#1
c.exe, d.exe, msa.exe all at once...
Seems we have a nasty little infection on my XP Home desktop.
AVG caught it when it installed, and Spybot denied it registry changes requested in the name of Cognac, but clearly some parts got through. It turned off Windows firewall when it arrived (back on now), it fires up IE (I use Firefox, never IE) and so I disconnected it from the web, but every time I boot it delivers that work offline/re-connect message window, and every time I dismiss it I go to task manager and IE is running unprompted. I did a bit of googling, and I have stopped and deleted c.exe, d.exe and msa.exe. What I have now is a PC that still asks to be connected to the net, and will not allow me to start Spybot (nothing happens at all) and which won't let AVG complete a scan because it just freezes solid after about 5 minutes. I'd rather not have to re-install XP, and I don't really want to wait for Windows 7, so any help/advice etc would make my life a lot happier.
#2
Welcome to CTH dealtime,
Let's take a look and see what all is there. To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download RSIT (random's system information tool) from here to your desktop, then click on the RSIT.exe to start the scan. If necessary allow it to locate or download a copy of HijackThis as needed. Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt. RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt). You can break logs into parts and use separate posts here when replying and posting the log files, if needed.

--------------

Also click here and download the installer for Gmer to your desktop, then click that file to run Gmer. If on its opening scan Gmer locates items shown in red or indicates "hidden" or "rootkit", stop there, and click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please. We don't want any crashes just from taking an initial look at things.

If not, then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.
#3
thanks, and next step
Jingan thanks for coming to the rescue, and your help so far.
Here are the logs - first rsit, part 1, part 2 follows, gmer in the next post

Logfile of random's system information tool 1.06 (written by random/random)
Run by Rich at 2009-07-29 20:49:38
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 27 GB (35%) free of 76 GB
Total RAM: 1006 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:50:04, on 29/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
H:\RSIT.exe
C:\Program Files\trend micro\Rich.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\ZIPSCA~1\zs_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1178999939046
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://blondelucy38.spaces.live.com/...d/MsnPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7547 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
C:\WINDOWS\tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-07-18 1111320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-25 668656]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"nwiz"=nwiz.exe /install []
"Media Codec Update Service"=C:\Program Files\Essentials Codec Pack\update.exe -silent []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-02-18 13680640]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-02-18 86016]
"QuickTime Task"=C:\Program Files\QuickTime Alternative\QTTask.exe [2009-01-05 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-03-12 342312]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe []
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-06-12 1948440]
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe [2003-05-14 188416]
"BlackBerryAutoUpdate"=C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [2009-07-01 623960]
""= []
"RoxWatchTray"=C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2009-04-11 236016]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-07-20 198160]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2008-10-24 206112]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2009-02-07 342848]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-03-12 342312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2009-04-11 236016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
C:\PROGRA~1\FINEPI~1\QuickDCF.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2
"Bonjour Service"=2

C:\Documents and Settings\Rich\Start Menu\Programs\Startup
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-05-04 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:firefox.exe"
"C:\Program Files\PMAIL\Programs\winpm-32.exe"="C:\Program Files\PMAIL\Programs\winpm-32.exe:*:Enabled:winpm-32.exe"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:YahooMessenger.exe"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Morpheus\Morpheus.exe"="C:\Program Files\Morpheus\Morpheus.exe:*:Enabled:Morpheus"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe"="C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe:*:Disabled:Anapod Xtreamer"
"C:\Program Files\DAP\DAP.exe"="C:\Program Files\DAP\DAP.exe:*:Disabled:Download Accelerator Plus (DAP)"
"C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe"="C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe:*:Disabled:Nokia Service Layer Host Process "
"C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe"="C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe:*:Disabled:Nokia Software Updater"
"C:\Program Files\Qnext\qnext.exe"="C:\Program Files\Qnext\qnext.exe:*:Disabled:qnext.exe"
"C:\Program Files\Qnext\qnextclient.exe"="C:\Program Files\Qnext\qnextclient.exe:*:Disabled:qnextclient "
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Program Files\Kontiki\KService.exe"="C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"="C:\Program Files\Mozilla Thunderbird\thunderbird.exe:*:Enabled:Mozilla Thunderbird"
#4
rsit log /2
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 1 months======

2009-07-29 20:45:26 ----D---- C:\WINDOWS\LastGood
2009-07-29 20:43:06 ----D---- C:\rsit
2009-07-29 20:43:06 ----D---- C:\Program Files\trend micro
2009-07-28 20:54:57 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-22 10:11:33 ----D---- C:\WINDOWS\Minidump
2009-07-18 05:45:13 ----D---- C:\Program Files\Common Files\Sonic Shared
2009-07-18 05:45:12 ----D---- C:\Program Files\Roxio
2009-07-17 05:50:48 ----D---- C:\univers
2009-07-16 03:03:48 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-16 03:03:30 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-16 03:00:54 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-02 17:31:06 ----D---- C:\Documents and Settings\Rich\Application Data\Yahoo!
2009-07-02 17:31:06 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

======List of files/folders modified in the last 1 months======

2009-07-29 20:49:57 ----D---- C:\Program Files\Mozilla Firefox
2009-07-29 20:46:40 ----D---- C:\WINDOWS\system32
2009-07-29 20:46:40 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-29 20:45:46 ----HD---- C:\WINDOWS\inf
2009-07-29 20:45:28 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-29 20:45:26 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-29 20:45:26 ----D---- C:\WINDOWS
2009-07-29 20:44:59 ----D---- C:\WINDOWS\Temp
2009-07-29 20:43:06 ----RD---- C:\Program Files
2009-07-29 20:42:04 ----D---- C:\Documents and Settings\Rich\Application Data\OpenOffice.org2
2009-07-29 20:41:55 ----SD---- C:\WINDOWS\Tasks
2009-07-29 20:41:40 ----D---- C:\Program Files\DNA
2009-07-29 20:41:40 ----D---- C:\Documents and Settings\Rich\Application Data\DNA
2009-07-27 18:24:11 ----D---- C:\WINDOWS\Prefetch
2009-07-27 18:01:57 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-07-22 10:35:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-22 10:22:38 ----HD---- C:\$AVG8.VAULT$
2009-07-22 09:58:58 ----D---- C:\WINDOWS\system32\drivers
2009-07-22 09:20:52 ----A---- C:\WINDOWS\CANOPUS.INI
2009-07-21 17:41:12 ----D---- C:\Program Files\Mozilla Thunderbird
2009-07-20 17:55:21 ----D---- C:\Program Files\Common Files\xing shared
2009-07-20 17:55:13 ----D---- C:\Program Files\Common Files\Real
2009-07-20 17:55:11 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2009-07-20 17:54:57 ----A---- C:\WINDOWS\system32\pndx5032.dll
2009-07-20 17:54:57 ----A---- C:\WINDOWS\system32\pndx5016.dll
2009-07-20 17:54:54 ----A---- C:\WINDOWS\system32\msvcr71.dll
2009-07-20 17:54:54 ----A---- C:\WINDOWS\system32\msvcp71.dll
2009-07-20 17:54:53 ----A---- C:\WINDOWS\system32\pncrt.dll
2009-07-20 17:37:14 ----D---- C:\Config.Msi
2009-07-18 05:47:37 ----SHD---- C:\WINDOWS\Installer
2009-07-18 05:46:28 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-18 05:46:18 ----D---- C:\Program Files\Common Files\Roxio Shared
2009-07-18 05:46:14 ----RSD---- C:\WINDOWS\Fonts
2009-07-18 05:45:13 ----D---- C:\Program Files\Common Files
2009-07-18 05:45:13 ----D---- C:\Documents and Settings\All Users\Application Data\Roxio
2009-07-18 05:35:48 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-07-18 05:35:07 ----D---- C:\Program Files\Common Files\Research In Motion
2009-07-18 05:34:56 ----D---- C:\WINDOWS\WinSxS
2009-07-16 03:03:45 ----A---- C:\WINDOWS\imsins.BAK
2009-07-16 03:03:35 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-14 07:24:56 ----D---- C:\Documents and Settings\Rich\Application Data\LimeWire
2009-07-07 16:10:56 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-02 17:31:23 ----D---- C:\Program Files\Yahoo!
2009-07-02 17:31:08 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo!
2009-07-02 06:34:58 ----D---- C:\Program Files\Flickr Uploadr
2009-07-02 06:34:23 ----D---- C:\Program Files\Real
2009-07-02 06:34:10 ----D---- C:\Program Files\hjsplit
2009-07-02 06:33:33 ----D---- C:\Program Files\Media Player Classic
2009-07-02 06:32:58 ----D---- C:\Program Files\Total Video Converter
2009-07-02 06:32:45 ----D---- C:\Program Files\TrueCrypt
2009-07-02 06:32:26 ----D---- C:\Program Files\Twins Software

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-07-02 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-06-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-04 108552]
R1 cdrblock;cdrblock; C:\WINDOWS\system32\DRIVERS\cdrblock.sys [2005-06-14 10368]
R1 cdrport;cdrport; C:\WINDOWS\system32\DRIVERS\cdrport.sys [2005-03-11 4608]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 truecrypt;truecrypt; C:\WINDOWS\System32\drivers\truecrypt.sys [2007-05-03 188672]
R2 Hardlock;Hardlock; \??\C:\WINDOWS\system32\drivers\hardlock.sys []
R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 BthEnum;Bluetooth Request Block Driver; C:\WINDOWS\System32\DRIVERS\BthEnum.sys [2008-04-13 17024]
R3 BTHMODEM;Bluetooth Modem Communications Driver; C:\WINDOWS\system32\DRIVERS\bthmodem.sys [2008-04-13 37888]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\DRIVERS\ctsfm2k.sys [2003-09-22 130192]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\System32\DRIVERS\e1e5132.sys [2006-07-19 230400]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-01-15 23848]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HECI;Intel(R) Management Engine Interface; C:\WINDOWS\System32\DRIVERS\HECI.sys [2006-07-29 43392]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver; C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2003-03-31 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-02-18 6308224]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\System32\DRIVERS\ctoss2k.sys [2003-09-22 178672]
R3 P17;Sound Blaster Live! 24-bit; C:\WINDOWS\system32\drivers\P17.sys [2004-06-04 840960]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2004-04-01 10368]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2009-01-09 27136]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2003-03-31 5888]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2008-04-13 48128]
S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2008-04-13 38912]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 FINEPIX_PCC;FinePix Digital Camera 020523; C:\WINDOWS\System32\Drivers\V4CB0115.SYS [2001-11-25 81924]
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2008-04-13 51200]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NAL;Nal Service ; \??\C:\WINDOWS\System32\Drivers\iqvw32.sys []
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 PciCon;PciCon; \??\E:\PciCon.sys []
S3 qxqaoica;qxqaoica; \??\C:\DOCUME~1\Rich\LOCALS~1\Temp\qxqaoica.sys []
S3 RimUsb;BlackBerry Device; C:\WINDOWS\System32\Drivers\RimUsb.sys []
S3 sfng32;Sonic Focus Plugin for Sigmatel HDA; C:\WINDOWS\system32\drivers\sfng32.sys [2005-12-02 41728]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2006-07-27 1171464]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service; C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-05-29 346432]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-06 132424]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-07-02 907032]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-04 298776]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.EXE [1999-12-13 44032]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-02-18 163908]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-06-26 53520]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 YahooAUService;Yahoo! Updater; C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-03-12 656168]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 183280]
S2 Roxio Upnp Server 9;Roxio Upnp Server 9; C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe [2007-12-06 362992]
S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe [2009-04-11 313840]
S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2009-04-11 170480]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 Roxio UPnP Renderer 9;Roxio UPnP Renderer 9; C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe [2007-12-06 88560]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2009-04-11 1108464]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------
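As an added example (my own code, not from this thread and not part of RSIT, HijackThis or GMER), here is a small Python script that parses the driver, BHO and Run-key lines in the format of the logs posted in the two previous posts and flags the entries a helper usually asks about first: a driver loading from a user temp folder or from outside the Windows directory, an entry with no file date/size, or a BHO whose file is gone. The temp-folder markers and the checks are my own heuristics; a flag marks an entry to look at, not a verdict.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the RSIT / HijackThis logs posted above.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-07-02 335752]
R2 Hardlock;Hardlock; \??\C:\WINDOWS\system32\drivers\hardlock.sys []
S3 PciCon;PciCon; \??\E:\PciCon.sys []
S3 qxqaoica;qxqaoica; \??\C:\DOCUME~1\Rich\LOCALS~1\Temp\qxqaoica.sys []
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
"""

# RSIT driver/service line: "<R|S><0-4> name;description; path [date size]"
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<desc>[^;]*); "
    r"(?P<path>.*?) \[(?P<info>[^\]]*)\]$"
)
# HijackThis O2 line: "O2 - BHO: name - {CLSID} - path"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
# HijackThis O4 Run-key line: "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Heuristic markers (my assumption, not an RSIT or HijackThis rule): XP
# per-user temp locations in short (8.3) and long path form.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\temp\\")


@dataclass
class Finding:
    kind: str      # "driver", "bho" or "run"
    subject: str   # service name, BHO name or Run value name
    line: str      # the log line that tripped the check
    reasons: list  # human-readable reasons, in the order they were checked


def normalise_path(path):
    """Strip the \\??\\ object-manager prefix RSIT prints for some drivers."""
    return path[4:] if path.startswith("\\??\\") else path


def flag_driver(m):
    reasons = []
    path = normalise_path(m["path"]).lower()
    if any(marker in path for marker in TEMP_MARKERS):
        reasons.append("driver loaded from a temp directory")
    if not path.startswith("c:\\windows\\"):
        reasons.append("driver outside the Windows directory")
    if not m["info"].strip():
        reasons.append("no file date/size (file missing or unreadable)")
    return reasons


def flag_bho(m):
    # A BHO whose file is gone is an orphaned registration: a cleanup
    # item, not evidence of anything on its own.
    if m["path"].strip() == "(no file)":
        return ["BHO registered but its file is gone (orphaned entry)"]
    return []


def flag_run(m):
    reasons = []
    cmd = m["cmd"].strip().strip('"').lower()
    if any(marker in cmd for marker in TEMP_MARKERS):
        reasons.append("autorun from a temp directory")
    if not m["name"]:
        reasons.append("autorun entry with an empty value name")
    return reasons


MATCHERS = (("driver", DRIVER_RE, flag_driver),
            ("bho", BHO_RE, flag_bho),
            ("run", RUN_RE, flag_run))


def triage(log_text):
    """Return one Finding per driver, BHO or Run line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, regex, check in MATCHERS:
            m = regex.match(line)
            if m is None:
                continue
            reasons = check(m)
            if reasons:
                findings.append(Finding(kind, m["name"], line, reasons))
            break  # a line belongs to exactly one section
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}")
        for reason in f.reasons:
            print("    -", reason)
```

Running it on the full log.txt instead of the sample is a matter of passing the file contents to triage(); the AVG, Java and nwiz lines in the sample are there to show that ordinary entries produce no findings.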
#5
gmer /1
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-29 20:47:04
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code 862A6170 ZwEnumerateKey
Code 86A670C0 ZwFlushInstructionCache
Code 868DDB0E IofCallDriver
Code 862A60E6 IofCompleteRequest
Code 86A674C5 ZwSaveKey
Code 862A61F5 ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 868DDB13
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 862A60EB
.text ntkrnlpa.exe!ZwSaveKey 80500D68 5 Bytes JMP 86A674CA
.text ntkrnlpa.exe!ZwSaveKeyEx 80500D7C 5 Bytes JMP 862A61FA
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 86A670C4
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 862A6174

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[108] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BF000A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[108] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C1000A
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[128] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009E000A
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[128] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A0000A
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[156] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009C000A
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[156] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 009E000A
.text C:\WINDOWS\system32\rundll32.exe[400] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\rundll32.exe[400] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\RUNDLL32.EXE[476] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\RUNDLL32.EXE[476] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C0000A
.text C:\Program Files\iTunes\iTunesHelper.exe[568] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C2000A
.text C:\Program Files\iTunes\iTunesHelper.exe[568] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C3000A
.text C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe[608] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe[608] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C3000A
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[636] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C7000A
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[636] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\NOTEPAD.EXE[692] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\NOTEPAD.EXE[692] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\winlogon.exe[740] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\winlogon.exe[740] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 007F000A
.text C:\WINDOWS\system32\services.exe[784] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 008F000A
.text C:\WINDOWS\system32\services.exe[784] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0091000A
.text C:\WINDOWS\system32\lsass.exe[796] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0096000A
.text C:\WINDOWS\system32\lsass.exe[796] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 009A000A
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[864] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C0000A
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[864] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C1000A
.text C:\Program Files\DNA\btdna.exe[980] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C9000A
.text C:\Program Files\DNA\btdna.exe[980] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00CA000A
.text C:\WINDOWS\system32\rundll32.exe[1136] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\rundll32.exe[1136] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C0000A
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.exe[1312] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00E0000A
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.exe[1312] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00E2000A
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[1448] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C6000A
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[1448] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\spoolsv.exe[1488] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\spoolsv.exe[1488] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C0000A
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN[1600] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 020B000A
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN[1600] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 020C000A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1668] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0096000A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1668] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0098000A
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1680] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0099000A
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1680] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\CTsvcCDA.EXE[1712] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\CTsvcCDA.EXE[1712] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0095000A
.text H:\z15g69pz.exe[1784] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C7000A
.text H:\z15g69pz.exe[1784] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C9000A
.text C:\WINDOWS\Explorer.EXE[1840] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C8000A
.text C:\WINDOWS\Explorer.EXE[1840] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\nvsvc32.exe[1864] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0095000A
.text C:\WINDOWS\system32\nvsvc32.exe[1864] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0097000A
.text C:\WINDOWS\system32\NOTEPAD.EXE[1920] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\NOTEPAD.EXE[1920] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C0000A
.text C:\WINDOWS\System32\MsPMSPSv.exe[2320] ntdll.dll!LdrLoadDll 7C9163C3 3 Bytes JMP 0092000A
.text C:\WINDOWS\System32\MsPMSPSv.exe[2320] ntdll.dll!LdrLoadDll + 4 7C9163C7 1 Byte [84]
.text C:\WINDOWS\System32\MsPMSPSv.exe[2320] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0094000A
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2356] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B5000A
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2356] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B6000A
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2396] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A4000A
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2396] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A6000A
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2444] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009F000A
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2444] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\wuauclt.exe[2772] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0097000A
.text C:\WINDOWS\system32\wuauclt.exe[2772] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2832] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A6000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2832] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AA000A
.text C:\Program Files\iPod\bin\iPodService.exe[3252] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009E000A
.text C:\Program Files\iPod\bin\iPodService.exe[3252] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A0000A
.text C:\WINDOWS\System32\alg.exe[3796] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\alg.exe[3796] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 009B000A
#6
gmer / 2
---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACjxqlpmogrq.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [960] 0x02D50000
GMER 1.0.1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----
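An added example for reading the two GMER posts above; it is not part of this thread and not GMER's own code. Read by hand, a GMER log splits into three questions: which kernel exports carry an inline JMP and where it lands, which user-mode hooks sit in every process versus only some (the same hook in every process is normally one installed product hooking globally, to be reconciled with the installed-software list rather than deleted on sight, while a hook in only a few processes deserves a closer look), and which loaded libraries GMER could not see through normal enumeration. The script below does that grouping over lines excerpted from the log above. The 16 MiB "far jump" threshold, the process-coverage heuristic and the dictionary layout are assumptions of this example, not GMER rules.

```python
"""Triage helper for GMER rootkit-scan output (added example; not GMER code).

Groups what GMER printed the way a helper reads it: inline JMP hooks on kernel
exports, user-mode hooks present in every process versus only some, and
libraries GMER marks hidden.  SAMPLE is excerpted from the log posted above.
"""
import re
from collections import defaultdict

SECTION = re.compile(r"^---- (?P<name>.+?) - GMER")
# ".text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 868DDB13"
KERNEL_HOOK = re.compile(
    r"^(?:\.text|PAGE|INIT)\s+(?P<module>\S+?)!(?P<func>\S+)\s+(?P<addr>[0-9A-F]{8})"
    r"\s+\d+ Bytes?\s+JMP\s+(?P<target>[0-9A-F]{8})")
# ".text C:\path\proc.exe[740] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007D000A"
USER_HOOK = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+?)!(?P<func>\S+)\s+"
    r"[0-9A-F]{8}\s+\d+ Bytes?\s+JMP\s+(?P<target>[0-9A-F]{8})")
# "Library \\?\globalroot\...\X.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [960] 0x..."
HIDDEN_LIB = re.compile(
    r"^Library\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+@\s+(?P<proc>.+?)\s*\[(?P<pid>\d+)\]")
# Assumption of this example, not a GMER rule: a JMP landing more than 16 MiB
# from the hooked export cannot be inside the hooked kernel image.
FAR_JUMP = 0x1000000

# Excerpted from the GMER log posted above (constructed subset, same format).
SAMPLE = r"""
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-29 20:47:04 Windows 5.1.2600 Service Pack 3

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 868DDB13
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 862A60EB
.text ntkrnlpa.exe!ZwSaveKey 80500D68 5 Bytes JMP 86A674CA
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 862A6174

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[740] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\winlogon.exe[740] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 007F000A
.text C:\WINDOWS\system32\services.exe[784] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 008F000A
.text C:\WINDOWS\system32\services.exe[784] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0091000A
.text C:\Program Files\DNA\btdna.exe[980] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C9000A
.text C:\WINDOWS\System32\MsPMSPSv.exe[2320] ntdll.dll!LdrLoadDll 7C9163C3 3 Bytes JMP 0092000A
.text C:\WINDOWS\System32\MsPMSPSv.exe[2320] ntdll.dll!LdrLoadDll + 4 7C9163C7 1 Byte [84]

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACjxqlpmogrq.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [960] 0x02D50000
"""


def parse_gmer(text):
    """Split a GMER log into kernel hooks, user hooks and hidden libraries."""
    out = {"kernel_hooks": [], "user_hooks": [], "hidden": [], "unparsed": 0}
    section = ""
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m["name"].lower()
            continue
        if section.startswith("kernel"):
            m = KERNEL_HOOK.match(line)
            if m:
                addr, target = int(m["addr"], 16), int(m["target"], 16)
                out["kernel_hooks"].append({"func": m["func"], "target": m["target"],
                                            "far_jump": abs(target - addr) > FAR_JUMP})
        elif section.startswith("user") and line.startswith(".text"):
            m = USER_HOOK.match(line)
            if m:
                out["user_hooks"].append({"proc": m["proc"], "pid": int(m["pid"]),
                                          "symbol": f"{m['module']}!{m['func']}"})
            else:
                out["unparsed"] += 1  # e.g. the 1-byte patch that follows a 3-byte JMP
        elif section.startswith("processes"):
            m = HIDDEN_LIB.match(line)
            if m:
                out["hidden"].append({"path": m["path"], "proc": m["proc"], "pid": int(m["pid"])})
    return out


def summarize(findings):
    """Reduce the findings to the questions a reviewer asks first."""
    by_symbol = defaultdict(set)
    for h in findings["user_hooks"]:
        by_symbol[h["symbol"]].add(h["pid"])
    every_pid = {h["pid"] for h in findings["user_hooks"]}
    uniform = sorted(s for s, pids in by_symbol.items() if pids == every_pid)
    return {
        "kernel_hook_functions": [h["func"] for h in findings["kernel_hooks"]],
        "kernel_far_jumps": sum(h["far_jump"] for h in findings["kernel_hooks"]),
        "uniform_user_hooks": uniform,  # same hook in every process: one product, explain it
        "selective_user_hooks": sorted(set(by_symbol) - set(uniform)),  # look closer
        "hidden_libraries": [h["path"] for h in findings["hidden"]],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_gmer(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run against the full log above, the uniform group is the LdrLoadDll/LdrUnloadDll pair present in every listed process, which is the "explain it against the installed software" case; the six ntkrnlpa.exe exports redirected far outside the kernel image and the hidden library loaded inside svchost.exe are what separate this log from a clean one, and they match the UAC*-named files ComboFix removes later in the thread.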
#7
Since having it as a running process is akin to standing at the site of a burning house lighting fireworks, be sure to disable that DNA torrent software. The smartest move, based on the realities of issues like this, is to just uninstall it and let go of such high risk taking softwares. A tough rootkit infection is showing here, so let's start some repairs.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As"). For this, rename the downloading file to 456out.com, then click the renamed 456out.com to run that scan. Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
#8
Torrent
Presume you mean BitTorrent, otherwise I'm baffled?
#9
combofix log
Found DNA btw - no idea what or where it came from, so it's gone, along with BitTorrent, since I can't remember why I had it in the first place. Here's the log...
ComboFix 09-07-29.03 - Rich 30/07/2009 6:54.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.660 [GMT 1:00]
Running from: c:\documents and settings\Rich\Desktop\456out.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\\setup.exe
c:\windows\run.log
c:\windows\system32\Data
c:\windows\system32\drivers\UACetqgxursuo.sys
c:\windows\system32\drivers\vsfocejibojals.sys
c:\windows\system32\net.net
c:\windows\system32\skinboxer43.dll
c:\windows\system32\UACicoivnceow.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjxqlpmogrq.dll
c:\windows\system32\UACkpertkcxgd.dll
c:\windows\system32\UACpvouuajeck.db
c:\windows\system32\UACqjupsdekya.dll
c:\windows\system32\UACqykxgvvsay.dll
c:\windows\system32\UACvptotlajnl.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
.

2009-07-29 19:43 . 2009-07-29 19:50 -------- d-----w- c:\program files\trend micro
2009-07-29 19:43 . 2009-07-29 19:43 -------- d-----w- C:\rsit
2009-07-18 04:45 . 2009-07-18 04:45 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-07-18 04:45 . 2009-07-18 04:46 -------- d-----w- c:\program files\Roxio
2009-07-17 04:50 . 2009-07-17 04:50 -------- d-----w- C:\univers
2009-07-02 16:33 . 2009-07-02 16:33 -------- d-----w- c:\documents and settings\Rich\Local Settings\Application Data\Yahoo
2009-07-02 16:31 . 2009-07-02 16:31 -------- d-----w- c:\docume~1\Rich\APPLIC~1\Yahoo!
2009-07-02 16:31 . 2009-07-02 16:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-30 06:01 . 2007-07-25 07:17 -------- d-----w- c:\docume~1\Rich\APPLIC~1\OpenOffice.org2
2009-07-30 05:30 . 2007-12-23 08:32 -------- d-----w- c:\program files\DNA
2009-07-29 19:51 . 2007-12-09 10:46 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-07-27 17:01 . 2008-06-07 06:17 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-07-21 04:25 . 2007-05-13 06:52 57976 ----a-w- c:\documents and settings\Rich\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-20 16:55 . 2007-07-18 17:11 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-20 16:55 . 2007-07-18 17:10 -------- d-----w- c:\program files\Common Files\Real
2009-07-20 16:54 . 2007-05-12 18:13 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-20 16:54 . 2007-05-12 18:13 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-18 04:46 . 2007-10-10 19:57 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-07-18 04:45 . 2007-10-10 19:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Roxio
2009-07-18 04:35 . 2008-10-21 16:51 -------- d-----w-  c:\program files\Common Files\Research In Motion
2009-07-14 06:24 . 2007-10-23 12:05 -------- d-----w- c:\docume~1\Rich\APPLIC~1\LimeWire
2009-07-06 16:16 . 2007-07-02 17:34 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-05 13:32 . 2007-10-10 20:02 256 ----a-w- c:\windows\system32\pool.bin
2009-07-02 16:31 . 2007-05-12 18:14 -------- d-----w- c:\program files\Yahoo!
2009-07-02 16:31 . 2007-05-13 08:01 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Yahoo!
2009-07-02 05:34 . 2008-12-02 19:06 -------- d-----w- c:\program files\Flickr Uploadr
2009-07-02 05:34 . 2007-07-18 17:10 -------- d-----w- c:\program files\Real
2009-07-02 05:34 . 2008-07-10 07:16 -------- d-----w- c:\program files\hjsplit
2009-07-02 05:33 . 2008-12-02 19:16 -------- d-----w- c:\program files\Media Player Classic
2009-07-02 05:32 . 2007-10-13 11:52 -------- d-----w- c:\program files\Total Video Converter
2009-07-02 05:32 . 2007-12-06 19:42 -------- d-----w- c:\program files\TrueCrypt
2009-07-02 05:32 . 2008-10-29 17:45 -------- d-----w- c:\program files\Twins Software
2009-07-02 01:15 . 2009-04-06 16:51 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 16:50 . 2006-06-23 10:33 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-18 02:53 . 2008-04-11 09:32 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-17 16:56 . 2009-06-17 16:56 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Panasonic
2009-06-17 16:53 . 2009-06-17 16:53 -------- d-----w- c:\program files\Common Files\CNC
2009-06-17 16:52 . 2009-06-17 16:52 -------- d-----w- c:\program files\Common Files\Panasonic
2009-06-17 16:52 . 2009-06-17 16:52 -------- d-----w- c:\program files\Panasonic
2009-06-17 16:52 . 2007-05-12 19:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2005-08-30 08:14 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 05:23 . 2009-04-06 16:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-04 05:23 . 2009-04-06 16:51 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2008-09-05 19:43 . 2008-09-05 19:43 860391 ----a-w- c:\program files\7z457.exe
2008-04-28 17:20 . 2007-08-01 06:39 7168 --sha-w- c:\program files\Thumbs.db
2008-01-08 04:06 . 2008-01-08 04:06 7168 --sha-w- c:\program files\Common Files\Thumbs.db
2009-07-22 07:11 . 2008-06-22 17:17 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-05-14 188416]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-01 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-20 198160]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

c:\documents and settings\Rich\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-04 05:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" /STARTUP
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" -atboottime
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"SigmatelSysTrayApp"=sttray.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdReg"=c:\windows\UpdReg.EXE
"WinampAgent"="c:\program files\Winamp\winampa.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"REGSHAVE"=c:\program files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" BOOT

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [06/04/2009 17:51 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [06/04/2009 17:51 108552]
R1 cdrblock;cdrblock;c:\windows\system32\drivers\cdrblock.sys [12/06/2007 20:09 10368]
R1 cdrport;cdrport;c:\windows\system32\drivers\cdrport.sys [12/06/2007 20:09 4608]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [06/04/2009 17:50 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [06/04/2009 17:50 298776]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/01/2008 11:06 21632]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [29/05/2005 18:00 346432]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Media Codec Update Service - c:\program files\Essentials Codec Pack\update.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: Open with &ZipScan - c:\progra~1\ZIPSCA~1\zs_ie.htm
FF - ProfilePath - c:\docume~1\Rich\APPLIC~1\Mozilla\Firefox\Profiles\hcn90o0a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-30 07:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1756)
c:\windows\system32\nview.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\OpenOffice.org 2.2\program\soffice.exe
c:\program files\OpenOffice.org 2.2\program\soffice.bin
c:\windows\system32\MsPMSPSv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-30 7:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-30 06:06

Pre-Run: 27,710,484,480 bytes free
Post-Run: 28,218,667,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

219 --- E O F --- 2009-07-30 05:29
#10
Looks like you just disabled that DNA startup, and not uninstalled DNA. And disabled quite a few others, which will now mask log verification of orphaned entries. Using SpyBot or whatever you just disabled startups with, re-enable all startups for now please.

ComboFix did a very good job of removing some tough malware. Let's follow up with a scan to check what else might still be there. Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes: Remove found threats, Scan unwanted applications. Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please. Post that log and a new RSIT log. Also post the second RSIT log you left out earlier - it is located at C:\rsit\info.txt.
#11
Hmmm
Hi Jintan
Perhaps there's a bit more going on here than it seems? If you recall, I didn't install DNA in the first place and was surprised by its presence. All I did (other than the installs and scans you requested) was remove it (and BitTorrent) using the Windows Add/Remove Programs. If the Startup list has been modified, it wasn't me that did it. I could probably find out how to do that, but at the moment it's not a process I'm familiar with. In addition the PC has been switched off ever since this began, except to perform the tasks listed on here; apart from that I've been using a laptop, as I am now. I don't know if that affects your thinking on this or not, so I think I'll hold fire on going to the next step until you've had a chance to form an opinion on this and let me know. Thanks for your continuing support btw; I really do appreciate what you're doing. One other thing: you asked for the second rsit log I missed out earlier. Checked back on the thread and I'll go find it.

Last edited by dealtime; July 31st, 2009 at 06:32 AM.
#12
The ComboFix log shows some startups as disabled using a method SpyBot uses often. I have not used that recently, but recall it is under Mode - Advanced Mode - Tools, likely listed as Startups or something similar. So whatever is unchecked there needs to be rechecked again. If not, they do not show in logs that also check their current status.
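An added example for posts #10 and #12 above, not part of this thread and not ComboFix's or Spybot's own code. The mechanism Jintan describes is visible in the ComboFix log in post #9: ComboFix prints the autostart registry it walked in REGEDIT4 style, and the entries that msconfig-style tools park when they disable a startup sit under a sibling key whose name ends in "run-", under ...\msconfig\services (where the service's previous start value is recorded) and under ...\startupfolder, none of which Windows executes. The script below picks those out of the log text and reports which startups are still parked, and which names appear under both Run and Run- (a stale Run- copy, since the live Run entry is what runs); that ambiguity is what re-enabling everything before the next log removes. The sample is excerpted from the log above; the key-name checks and the report layout are assumptions of this example.

```python
"""Pull disabled startups out of a ComboFix "Reg Loading Points" section.

Added example; not ComboFix, msconfig or Spybot code.  Keys ending in "Run-"
and the msconfig services/startupfolder keys hold entries a tool has parked,
so nothing listed there is running.  SAMPLE is excerpted from the log posted
above; any tool that parks startups under a different key would need adding.
"""
import re

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Excerpted from the ComboFix log above (constructed subset, same format).
SAMPLE = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2009-01-05 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-20 198160]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" /STARTUP
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" -atboottime
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"WinampAgent"="c:\program files\Winamp\winampa.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"""


def parse_reg_points(text):
    """Return {key_path: [(value_name, data), ...]} for every [key] block."""
    entries, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_LINE.match(line)
        if m:
            current = m["key"]
            entries.setdefault(current, [])
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:  # "path=" / "backup=" lines are not quoted values
            entries[current].append((m["name"], m["data"].strip()))
    return entries


def classify_startups(entries):
    """Sort parsed keys into live startups and the places disabled ones are parked."""
    report = {"enabled": [], "disabled_run": [], "disabled_services": [],
              "disabled_startup_folder": []}
    for key, values in entries.items():
        k = key.lower()
        if k.endswith("\\run-"):            # msconfig/Spybot parking key for Run entries
            hive = "HKCU" if k.startswith("hkey_current_user") else "HKLM"
            report["disabled_run"] += [(hive, name, data) for name, data in values]
        elif k.endswith("\\run"):           # the key Windows actually executes
            report["enabled"] += [name for name, _ in values]
        elif "msconfig\\services" in k:     # service parked by msconfig; data = old start value
            report["disabled_services"] += [name for name, _ in values]
        elif "\\startupfolder\\" in k:      # parked Startup-folder shortcut; name is after last ^
            report["disabled_startup_folder"].append(key.rsplit("^", 1)[-1])
    parked = {name for _, name, _ in report["disabled_run"]}
    live = set(report["enabled"])
    report["re_enabled_or_stale"] = sorted(parked & live)  # Run- copy left behind
    report["still_disabled"] = sorted(parked - live)       # what Jintan wants re-enabled
    return report


if __name__ == "__main__":
    report = classify_startups(parse_reg_points(SAMPLE))
    for key in ("still_disabled", "re_enabled_or_stale", "disabled_services",
                "disabled_startup_folder"):
        print(f"{key}: {report[key]}")
```

On the full log in post #9 the same split shows BitTorrent DNA parked under the HKCU Run- key rather than uninstalled, which is exactly the distinction post #10 draws, and a longer still_disabled list (DownloadAccelerator, SigmatelSysTrayApp, UpdReg, WinampAgent, REGSHAVE, SunJavaUpdateSched, IntelAudioStudio) that a follow-up log cannot verify until those are re-enabled.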
#13
missing log / 1
OK here's part one of the missing rsit log:
info.txt logfile of random's system information tool 1.06 2009-07-29 20:43:36

======Uninstall list======

-->"C:\Program Files\Creative\SB Live! 24-bit\Program\Ctzapxx.EXE" /U /S
-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1888DAFD-C634-4BC4-865C-3455E24F6177}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1888DAFD-C634-4BC4-865C-3455E24F6177}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDC05F7-83E4-4611-AD3C-A6EB2100332A}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDC05F7-83E4-4611-AD3C-A6EB2100332A}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{869D88A5-BD6C-4E39-8536-D95259EAD7E8}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{869D88A5-BD6C-4E39-8536-D95259EAD7E8}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{881A74B3-3D17-4842-B9AF-0761C6E6C4B5}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{881A74B3-3D17-4842-B9AF-0761C6E6C4B5}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5BAAFAE-3561-463D-8E3F-91761A57ADB8}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5BAAFAE-3561-463D-8E3F-91761A57ADB8}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware SE Personal-->MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Apple Mobile Device Support-->MsiExec.exe /I{162B71B8-8464-4680-A086-601D555B331D}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
AVS Update Manager
1.0-->"C:\Program Files\AVS4YOU\AVSUpdateManger\unins000.exe" AVS Video Converter 6-->"C:\Program Files\AVS4YOU\AVSVideoConverter6\unins000.exe" AVS4YOU Software Navigator 1.3-->"C:\Program Files\AVS4YOU\AVSSoftwareNavigator\unins000.exe" BlackBerry Desktop Software 5.0-->MsiExec.exe /i{EE59E3BD-6B7D-4BBB-B9CD-20EA7AEF1E10} BlackBerry Desktop Software 5.0-->MsiExec.exe /I{EE59E3BD-6B7D-4BBB-B9CD-20EA7AEF1E10} Bulk Rename Utility-->MsiExec.exe /I{CB48E66B-2B62-4669-89B3-2C5E907222EA} Canopus DV Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\070 1\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72196DB6-2C04-4303-808B-0B57A4383179}\setup.exe" -l0x9 Canopus ProCoder Express For EDIUS-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ct or.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D438FA08-515F-41DD-BBDC-AC3428AE9754}\Setup.exe" -l0x9 CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe" ConvertHelper 2.1-->"C:\Program Files\ConvertHelper\unins000.exe" Creative MediaSource-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ct or.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\SETUP.EXE" -l0x9 /remove Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ct or.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9 /remove Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\s puninst.exe" DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe" EDIUS4(SetupManager)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\070 1\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F28111F1-8DCC-4E3C-A6D4-5E1D05F28300}\setup.exe" -l0x9 ffdshow (remove only)-->"C:\Program Files\K-Lite 
Codec Pack\ffdshow\uninstall.exe" FinePixViewer Ver.3.0-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\I Driver.exe /M{24ED4D80-8294-11D5-96CD-0040266301AD} /l1033 Flickr Uploadr 2.5.0.15-->"C:\Program Files\Flickr Uploadr\uninstall.exe" FLV Player 2.0 (build 25)-->C:\Program Files\FLV Player\uninst.exe FUJIFILM USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ct or.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE" Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3} Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spunin st.exe" Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spunin st.exe" Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spunin st.exe" hp deskjet 3420 series (Remove only)-->C:\Program Files\hp deskjet 3420 series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=USB001 -vproduct=3420 -huninstall HX-E1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ct or.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD3C2328-EDD2-4B63-9C19-9D53FFACD544}\Setup.exe" -l0x9 -uninstall IKEA Home Planner-->MsiExec.exe /I{AFA9D219-A7FD-4240-8793-E5C7C9D715F4} Indeo® software-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intel\Indeo\Uninst.isu" -c"C:\Program Files\Intel\Indeo\SavedSystemFiles\indounin.dll" Intel Audio Studio 2.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\ 01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2205E3A5-DCDC-461D-8ED6-D6F2341D3B64}\setup.exe" -l0x9 Intel(R) Management Engine Interface-->C:\WINDOWS\System32\heciudlg.exe -uninstall Intel(R) PRO Network Connections-->MsiExec.exe /I{9628389F-8CDE-4D3E-9E06-27CC780E0A6E} iTunes-->MsiExec.exe 
/I{C26B06A9-27BB-45B0-9873-9C623EC2BA38} Jasc Animation Shop 3-->MsiExec.exe /I{7C4196CA-CA41-4F34-9C08-7724E7705D52} Jasc Paint Shop Pro 9-->MsiExec.exe /I{F843C6A3-224D-4615-94F8-3C461BD9AEA0} Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070} K-Lite Codec Pack 4.7.5 (Basic)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe" LimeWire 4.18.3-->"C:\Program Files\LimeWire\uninstall.exe" ManyCam 2.3 (remove only)-->"C:\Program Files\ManyCam 2.3\uninstall.exe" Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28} Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\sp uninst.exe" Microsoft User-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuni nst.exe" Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7} MotionDV STUDIO 5.6E LE for DV-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\ 00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E07C71A6-1576-4F7F-8856-B1C439E669AC}\Setup.exe" -l0x9 UNINSTALL Mozilla Firefox (3.0.12)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe Mozilla Thunderbird (2.0.0.22)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe MSVC80_x86-->MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27} MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F} MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF} MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71} MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC} NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI OpenOffice.org 2.2-->MsiExec.exe /I{A1C8D94A-4303-4489-B585-4B6E6CD408CB} PENTAX USB DISK Device-->MsiExec.exe 
/X{AEE9ABDF-CFFD-4CC2-8519-E8ECEB5A2AAF} QuickTime Alternative 1.81-->"C:\Program Files\QuickTime Alternative\unins000.exe" QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F} |
#14
rsit log / 2
and part 2:
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Roxio Media Manager-->MsiExec.exe /X{4D612FB2-1AE7-4E46-9377-35BB2F06A787}
RX-E1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{49493B6A-60F9-417E-81A3-AC755D1DE0E0}\Setup.exe" -l0x9 -uninstall
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 8 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP8$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913433)-->C:\WINDOWS\System32\MacroMed\Flash\genuinst.exe C:\WINDOWS\System32\MacroMed\Flash\KB913433.inf
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\Setup.exe" -l0x9 -remove -removeonly
SmartSound Quicktracks Plugin-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Sound Blaster Live! 24-bit-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{734BB64A-5A3D-4624-867D-6358B7068496}\SETUP.EXE" -l0x9
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TrueCrypt-->"C:\Program Files\TrueCrypt\TrueCrypt Setup.exe" /u C:\Program Files\TrueCrypt\
Twins video to iPod-Zune-PSP-3GP 1.1-->"C:\Program Files\Twins Software\Twins video to iPod-Zune-PSP-3GP\unins000.exe"
Twins video to iPod-Zune-PSP-3GP Pro 1.1-->"C:\Program Files\Twins Software\Twins video to iPod-Zune-PSP-3GP\unins001.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Windows Driver Package - Nokia Modem (10/12/2007 3.6)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokia_blue_0A5D98F754C6588B2E3DDE89DDEF097075ADFFB7\nokia_bluetooth.inf
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Search Protection-->C:\PROGRA~1\Yahoo!\SEARCH~1\UNINST~1.EXE
Yahoo! Software Update-->C:\PROGRA~1\Yahoo!\SOFTWA~1\UNINST~1.EXE
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

======Hosts File======

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

======Security center information======

AV: AVG Anti-Virus Free (outdated)

======System event log======

Computer Name: RICH-DESKTOP
Event Code: 36
Message: The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.
Record Number: 29653
Source Name: W32Time
Time Written: 20090506073547.000000+060
Event Type: warning
User:

Computer Name: RICH-DESKTOP
Event Code: 8021
Message: The browser was unable to retrieve a list of servers from the browser master \\JAMES on the network \Device\NetBT_Tcpip_{58C038B5-5E9F-4342-8C1F-8C101BAE92BE}. The data is the error code.
Record Number: 29652
Source Name: BROWSER
Time Written: 20090506000916.000000+060
Event Type: warning
User:

Computer Name: RICH-DESKTOP
Event Code: 10000
Message: Unable to start a DCOM Server: {46986115-84D6-459C-8F95-52DD653E532E}. The error: "%3" Happened while starting this command: "C:\Program Files\Winamp\winamp.exe" -Embedding
Record Number: 29649
Source Name: DCOM
Time Written: 20090505194851.000000+060
Event Type: error
User: RICH-DESKTOP\Rich

Computer Name: RICH-DESKTOP
Event Code: 10000
Message: Unable to start a DCOM Server: {46986115-84D6-459C-8F95-52DD653E532E}. The error: "%3" Happened while starting this command: "C:\Program Files\Winamp\winamp.exe" -Embedding
Record Number: 29648
Source Name: DCOM
Time Written: 20090505183819.000000+060
Event Type: error
User: RICH-DESKTOP\Rich

Computer Name: RICH-DESKTOP
Event Code: 10000
Message: Unable to start a DCOM Server: {46986115-84D6-459C-8F95-52DD653E532E}. The error: "%3" Happened while starting this command: "C:\Program Files\Winamp\winamp.exe" -Embedding
Record Number: 29647
Source Name: DCOM
Time Written: 20090505181131.000000+060
Event Type: error
User: RICH-DESKTOP\Rich

=====Application event log=====

Computer Name: RICH-DESKTOP
Event Code: 3011
Message: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The Error code is the first DWORD in Data section.
Record Number: 2832
Source Name: LoadPerf
Time Written: 20081202183559.000000+000
Event Type: error
User:

Computer Name: RICH-DESKTOP
Event Code: 3012
Message: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. BaseIndex value from Performance registry is the first DWORD in Data section, LastCounter value is the second DWORD in Data section, and LastHelp value is the third DWORD in Data section.
Record Number: 2831
Source Name: LoadPerf
Time Written: 20081202183559.000000+000
Event Type: error
User:

Computer Name: RICH-DESKTOP
Event Code: 3011
Message: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The Error code is the first DWORD in Data section.
Record Number: 2819
Source Name: LoadPerf
Time Written: 20081202173537.000000+000
Event Type: error
User:

Computer Name: RICH-DESKTOP
Event Code: 3012
Message: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. BaseIndex value from Performance registry is the first DWORD in Data section, LastCounter value is the second DWORD in Data section, and LastHelp value is the third DWORD in Data section.
Record Number: 2818
Source Name: LoadPerf
Time Written: 20081202173537.000000+000
Event Type: error
User:

Computer Name: RICH-DESKTOP
Event Code: 1000
Message: Faulting application uvpl.exe, version 9.0.0.0, faulting module ffdshow.ax, version 1.0.0.1, fault address 0x00118bd8.
Record Number: 2817
Source Name: Application Error
Time Written: 20081202173216.000000+000
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\QuickTime Alternative\QTSystem\;C:\Program Files\Common Files\Roxio Shared\DLLShared\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 2, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=0f02
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------
#15
spybot / dna
The Spybot startup was exactly where you said, but was ticked to allow Spybot to manage startups, so I unchecked it...