Old 10-17-2009, 04:44 PM   #1 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 2
OS: Vista 64bit


b.exe and msb.exe problems

These two malware programs keep showing up in my Task Manager. New to Vista so I am at a bit of a loss in what to do. ark.txt and attach.txt are attached.

Thank you for any help that you can render.

Joseph Paul

Here is the DDS scan:

DDS (Ver_09-10-13.01) - NTFSx86
Run by Joseph Paul at 1741.16 on Sat 10/17/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1316 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LSI SoftModem\agr64svc.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\SysWOW64\ctfmon.exe
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Internet Explorer\ieuser.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\taskeng.exe
C:\Windows\msb.exe
C:\Users\JOSEPH~1\AppData\Local\Temp\b.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Joseph Paul\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=92&bd=Presario&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=92&bd=Presario&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=92&bd=Presario&pf=cndt
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files (x86)\norton internet security\engine\16.7.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files (x86)\norton internet security\engine\16.7.2.11\IPSBHO.DLL
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files (x86)\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files (x86)\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files (x86)\norton internet security\engine\16.7.2.11\coIEPlg.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] c:\program files (x86)\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [PopRock] c:\users\joseph~1\appdata\local\temp\b.exe
uRun: [WMPNSCFG] c:\program files (x86)\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\hp odometer\hpsysdrv.exe
mRun: [HP Health Check Scheduler] c:\program files (x86)\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [UpdateP2GoShortCut] "c:\program files (x86)\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files (x86)\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdateLBPShortCut] "c:\program files (x86)\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files (x86)\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePDIRShortCut] "c:\program files (x86)\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files (x86)\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdatePSTShortCut] "c:\program files (x86)\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files (x86)\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files (x86)\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files (x86)\picturemover\bin\PictureMover.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\flvpla~1\flvpla~2.lnk - c:\program files (x86)\flv player\FLV Player.url
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\flvpla~1\flvpla~1.lnk - c:\program files (x86)\flv player\FLVPlayer.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\flvpla~1\uninst~1.lnk - c:\program files (x86)\flv player\uninst.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files (x86)\norton internet security\engine\16.7.2.11\CoIEPlg.dll

============= SERVICES / DRIVERS ===============

R0 nvstor64;nvstor64;c:\windows\system32\drivers\nvstor64.sys --> c:\windows\system32\drivers\nvstor64.sys [?]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nisx64\1007020.00b\symefa64.sys --> c:\windows\system32\drivers\nisx64\1007020.00b\SYMEFA64.SYS [?]
R1 BHDrvx64;Symantec Heuristics Driver;c:\windows\system32\drivers\nisx64\1007020.00b\bhdrvx64.sys --> c:\windows\system32\drivers\nisx64\1007020.00b\BHDrvx64.sys [?]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nisx64\1007020.00b\cchpx64.sys --> c:\windows\system32\drivers\nisx64\1007020.00b\ccHPx64.sys [?]
R1 IDSVia64;IDSVia64;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090916.003\IDSviA64.sys [2009-10-8 466480]
R2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-10-13 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-12 132656]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nisx64\1007020.00b\symndisv.sys --> c:\windows\system32\drivers\nisx64\1007020.00b\SYMNDISV.SYS [?]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2008-1-20 93696]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
S4 nvrd64;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd64.sys --> c:\windows\system32\drivers\nvrd64.sys [?]

