
Many programs corrupted


73 replies to this topic

#1 snowblind
  • Members
  • 38 posts

Posted 17 July 2009 - 02:02 AM

Hi

I seem to have a trojan/malware (?) problem that is corrupting many programs. My AVG didn't remove it/them; Ccleaner is corrupted, as is Spybot (I get "the file or directory is corrupted and unreadable"). I couldn't even run the backup program after I downloaded it.

Random web pages open in IE. Even when running the DDS I got the following message: "Sort Utility has encountered a problem and needs to close. We are sorry for the inconvenience." and the "attach.txt" file was never generated. So I just included the DDS below, not sure if that's enough...

Thanks!



DDS (Ver_09-06-26.01) - FAT32x86
Run by DEFAULT at 2:43:14.95 on Fri 07/17/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.139 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\msa.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\DEFAULT\LOCALS~1\Temp\c.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\DEFAULT\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.superwebsearch.com/ie/
uSearch Bar = hxxp://www.superwebsearch.com/ie/
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.superwebsearch.com/ie/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.superwebsearch.com/ie/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Cognac] c:\docume~1\default\locals~1\temp\c.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [Motive SmartBridge] c:\progra~1\netass~1\smartb~1\MotiveSB.exe
mRun: [StandardInstall]
mRun: [AGEIA PhysX SysTray] c:\program files\ageia technologies\TrayIcon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netass~1.lnk - c:\program files\netassistant\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoSMMyPictures = 0 (0x0)
uPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
uPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
uPolicies-explorer: NoInstrumentation = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoSMMyPictures = 0 (0x0)
mPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
mPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
mPolicies-explorer: NoInstrumentation = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: TruePass EPF 7,0,100,739 - hxxps://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\default\applic~1\mozilla\firefox\profiles\mgrmghro.default\
FF - prefs.js: browser.search.selectedEngine - Google

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-28 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-28 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-28 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-16 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-10 298776]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-9-24 935208]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-16 1174152]


=============== Created Last 30 ================

2009-07-17 02:11 <DIR> --d----- c:\program files\Cobian Backup 8
2009-07-16 23:09 <DIR> --d----- c:\documents and settings\default\.housecall6.6
2009-07-15 22:25 138,752 a------- c:\windows\msa.exe

==================== Find3M ====================

2009-07-17 00:39 42,522 a------- c:\docume~1\default\applic~1\wklnhst.dat
2009-07-02 09:37 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-11 22:13 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 11:44 344,064 a------- c:\windows\system32\dllcache\localspl.dll
2009-04-27 05:17 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2006-10-01 19:56 54 a------- c:\documents and settings\default\test.dat
2006-02-07 22:51 62,200 a------- c:\docume~1\default\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 2:45:00.23 ===============


#2 thcbytes
  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 26 July 2009 - 05:29 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 snowblind
  • Topic Starter
  • Members
  • 38 posts

Posted 27 July 2009 - 08:28 PM

Hi Guys,

Below is the new DDS log. Need anything else?

Haven't used the PC much since the "attack". Can browse with IE only and the machine often needs to be restarted a few times to run at all. Also getting a lot of script error messages and run chkdsk, etc.

Thanks!


DDS (Ver_09-06-26.01) - FAT32x86
Run by DEFAULT at 21:20:56.81 on Mon 07/27/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.121 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\msa.exe
C:\WINDOWS\Explorer.EXE
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\DOCUME~1\DEFAULT\LOCALS~1\Temp\c.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\DEFAULT\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.superwebsearch.com/ie/
uSearch Bar = hxxp://www.superwebsearch.com/ie/
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.superwebsearch.com/ie/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.superwebsearch.com/ie/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

Attached Files



#4 snowblind
  • Topic Starter
  • Members
  • 38 posts

Posted 27 July 2009 - 08:33 PM

Is it okay if not zipped?

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 5/13/2005 7:29:07 AM
System Uptime: 7/27/2009 9:00:38 PM (0 hours ago)

Motherboard: Intel Corporation | | D915GAV
Processor: Intel® Pentium® 4 CPU 2.93GHz | J2E1 | 2933/133mhz

==== Disk Partitions =========================

C: is FIXED (FAT32) - 149 GiB total, 101.206 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP571: 7/15/2009 10:26:12 PM - Avg8 Update
RP572: 7/15/2009 10:26:13 PM - Software Distribution Service 3.0
RP573: 7/15/2009 10:26:15 PM - System Checkpoint
RP574: 7/15/2009 10:26:16 PM - System Checkpoint
RP575: 7/15/2009 10:26:16 PM - System Checkpoint
RP576: 7/15/2009 10:26:17 PM - System Checkpoint
RP577: 7/15/2009 10:26:17 PM - System Checkpoint
RP578: 7/15/2009 10:26:19 PM - System Checkpoint
RP579: 7/15/2009 10:26:20 PM - Avg8 Update
RP580: 7/15/2009 10:26:20 PM - Avg8 Update
RP581: 7/15/2009 10:26:21 PM - System Checkpoint
RP582: 7/15/2009 10:26:21 PM - Avg8 Update
RP583: 7/15/2009 10:26:22 PM - Avg8 Update
RP584: 7/15/2009 10:26:22 PM - System Checkpoint
RP585: 7/15/2009 10:26:23 PM - System Checkpoint
RP586: 7/15/2009 10:26:23 PM - System Checkpoint
RP587: 7/15/2009 10:26:25 PM - System Checkpoint
RP588: 7/15/2009 10:26:26 PM - Software Distribution Service 3.0
RP589: 7/15/2009 10:26:26 PM - Avg8 Update
RP590: 7/15/2009 10:26:27 PM - Avg8 Update
RP591: 7/15/2009 10:26:27 PM - Installed iTunes
RP592: 7/15/2009 10:26:28 PM - Avg8 Update
RP593: 7/15/2009 10:26:29 PM - Avg8 Update
RP594: 7/15/2009 10:26:29 PM - Avg8 Update
RP595: 7/15/2009 10:26:29 PM - System Checkpoint
RP596: 7/15/2009 10:26:30 PM - System Checkpoint
RP597: 7/15/2009 10:26:30 PM - System Checkpoint
RP598: 7/15/2009 10:26:31 PM - Avg8 Update
RP599: 7/15/2009 10:26:31 PM - Avg8 Update
RP600: 7/15/2009 10:26:32 PM - System Checkpoint
RP601: 7/15/2009 10:26:32 PM - Avg8 Update
RP602: 7/15/2009 10:26:33 PM - System Checkpoint
RP603: 7/15/2009 10:26:34 PM - System Checkpoint

==== Installed Programs ======================


==== Event Viewer Messages From Past Week ========

7/22/2009 9:02:09 AM, error: ati2mtag [45062] - CRT invalid display type
7/20/2009 8:26:37 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

==== End Of File ===========================

#5 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 29 July 2009 - 08:30 PM

Hello snowblind :thumbup2: Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please perform the following:

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please do not post any logs as an attachment unless asked to do so.

Thanks,

thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#6 snowblind
  • Topic Starter
  • Members
  • 38 posts

Posted 29 July 2009 - 10:25 PM

Hi thewall,

Thanks for your help. As requested, here is the GMER log....


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-29 23:21:22
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 82BE40B0 ZwEnumerateKey
Code 82BA9E80 ZwFlushInstructionCache
Code 82BA943E IofCallDriver
Code 82BDE0AE IofCompleteRequest
Code 82C56E25 ZwSaveKey
Code 82C22CCD ZwSaveKeyEx

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACprjvekknruktyogln.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [868] 0x01230000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----
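
A small triage script, added here as an example and not a tool from this thread or from BleepingComputer, that applies the checks the helpers above make by eye on the DDS and GMER logs: programs started from a Temp folder, IE search settings pointing at a different host than the start page, hidden injected DLLs, and sectors GMER marks as rootkit-like. The sample lines are copied from the logs posted in this thread; the severity labels and regexes are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample: lines taken from the DDS and GMER logs posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\DEFAULT\LOCALS~1\Temp\c.exe
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.superwebsearch.com/ie/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.superwebsearch.com/ie/
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Cognac] c:\docume~1\default\locals~1\temp\c.exe
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
Library \\?\globalroot\systemroot\system32\UACprjvekknruktyogln.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [868] 0x01230000
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
"""

# Patterns for the DDS "Running Processes" / "Pseudo HJT Report" and GMER line formats.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
TEMP_RE = re.compile(r"\\locals~1\\temp\\|\\local settings\\temp\\", re.IGNORECASE)
RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.IGNORECASE)
SETTING_RE = re.compile(
    r"^(?P<key>[um](?:Start Page|Search Page|Search Bar|SearchAssistant|Default_Search_URL))"
    r"\s*=\s*(?P<url>\S+)$")
HOST_RE = re.compile(r"^hxxps?://([^/]+)", re.IGNORECASE)   # DDS defangs http as hxxp
HIDDEN_RE = re.compile(
    r"^Library\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]")
SECTOR_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+sector\s+(?P<n>\d+):\s*(?P<desc>.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low" (my own labels)
    line: str
    reason: str


def host_of(url: str) -> str:
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def _check_search_settings(settings: List[Tuple[str, str, str]]) -> List[Finding]:
    # Search providers are compared against the host of the Start Page; a
    # mismatch is not proof of hijacking, so it only rates "medium".
    start_hosts = {host_of(url) for key, url, _ in settings if key.lower().endswith("start page")}
    out = []
    for key, url, line in settings:
        if key.lower().endswith("start page"):
            continue
        host = host_of(url)
        if host and start_hosts and host not in start_hosts:
            out.append(Finding("medium", line,
                               f"{key} points at {host}, not the start page host; confirm the user chose it"))
    return out


def triage(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    settings: List[Tuple[str, str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if PROCESS_RE.match(line):                      # DDS running-process entry
            if TEMP_RE.search(line):
                findings.append(Finding("high", line, "process image running from a Temp folder"))
            continue
        m = RUN_RE.match(line)                          # uRun/mRun/dRun autostart entry
        if m:
            if TEMP_RE.search(m.group("cmd")):
                findings.append(Finding("high", line,
                                        f"autostart entry [{m.group('name')}] launches a program from Temp"))
            continue
        m = SETTING_RE.match(line)                      # IE start/search settings
        if m:
            settings.append((m.group("key"), m.group("url"), line))
            continue
        m = HIDDEN_RE.match(line)                       # GMER hidden library in a process
        if m:
            dll = m.group("path").rsplit("\\", 1)[-1]
            findings.append(Finding("high", line,
                                    f"hidden DLL {dll} injected into {m.group('proc')} (pid {m.group('pid')})"))
            continue
        m = SECTOR_RE.match(line)                       # GMER disk-sector line
        if m and "rootkit-like behavior" in m.group("desc"):
            findings.append(Finding("high", line,
                                    f"GMER flags sector {m.group('n')} of {m.group('dev')} as rootkit-like"))
            continue
        if line.endswith("- No File"):                  # orphaned registry reference
            findings.append(Finding("low", line, "orphaned reference to a missing file"))
    findings.extend(_check_search_settings(settings))
    return findings


def triage_text(text: str) -> List[Finding]:
    return triage(text.splitlines())


def summarize(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.reason}\n         {f.line}")
```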

#7 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 30 July 2009 - 07:03 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#8 snowblind
  • Topic Starter
  • Members
  • 38 posts

Posted 30 July 2009 - 12:10 PM

Hi thewall,

I downloaded combofix and attempted to run it but it wouldn't open. After restarting the pc it still wouldn't open, nor would internet explorer (so I'm writing from another computer).

I tried starting in safe mode but my pc refuses to cooperate and won't open in safe mode.

?

thanks,

snowblind

#9 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 30 July 2009 - 06:57 PM

I am working on what we need to do next and will return as soon as possible. In the meantime from what I see already on your computer I believe you need to consider your security as being compromised. You have an infection that connects to other sites without your knowledge amongst other things.

Here is a LINK to more information on the file msa.exe which has been installed. I know you really can't use the computer now but you need to keep it in mind for the future. Some people choose to do a reformat once their computer has been compromised in this manner. I'll go on the assumption you wish to continue with cleanup if we can but if you should decide differently let me know and I will give you the information I have on how to go about doing so.

#10 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 31 July 2009 - 07:20 AM

Do you have a flash drive or a CD you can use to transfer some programs from your clean computer to the infected one?

#11 snowblind

snowblind
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 02 August 2009 - 02:29 PM

Okay, I will only have access to my computer next Sunday. At that time I will be able to transfer the necessary files via a flash drive, if you let me know which ones to install.

Thanks!

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:06:03 PM

Posted 08 August 2009 - 09:09 AM

OK, I'm back. Below is a list of programs I would like for you to download to your flash drive. We may not need them all but if we don't then we'll still have them.

Go HERE and download SysProt AntiRootkit. Unzip it to your flash drive.

Download RootRepeal from the following location and save it to your flash drive.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your flash drive with a name you can remember such as snow.exe.

Link 1
Link 2

#13 snowblind

snowblind
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 10 August 2009 - 02:27 PM

Okay, the programs are now on my flash drive.

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:06:03 PM

Posted 10 August 2009 - 04:23 PM

See if you can get the SysProt AntiRootkit loaded onto the Desktop and then get it to run.

  • Run SysProt >> Click on the Log tab
  • Tick ALL the boxes in the "Write to log" section. Also tick the "Hidden Objects Only" option
  • Hit the Create Log button
  • When it asks for the scanning option, choose Scanning all drives >> Hit the Start button (Do NOT hit the "Ok" button)
  • Let it scan until it finishes
  • Find the log.txt inside the SysProt folder and post the log here.


#15 snowblind

snowblind
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 11 August 2009 - 08:43 AM

It worked when I logged in as another user. When I log in as myself, no programs open. Can't even open files to back them up.

Here's the log. I ran SysProt directly from my USB key without saving it to desktop. Hope that's okay.



SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\UACqxufuvmdwnumkntxo.sys
Service Name: UACd.sys
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EF854000
Module End: EF86C000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F8AFA000
Module End: F8AFC000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwFlushInstructionCache
At Address: 805B528A
Jump To: 82C66B0C
Module Name: _unknown_

Hooked Function: ZwEnumerateKey
At Address: 8062296E
Jump To: 82C6E76C
Module Name: _unknown_

Hooked Function: IofCompleteRequest
At Address: 804EF14C
Jump To: 82C97563
Module Name: _unknown_

Hooked Function: IofCallDriver
At Address: 804EF0BC
Jump To: 82C5DA8B
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: COMP-DEFAULT:27015
Remote Address: LOCALHOST:1035
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\BIN\AppleMobileDeviceService.exe
State: ESTABLISHED

Local Address: COMP-DEFAULT:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\BIN\AppleMobileDeviceService.exe
State: LISTENING

Local Address: COMP-DEFAULT:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: COMP-DEFAULT:1051
Remote Address: LOCALHOST:1037
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1050
Remote Address: LOCALHOST:1037
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1049
Remote Address: LOCALHOST:1039
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1048
Remote Address: LOCALHOST:1038
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1047
Remote Address: LOCALHOST:1036
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1043
Remote Address: LOCALHOST:1036
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1042
Remote Address: LOCALHOST:1036
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1041
Remote Address: LOCALHOST:1037
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1040
Remote Address: LOCALHOST:1036
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1039
Remote Address: LOCALHOST:1049
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1039
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: LISTENING

Local Address: COMP-DEFAULT:1038
Remote Address: LOCALHOST:1048
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1038
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: LISTENING

Local Address: COMP-DEFAULT:1037
Remote Address: LOCALHOST:1051
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1037
Remote Address: LOCALHOST:1050
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1037
Remote Address: LOCALHOST:1041
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1037
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: LISTENING

Local Address: COMP-DEFAULT:1036
Remote Address: LOCALHOST:1047
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1036
Remote Address: LOCALHOST:1043
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1036
Remote Address: LOCALHOST:1042
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1036
Remote Address: LOCALHOST:1040
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: ESTABLISHED

Local Address: COMP-DEFAULT:1036
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
State: LISTENING

Local Address: COMP-DEFAULT:1035
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Program Files\iTunes\iTunesHelper.exe
State: ESTABLISHED

Local Address: COMP-DEFAULT:1029
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\ALG.EXE
State: LISTENING

Local Address: COMP-DEFAULT:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: COMP-DEFAULT:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: LISTENING

Local Address: COMP-DEFAULT:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: COMP-DEFAULT:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA

Local Address: COMP-DEFAULT:1034
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA

Local Address: COMP-DEFAULT:1030
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\IEXPLORE.EXE
State: NA

Local Address: COMP-DEFAULT:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA

Local Address: COMP-DEFAULT:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\LSASS.EXE
State: NA

Local Address: COMP-DEFAULT:1028
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: COMP-DEFAULT:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\LSASS.EXE
State: NA

Local Address: COMP-DEFAULT:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\WINDOWS\system32\drivers\UACqxufuvmdwnumkntxo.sys
Status: Hidden

Object: C:\WINDOWS\system32\uacinit.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACjlhkmwaqoqespnyja.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACfrbptgwffmqfwsnus.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACwpkeogwohplgaqtig.dat
Status: Hidden

Object: C:\WINDOWS\system32\UACvxwgbvpujyklomwpn.db
Status: Hidden

Object: C:\WINDOWS\system32\UACprjvekknruktyogln.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACnoenejabodabictwc.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACbrcpstuxcoixjprhk.dll
Status: Hidden

Object: C:\WINDOWS\Temp\UACd60c.tmp
Status: Hidden

Object: C:\WINDOWS\Temp\UAC9a5b.tmp
Status: Hidden

Object: C:\WINDOWS\Temp\UACb0ad.tmp
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\["sacand.aga
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\\u003e d.og
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\,0,"0"],.["s
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\candaga\.u00
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\u003c/b\.u00
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\a\u003cb.\u0
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\u003c/b\.u00
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\a\u003cb.\u0
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\003c/b\u.003
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\\u003cb\.u00
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\,0,"6"],.["s
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\ bible c.onf
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\,0,"7"],.["s
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\],["saca.nda
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\or cente.r\u
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\WPDNSE\]
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\ICD2.tmp\+
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\ICD2.tmp\
+.7 
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\ICD2.tmp\L0R8.
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\UAC1550.tmp
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q2PD01L3\click2,wNtKACaOBgCpMygAAAAAAPYTCwAAAAAAAgAAAAYAAAAAAP8AAAABD480CQAAAAAALfQFAAAAAACNyw8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6jgMA[2].
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q2PD01L3\T2.punta_cana;pid=2056;price=upscale;PageType=Hotel_Review;pool=B;kw=Gran+Bahia+Principe+Ambar;pos=bottom;geo=1199681;u=Hotel_Review%7CB;abr=!webtv;sz=300X
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q2PD01L3\na.[1].punta_cana;pid=2056;price=upscale;PageType=ShowUserReviews;pool=B;kw=Gran+Bahia+Principe+Ambar;geo=1199681;u=ShowUserReviews%7CB;abr=!webtv;sz=300X2
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q2PD01L3\click2,wNtKAHKsBwDEMygAAAAAAN4TCwAAAAAAAgAAAAoAAAAAAP8AAAACFgH1CwAAAAAALfQFAAAAAABuyw8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSAwQA[2].
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q2PD01L3\click2,wNtKAHesBwDU7ykAAAAAAOcWDAAAAAAAAgAAAAEAAAAAAP8AAAADDAH1CwAAAAAAmkUMAAAAAABoKBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSAwQA[2].
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q2PD01L3\na.car.dr[2].punta_cana;price=upscale;PageType=Hotel_Review;pool=R;kw=Gran+Bahia+Principe+Ambar;geo=1199681;u=Hotel_Review%7CR;abr=!webtv;sz=160X600;tile=1
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q2PD01L3\PSG3DL.punta_cana;price=upscale;PageType=ShowUserReviews;pool=R;kw=Gran+Bahia+Principe+Ambar;pos=bottom;geo=1199681;u=ShowUserReviews%7CR;abr=!webtv;sz=300
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\VZWELGS1\na.car[2].punta_cana;pid=2056;price=upscale;PageType=Hotel_Review;pool=B;kw=Gran+Bahia+Principe+Ambar;geo=1199681;u=Hotel_Review%7CB;abr=!webtv;sz=160X600;
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\VZWELGS1\na[2].punta_cana;pid=2056;price=upscale;PageType=ShowUserReviews;pool=B;kw=Gran+Bahia+Principe+Ambar;geo=1199681;u=ShowUserReviews%7CB;abr=!webtv;sz=160X80
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\VZWELGS1\click2,wNtKACuOBgD17ykAAAAAAOcWDAAAAAAAAgAAAAQAAAAAAP8AAAADDI80CQAAAAAAmkUMAAAAAABoKBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6jgMA[2].
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\VZWELGS1\click2,wNtKAPuNBgDU7ykAAAAAAOcWDAAAAAAAAgAAAAEAAAAAAP8AAAADDI80CQAAAAAAmkUMAAAAAABoKBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6jgMA[2].
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\VZWELGS1\na.car.dr[1].punta_cana;price=upscale;PageType=ShowUserReviews;pool=R;kw=Gran+Bahia+Principe+Ambar;geo=1199681;u=ShowUserReviews%7CR;abr=!webtv;sz=160X600;
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\VZWELGS1\na.car.dr[2].punta_cana;price=upscale;PageType=Hotel_Review;pool=R;kw=Gran+Bahia+Principe+Ambar;geo=1199681;u=Hotel_Review%7CR;abr=!webtv;sz=160X80;tile=3;
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\VZWELGS1\na[2].punta_cana;price=upscale;PageType=Hotel_Review;pool=R;kw=Gran+Bahia+Principe+Ambar;pos=bottom;geo=1199681;u=Hotel_Review%7CR;abr=!webtv;sz=300X250;ti
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\VZWELGS1\site=ign&dechannel=ign&network=fim&random=1248959796209&ct=js&property=ign&channel_id=58&size=1x1&hosted_id=0&PageId=1248959796209&network_id=12[1].com&src
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\GX2NG1UN\na.car[2].punta_cana;pid=2056;price=upscale;PageType=Hotel_Review;pool=B;kw=Gran+Bahia+Principe+Ambar;geo=1199681;u=Hotel_Review%7CB;abr=!webtv;sz=300X250;
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\GX2NG1UN\click2,wNtKAJGQBgD17ykAAAAAAOcWDAAAAAAAAgAAAAQAAAAAAP8AAAADDK00CQAAAAAAmkUMAAAAAABoKBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIjgMA[1].
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\GX2NG1UN\click2,wNtKALKLBgDU7ykAAAAAAOcWDAAAAAAAAgAAAAEAAAAAAP8AAAADDI80CQAAAAAAmkUMAAAAAABoKBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6jgMA[2].
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\GX2NG1UN\na.car.dr[2].punta_cana;price=upscale;PageType=ShowUserReviews;pool=R;kw=Gran+Bahia+Principe+Ambar;geo=1199681;u=ShowUserReviews%7CR;abr=!webtv;sz=160X80;t
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\GX2NG1UN\click2,PwQAAFkiCQCcwycAAAAAAM6nCwAAAAAAAgAAAAIAAAAAAP8AAAAEGE98DAAAAAAAqmQAAAAAAAB7kxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABrjgQA[2].
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\SD2BWDIV\click2,mCtHADClCQCeryUAAAAAAGssCwAAAAAAAgAAAAIAAAAAAP8AAAAEC2q4DwAAAAAAiesPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX5gQA[2].
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\SD2BWDIV\na.[1].punta_cana;pid=2056;price=upscale;PageType=ShowUserReviews;pool=B;kw=Gran+Bahia+Principe+Ambar;geo=1199681;u=ShowUserReviews%7CB;abr=!webtv;sz=160X6
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\SD2BWDIV\ta_cana;pid=2056;price=upscale;PageType=ShowUserReviews;pool=B;kw=Gran+Bahia+Principe+Ambar;pos=bottom;geo=1199681;u=ShowUserReviews%7CB;abr=!webtv;sz=300X
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\SD2BWDIV\na.car[2].punta_cana;pid=2056;price=upscale;PageType=Hotel_Review;pool=B;kw=Gran+Bahia+Principe+Ambar;geo=1199681;u=Hotel_Review%7CB;abr=!webtv;sz=160X80;t
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\SD2BWDIV\click2,wNtKAPuNBgCpMygAAAAAAN4TCwAAAAAAAgAAAAYAAAAAAP8AAAACFo80CQAAAAAALfQFAAAAAABuyw8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6jgMA[2].
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\SD2BWDIV\click2,wNtKAPuNBgD17ykAAAAAAOcWDAAAAAAAAgAAAAQAAAAAAP8AAAADDI80CQAAAAAAmkUMAAAAAABoKBEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6jgMA[2].
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\SD2BWDIV\na.car.dr[2].punta_cana;price=upscale;PageType=Hotel_Review;pool=R;kw=Gran+Bahia+Principe+Ambar;geo=1199681;u=Hotel_Review%7CR;abr=!webtv;sz=300X250;tile=2
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\SD2BWDIV\na.car.dr[2].punta_cana;price=upscale;PageType=ShowUserReviews;pool=R;kw=Gran+Bahia+Principe+Ambar;geo=1199681;u=ShowUserReviews%7CR;abr=!webtv;sz=300X250;
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temp\Temporary Internet Files\Content.IE5\SD2BWDIV\click2,PwQAAFkiCQAQwycAAAAAAN2nCwAAAAAAAgAAAAoAAAAAAP8AAAAEGE98DAAAAAAAqmQAAAAAAACOkxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABrjgQA[2].
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Local Settings\Temporary Internet Files\Content.IE5\ERKFSH69\["cannot. re
Status: Hidden

Object: C:\Documents and Settings\DEFAULT\Application Data\Mozilla\Firefox\Profiles\mgrmghro.default\minidumps\=
Status: Hidden

Object: C:\Program Files\Mozilla Firefox\modules\- a
Status: Hidden

Object: C:\Program Files\Mozilla Firefox\modules\.ISDv~.
Status: Hidden
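As an added triage aid, not code from this thread or from SysProt itself: a small parser for the log format posted above that pulls out the three findings a helper reads first (a kernel module reported Hidden that is not a dump_* crash-dump helper, kernel hooks whose owning module is _unknown_, and hidden files/folders). The embedded sample log is constructed from a few of the posted entries, and treating dump_*.sys drivers as expected is the editor's assumption.

```python
import re
from typing import Dict, List

SEPARATOR = re.compile(r"^\*{5,}$")  # the log's rows of asterisks

# Constructed sample in the shape of the posted log (entries taken from it).
SAMPLE_LOG = r"""Kernel Modules:
Module Name: \systemroot\system32\drivers\UACqxufuvmdwnumkntxo.sys
Service Name: UACd.sys
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Hidden: Yes

**********
Kernel Hooks:
Hooked Function: ZwEnumerateKey
At Address: 8062296E
Jump To: 82C6E76C
Module Name: _unknown_

**********
No IRP Hooks found

**********
Hidden files/folders:
Object: C:\WINDOWS\system32\drivers\UACqxufuvmdwnumkntxo.sys
Status: Hidden

Object: C:\WINDOWS\system32\uacinit.dll
Status: Hidden
"""

def parse_sections(log: str) -> Dict[str, List[Dict[str, str]]]:
    """Split the log into named sections of 'Key: Value' records (blank-line separated)."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    name, record = "Header", {}
    for line in log.splitlines():
        line = line.strip()
        if SEPARATOR.match(line):
            continue
        if not line:  # a blank line closes the current record
            if record:
                sections.setdefault(name, []).append(record)
                record = {}
        elif line.endswith(":") and not record:  # section heading, e.g. "Kernel Modules:"
            name = line[:-1]
            sections.setdefault(name, [])
        elif ": " in line:  # "No ... found" lines carry no record and fall through
            key, value = line.split(": ", 1)
            record[key] = value
    if record:
        sections.setdefault(name, []).append(record)
    return sections

def is_dump_driver(module: Dict[str, str]) -> bool:
    """dump_*.sys crash-dump helpers are routinely reported hidden on XP; editor's assumption that they are expected."""
    return module.get("Module Name", "").lower().rsplit("\\", 1)[-1].startswith("dump_")

def triage(sections: Dict[str, List[Dict[str, str]]]) -> Dict[str, list]:
    """The three findings a helper reads first: hidden drivers, hooks with no owner, hidden files."""
    hidden_modules = [m for m in sections.get("Kernel Modules", [])
                      if m.get("Hidden") == "Yes" and not is_dump_driver(m)]
    unknown_hooks = [h for h in sections.get("Kernel Hooks", [])
                     if h.get("Module Name") == "_unknown_"]
    hidden_files = [f["Object"] for f in sections.get("Hidden files/folders", [])
                    if f.get("Status") == "Hidden" and "Object" in f]
    return {"hidden_modules": hidden_modules, "unknown_hooks": unknown_hooks, "hidden_files": hidden_files}
```

Run `triage(parse_sections(open("log.txt").read()))` against the full posted log to get the same three lists for the real file; the Ports section is parsed too but left for manual review.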



