#1
Well, after a very crappy link on a blog, my computer did a little dance and shut down Mozilla, then continued to freeze up my taskbar. I noticed a couple of new processes (one being a.exe, which I found in system32 and deleted) and I was able to run AVG and found one virus and some registry stuff and deleted those. The problem continued and didn't get better.
Tried running Spybot; it closed when I tried updating. Re-installed, got to the scan, closed when I hit scan. Tried Ad-Aware; it scanned and then closed in the middle of the scan. Tried using HijackThis to get a log; it closes after finishing the scan and won't save the log before it closes. Oh, and all this even happens in safe mode. I've tried Googling, forum searching, the whole nine yards (found a topic close to my problem on this forum, but it was directed to another topic that had nothing to do with the initial problem). Can anyone please help me get this thing fixed? I'm stumped.
#2
Hi JunkyJr. I need to see some logs, but before you provide them you need to know that I have made a personal decision not to help anyone who has peer-to-peer software installed on their computer (and this includes BitTorrent software), so if you want my help, please uninstall any such programs now and reboot.
Go here and download OTL.exe to your Desktop and double-click on it to open it. Scroll down to Extra Registry and click on "Use Safelist". Next click on "Run Scan". When the scan has finished, two logs will open. Copy and paste both reports in this topic. The logs will be reasonably large, so you may have to divide them into sections and make several posts to post them. Please do not run any programs other than those that I suggest or install any new software while I am helping you.
#3
Well, already off to a great start. Did what you said; the program closes after I hit scan, even in safe mode. Then when I try to re-open OTL, this message follows:
"Windows can not access the specified device, path, or file. You may not have the appropriate permissions to access the item." And now I can't delete OTL.exe from the desktop. Another error message that is now popping up on start-up: "adobecollabsync.exe - The application failed to initialize properly (0xc000142)." *sigh*
#4
Ok, well I don't know what you are infected with, so I can't do much until I can determine what malware is causing the problem.
Let's try something else. Use Firefox if possible and go here and download Process Explorer to your Desktop. Right-click on it and rename it to iexplore.exe and then double-click to run the program. Click on the View menu and make sure that the following options are checked:
Show Processes From All Users
Show Fractional CPU
Show New Processes
Show Unnamed Handles and Mappings
Now go to File > Save As and save Procexp.txt to your Desktop. Copy and paste it here please. Also, tell me what operating system and service packs you have installed.
#5
XP Pro with service pack 2.
This worked; here is the log:

Process  PID  CPU  Description  Company Name
System Idle Process  0  89.06
Interrupts  n/a  Hardware Interrupts
DPCs  n/a  Deferred Procedure Calls
System  4
smss.exe  496  Windows NT Session Manager  Microsoft Corporation
csrss.exe  544  3.13  Client Server Runtime Process  Microsoft Corporation
winlogon.exe  584  Windows NT Logon Application  Microsoft Corporation
services.exe  640  Services and Controller app  Microsoft Corporation
svchost.exe  852  Generic Host Process for Win32 Services  Microsoft Corporation
rapimgr.exe  2444  ActiveSync RAPI Manager  Microsoft Corporation
svchost.exe  980  Generic Host Process for Win32 Services  Microsoft Corporation
svchost.exe  1052  Generic Host Process for Win32 Services  Microsoft Corporation
msa.exe  1752
wscntfy.exe  3464  Windows Security Center Notification App  Microsoft Corporation
svchost.exe  1124  Generic Host Process for Win32 Services  Microsoft Corporation
svchost.exe  1196  Generic Host Process for Win32 Services  Microsoft Corporation
spoolsv.exe  1404  Spooler SubSystem App  Microsoft Corporation
AppleMobileDeviceService.exe  236  Apple Mobile Device Service  Apple Inc.
avgwdsvc.exe  372  AVG Watchdog Service  AVG Technologies CZ, s.r.o.
avgrsx.exe  2244  AVG Resident Shield Service  AVG Technologies CZ, s.r.o.
avgnsx.exe  2260  AVG Network scanner Service  AVG Technologies CZ, s.r.o.
mDNSResponder.exe  388  Bonjour Service  Apple Inc.
nvsvc32.exe  1136  NVIDIA Driver Helper Service, Version 91.31  NVIDIA Corporation
PnkBstrA.exe  1268
svchost.exe  1316  Generic Host Process for Win32 Services  Microsoft Corporation
ViewpointService.exe  1400  ViewMgr  Viewpoint Corporation
iPodService.exe  3488  iPodService Module  Apple Inc.
lsass.exe  652  LSA Shell (Export Version)  Microsoft Corporation
explorer.exe  1764  Windows Explorer  Microsoft Corporation
avgtray.exe  2084  AVG Tray Monitor  AVG Technologies CZ, s.r.o.
Monitor.exe  2108  Registry Monitor  PixArt Imaging Incorporation
iTunesHelper.exe  2116  iTunesHelper Module  Apple Inc.
RTHDCPL.EXE  2128  Realtek HD Audio Control Panel  Realtek Semiconductor Corp.
wcescomm.exe  2180  ActiveSync Connection Manager  Microsoft Corporation
btdna.exe  2264  DNA  BitTorrent, Inc.
ctfmon.exe  2296  CTF Loader  Microsoft Corporation
Monitor.exe  2716
firefox.exe  3512  Firefox  Mozilla Corporation
iexplore.exe  1456  7.81  Sysinternals Process Explorer  Sysinternals - www.sysinternals.com
rundll32.exe  2096  Run a DLL as an App  Microsoft Corporation

Oh, and P.S.: I did uninstall the BitTorrent junk before starting this like you asked; just noticed btdna.exe is still running though. Is this normal?
Last edited by JunkyJr; September 12th, 2009 at 02:28 AM.
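The Process Explorer export above is the kind of list a helper triages by eye. The script below is an added example, not code from this thread or from Sysinternals; it parses a constructed tab-separated sample (the layout Process Explorer writes with File > Save As is assumed) whose rows mirror the log, and applies three checks a defender makes first: processes that carry neither a description nor a company name, one image name appearing with inconsistent publisher data (the two Monitor.exe rows), and an image whose embedded description does not match its file name. The last check fires on the deliberately renamed Process Explorer here, which is also how a tool or malware hiding behind a system-process name shows up. The EXPECTED_DESC table is a small assumed allow-list.

```python
"""Triage helper for a Process Explorer text export (added example)."""
from collections import defaultdict

# Constructed sample in the tab-separated layout Process Explorer writes with
# File > Save As; the rows are typed in by hand to mirror the thread's log.
SAMPLE_PROCEXP = """\
Process\tPID\tCPU\tDescription\tCompany Name
System Idle Process\t0\t89.06\t\t
csrss.exe\t544\t3.13\tClient Server Runtime Process\tMicrosoft Corporation
svchost.exe\t1052\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation
msa.exe\t1752\t\t\t
wscntfy.exe\t3464\t\tWindows Security Center Notification App\tMicrosoft Corporation
PnkBstrA.exe\t1268\t\t\t
Monitor.exe\t2108\t\tRegistry Monitor\tPixArt Imaging Incorporation
Monitor.exe\t2716\t\t\t
iexplore.exe\t1456\t7.81\tSysinternals Process Explorer\tSysinternals - www.sysinternals.com
"""

# Pseudo-processes Process Explorer lists that never carry publisher data.
PSEUDO = {"System Idle Process", "System", "Interrupts", "DPCs"}

# Assumed allow-list: what the description of these image names normally says.
EXPECTED_DESC = {"iexplore.exe": "Internet Explorer", "explorer.exe": "Windows Explorer"}


def parse_procexp(text):
    """Return one dict per process row, keyed by the header names."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")
        fields += [""] * (len(header) - len(fields))   # pad rows with trailing empty columns
        row = dict(zip(header, fields))
        row["Process"] = row["Process"].strip()       # drop the tree-view indentation
        rows.append(row)
    return rows


def flag_unknown_publisher(rows):
    """Processes with neither a description nor a company name (as 'name:pid')."""
    return [f'{r["Process"]}:{r["PID"]}' for r in rows
            if r["Process"] not in PSEUDO
            and not r["Description"].strip() and not r["Company Name"].strip()]


def flag_inconsistent_names(rows):
    """Image names that appear more than once with different publisher data."""
    by_name = defaultdict(set)
    for r in rows:
        by_name[r["Process"].lower()].add((r["Description"], r["Company Name"]))
    return sorted(name for name, metas in by_name.items() if len(metas) > 1)


def flag_renamed_images(rows):
    """Image names whose description does not match what that name normally carries."""
    out = []
    for r in rows:
        want = EXPECTED_DESC.get(r["Process"].lower())
        if want and r["Description"].strip() and want.lower() not in r["Description"].lower():
            out.append(f'{r["Process"]}:{r["PID"]} ({r["Description"]})')
    return out


if __name__ == "__main__":
    rows = parse_procexp(SAMPLE_PROCEXP)
    print("no publisher data:", flag_unknown_publisher(rows))
    print("inconsistent names:", flag_inconsistent_names(rows))
    print("renamed images:", flag_renamed_images(rows))
```

Missing publisher data is only a prompt to look closer (PnkBstrA.exe is a legitimate anti-cheat service that simply ships without version strings), but in this thread it is exactly the filter that singles out msa.exe and the second Monitor.exe, the two processes the helper asks to have killed.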
#6
Ok, right-click on msa.exe and choose Kill Process. Make sure you do this every time you reboot until we get rid of it.
Hopefully you will be able to run your utilities now, but hold off on running OTL.exe. I want you to download different utilities and post those logs. Go here and download DDS to your Desktop and double-click on dds.scr to run it. If your security software includes script-blocking features, please disable these before you run this utility. When the scan has finished, two logs will open. Copy and paste both reports in this topic. The logs will be reasonably large, so you may have to divide them into sections and make several posts to post them.
Also go here and download RootRepeal (the zipped version) and save it to your Desktop. Double-click to extract the compressed file to its own folder and then right-click on RootRepeal.exe and choose "Run as Administrator". Click on the Report tab and then click on Scan. A window will open asking what to include in the scan. Check all of the below and then click Ok:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
You will then be asked which drive to scan. Check C: (or the drive your operating system is installed on if not C) and click Ok again. The scan will start. It will take a little while, so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there). When you have done this, please copy and paste it in this thread.
#8
Btw, Happy Birthday.
#9
Thank you. My computer gave me a great present, eh?
Ok, disabled msa.exe like asked. Taskbar still locked up and I can't get into AVG (which is running) to disable the script blocking. Tried to just close it all by ending all AVG-related processes, but avgrsx.exe isn't ending completely or something. Any idea how to get dds.scr to work? Should I move on to the RootRepeal step? Missed that DNA thing in Add/Remove; removing now.
#11
Once again: kill msa.exe, double-click dds.pif, a command prompt window opens and displays a little message:
"As per the instructions you would have received, kindly ensure any onboard script blocking tools have been disabled for they shall interfere with DDS. DDS is a non-invasive... blah blah blah" I actually had to hit "Print Screen" when this pops up, because the program closes before I can read the first word, and nothing else pops up.
#12
Ok. Run Process Explorer again and kill the below process too:
Monitor.exe 2716
and try again. If this doesn't help, you may also have a rootkit infection. Go here and download Win32kDiag.exe to your Desktop. Double-click on the file to run it. It will generate a log (Win32kDiag.txt). Post the log in your next reply.
#13
Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB944533-IE7\KB944533-IE7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ErrorRep\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9489e810bc136788bfeb9b68b0d7dfee\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\382077\382077
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1935655697-1979792683-725345543-1003\S-1-5-21-1935655697-1979792683-725345543-1003
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\dumprep.exe
[1] 2006-02-28 05:00:00 10752 C:\WINDOWS\system32\dllcache\dumprep.exe (Microsoft Corporation)
[1] 2006-02-28 05:00:00 10752 C:\WINDOWS\system32\dumprep.exe ()
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2006-02-28 05:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2006-02-28 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2006-02-28 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\system32\export\export
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Lang\Lang
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\sample\sample
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\mof\good\good
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wins\wins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\xircom\xircom
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Finished!
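Two things in the Win32kDiag output above are what the helper reads as a rootkit: dozens of reparse points whose destination is not a \??\ object-manager path (a genuine volume mount point or directory junction resolves to \??\Volume{...} or \??\C:\...), every one of them with the same "...\Name\Name" shape, and a "Cannot access" block in which the live copy of eventlog.dll is larger than the dllcache copy (61952 versus 55808 bytes) and carries no vendor string. The script below is an added example, not from the thread or from the Win32kDiag author; it parses a constructed sample in the tool's line-per-entry layout (that layout is assumed) and surfaces exactly those two findings. The D:\ mount point in the sample is a benign control I made up to show the check is selective.

```python
"""Triage a Win32kDiag log for abnormal reparse points and blocked system files (added example)."""
import re

# Constructed sample in Win32kDiag's line-per-entry layout. The two C:\WINDOWS
# mount points and the eventlog.dll block mirror the thread's log; the D:\ entry
# is an invented benign mount point that resolves to a real volume.
SAMPLE_WIN32KDIAG = r"""
Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : D:\mounts\data
Mount point destination : \??\Volume{0f1e2d3c-0000-4000-8000-000000000000}
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2006-02-28 05:00:00      55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2006-02-28 05:00:00      61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2006-02-28 05:00:00      55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] date time size path (company)"; the path may contain spaces, so it is non-greedy.
FILE_RE = re.compile(r"^\[(\d+)\]\s+(\S+ \S+)\s+(\d+)\s+(.+?)\s+\((.*)\)$")


def parse_win32kdiag(text):
    """Return (mount point pairs, {inaccessible file: [copies the tool listed]})."""
    mounts, blocked = [], {}
    pending = None      # source path waiting for its destination line
    current = None      # file of the "Cannot access" block being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)) and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
        elif m := CANNOT_RE.match(line):
            current = m.group(1)
            blocked[current] = []
        elif (m := FILE_RE.match(line)) and current is not None:
            blocked[current].append({"size": int(m.group(3)), "path": m.group(4), "company": m.group(5)})
    return mounts, blocked


def suspicious_mount_points(mounts):
    """Reparse points whose target is not a \\??\\ path, or that repeat their own name."""
    out = []
    for src, dest in mounts:
        parts = src.rstrip("\\").split("\\")
        self_named = len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()
        if not dest.startswith("\\??\\") or self_named:
            out.append(src)
    return out


def tampered_system_files(blocked):
    """Inaccessible files whose live copy differs from the dllcache copy in size,
    or lacks the vendor string the dllcache copy carries. Returns (file, live, ref)."""
    findings = []
    for target, copies in blocked.items():
        ref = next((c for c in copies if "\\dllcache\\" in c["path"].lower()), None)
        live = next((c for c in copies if c["path"].lower() == target.lower()), None)
        if ref and live and (ref["size"] != live["size"] or (ref["company"] and not live["company"])):
            findings.append((target, live["size"], ref["size"]))
    return findings


if __name__ == "__main__":
    mounts, blocked = parse_win32kdiag(SAMPLE_WIN32KDIAG)
    print("abnormal reparse points:", suspicious_mount_points(mounts))
    print("tampered system files:", tampered_system_files(blocked))
```

The size comparison is the cheap version of what the helper does next: the dllcache copy is the reference the operating system itself keeps, which is why the fix in the following reply stages that copy under lastgood and boots Last Known Good Configuration rather than trusting the file in system32.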
#14
Ah yes, I see the problem and it is a rootkit infection.
Please follow the next set of instructions very carefully and ask first if you are not sure of anything. Before you start, make sure that you can view hidden files and folders, and uncheck "Hide Extensions for Known File Types" and "Hide Protected Operating System Files". Navigate to C:\Windows and create a new folder and call it lastgood. If a lastgood or lastgood.tmp folder already exists, please rename the folder to oldlastgood. When you have done this, open the lastgood folder and create a folder called System32. Navigate to C:\WINDOWS\system32\dllcache and copy eventlog.dll (right-click on it and choose "Copy"). Go back and paste the file inside the C:\Windows\lastgood\System32 folder. When you have done this, restart your computer and tap F8 continuously as it restarts. When the Startup Menu appears, choose "Last Known Good Configuration". Now try running DDS please. Also run Win32kDiag.exe and post a new log.
#15
DDS.txt

DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 19:38:55.07 on Fri 09/11/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.522 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\msa.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {08f87808-7459-46e5-97b8-101bd01c49fc} - c:\windows\system32\xxyvwtTn.dll
BHO: {1C5580AB-93AD-41FF-BC8F-E3E8197CFA33} - No File
BHO: {53fe12c2-4429-488f-847b-7b285f8f6778} - c:\windows\system32\pmnoPfCv.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {85557894-b387-4493-b32f-fb40dcea282c} - c:\windows\system32\iifcDvTj.dll
BHO: {980aa828-a620-4642-b6b0-f83c4c584492} - c:\windows\system32\wvUnOGaY.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: {fa18bedd-cec5-4ba5-a9c4-384a511af150} - c:\windows\system32\ssqOGxUm.dll
BHO: {feb1a869-c53e-48bc-8959-883af3332c62} - c:\windows\system32\defefawu.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [Tunebite] c:\program files\rapidsolution\tunebite\Tunebite.exe -tray
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Aim6]
uRun: [PopRock] c:\docume~1\owner\locals~1\temp\a.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [RunNarrator] Narrator.exe
mExplorerRun: [xj4H7ANbwN] c:\documents and settings\all users\application data\idydavil\ktspqbgf.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\umaxvi~1.lnk - c:\vstascan\vsaccess.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\fortem~1.lnk - c:\program files\lg soft india\fortemanager\bin\Monitor.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3A57B60-C117-11D2-BD9B-00105A0A7E89} - hxxp://www.diskfaktory.com/create/01/SAXFile.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: pmnoPfCv - pmnoPfCv.dll
AppInit_DLLs: avgrsstx.dll niohlv.dll,c:\windows\system32\mizijeva.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: KernelSrv - {253b5138-bc5a-4103-a50f-6cf36b134309} - c:\windows\resources\KernelSrv.dll
SSODL: wdpoefan - {AD38D87B-47A5-4F21-871C-E1F6632827A0} - No File
SSODL: vadokmxt - {7DBA1FB1-276C-4056-B147-5EDABC52FDE9} - No File
SEH: {53fe12c2-4429-488f-847b-7b285f8f6778} - c:\windows\system32\pmnoPfCv.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\iifcDvTj
LSA: Notification Packages = scecli c:\windows\system32\mizijeva.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ssw7a96m.default\
FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-4-24 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-12-21 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-4-24 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 298776]
R2 PPCLASS;PPCLASS;c:\windows\system32\drivers\ppclass.sys [2008-6-4 85868]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-21 24652]
R3 LGDDCDevice;LGDDCDevice;c:\program files\lg soft india\fortemanager\bin\I2CDriver.sys [2009-4-15 14336]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-20 907032]
S2 gupdate1c9e642fdfc165a;Google Update Service (gupdate1c9e642fdfc165a);c:\program files\google\update\GoogleUpdate.exe [2009-6-5 133104]
S2 muhuxynouxz;muhuxynouxz;\??\c:\windows\system32\drivers\jjgjuy.sys --> c:\windows\system32\drivers\jjgjuy.sys [?]
S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [2008-6-4 120544]
S2 WMP55AGSVC;WMP55AGSVC;"c:\program files\dual-band wireless a+g pci network adapter\wlservice.exe" "wmp55ag.exe" --> c:\program files\dual-band wireless a+g pci network adapter\WLService.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-7-24 1684736]
S3 LGII2CDevice;LGII2CDevice;c:\program files\lg soft india\fortemanager\bin\PII2CDriver.sys [2009-4-15 17408]
S3 o1394bul;o1394bul;\??\c:\docume~1\owner\locals~1\temp\o1394bul.sys --> c:\docume~1\owner\locals~1\temp\o1394bul.sys [?]
S3 PAC207;CIF USB Camera;c:\windows\system32\drivers\PFC027.SYS [2008-6-1 505984]

=============== Created Last 30 ================

2009-09-11 19:31 55,808 a------- c:\windows\system32\eventlog.dll
2009-09-11 19:00 <DIR> --d-h--- c:\windows\PIF
2009-09-11 16:28 <DIR> --d----- c:\program files\Spybot2
2009-09-11 16:23 <DIR> --d----- c:\program files\Spybot
2009-09-11 13:24 157,184 a------- c:\windows\msa.exe
2009-09-11 13:24 <DIR> --d----- C:\spoolerlogs

==================== Find3M ====================

2009-08-10 15:18 286,720 a------- c:\windows\iun505.exe
2009-08-07 19:51 15,308,424 a------- c:\windows\system32\xlive.dll
2009-08-07 19:51 13,642,888 a------- c:\windows\system32\xlivefnt.dll
2009-07-26 09:07 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-20 19:08 5,795,328 a------- c:\windows\system32\drivers\RtkHDAud.sys
2009-07-20 11:12 18,670,592 a------- c:\windows\RTHDCPL.EXE
2009-07-08 11:29 41,472 a------- c:\windows\system32\RtkCoInstXP.dll
2009-06-24 10:43 831,488 a------- c:\windows\RtlExUpd.dll
2009-06-22 17:39 1,482,752 a------- c:\windows\RtlUpd.exe

============= FINISH: 19:40:24.18 ===============
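The DDS pseudo-HJT section above packs the autostart and persistence locations a helper reads line by line. As an added example, not from the thread or from the DDS author, the script below runs four of those reads over a constructed sample whose lines are copied from the report: Run entries that launch from user-writable directories (the temp and application data paths are an assumed heuristic list), additions to the two LSA package lists beyond the stock msv1_0 and scecli, everything registered in AppInit_DLLs (which is injected into every process that loads user32.dll), and services whose image DDS marks as missing with "[?]". The line formats are assumed from the report as posted.

```python
"""Flag persistence entries in a DDS pseudo-HJT report (added example)."""
import re

# Constructed sample: lines copied by hand from the thread's DDS.txt, not the file itself.
SAMPLE_DDS = r"""
uRun: [PopRock] c:\docume~1\owner\locals~1\temp\a.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mExplorerRun: [xj4H7ANbwN] c:\documents and settings\all users\application data\idydavil\ktspqbgf.exe
Notify: avgrsstarter - avgrsstx.dll
Notify: pmnoPfCv - pmnoPfCv.dll
AppInit_DLLs: avgrsstx.dll niohlv.dll,c:\windows\system32\mizijeva.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\iifcDvTj
LSA: Notification Packages = scecli c:\windows\system32\mizijeva.dll
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-4-24 335752]
S2 muhuxynouxz;muhuxynouxz;\??\c:\windows\system32\drivers\jjgjuy.sys --> c:\windows\system32\drivers\jjgjuy.sys [?]
S3 o1394bul;o1394bul;\??\c:\docume~1\owner\locals~1\temp\o1394bul.sys --> c:\docume~1\owner\locals~1\temp\o1394bul.sys [?]
"""

RUN_RE = re.compile(r"^\w*Run(?:Once)?: \[([^\]]+)\]\s*(.*)$")      # uRun/mRun/dRunOnce/mExplorerRun
LSA_RE = re.compile(r"^LSA: (Authentication Packages|Notification Packages) = (.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.*)$")
SVC_RE = re.compile(r"^[RS]\d (.+?);.*\[\?\]$")                        # service whose image DDS could not find

# Stock XP values for the two LSA lists; anything beyond them is worth a look.
LSA_DEFAULTS = {"Authentication Packages": {"msv1_0"}, "Notification Packages": {"scecli"}}
# Assumed heuristic: directories a non-admin user can write to; autoruns rarely live there.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\locals~1\\")


def _lines(text):
    return [l.strip() for l in text.splitlines() if l.strip()]


def run_entries_from_user_writable(text):
    """Names of Run-style entries whose command line points into a user-writable directory."""
    hits = []
    for line in _lines(text):
        m = RUN_RE.match(line)
        if m and any(tok in m.group(2).lower() for tok in USER_WRITABLE):
            hits.append(m.group(1))
    return hits


def lsa_extras(text):
    """LSA package entries beyond the stock values, keyed by list name."""
    extras = {}
    for line in _lines(text):
        m = LSA_RE.match(line)
        if m:
            extra = [e for e in m.group(2).split() if e.lower() not in LSA_DEFAULTS[m.group(1)]]
            if extra:
                extras[m.group(1)] = extra
    return extras


def appinit_dlls(text):
    """Every DLL listed in AppInit_DLLs (comma- or space-separated)."""
    for line in _lines(text):
        m = APPINIT_RE.match(line)
        if m:
            return [t for t in re.split(r"[,\s]+", m.group(1)) if t]
    return []


def services_with_missing_image(text):
    """Service names whose image path DDS flagged with [?]."""
    return [SVC_RE.match(l).group(1) for l in _lines(text) if SVC_RE.match(l)]


def triage(text):
    return {
        "run_from_user_writable": run_entries_from_user_writable(text),
        "lsa_extras": lsa_extras(text),
        "appinit_dlls": appinit_dlls(text),
        "services_missing_image": services_with_missing_image(text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

The AppInit_DLLs check deliberately returns the whole list rather than filtering it: avgrsstx.dll belongs to the installed AVG, but an LSA notification package and an AppInit entry sharing the same unfamiliar DLL (mizijeva.dll above) is the kind of overlap a reviewer wants to see side by side rather than have a filter decide for them.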