winupgro.exe Winword.exe auto-start


  • This topic is locked
2 replies to this topic

#1 happynut (Members, 1 post)

Posted 25 December 2008 - 04:54 PM

A couple of days ago, I downloaded some software online. Now I realize the auto-protection of my Symantec is blocked, i.e., I cannot see the icon in the task tray. In the Task Manager process list, winupgro.exe and winword.exe take a lot of CPU. But I never auto-start winword.exe. I ended these two processes and searched for winupgro.exe on my C: drive. I found in "C:\Documents and Settings\wangxian1\Application Data\drivers" three items: winupgro.exe, srosa2.sys, and a folder called downld. Further, in the folder downld, there are many .exe files. The following is my HijackThis result. Thank you very much for your help.


DDS (Version 1.1.0) - NTFSx86
Run by wangxian1 at 13:34:25.18 on Thu 12/25/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.412 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\LogMeIn\x86\RaMaint.exe
E:\Program Files\LogMeIn\x86\LogMeIn.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
F:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\JWPack\ScreenMark.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
E:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\Pen_Tablet.exe
E:\Acrobat\Acrobat\Acrotray.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\lxcgcoms.exe
C:\Program Files\Symantec\Ghost\bin\rteng7.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\wangxian1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.zhidao.la
mDefault_Page_URL = www.zhidao.la
mStart Page = www.zhidao.la
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.search.msn.com
mCustomizeSearch = hxxp://ie.search.msn.com
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - e:\program files\flashget\jccatch.dll
BHO: Microsoft Web Test Recorder Helper: {62355041-605d-4469-84fd-5d66ed67a7e3} - e:\program files\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_14\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\acrobat\acrobat\AcroIEFavClient.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - e:\program files\flashget\getflash.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\acrobat\acrobat\AcroIEFavClient.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB: {89FDCC4B-8D91-49B0-81A6-18BCFF582735} - No File
uRun: [PPS Accelerator] c:\program files\ppstream\ppsap.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DAEMON Tools Lite] "f:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Universal Installer] "c:\program files\comcastui\universal installer\uinstaller.exe" /fromrun /starthidden
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [drvsyskit] c:\documents and settings\wangxian1\application data\drivers\winupgro.exe
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_14\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
mRun: [Adobe Photo Downloader] "f:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [SMKRun] c:\jwpack\ScreenMark.exe -i
mRun: [JWOSetup] JWOSetup.exe -en
mRun: [LogMeIn GUI] "e:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [RegistryMechanic]
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "e:\acrobat\acrobat\Acrotray.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [NGServer] c:\program files\symantec\ghost\ngserver.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Access Internet Keyword - c:\program files\ocins\cnrbtn.html
IE: &Download All with FlashGet - e:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - e:\program files\flashget\jc_link.htm
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Append to existing PDF - e:\acrobat\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Convert link target to Adobe PDF - e:\acrobat\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\acrobat\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\acrobat\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\acrobat\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\acrobat\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\acrobat\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\acrobat\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: ??-??MP3 - c:\program files\baidu\bar\BaiduBar.DLL/BAIDUMP3.HTM
IE: ??-???? - c:\program files\baidu\bar\BaiduBar.DLL/BAIDUIMG.HTM
IE: ??-???? - c:\program files\baidu\bar\BaiduBar.DLL/BAIDUNEWS.HTM
IE: ??-???? - c:\program files\baidu\bar\BaiduBar.DLL/BAIDULYRIC.HTM
IE: ??-???? - c:\program files\baidu\bar\BaiduBar.DLL/BAIDUSEARCH.HTM
IE: ??-???? - c:\program files\baidu\bar\BaiduBar.DLL/BAIDUPOST.HTM
IE: ??-???? - c:\program files\baidu\bar\BaiduBar.DLL/BAIDU_DIC.HTM
IE: ?????? - c:\program files\cnnic\cdn\cnnic.htm
IE: ????? PDF
IE: ???????? Adobe PDF
IE: ?????????? PDF
IE: ????? Adobe PDF
IE: ??????? PDF
IE: ??????? Adobe PDF
IE: ????????? PDF
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - e:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_14\bin\ssv.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - f:\program files\qualcomm\eudora\EuShlExt.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;f:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\e:\program files\logmein\x86\RaInfo.sys [2008-2-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-7-11 47640]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-12-17 3032360]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-12-22 1373480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081219.005\naveng.sys [2008-12-19 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081219.005\navex15.sys [2008-12-19 876112]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-12-17 15144]
S1 sK9Ou0s;sK9Ou0s;\??\c:\documents and settings\wangxian1\application data\drivers\srosa2.sys [2008-12-25 7168]
S1 srosa;srosa;\??\c:\documents and settings\wangxian1\application data\drivers\srosa.sys []
S2 aawservice;Lavasoft Ad-Aware Service;"f:\program files\lavasoft\ad-aware\aawservice.exe" [2008-6-2 611664]
S2 MATLAB License Server;MATLAB License Server;"c:\matlab7\flexlm\lmgrd.exe" [2005-10-20 659456]
S2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2007-3-14 1816768]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\NSDriver.sys [2008-4-29 15648]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2007-3-14 116416]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 VSPerfDrv;Performance Tools Driver;\??\e:\program files\team tools\performance tools\VSPerfDrv.sys [2006-12-2 48128]
S4 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2006-11-21 192104]
S4 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2006-11-21 169576]
S4 LMIRfsClientNP;LMIRfsClientNP; []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"e:\program files\common7\ide\remote debugger\x86\msvsmon.exe" /service msvsmon80 [2006-12-2 2805000]

============== File Associations ===============

txtfile="c:\program files\jgsoft\editpadpro6\EditPadPro.exe" "%1"

=============== Created Last 30 ================

2008-12-25 12:49 <DIR> --d----- c:\program files\Trend Micro
2008-12-25 12:37 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-25 12:37 1,409 a------- c:\windows\QTFont.for
2008-12-24 19:46 <DIR> --d-h--- c:\windows\PIF
2008-12-24 16:57 <DIR> --d----- c:\program files\AskBarDis
2008-12-24 16:56 <DIR> --d----- c:\docume~1\wangxi~1\applic~1\Foxit
2008-12-24 15:52 <DIR> --d-h--- c:\docume~1\wangxi~1\applic~1\drivers
2008-12-23 00:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\espionServerData
2008-12-23 00:21 <DIR> --d----- c:\windows\MSSecurityNS
2008-12-23 00:21 <DIR> --d----- c:\windows\MSSecurityNi
2008-12-23 00:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel
2008-12-22 20:34 1,910,035 -------- c:\windows\system32\WacomTablet.znc
2008-12-22 20:34 3,499,304 -------- c:\windows\system32\WacomTablet.cpl
2008-12-22 20:33 128,296 -------- c:\windows\system32\Wacom_Tablet.dll
2008-12-22 20:33 1,373,480 -------- c:\windows\system32\Wacom_Tablet.exe
2008-12-21 12:07 157,696 a------- c:\windows\system32\stikynot.exe
2008-12-21 12:06 <DIR> --d----- c:\program files\Windows Journal
2008-12-21 11:49 94,208 a------- c:\windows\system32\tabbtn.dll
2008-12-21 11:29 51,712 a------- c:\windows\system32\tabcal.exe
2008-12-20 22:48 1,690,112 a------- c:\windows\system32\inkball.exe
2008-12-20 22:34 34,304 a------- c:\windows\system32\tabsrv.dll
2008-12-20 22:34 6,144 a------- c:\windows\system32\softkbd.exe
2008-12-20 22:34 2,560 a------- c:\windows\system32\PipRes.dll
2008-12-20 22:34 207,360 a------- c:\windows\system32\InkEd.dll
2008-12-20 22:34 141,312 a------- c:\windows\system32\TipRes.dll
2008-12-20 22:34 293,376 a------- c:\windows\system32\wisptis.exe
2008-12-20 22:34 30,208 a------- c:\windows\system32\tpgwlnot.dll
2008-12-20 20:41 12,730 a------- C:\EXCEPTION_LOG.DOC
2008-12-17 23:42 492 a------- c:\windows\JustWrite.INI
2008-12-17 23:40 891 a------- c:\windows\ScreenMark.INI
2008-12-17 23:39 <DIR> --d----- c:\program files\Wintone
2008-12-17 23:36 <DIR> --d----- c:\docume~1\wangxi~1\applic~1\JustWrite Office
2008-12-17 23:36 2,076,672 a------- c:\windows\system32\CommandBars1030vc60.dll
2008-12-17 23:36 69,632 a------- c:\windows\system32\JWPath.dll
2008-12-17 23:36 184,320 a------- c:\windows\system32\JustWrite.dll
2008-12-17 23:35 168,448 a------- c:\windows\JwPackP2.ppa
2008-12-17 23:35 117,248 a------- c:\windows\JwPackP1.ppa
2008-12-17 23:35 43,016 a------- c:\windows\JwPackP.ppam
2008-12-17 23:35 90,112 a------- c:\windows\JWOSetup.exe
2008-12-17 22:01 <DIR> --d----- c:\docume~1\wangxi~1\applic~1\WTablet
2008-12-17 22:00 1,532,082 -------- c:\windows\system32\PenTablet.znc
2008-12-17 22:00 3,708,200 -------- c:\windows\system32\PenTablet.cpl
2008-12-17 22:00 11,440 a------- c:\windows\system32\drivers\WacomVKHid.sys
2008-12-17 22:00 12,848 a------- c:\windows\system32\drivers\wacomvhid.sys
2008-12-17 22:00 11,312 a------- c:\windows\system32\drivers\wacommousefilter.sys
2008-12-17 22:00 15,144 a------- c:\windows\system32\drivers\wacmoumonitor.sys
2008-12-17 22:00 <DIR> --d----- c:\windows\system32\WTablet
2008-12-17 22:00 181,544 -------- c:\windows\system32\Wintab32.dll
2008-12-17 22:00 128,296 -------- c:\windows\system32\Pen_Tablet.dll
2008-12-17 22:00 3,032,360 -------- c:\windows\system32\Pen_Tablet.exe
2008-12-17 21:59 <DIR> --d----- c:\program files\Tablet
2008-12-17 21:55 36,864 a------- c:\windows\system32\TaskKeyHook.dll
2008-12-17 21:55 25,088 a------- c:\windows\system32\Wintab10.ocx
2008-12-17 21:55 <DIR> --d----- C:\JWPack
2008-12-16 20:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2008-12-15 20:55 <DIR> --d----- c:\docume~1\wangxi~1\applic~1\DAEMON Tools Pro
2008-12-15 20:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2008-12-15 20:46 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-12-15 20:46 <DIR> --d----- c:\docume~1\wangxi~1\applic~1\DAEMON Tools Lite
2008-12-15 20:37 86,016 a------- c:\windows\unvise32qt.exe
2008-12-15 20:36 <DIR> --d----- c:\windows\system32\QuickTime
2008-12-10 10:48 <DIR> --d----- c:\docume~1\wangxi~1\applic~1\GrabPro

==================== Find3M ====================

2008-12-23 00:10 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2008-12-23 00:10 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2008-12-23 00:10 129,784 -------- c:\windows\system32\pxafs.dll
2008-12-23 00:10 116,472 -------- c:\windows\system32\pxcpyi64.exe
2008-12-23 00:10 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-12-23 00:10 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2008-10-23 23:27 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-17 09:47 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2008-10-17 09:47 87,352 a------- c:\windows\system32\LMIinit.dll
2008-10-17 09:47 28,984 a------- c:\windows\system32\LMIport.dll
2008-10-17 09:47 23,736 a------- c:\windows\system32\lmimirr.dll
2008-10-17 09:47 10,040 a------- c:\windows\system32\lmimirr2.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 02:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-06-24 12:12 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-06-24 12:12 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-06-24 12:12 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 13:35:05.10 ===============
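
The log above contains the entries the poster describes: a Run key named drvsyskit and two boot-start drivers (srosa and sK9Ou0s) all pointing into the user's Application Data\drivers folder, with srosa.sys carrying no date or size. As an added example, not part of the original post and not part of the DDS tool, the following Python script scans DDS-style Run-key and service lines and flags targets that live in a user-writable profile directory, service entries for which DDS recorded no date/size, and machine-generated-looking service names. SAMPLE_LOG is constructed to resemble the lines above; the directory list, the name heuristic and the "no date/size means missing file" reading are this example's own assumptions.

```python
"""Flag suspicious autostart entries in a DDS / HijackThis-style log.

Added example for this thread, not part of the original post or of the
DDS tool. It reads the "Pseudo HJT Report" Run-key lines and the
"SERVICES / DRIVERS" lines and flags entries that point into a
user-writable profile directory, which legitimate kernel drivers and
vendor services almost never do. SAMPLE_LOG below is constructed to
resemble the log posted above; the heuristics are this example's own.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "kind name target reasons")

# Profile / temp locations an autostart binary or driver should not live in
# (assumed list; extend for the environment being examined).
USER_WRITABLE_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\application data\\"
    r"|\\documents and settings\\[^\\]+\\local settings\\"
    r"|\\docume~1\\"
    r"|\\windows\\temp\\",
    re.IGNORECASE,
)
# uRun/mRun/dRun: [name] target
RUN_RE = re.compile(r"^(?P<hive>[umd])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")
# DDS service line: "S1 name;display;target [date size]"  ("[]" when DDS found no file)
SVC_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<target>.*?)(?:\s*\[(?P<meta>[^\]]*)\])?$"
)
# Heuristic: short mixed-case alphanumeric names containing digits look machine-generated.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Z])(?=.*[a-z])[A-Za-z0-9]{5,10}$")


def normalise_target(target):
    """Return the lower-cased file path from a Run/service target string,
    dropping surrounding quotes, the \\??\\ NT prefix and any arguments."""
    t = target.strip()
    if t.startswith('"'):
        end = t.find('"', 1)
        t = t[1:end] if end > 0 else t[1:]
    if t.startswith("\\??\\"):
        t = t[4:]
    m = re.match(r"^(.*?\.(?:exe|sys|dll|scr))(?:\s|$)", t, re.IGNORECASE)
    return (m.group(1) if m else t).lower()


def analyse(log_text):
    """Scan DDS log text and return a list of Finding for suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            target = normalise_target(m.group("target"))
            if target and USER_WRITABLE_RE.search(target):
                findings.append(Finding("run", m.group("name"), target,
                                        ("autostart from user-writable profile directory",)))
            continue
        m = SVC_RE.match(line)
        if not m:
            continue
        target = normalise_target(m.group("target"))
        if not target:
            continue  # network providers etc. legitimately carry no path
        reasons = []
        if USER_WRITABLE_RE.search(target):
            kind = "kernel driver" if target.endswith(".sys") else "service"
            reasons.append(f"{kind} loaded from user-writable profile directory")
        if m.group("meta") == "":
            reasons.append("no date/size recorded by DDS (file missing or hidden)")
        if RANDOM_NAME_RE.match(m.group("name")):
            reasons.append("machine-generated-looking service name")
        if reasons:
            findings.append(Finding(m.group("state"), m.group("name"), target, tuple(reasons)))
    return findings


def drop_directories(findings):
    """Directories referenced by more than one flagged entry: a likely drop folder."""
    dirs = Counter(f.target.rsplit("\\", 1)[0] for f in findings if "\\" in f.target)
    return sorted(d for d, n in dirs.items() if n > 1)


# Constructed sample resembling the posted log (not the full log).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [drvsyskit] c:\documents and settings\wangxian1\application data\drivers\winupgro.exe
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
S1 sK9Ou0s;sK9Ou0s;\??\c:\documents and settings\wangxian1\application data\drivers\srosa2.sys [2008-12-25 7168]
S1 srosa;srosa;\??\c:\documents and settings\wangxian1\application data\drivers\srosa.sys []
S2 aawservice;Lavasoft Ad-Aware Service;"f:\program files\lavasoft\ad-aware\aawservice.exe" [2008-6-2 611664]
S4 LMIRfsClientNP;LMIRfsClientNP; []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"e:\program files\common7\ide\remote debugger\x86\msvsmon.exe" /service msvsmon80 [2006-12-2 2805000]
"""

if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.name}: {f.target}\n    " + "; ".join(f.reasons))
    for d in drop_directories(found):
        print("likely drop folder:", d)
```

Run against the sample, the script reports only the drvsyskit Run key and the two srosa drivers, and names the Application Data\drivers folder as the common drop directory; the Symantec, LogMeIn and Visual Studio entries pass because they live under Program Files or the Windows directory. The path heuristic is deliberately narrow: a trojan can just as well install under Program Files, so an empty finding list is not a clean bill of health.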


#2 Thunder (Members, 3,294 posts, Belgium)

Posted 30 December 2008 - 09:39 AM

Hello Happynut and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


3. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.

#3 Thunder (Members, 3,294 posts, Belgium)

Posted 22 January 2009 - 05:22 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.