kxvo.exe PLEASE HELP [RESOLVED]
Started by amm007, Mar 05 2008 08:19 AM
#301
Posted 19 August 2008 - 09:57 PM
#302
Posted 20 August 2008 - 02:43 AM
The only problem is whatever you had wasn't showing in the logs at all.
Since you say that after reformatting the redirects were still present, then I would have to say that it has to do with some of your backup files.
I would just bite the bullet and format all drives and reformat Computer 1 as well again, since it is now reinfected.
Without plugging in your backup drive, see if the redirects are still present.
You can let me know when you are finished with it and I will give you a log to post.
#303
Posted 20 August 2008 - 03:41 AM
Our last action in removing redirection did the trick. I suppose the only thing that made the virus resilient is that I plugged my removable hard disk in after. Could we give it one last try? My files are extremely important; hence, I cannot format it right away. Backing it up with CDs is impractical 'coz they are 30 GB in total. Thanks!
#304
Posted 20 August 2008 - 05:07 AM
Do this first and then tell me if the redirects are still present.
Boot into Safe mode to run this after you download it.
Download the HostsXpert 4.2 - Hosts File Manager.
- Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
- Run HostsXpert 4.2 - Hosts File Manager from its new home
- Click on "File Handling".
- Click on "Restore MS Hosts File".
- Click OK on the Confirmation box.
- Click on "Make Read Only?"
- Click the X to exit the program.
- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Then:
Please download Runscanner to your desktop and run it.
- When the first page comes up select Beginner Mode
- On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
- At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
- On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file.
- Call the .run file "Select a name" and save it to your desktop. You will see the .run file on your desktop. Upload that file here.
#305
Posted 24 August 2008 - 08:13 AM
Runscanner logfile http://www.runscanner.net
* = signed file
- = file not found
General info
------------
Computer name : OFFICE
Creation time : 8/24/2008 10:03:26 PM
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 6.0.2900.2180
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.7.0.0
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS
Running processes
-----------------
* C:\WINDOWS\System32\alg.exe (Microsoft Corporation)
* C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
* C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
* C:\PROGRA~1\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
* C:\PROGRA~1\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
* C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
C:\Program Files\ChikkaV4\ChikkaLauncher.exe
* C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)
* C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
* C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
* C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
C:\Documents and Settings\Adrian\Desktop\HostsXpert.exe (funkytoad.com)
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (Nero AG)
* C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
* C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
C:\Program Files\Microsoft Encarta\Encarta Premium Suite 2005\EDICT.EXE (Microsoft Corporation)
* C:\Documents and Settings\Adrian\Desktop\RunScanner.exe (Runscanner.net)
* C:\WINDOWS\system32\services.exe (Microsoft Corporation)
* C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation)
* C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
* C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation)
* c:\windows\System32\smss.exe (Microsoft Corporation)
* C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation)
* C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
Unrated items
-------------
003 * C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
003 * C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
010 C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe LM Service)
010 C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (ASP.NET State Service)
010 C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (InCD Helper)
011 C:\WINDOWS\system32\drivers\InCDRm.sys (InCD Reader)
011 C:\WINDOWS\system32\drivers\InCDPass.sys (InCDPass)
030 C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
030 C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
030 C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
031 C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\MSERO.DLL (Microsoft Corporation) {B0D92A71-886B-453B-A649-1B91F93801E7}
031 C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}
035 C:\WINDOWS\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}
042 GUID / CLSID not found {B205A35E-1FC4-4CE3-818B-899DBBB3388C}
052 * C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.) {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
061 C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
061 C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG) {B327765E-D724-4347-8B16-78AE18552FC3}
061 C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG) {7F1CF152-04F8-453A-B34C-E609530A9DC8}
061 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
061 * C:\Program Files\Yahoo!\Common\YMMAPI.dll (Yahoo! Inc.) {5464D816-CF16-4784-B9F3-75C0DB52B499}
062 C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG) {7D4D6379-F301-4311-BEBA-E26EB0561882}
069 C:\WINDOWS\system32\mdimon.dll (Microsoft Corporation)
100 Default_Search_URL HKLM : http://us.rd.yahoo.c...//www.yahoo.com
100 Search Page HKCU : http://us.rd.yahoo.c...//www.yahoo.com
100 Search Page HKLM : http://us.rd.yahoo.c...//www.yahoo.com
100 SearchUrl HKCU : http://us.rd.yahoo.c...//www.yahoo.com
102 GUID / CLSID not found {32683183-48a0-441b-a342-7c2a440a9478}
102 C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL (Microsoft Corporation) {9455301C-CF6B-11D3-A266-00C04F689C50}
104 * C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Yahoo! Inc.) {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
105 E&xport to Microsoft Excel : res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
173 C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)
173 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
173 * C:\Program Files\Yahoo!\Common\YMMAPI.dll (Yahoo! Inc.) {5464D816-CF16-4784-B9F3-75C0DB52B499}
221 C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)
221 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
221 * C:\Program Files\Yahoo!\Common\YMMAPI.dll (Yahoo! Inc.) {5464D816-CF16-4784-B9F3-75C0DB52B499}
225 C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)
225 C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)
225 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
225 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
227 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
231 C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG) NeroDigitalExt.NeroDigitalColumnHandler
Missing files
-------------
011 C:\WINDOWS\system32\drivers\Abiosdsk.sys
011 C:\WINDOWS\system32\drivers\abp480n5.sys
011 C:\WINDOWS\system32\drivers\adpu160m.sys
011 C:\WINDOWS\system32\drivers\Aha154x.sys
011 C:\WINDOWS\system32\drivers\aic78u2.sys
011 C:\WINDOWS\system32\drivers\aic78xx.sys
011 C:\WINDOWS\system32\drivers\AliIde.sys
011 C:\WINDOWS\system32\drivers\amsint.sys
011 C:\WINDOWS\system32\drivers\asc.sys
011 C:\WINDOWS\system32\drivers\asc3350p.sys
011 C:\WINDOWS\system32\drivers\asc3550.sys
011 C:\WINDOWS\system32\drivers\Atdisk.sys
011 C:\WINDOWS\system32\drivers\cd20xrnt.sys
011 C:\WINDOWS\system32\drivers\Changer.sys
011 C:\WINDOWS\system32\drivers\CmdIde.sys
011 C:\WINDOWS\system32\drivers\Cpqarray.sys
011 C:\WINDOWS\system32\drivers\dac2w2k.sys
011 C:\WINDOWS\system32\drivers\dac960nt.sys
011 C:\WINDOWS\system32\drivers\dpti2o.sys
011 C:\WINDOWS\system32\drivers\hpn.sys
011 C:\WINDOWS\system32\drivers\hpt3xx.sys
011 C:\WINDOWS\system32\drivers\i2omgmt.sys
011 C:\WINDOWS\system32\drivers\i2omp.sys
011 C:\WINDOWS\system32\drivers\ini910u.sys
011 C:\WINDOWS\system32\drivers\IntelIde.sys
011 C:\WINDOWS\system32\drivers\lbrtfdc.sys
011 C:\WINDOWS\system32\drivers\mraid35x.sys
011 C:\WINDOWS\system32\drivers\PCIDump.sys
011 C:\WINDOWS\system32\drivers\PDCOMP.sys
011 C:\WINDOWS\system32\drivers\PDFRAME.sys
011 C:\WINDOWS\system32\drivers\PDRELI.sys
011 C:\WINDOWS\system32\drivers\PDRFRAME.sys
011 C:\WINDOWS\system32\drivers\perc2.sys
011 C:\WINDOWS\system32\drivers\perc2hib.sys
011 C:\WINDOWS\system32\drivers\ql1080.sys
011 C:\WINDOWS\system32\drivers\Ql10wnt.sys
011 C:\WINDOWS\system32\drivers\ql12160.sys
011 C:\WINDOWS\system32\drivers\ql1240.sys
011 C:\WINDOWS\system32\drivers\ql1280.sys
011 C:\WINDOWS\system32\drivers\Simbad.sys
011 C:\WINDOWS\system32\drivers\Sparrow.sys
011 C:\WINDOWS\system32\drivers\sym_hi.sys
011 C:\WINDOWS\system32\drivers\sym_u3.sys
011 C:\WINDOWS\system32\drivers\symc810.sys
011 C:\WINDOWS\system32\drivers\symc8xx.sys
011 C:\WINDOWS\system32\drivers\TosIde.sys
011 C:\WINDOWS\system32\drivers\ultra.sys
011 C:\WINDOWS\system32\drivers\ViaIde.sys
011 C:\WINDOWS\system32\drivers\WDICA.sys
061 deskpan.dll
#306
Posted 24 August 2008 - 08:57 AM
Hi, please e-mail me the following file, saved as an attachment in the e-mail.
My e-mail address is kahdah at aol.com (replace at with @).
====================================================
Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
- Close ALL OTHER PROGRAMS.
- Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
- In the Drivers section click on Non-Microsoft.
- Under Additional Scans click the checkboxes in front of the following items to select them:
Reg - BotCheck
File - Additional Folder Scans
Rootkit Search - Yes
Drivers - Non Microsoft
- Do not change any other settings.
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.
#307
Posted 25 August 2008 - 03:21 AM
attached
Edited by amm007, 25 August 2008 - 03:23 AM.
#308
Posted 25 August 2008 - 05:32 PM
Can you send it to me in an e-mail as an attachment?
The format is messed up when it is attached here.
My e-mail address is kahdah at aol.com (replace at with @).
#309
Posted 26 August 2008 - 08:39 AM
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Registry - Non-Microsoft Only]
< Drives - Autoruns > -> NY -> autorun.inf [] -> F:\autorun.inf [ NTFS ]
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.
I will review the information when it comes back in.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
==============
After that, download the HostsXpert 4.2 - Hosts File Manager.
- Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
- Run HostsXpert 4.2 - Hosts File Manager from its new home
- Click on "File Handling".
- Click on "Restore MS Hosts File".
- Click OK on the Confirmation box.
- Click on "Make Read Only?"
- Click the X to exit the program.
- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Then let me know about any redirects again, please.
Also, how are things running?
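A defender-side check for the two reinfection vectors this thread keeps coming back to: hosts-file redirects (what Runscanner's "Hosts <> 127.0.0.1" counter measures and HostsXpert's "Restore MS Hosts File" undoes) and an autorun.inf on the backup drive (the F:\autorun.inf that OTScanIt had to move on reboot). This is an added example in Python, not code from the thread or from any of those tools; the hosts file and autorun.inf below are constructed samples, and the script can instead be pointed at a real hosts path and drive root.

```python
"""Audit a Windows hosts file for redirect entries and a removable drive's
autorun.inf for directives that launch a program. Added example for this
thread; every sample input below is constructed, not taken from the log."""
import re
import sys
from pathlib import Path

# Addresses that are harmless as hosts-file targets: loopback or blackhole.
SAFE_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

# autorun.inf keys that make Windows run something on insert or double-click.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell|shell\\[^\\]+\\command)$", re.I)


def audit_hosts(text):
    """Return [(line_no, address, [hostnames])] for every hosts entry that
    points a name somewhere other than loopback. Ad-blocking lists only ever
    use 127.0.0.1 or 0.0.0.0, so any other address is a redirect."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # strip trailing comments
        parts = line.split()
        if len(parts) < 2:                         # blank or address-only line
            continue
        address, names = parts[0], parts[1:]
        if address not in SAFE_TARGETS:
            findings.append((n, address, names))
    return findings


def autorun_launchers(text):
    """Return [(key, value)] for directives in an autorun.inf that launch a
    program. A plain data or backup drive should have none; icon= and label=
    are cosmetic and ignored. Lines without '=' are skipped rather than
    rejected, because padded autorun files are common in the wild."""
    launchers = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if EXEC_KEY.match(key):
            launchers.append((key.lower(), value))
    return launchers


def audit_drive(drive_root):
    """Look for autorun.inf at the root of the drive. Returns (found, launchers)."""
    inf = Path(drive_root) / "autorun.inf"
    if not inf.exists():
        return (False, [])
    return (True, autorun_launchers(inf.read_text(errors="replace")))


# --- constructed samples so the script runs offline -------------------------
SAMPLE_HOSTS = """# constructed hosts file for demonstration
127.0.0.1       localhost
0.0.0.0         ads.example.net            # blackhole entry: fine
203.0.113.7     search.example.com         # redirect: searches go elsewhere
203.0.113.7     av-update.example.net      # redirect: blocks AV updates
"""

SAMPLE_AUTORUN = """[autorun]
;constructed autorun.inf mimicking a worm-style file on a backup drive
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Backup
open=RECYCLER\\sample_payload.exe
shell\\open\\command=RECYCLER\\sample_payload.exe
shell\\explore\\command=RECYCLER\\sample_payload.exe
shell=open
garbage line the parser must tolerate
"""


def main(argv):
    # Usage: audit.py [hosts_path] [drive_root]; with no arguments the samples are used.
    hosts_text = Path(argv[1]).read_text(errors="replace") if len(argv) > 1 else SAMPLE_HOSTS
    for n, addr, names in audit_hosts(hosts_text):
        print(f"hosts line {n}: {addr} -> {' '.join(names)}")
    if len(argv) > 2:
        found, launchers = audit_drive(argv[2])
        print("autorun.inf present" if found else "no autorun.inf on drive")
    else:
        launchers = autorun_launchers(SAMPLE_AUTORUN)
    for key, value in launchers:
        print(f"autorun launcher: {key} = {value}")


if __name__ == "__main__":
    main(sys.argv)
```

On the samples it reports the two 203.0.113.7 redirect lines and four launch directives (open, shell\open\command, shell\explore\command, shell); the icon and label keys and the junk line are ignored.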
#310
Posted 31 August 2008 - 04:43 AM
[Registry - Non-Microsoft Only]
Folder move failed. F:\autorun.inf scheduled to be moved on reboot.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temp\nsq1A.tmp\bundle1.exe scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temp\nsq1A.tmp\NSISdl.dll scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temp\nsq1A.tmp\nsis_winamp.dll scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temp\etilqs_o9a0ON974D97dK52eg8t scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temp\fla20.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temp\nsa19.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temp\Perflib_Perfdata_c5c.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 08312008_183038
Files moved on Reboot...
Folder move failed. F:\autorun.inf scheduled to be moved on reboot.
File C:\Documents and Settings\Adrian\Local Settings\Temp\nsq1A.tmp\bundle1.exe not found!
File C:\Documents and Settings\Adrian\Local Settings\Temp\nsq1A.tmp\NSISdl.dll not found!
File C:\Documents and Settings\Adrian\Local Settings\Temp\nsq1A.tmp\nsis_winamp.dll not found!
File C:\Documents and Settings\Adrian\Local Settings\Temp\etilqs_o9a0ON974D97dK52eg8t not found!
File C:\Documents and Settings\Adrian\Local Settings\Temp\fla20.tmp not found!
File C:\Documents and Settings\Adrian\Local Settings\Temp\nsa19.tmp not found!
File C:\Documents and Settings\Adrian\Local Settings\Temp\Perflib_Perfdata_c5c.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\XUL.mfl moved successfully.
#311
Posted 31 August 2008 - 04:49 AM
Hi kahdah. Unfortunately, redirects are still present. No flash drives are plugged in yet, except my removable hard disk.
#312
Posted 31 August 2008 - 06:32 AM
That's OK; it is because the offending file was not moved.
1. Please download The Avenger2 by Swandog46 to your Desktop.
- Right click on the Avenger.zip folder and select "Extract All..."
- Follow the prompts and extract the avenger folder to your desktop
Files to delete: F:\autorun.inf
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
- Right click on the window under Input script here:, and select Paste.
- You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
- Click on Execute
- Answer "Yes" twice when prompted.
- It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop; this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
#313
Posted 31 August 2008 - 06:48 AM
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: could not open file "F:\autorun.inf"
Deletion of file "F:\autorun.inf" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Completed script processing.
*******************
Finished! Terminate.
By the way, can you repost the link to where the application for training is? I visited it previously but it is closed until September 1. I'd like to give it a try. Thanks!
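The Avenger log above reports the one scripted action as failed with NTSTATUS 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND), and its own "-->" line explains why: the parent directory (the F: volume) did not exist when the script ran, so F:\autorun.inf was neither deleted nor confirmed absent. Long fix logs make such lines easy to skim past. The following Python parser is an added example, not part of the thread and not code from The Avenger; it reads a log in this format into structured results so that failed items and their status codes stand out. The failure, status and reason line formats are taken from the log above; the success-line format (`File "..." deleted successfully.`) is an assumption, since no successful action appears on this page.

```python
"""Structured reading of an Avenger 2 log (an added example, not part of The Avenger)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the Avenger log posted above, copied line for line.
SAMPLE_LOG = r"""Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: could not open file "F:\autorun.inf"
Deletion of file "F:\autorun.inf" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Completed script processing.
*******************
Finished! Terminate.
"""

# NTSTATUS codes decoded locally; only the one quoted on this page is listed, any
# other falls back to the name Avenger prints in parentheses (if it prints one).
NTSTATUS_NAMES = {0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND"}

@dataclass
class Action:
    action: str                       # "Deletion", "Disabling", ...
    kind: str                         # "file", "folder", "driver", ...
    path: str
    succeeded: bool
    status: Optional[int] = None      # NTSTATUS value on failure
    status_name: Optional[str] = None
    reason: Optional[str] = None      # Avenger's "--> ..." explanation

# Failure, status and reason lines exactly as they appear in the log above.
_FAIL = re.compile(r'^(?P<action>\w+) of (?P<kind>\w+) "(?P<path>[^"]+)" failed!')
_STATUS = re.compile(r'^Status: (?P<code>0x[0-9a-fA-F]+)(?: \((?P<name>\w+)\))?')
_REASON = re.compile(r'^--> (?P<reason>.+)$')
# Assumed success-line format (hypothetical; no successful action is shown on this page).
_OK = re.compile(r'^(?P<kind>\w+) "(?P<path>[^"]+)" (?P<action>\w+) successfully\.?$')

def parse_avenger_log(text: str) -> List[Action]:
    """Return one Action per scripted item, with status code and reason on failure."""
    actions: List[Action] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _FAIL.match(line):
            actions.append(Action(m["action"], m["kind"], m["path"], succeeded=False))
        elif m := _OK.match(line):
            actions.append(Action(m["action"], m["kind"], m["path"], succeeded=True))
        elif (m := _STATUS.match(line)) and actions and not actions[-1].succeeded:
            code = int(m["code"], 16)
            actions[-1].status = code
            actions[-1].status_name = m["name"] or NTSTATUS_NAMES.get(code)
        elif (m := _REASON.match(line)) and actions and not actions[-1].succeeded:
            actions[-1].reason = m["reason"]
    return actions

def rootkit_scan_clean(text: str) -> bool:
    """True when Avenger's own rootkit pass reported nothing."""
    return "No rootkits found!" in text

def pending_paths(actions: List[Action]) -> List[str]:
    """Paths the script asked for that were not removed, i.e. still need attention."""
    return [a.path for a in actions if not a.succeeded]

if __name__ == "__main__":
    for a in parse_avenger_log(SAMPLE_LOG):
        state = "ok" if a.succeeded else f"FAILED {a.status:#010x} {a.status_name}: {a.reason}"
        print(f"{a.action} of {a.kind} {a.path}: {state}")
```

Running it on the sample prints the single failed deletion with its code and reason; `pending_paths` returns the list a helper would re-check once the removable drive is actually attached, which is what the next reply in the thread turns on.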
#314
Posted 31 August 2008 - 06:51 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:35 PM, on 8/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Microsoft Encarta\Encarta Premium Suite 2005\EDICT.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1219513847656
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
--
End of file - 5934 bytes
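A HijackThis log like the one above is a flat list of entries keyed by section code (R1, O2, O4, O23 and so on), and reviewing it by eye means checking each referenced file path and a few sections that always deserve attention, such as O20 AppInit_DLLs (DLLs loaded into every process that loads user32.dll). The Python below is an added example, not part of the thread and not HijackThis code: it parses entries of that shape, pulls out the first local file path each one points at, and applies two review hints, "file outside Windows / Program Files" and "AppInit_DLLs entry". The sample log is a subset of the entries posted above, and the trusted-root list is an XP-era assumption matching that log; a hit is a prompt to look closer, not a verdict (in this log both hits belong to installed products, Winamp and AVG).

```python
"""Triage parser for HijackThis log entries (an added example, not HijackThis code)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a subset of the entries from the log posted above.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
--
End of file - 5934 bytes
"""

@dataclass
class Entry:
    code: str               # HijackThis section, e.g. "O4"
    payload: str            # everything after "O4 - "
    path: Optional[str]     # first local file path found in the payload, if any
    flags: List[str] = field(default_factory=list)

_ENTRY = re.compile(r'^(?P<code>[RFNO]\d+) - (?P<payload>.+)$')
# First local path ending in an extension HijackThis entries commonly point at.
_PATH = re.compile(r'(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|html|cpl|sys))', re.I)

# Where system and installed components are expected to live (assumed XP-era layout,
# matching the log above); anything else is worth a second look, not automatically bad.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

def triage(entry: Entry) -> List[str]:
    """Review hints for one entry; an empty list means nothing stood out."""
    flags = []
    if entry.code == "O20":
        # AppInit_DLLs are loaded into every process that loads user32.dll,
        # so the DLL's origin should always be confirmed (here it is AVG's own file).
        flags.append("AppInit_DLLs entry: confirm the DLL belongs to an installed product")
    if entry.path and not entry.path.lower().startswith(TRUSTED_ROOTS):
        flags.append("file outside Windows / Program Files")
    return flags

def parse_hijackthis(text: str) -> List[Entry]:
    """Turn the entry lines of a HijackThis log into Entry records with review flags."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue                      # header, process list, footer
        pm = _PATH.search(m["payload"])
        e = Entry(m["code"], m["payload"], pm["path"] if pm else None)
        e.flags = triage(e)
        entries.append(e)
    return entries

def count_by_section(entries: List[Entry]) -> Dict[str, int]:
    return dict(Counter(e.code for e in entries))

def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]

if __name__ == "__main__":
    ents = parse_hijackthis(SAMPLE_HJT)
    print(count_by_section(ents))
    for e in flagged(ents):
        print(e.code, e.path or e.payload, "->", "; ".join(e.flags))
```

On the sample this reports three O4 autostart entries and flags two lines for review: the O8 item whose file lives under Documents and Settings, and the O20 AppInit_DLLs entry. The path regex stops at the first executable-looking extension, which keeps command-line arguments such as `-quiet` out of the extracted path.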
#315
Posted 31 August 2008 - 06:54 AM