=============== Created Last 30 ================

2009-10-17 14:37 <DIR> --d----- c:\program files (x86)\Trend Micro
2009-10-16 17:29 <DIR> --d----- c:\programdata\Symantec
2009-10-16 17:29 <DIR> --d----- c:\progra~3\Symantec
2009-10-16 01:26 83,456 a------- c:\windows\system32\wudriver.dll
2009-10-16 01:25 162,064 a------- c:\windows\system32\wuwebv.dll
2009-10-16 01:25 31,232 a------- c:\windows\system32\wuapp.exe
2009-10-12 20:00 151,040 a------- c:\windows\msb.exe
2009-10-12 13:22 151,040 a------- c:\windows\msa.exe
2009-10-09 22:50 <DIR> --d----- c:\users\joseph~1\appdata\roaming\SpaceMonger
2009-10-09 18:14 111 a------- c:\windows\REDEMUNINS.INI
2009-10-09 17:59 <DIR> --d----- c:\programdata\Adobe
2009-10-09 17:06 662,288 a------- c:\windows\system32\MSCOMCT2.OCX
2009-10-09 17:06 137,000 a------- c:\windows\system32\MSMAPI32.OCX
2009-10-09 17:06 23,552 a------- c:\windows\system32\MSMPIDE.DLL
2009-10-09 17:06 <DIR> --d----- c:\program files (x86)\PDFCreator
2009-10-09 13:33 <DIR> --d----- c:\users\joseph~1\appdata\roaming\WildTangent
2009-10-09 09:00 <DIR> --d----- c:\programdata\KingsIsle Entertainment
2009-10-09 09:00 <DIR> --d----- c:\progra~3\KingsIsle Entertainment
2009-10-08 14:13 <DIR> --d----- c:\programdata\SBT
2009-10-08 14:13 <DIR> --d----- c:\progra~3\SBT
2009-10-08 14:13 <DIR> --d----- c:\program files (x86)\Snapshot Viewer
2009-10-08 13:56 296,960 a------- c:\windows\winhlp32.exe
2009-10-08 13:56 194,560 a------- c:\windows\system32\ftsrch.dll
2009-10-08 13:56 9,728 a------- c:\windows\system32\ftlx041e.dll
2009-10-08 13:56 9,216 a------- c:\windows\system32\ftlx0411.dll
2009-10-08 10:48 376 a------- c:\windows\ODBC.INI
2009-10-08 00:52 <DIR> --d----- c:\program files (x86)\common files\Symantec Shared
2009-10-07 23:33 <DIR> --d----- c:\users\joseph~1\appdata\roaming\PictureMover
2009-10-07 23:10 <DIR> --d----- c:\users\joseph~1\appdata\roaming\HP TCS
2009-10-07 23:09 1,682 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_KY700AA-ABA SR5807c_YC_0Pres_QMXX915_E92NAv6PrA2_49_IIris8_SECS_V1.0_BV5.36_T081119_WUH1_L409_M2942_J250_7AMD_8Athlon Dual Core 4850e_92.5_#_N10DE03EF_Z11C10630_G10DE03D0.MRK
2009-10-07 23:08 <DIR> --d----- c:\users\Joseph Paul

==================== Find3M ====================

2009-10-16 05:52 143,360 a------- c:\windows\inf\infstrng.dat
2009-10-16 05:52 86,016 a------- c:\windows\inf\infstor.dat
2009-10-16 05:52 51,200 a------- c:\windows\inf\infpub.dat
2009-03-09 18:58 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 23:21 174 a--sh--- c:\program files (x86)\desktop.ini
2006-11-02 11:14 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 11:14 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 11:14 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 11:14 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 06:52 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 06:52 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 06:52 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 06:52 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-03-09 19:01 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 17:07:11.47 ===============
Attached Files
File Type: zip Attach.zip (2.4 KB, 0 views)
File Type: zip ark.zip (5.5 KB, 0 views)
Old 10-22-2009, 10:33 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,897
OS: WinXP and Vista


Re: b.exe and msb.exe problems

Hello Joseph Paul,

If you still require assistance, please run a new scan with dds, post the fresh dds.txt, and we'll get started.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-23-2009, 05:36 AM   #3 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 2
OS: Vista 64bit


Re: b.exe and msb.exe problems

Thanks, but no. A friend suggested getting the Malwarebytes program and that seems to have handled it.
Old 10-23-2009, 08:27 AM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,897
OS: WinXP and Vista


Re: b.exe and msb.exe problems

Thanks for responding, Joseph Paul.

I still think it would be prudent, and highly recommend, posting a new dds.txt and performing an online scan to ensure it has all been removed.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.