
Backdoor:Win32/IRCBot.gen!K


3 replies to this topic

#1 the.analog.I

  • Members
  • 2 posts

Posted 18 August 2009 - 06:17 PM

The last three or four times I have restarted my laptop, Windows Defender warns me of this infection and each time I have chosen to remove it only to be warned again upon restart. My computer seems to be running fine. I did a factory restore a few weeks ago so it ought to be. But needless to say this is somewhat alarming. This guide reiterates a few times that I should give as much detail as I can and I wish there was more I could offer but it is just this Windows Defender alert upon starting the computer.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Jerry at 18:38:02.76 on Tue 08/18/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.1789 [GMT -4:00]

AV: AVG Internet Security 3-pack *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Internet Security 3-pack *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\crypserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SMINST\BLService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\KeePass Password Safe 2\KeePass.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
D:\Jerry\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [AdobeBridge]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [sysdiag64.exe] c:\windows\sysdiag64.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [MicrosoftNAPC] c:\windows\sysdiag64.exe
mExplorerRun: [MicrosoftCorp] c:\windows\sysdiag64.exe
mPolicies-explorer: NoStrCmpLogical = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} = 68.87.77.134,68.87.72.134
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\jerry\appdata\roaming\mozilla\firefox\profiles\pas1nh69.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-7-29 12552]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2009-7-30 23832]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-29 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-30 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-30 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-30 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-7-30 1370488]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-23 365952]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-23 193840]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]

=============== Created Last 30 ================

2009-08-18 18:21 <DIR> --d----- c:\program files\Trend Micro
2009-08-15 06:46 <DIR> --d----- c:\users\jerry\appdata\roaming\JGsoft
2009-08-15 00:15 <DIR> --d----- c:\program files\Expresso
2009-08-14 23:28 <DIR> --d----- c:\program files\SAPIEN Technologies, Inc
2009-08-14 23:21 <DIR> --d----- c:\program files\The Regex Coach
2009-08-14 23:19 <DIR> --d----- c:\program files\Creative Element Power Tools
2009-08-14 11:50 <DIR> --d----- c:\program files\Preview Handler Association Editor(Portable)
2009-08-13 23:01 <DIR> --d----- c:\program files\FileTypesManager(Portable)
2009-08-13 03:02 <DIR> --d----- c:\program files\common files\PX Storage Engine
2009-08-12 23:16 <DIR> --d----- c:\program files\Tag & Rename v3.5 (Portable)
2009-08-11 21:12 364,544 a------- c:\windows\system32\MACDll.dll
2009-08-11 21:12 246,424 a------- c:\windows\system32\unicows.dll
2009-08-11 21:12 <DIR> --d----- c:\program files\Monkey's Audio
2009-08-11 19:41 1,066,176 a------- c:\windows\system32\MSCOMCTL.OCX
2009-08-11 19:27 <DIR> --d----- c:\program files\FLAC
2009-08-09 21:40 <DIR> --d----- c:\users\jerry\appdata\roaming\Prish
2009-08-07 23:28 <DIR> --d----- c:\program files\Preview Config
2009-08-07 23:20 <DIR> --d----- c:\program files\PlayFLV
2009-08-07 00:54 57,436 a------- c:\windows\DASShp.dll
2009-08-07 00:54 <DIR> --d----- c:\program files\Microsoft Reader
2009-08-05 23:01 <DIR> --d----- c:\program files\Audacity
2009-08-05 20:19 <DIR> --d----- c:\program files\EXIF Tool
2009-08-05 20:07 <DIR> --d----- c:\users\jerry\appdata\roaming\Flickr
2009-08-05 20:01 <DIR> --d----- c:\program files\Flickr Uploadr
2009-08-05 18:58 <DIR> --d----- c:\users\jerry\Places
2009-08-05 17:00 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-08-05 17:00 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-05 17:00 <DIR> --d----- c:\program files\iPod
2009-08-05 17:00 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-05 17:00 <DIR> --d----- c:\program files\iTunes
2009-08-05 17:00 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-05 16:59 <DIR> --d----- c:\program files\Bonjour
2009-08-05 16:59 <DIR> --d----- c:\programdata\Apple Computer
2009-08-05 16:57 <DIR> --d----- c:\programdata\Apple
2009-08-04 21:31 <DIR> --d----- c:\users\jerry\appdata\roaming\AccurateRip
2009-08-04 21:27 <DIR> --d----- c:\program files\Exact Audio Copy
2009-08-04 02:52 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-08-04 02:52 <DIR> --d----- c:\program files\Xvid
2009-08-03 16:12 <DIR> --d----- c:\users\jerry\Tracing
2009-08-03 16:07 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-08-03 16:06 <DIR> --d----- c:\program files\Microsoft
2009-08-03 16:06 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-08-03 16:05 <DIR> --d----- c:\windows\PCHEALTH
2009-08-03 16:01 <DIR> --d----- c:\program files\common files\Windows Live
2009-08-03 03:40 68,232 a------- c:\windows\UnDeployV.exe
2009-08-03 03:40 <DIR> --d----- c:\program files\RegexBuddy3
2009-08-03 03:37 <DIR> --d----- c:\program files\NFO Preview Handler
2009-08-03 03:35 <DIR> --d----- c:\program files\DAMN NFO Viewer
2009-08-01 17:16 157,441 a------- c:\windows\sysdiag64.rar
2009-08-01 16:06 <DIR> --d----- c:\windows\system32\eu-ES
2009-08-01 16:06 <DIR> --d----- c:\windows\system32\ca-ES
2009-08-01 16:06 <DIR> --d----- c:\windows\system32\vi-VN
2009-08-01 15:57 <DIR> --d----- c:\windows\system32\EventProviders
2009-08-01 15:55 2,926,592 a------- c:\windows\explorer.exe
2009-08-01 10:43 14,848 a------- c:\windows\system32\Interop.MSScriptControl.dll
2009-08-01 10:43 <DIR> --d----- c:\program files\Minesweeper Clone 2007
2009-08-01 08:58 <DIR> --d----- c:\programdata\FLEXnet
2009-08-01 08:37 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-08-01 00:17 <DIR> --d----- c:\program files\uTorrent
2009-08-01 00:16 <DIR> --d----- c:\users\jerry\appdata\roaming\uTorrent
2009-08-01 00:16 <DIR> --d----- c:\program files\PeerGuardian2
2009-07-31 21:43 8 a------- c:\windows\system32\DROPPEDFILEOK.tmp
2009-07-31 13:15 <DIR> --d----- c:\users\jerry\appdata\roaming\StoryLines
2009-07-31 13:12 <DIR> --d----- c:\program files\Luxor 3
2009-07-31 13:06 <DIR> --d----- c:\program files\Bookworm Deluxe
2009-07-31 12:34 <DIR> --d----- c:\users\jerry\appdata\roaming\EditPlus 3
2009-07-31 12:22 <DIR> --d----- c:\program files\BootDeleter
2009-07-31 11:41 37 a------- c:\windows\Crypkey.ini
2009-07-31 11:41 27,648 a----r-- c:\windows\Setup_ck.exe
2009-07-31 11:41 165,888 a------- c:\windows\Ckconfig.exe
2009-07-31 11:41 52,224 a------- c:\windows\system32\Crypserv.exe
2009-07-31 11:41 24,608 a------- c:\windows\system32\Ckldrv.sys
2009-07-31 11:41 18,432 a------- c:\windows\Setup_ck.dll
2009-07-31 11:41 11,776 a------- c:\windows\Ckrfresh.exe
2009-07-31 11:41 <DIR> --d----- c:\program files\Style Writer
2009-07-31 11:40 304,128 a------- c:\windows\IsUninst.exe
2009-07-31 11:39 <DIR> --d----- c:\program files\Regulazy.103(Portable)
2009-07-31 11:37 <DIR> --d----- c:\program files\QuickREx(Portable)
2009-07-31 11:36 <DIR> a-d----- c:\program files\The Regulator 2.0(Portable)
2009-07-31 11:25 <DIR> --d----- c:\program files\ShellMenuView v1.07(Portable)
2009-07-31 11:25 <DIR> --d----- c:\program files\ShellExView v1.37(Portable)
2009-07-31 11:22 <DIR> --d----- c:\program files\Moon Software
2009-07-31 11:04 <DIR> --d----- c:\program files\ProcessExplorer(Portable)
2009-07-31 10:59 <DIR> --d----- c:\users\jerry\appdata\roaming\Thinstall
2009-07-31 10:31 <DIR> --d----- c:\program files\WirelessNetview
2009-07-31 10:23 167,936 a------- c:\windows\system32\SendToToys.cpl
2009-07-31 10:23 90,112 a------- c:\windows\SendToClip.exe
2009-07-31 10:23 <DIR> --d----- c:\program files\Send To Toys
2009-07-31 09:57 <DIR> --d----- c:\program files\Preview Handlers
2009-07-31 09:52 <DIR> --d-h--- c:\windows\PIF
2009-07-31 09:44 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-31 09:39 <DIR> --d----- c:\program files\Prish Image Resizer
2009-07-31 09:34 1,056,768 a------- c:\windows\system32\RoboEx32.dll
2009-07-31 09:34 995,384 a------- c:\windows\system32\temp.001
2009-07-31 09:34 995,383 a------- c:\windows\system32\temp.000
2009-07-31 09:34 266,293 a------- c:\windows\system32\temp.002
2009-07-31 09:34 <DIR> --d----- c:\program files\Page 2 Stage
2009-07-31 09:27 <DIR> --d----- c:\users\jerry\appdata\roaming\Writer's Cafe
2009-07-31 09:22 1,073,152 a----r-- c:\windows\system32\cdintf210.dll
2009-07-31 09:22 <DIR> --d----- c:\programdata\Final Draft
2009-07-31 09:22 <DIR> --d----- c:\progra~2\Final Draft
2009-07-31 09:22 <DIR> --d----- c:\program files\Final Draft Tagger
2009-07-31 09:22 <DIR> --d----- c:\program files\Final Draft 7
2009-07-31 09:21 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-31 09:20 1,017 a------- c:\windows\User64_Binder.cfg
2009-07-31 09:19 <DIR> --d----- c:\program files\Liquid Story Binder 3
2009-07-31 09:08 <DIR> --d----- c:\programdata\PhotoStitch
2009-07-31 09:08 <DIR> --d----- c:\progra~2\PhotoStitch
2009-07-31 09:06 <DIR> --d----- c:\program files\WriteItNow3
2009-07-31 08:58 <DIR> --d----- c:\program files\common files\Canon
2009-07-31 08:23 <DIR> --d-h--- c:\program files\Zero G Registry
2009-07-31 08:15 1,024 a------- c:\windows\jx4i6rdh.cfg
2009-07-31 08:15 <DIR> --d----- c:\program files\Book Writer
2009-07-31 08:03 <DIR> --d----- c:\program files\PowerISO
2009-07-31 07:19 <DIR> --d----- c:\program files\Auslogics Duplicate File Finder
2009-07-30 22:42 <DIR> --dsh--- c:\windows\ftpcache
2009-07-30 22:34 <DIR> --d----- c:\programdata\MumboJumbo
2009-07-30 22:34 <DIR> --d----- c:\progra~2\MumboJumbo
2009-07-30 22:30 <DIR> --d----- c:\programdata\Trymedia
2009-07-30 22:30 <DIR> --d----- c:\progra~2\Trymedia
2009-07-30 22:28 <DIR> --d----- c:\program files\MumboJumbo
2009-07-30 22:25 <DIR> --d----- c:\program files\Hide and Secret
2009-07-30 21:47 <DIR> --d----- c:\program files\Funkitron
2009-07-30 21:30 <DIR> --d----- c:\programdata\SpinTop Games
2009-07-30 21:30 <DIR> --d----- c:\progra~2\SpinTop Games
2009-07-30 21:29 <DIR> --d----- c:\programdata\PopCap Games
2009-07-30 21:29 <DIR> --d----- c:\program files\PopCap Games
2009-07-30 21:29 <DIR> --d----- c:\progra~2\PopCap Games
2009-07-30 19:39 <DIR> --d----- c:\program files\VideoLAN
2009-07-30 19:31 <DIR> --d----- c:\users\jerry\appdata\roaming\OpenOffice.org
2009-07-30 19:28 41,984 a------- c:\windows\system32\netfxperf.dll
2009-07-30 19:25 <DIR> --d----- c:\program files\MSXML 4.0
2009-07-30 19:24 156,160 a------- c:\windows\system32\msls31.dll
2009-07-30 19:16 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-07-30 19:16 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-30 19:16 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-30 19:16 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-30 19:16 34,304 a------- c:\windows\system32\atmlib.dll
2009-07-30 19:16 23,552 a------- c:\windows\system32\lpk.dll
2009-07-30 19:16 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-30 19:16 2,034,688 a------- c:\windows\system32\win32k.sys
2009-07-30 19:15 623,616 a------- c:\windows\system32\localspl.dll
2009-07-30 15:37 <DIR> --d----- c:\program files\JRE
2009-07-30 15:37 <DIR> --d----- c:\program files\OpenOffice.org 3
2009-07-30 12:15 0 a------- c:\users\jerry\appdata\roaming\wklnhst.dat
2009-07-30 12:10 <DIR> --d----- c:\programdata\Yahoo!
2009-07-30 12:10 <DIR> --d----- c:\program files\Yahoo!
2009-07-30 10:53 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-30 10:53 23,832 a------- c:\windows\system32\drivers\avgfwd6x.sys
2009-07-29 22:18 <DIR> --d----- c:\program files\Boot Deleter
2009-07-29 22:10 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-07-29 22:10 83,456 a------- c:\windows\system32\wudriver.dll
2009-07-29 22:10 162,064 a------- c:\windows\system32\wuwebv.dll
2009-07-29 22:10 31,232 a------- c:\windows\system32\wuapp.exe
2009-07-29 19:35 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-07-29 19:32 <DIR> --d----- c:\program files\muvee Technologies
2009-07-29 19:32 <DIR> --d----- c:\program files\common files\muvee Technologies
2009-07-29 19:26 82,432 a------- c:\windows\system32\msxml4r.dll
2009-07-29 19:26 44,544 a------- c:\windows\system32\msxml4a.dll
2009-07-29 19:26 89,088 -------- c:\windows\system32\atl71.dll
2009-07-29 19:25 16,072 a------- c:\windows\system32\results.xml
2009-07-29 19:23 5,430 a------- c:\windows\system\MyMulti.ico
2009-07-29 19:21 920,088 a------- c:\windows\system32\igxpun.exe
2009-07-29 19:21 319,456 a------- c:\windows\system32\difxapi.dll
2009-07-29 19:21 <DIR> --d----- c:\windows\system32\Lang
2009-07-29 19:21 <DIR> --d----- C:\Intel
2009-07-29 19:20 <DIR> --d----- c:\program files\CONEXANT
2009-07-29 19:19 <DIR> --d----- c:\program files\Realtek
2009-07-29 19:19 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-07-29 19:19 <DIR> --d----- c:\program files\Synaptics
2009-07-29 19:18 53,248 a------- c:\windows\system32\CSVer.dll
2009-07-29 19:17 909,824 a------- c:\windows\system32\drivers\athr.sys
2009-07-29 19:17 393,216 a------- c:\windows\system32\athihvs.dll
2009-07-29 19:17 376,832 a------- c:\windows\system32\S64CPA.exe
2009-07-29 19:17 53,248 a------- c:\windows\system32\athihvui.dll
2009-07-29 19:17 <DIR> --d----- c:\windows\system32\nn-NO
2009-07-29 19:17 <DIR> --d----- c:\program files\Atheros
2009-07-29 19:17 <DIR> --d----- c:\program files\Cisco
2009-07-29 19:17 <DIR> --d----- c:\programdata\Atheros
2009-07-29 19:17 <DIR> --d----- c:\progra~2\Atheros
2009-07-29 17:56 <DIR> --d----- c:\users\jerry\appdata\roaming\KeePass
2009-07-29 17:56 <DIR> --d----- c:\program files\KeePass Password Safe 2
2009-07-29 17:37 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-29 17:37 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-07-29 17:37 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-29 17:37 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-29 17:37 <DIR> --d----- c:\program files\AVG
2009-07-29 17:37 <DIR> --d----- c:\programdata\avg8
2009-07-29 17:37 <DIR> --d----- c:\progra~2\avg8
2009-07-29 17:13 <DIR> --d----- c:\program files\Revo Uninstaller
2009-07-29 17:00 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-29 16:59 <DIR> --d----- c:\programdata\McAfee
2009-07-29 16:44 <DIR> --d----- c:\users\jerry\appdata\roaming\HP TCS
2009-07-29 16:42 0 a--shr-- c:\windows\system32\drivers\103C_HP_cNB_G60 Notebook PC_Y5335KV_0U_Q2CE91119Q3_E508165-001_4A_I3612_SWistron_V09.54_F.3B_T090513_WV3-1_L409_M3003_J320_7Intel_867A_92.00_#090729_N10EC8136;168C001C_(NB042UA#ABA)_XMOBILE_CN10_Z_2F.3B.MRK
2009-07-29 16:42 <DIR> --d----- c:\users\Jerry
2009-07-29 15:04 <DIR> --d----- c:\program files\Types(Default Program and Icon Changer)
2009-07-29 15:04 <DIR> --d----- c:\program files\The Rename Program
2009-07-29 15:04 <DIR> --d----- c:\program files\Q-Jot
2009-07-29 15:04 <DIR> --d----- c:\program files\Oxford English Dictionary
2009-07-29 15:03 <DIR> --d----- c:\program files\HamanaGDI(Portable)
2009-07-28 05:26 229,414 ---shr-- c:\windows\sysdiag64.exe

==================== Find3M ====================

2009-08-05 16:58 86,016 a------- c:\windows\inf\infstor.dat
2009-08-05 16:58 51,200 a------- c:\windows\inf\infpub.dat
2009-08-05 16:58 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-04 03:17 353,840 a------- c:\windows\system32\msvcr71.dll
2009-08-04 03:17 1,053,232 a------- c:\windows\system32\MFC71u.dll
2009-08-04 03:17 505,392 a------- c:\windows\system32\msvcp71.dll
2009-08-04 03:17 1,066,544 a------- c:\windows\system32\MFC71.dll
2009-08-01 16:05 665,600 a------- c:\windows\inf\drvindex.dat
2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 09:54 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 08:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 08:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 08:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 08:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-06-15 10:54 175,104 a------- c:\windows\system32\wdigest.dll
2009-06-15 10:53 72,704 a------- c:\windows\system32\secur32.dll
2009-06-15 10:53 270,848 a------- c:\windows\system32\schannel.dll
2009-06-15 10:53 218,624 a------- c:\windows\system32\msv1_0.dll
2009-06-15 10:52 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-06-15 10:52 499,712 a------- c:\windows\system32\kerberos.dll
2009-06-15 08:48 9,728 a------- c:\windows\system32\lsass.exe
2009-06-10 07:42 160,256 a------- c:\windows\system32\wkssvc.dll
2009-06-10 07:38 91,136 a------- c:\windows\system32\avifil32.dll
2009-06-07 16:16 819,200 a------- c:\windows\system32\xvidcore.dll
2009-06-04 08:07 2,066,432 a------- c:\windows\system32\mstscax.dll
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:38:27.58 ===============
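Added example, not part of this thread or of the DDS tool: a small Python triage script that reads the Run-key lines and the created-file lines of a DDS log like the one above and scores each autorun target on signals the log itself exposes (hidden/system attributes, several autorun entries pointing at one binary, a binary sitting directly under c:\windows, a same-named archive beside it). The scoring weights and the threshold are my own assumption; the sample lines are copied from this log.

```python
# Triage helper for DDS logs: correlate autorun entries with created files.
# Constructed example; the scoring heuristics below are an assumption of mine.
import re
from collections import defaultdict

# "uRun: [name] cmd", "mRun: [name] cmd", "mExplorerRun: [name] cmd"
RUN_RE = re.compile(
    r'^(?P<hive>[um])(?P<key>ExplorerRun|RunOnce|Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# "2009-07-28 05:26 229,414 ---shr-- c:\windows\sysdiag64.exe" (Created Last 30 / Find3M lines)
FILE_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>\S.*)$')
# leading executable path of an unquoted command, arguments may follow
TARGET_RE = re.compile(r'^(.*?\.(?:exe|scr|com|dll|bat|cmd))(?:\s|$)', re.IGNORECASE)
# UAC switched off in the policies section is worth calling out on its own
UAC_OFF_RE = re.compile(r'^mPolicies-system:\s*EnableLUA\s*=\s*0\b')


def autorun_target(cmd):
    """Lower-cased path of the executable an autorun command launches, or None."""
    cmd = cmd.strip()
    if not cmd:                      # e.g. 'uRun: [AdobeBridge]' with no command
        return None
    if cmd.startswith('"'):          # quoted path, arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 1 else None
    m = TARGET_RE.match(cmd)
    return m.group(1).lower() if m else None


def parse_dds(log_text):
    """Return (autoruns, files): target path -> entry labels, file path -> attribute string."""
    autoruns = defaultdict(list)
    files = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            target = autorun_target(m.group('cmd'))
            if target:
                autoruns[target].append(f"{m.group('hive')}{m.group('key')}:{m.group('name')}")
            continue
        m = FILE_RE.match(line)
        if m:
            files[m.group('path').lower()] = m.group('attrs')
    return autoruns, files


def score_target(path, entries, files):
    """Heuristic score for one autorun target; 2 or more deserves a closer look."""
    score, reasons = 0, []
    attrs = files.get(path)          # None when the file was not created recently
    if attrs and ('h' in attrs or 's' in attrs):
        reasons.append(f"hidden/system attributes ({attrs})")
        score += 2
    if len(entries) > 1:
        reasons.append(f"launched by {len(entries)} autorun entries")
        score += 1
    if path.rsplit('\\', 1)[0] == 'c:\\windows':
        reasons.append("placed directly under %windir% rather than system32")
        score += 1
    stem = path.rsplit('.', 1)[0]    # e.g. c:\windows\sysdiag64.rar next to the .exe
    siblings = [p for p in files if p != path and p.rsplit('.', 1)[0] == stem]
    if siblings:
        reasons.append("same-named sibling file: " + ", ".join(siblings))
        score += 1
    return score, reasons


def triage(log_text, threshold=2):
    """List autorun targets whose score reaches the threshold, highest first."""
    autoruns, files = parse_dds(log_text)
    findings = []
    for path, entries in autoruns.items():
        score, reasons = score_target(path, entries, files)
        if score >= threshold:
            findings.append({"path": path, "score": score, "entries": entries, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


def uac_disabled(log_text):
    """True if the log shows EnableLUA = 0 (UAC turned off)."""
    return any(UAC_OFF_RE.match(l.strip()) for l in log_text.splitlines())


# Sample input: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [AdobeBridge]
uRun: [sysdiag64.exe] c:\windows\sysdiag64.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [MicrosoftNAPC] c:\windows\sysdiag64.exe
mExplorerRun: [MicrosoftCorp] c:\windows\sysdiag64.exe
mPolicies-system: EnableLUA = 0 (0x0)
2009-08-01 17:16 157,441 a------- c:\windows\sysdiag64.rar
2009-08-01 15:55 2,926,592 a------- c:\windows\explorer.exe
2009-07-28 05:26 229,414 ---shr-- c:\windows\sysdiag64.exe
"""
```

Running `triage(SAMPLE_LOG)` on this excerpt returns a single finding, c:\windows\sysdiag64.exe, started from three autorun entries with hidden/system/read-only attributes and a sysdiag64.rar beside it, while igfxtray.exe, Reader_sl.exe and the LightScribe panel score zero.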


#2 DocSatan

    Bleepin' Wanna-Be

  • Members
  • 2,156 posts
  • Location: Boston, Ma.

Posted 30 August 2009 - 07:29 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 the.analog.I (Topic Starter)

  • Members
  • 2 posts

Posted 31 August 2009 - 07:37 AM

Very sorry that I didn't post here that I fixed it and to disregard but I quite forgot that I had posted here.

I cannot remember the name of the file but shortly before I started getting those warnings from Windows Defender I noticed in the Processes tab of my Task Manager an exe that was appearing and disappearing. LoL, it didn't appear long enough for me to see what it was so I very stubbornly attempted about 15 times to capture it with a screenshot meeting eventually with success. I do not know why I am not remembering right now the name of the exe or any of the associated - oh wait! It was sysdiag64.exe. My research indicated that it was either a part of DriverMagician or an infection of some kind. Almost all of the search results I got indicated infection and I never installed a magician - driver or otherwise. I could find no reason to assume that it had been a surreptitious part of any other legit install I had done.

Anyway, I was getting more and more angry. I do not like things happening on my computer that I do not understand or initiate in some way and I really don't like the idea of some jerk and his software on my machine while I just sit there and take it. So I used a boot on delete app to get sysdiag64.exe out of the Windows directory (after taking ownership of it) and I recklessly deleted every registry key associated with it. I have not yet had a single ill effect from doing this though the other shoe may yet drop. I cannot remember what exactly my search string was in the registry but it wasn't just for "sysdiag64.exe" as I remember that in my poking around my computer I noticed something that clued me in to how it was getting started each time. I should have documented all of this to post for help to others (and for my own future reference) but, as I said, I had forgotten I posted here. But the warnings have stopped and she's running right. Again, sorry I didn't stop anyone from spending time on my problem and I hope the bit of vague info I gave helps you help others. You do here a thing as fine as the malicious programmers are foul.

#4 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,958 posts
  • Location: Bloomington, IN

Posted 02 September 2009 - 09:38 PM

Hello

Thank you for posting back. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom