode with network support

Running processes:
C:\Users\Patrick\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: (no name) - {95CFEC51-7780-FC20-7EBA-2921A87886E3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files (x86)\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Microsoft Web Test Recorder 10.0 Helper - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - d:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
O4 - HKLM\..\Run: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYAQQBFAEEAWQAtAFQAMwBMAFUARQAtAE4ATAAzAEQAQQAtAEMAQgBVAEsASAAtAEoARgA3AE0AOQA"&"inst=NwA3AC0ANAAzADAAOQAwADUAMgAwADIALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AVAAzAC0ARgBQADkAKwA2AC0AQgBBAFIAOQBHACsAMQAtAFQAQgA5ACsAMgAtAEYATAArADkALQBYAE8AMwA2ACsAMQAtAEYAOQBNADcAQwArADUALQBGADkATQAxADAAQgArADIALQBYAE8AOQArADEALQBGADkATQAyACsAMQAtAEQARABUACsANAAyADIAMgAzAC0AUwBUADkAMABGAEEAUABQACsAMQAtAEQARAA5ADAARgArADEALQBGADkAMABNADEAMgBBAFQAKwAxAC0ARgA5ADAATQAxADIAQQArADEALQBGADkAMABNADEAMgBBAEIAKwAxAC0AVQA5ADUAKwAxAC0ARgA5ADAATQAxADIAQQBUAEIATgArADEA"&"prod=90"&"ver=9.0.894
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files (x86)\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "d:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "d:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing)
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://reviews.cnet.com
O15 - Trusted Zone: http://www.vonage.com
O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E3372C1F-AFE6-4A3B-90F9-83B2E9B42C82} (ADTCKS.KSLauncher) - http://online.appdev.com/inline/ADTCKS.CAB
O18 - Protocol: a5res - (no CLSID) - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: XBasic - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe (file missing)
O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service:
@%systemroot%system32psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:Windowssystem32lsass.exe (file missing) O23 - Service: Recovery Service for Windows - Unknown owner - C:Program Files (x86)SMINSTBLService.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:Program Files (x86)CyberLinkShared filesRichVideo.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:Program Files (x86)WinPcaprpcapd.exe O23 - Service: @%systemroot%system32Locator.exe,-2 (RpcLocator) - Unknown owner - C:Windowssystem32locator.exe (file missing) O23 - Service: @%SystemRoot%system32samsrv.dll,-1 (SamSs) - Unknown owner - C:Windowssystem32lsass.exe (file missing) O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:Program Files (x86)SkypeUpdaterUpdater.exe O23 - Service: @%SystemRoot%system32SLsvc.exe,-101 (slsvc) - Unknown owner - C:Windowssystem32SLsvc.exe (file missing) O23 - Service: @%SystemRoot%system32snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:WindowsSystem32snmptrap.exe (file missing) O23 - Service: @%systemroot%system32spoolsv.exe,-1 (Spooler) - Unknown owner - C:WindowsSystem32spoolsv.exe (file missing) O23 - Service: Audio Service (STacSV) - Unknown owner - C:WindowsSystem32DriverStoreFileRepositorystwrt64.inf_1b06afceSTacSV64.exe (file missing) O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:Program Files (x86)Hewlett-PackardMediaTVKernelTVTVCapSvc.exe O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:Program Files (x86)Hewlett-PackardMediaTVKernelTVTVSched.exe O23 - Service: @%SystemRoot%system32ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:Windowssystem32UI0Detect.exe (file missing) O23 - Service: @%SystemRoot%system32vds.exe,-100 (vds) - Unknown owner - C:WindowsSystem32vds.exe (file missing) O23 - Service: Cisco AnyConnect Secure Mobility Agent (vpnagent) - Cisco Systems, Inc. 
- C:Program Files (x86)CiscoCisco AnyConnect Secure Mobility Clientvpnagent.exe O23 - Service: @%systemroot%system32vssvc.exe,-102 (VSS) - Unknown owner - C:Windowssystem32vssvc.exe (file missing) O23 - Service: @%Systemroot%system32wbemwmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:Windowssystem32wbemWmiApSrv.exe (file missing) O23 - Service: @%ProgramFiles%Windows Media Playerwmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:Program Files (x86)Windows Media Playerwmpnetwk.exe (file missing) -- End of file - 16915 bytes
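As an added example (not part of this thread, and not HijackThis's own code), a small Python triage script for the kind of read-through done on the log above: it parses HJT-style entries and separates orphaned leftovers, such as the AVG RunOnce feedback URL and the "(file missing)" services, from entries that merely need a second look. The sample lines are constructed from the log above with backslashes restored, and the verdict labels are this example's own.

```python
import re

# Constructed sample lines modelled on the log posted above (AVG URL abbreviated to "...").
SAMPLE_LOG = r"""
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=...
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "d:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing)
O18 - Protocol: a5res - (no CLSID) - (no file)
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
SYSTEM32_RE = re.compile(r"(?i)\\windows\\system32\\")

# Verdict labels are this example's own; lower number = more actionable.
PRIORITY = {"orphaned-entry": 0, "leftover-uninstall-url": 1,
            "unknown-owner-service": 2, "probable-wow64-artifact": 3}

def classify(section, body, is_64bit):
    """Return a triage verdict for one HijackThis entry body."""
    missing = "(file missing)" in body or "(no file)" in body
    if section == "O4" and "RunOnce" in body and "cmd.exe /c start http" in body:
        return "leftover-uninstall-url"   # one-shot feedback URL an uninstaller left behind
    if missing and is_64bit and SYSTEM32_RE.search(body):
        # 32-bit HijackThis is redirected to SysWOW64, so genuine system files
        # under system32 are commonly reported "missing" on 64-bit Windows.
        return "probable-wow64-artifact"
    if missing:
        return "orphaned-entry"          # points at a file that no longer exists
    if section == "O23" and "Unknown owner" in body:
        return "unknown-owner-service"   # no vendor string: verify the binary
    return "ok"

def triage(log_text, is_64bit=True):
    """Parse HJT-style lines into (section, verdict, entry) tuples."""
    results = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, body = m.groups()
            results.append((section, classify(section, body, is_64bit), body))
    return results

def findings(log_text, is_64bit=True):
    """Only the entries worth a second look, most actionable first."""
    hits = [r for r in triage(log_text, is_64bit) if r[1] != "ok"]
    return sorted(hits, key=lambda r: PRIORITY[r[1]])
```

Run `findings(open("hijackthis.log").read())` against a real log; pass `is_64bit=False` on a 32-bit system so system32 entries are not discounted.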
Administrator Tarun, posted March 12, 2014:
Looking through I don't see anything malicious. If possible, provide a log from Normal Mode also. I'd also recommend switching away from AVG to something like Microsoft Security Essentials or avast.
mj12 (Author), posted March 12, 2014:
> Looking through I don't see anything malicious. If possible, provide a log from Normal Mode also. I'd also recommend switching away from AVG to something like Microsoft Security Essentials or avast.
Will do. I no longer use AVG, but MS Security Essentials as you suggested. What you're seeing are artifacts left over from an AVG installation. Not sure why they didn't get cleaned out when AVG was uninstalled several months ago.
Administrator Tarun, posted March 13, 2014:
If you're using my Anti-Malware Toolkit, there is an AVG Uninstaller option towards the bottom.
mj12 (Author), posted March 18, 2014:
I believe I've got this pesky thing whipped, but still monitoring things before I stick a fork in it and call it "done". This seems to have eliminated it: http://www.kaspersky.com/antivirus-removal-tool?form=1, and it's free.
Administrator Tarun, posted March 19, 2014:
Interesting find and good to hear it seems to be clean. Once you've got a clean bill of health, you may want to read the PC Security guide.
Administrator Tarun, posted April 7, 2014:
The issue this thread has been opened for has been resolved. If you need continued support, please start a new thread and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here: PC Cleanup. It is recommended that you review our PC Security wiki page to help secure your computer and protect it.