
AVG reports Win32/Patched.DX virus/rootkit/malware, Do not know how to remove it.


This topic is locked
2 replies to this topic

#1 gabygaby

Posted 22 July 2010 - 04:15 AM

Hello,

I have a rootkit or malware or virus. I have tried a lot of things, but the rootkit/virus never disappears. And I'm not an expert. Could you help me?

I use AVG for protection. I noticed that it has been very slow lately and sometimes it redirects her browser requests to other pages.

I scanned the computer with AVG: it is infected with the "Win32/Patched.DX" virus and it cannot be removed.

I ran ComboFix; it alerted me that there is a rootkit and it removed some files, but the problem (browser redirect) is still there.

Thank you for any help in removing this!

Gaby

Here are my ComboFix log and my HijackThis log.

------------------------------

ComboFix report:

ComboFix 10-07-21.02 - Gabrielle 22/07/2010 10:15:27.24.2 - x86 NETWORK
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1270.980 [GMT 2:00]
Lancé depuis: d:\_programmes\avast\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\driVERs\aculp.sys
c:\windows\system32\egypack.dll

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_aculp
-------\Service_aculp


((((((((((((((((((((((((((((( Fichiers créés du 2010-06-22 au 2010-07-22 ))))))))))))))))))))))))))))))))))))
.

2010-07-22 07:24 . 2010-07-22 07:24 -------- d-----w- c:\program files\Sophos
2010-07-21 21:56 . 2010-05-31 14:34 702120 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\wurinhwc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-07-21 21:56 . 2010-05-31 14:34 868456 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\wurinhwc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-07-20 19:01 . 2010-07-20 19:01 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-20 19:01 . 2010-07-20 19:01 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-20 19:01 . 2010-07-20 19:01 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-20 19:00 . 2010-07-20 19:00 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-20 19:00 . 2010-07-20 19:00 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-20 19:00 . 2010-07-20 19:00 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-20 19:00 . 2010-07-20 19:00 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-20 12:45 . 2010-07-20 12:46 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\C872823DD684626BD31C1A8FB9EB26BE
2010-07-02 11:28 . 2010-07-02 11:19 204800 ----a-w- c:\windows\system32\ioncube_loader_win_5.0.dll
2010-07-02 11:19 . 2010-07-02 11:19 -------- d-----w- c:\program files\ioncube
2010-06-25 07:37 . 2010-06-25 07:37 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-22 07:43 . 2010-05-27 09:44 -------- d-----w- c:\program files\Fichiers communs\Akamai
2010-07-22 06:56 . 2004-08-10 12:00 3717954 ----a-w- c:\windows\system32\perfh00C.dat
2010-07-22 06:56 . 2004-08-10 12:00 1808188 ----a-w- c:\windows\system32\perfc00C.dat
2010-07-21 22:00 . 2009-12-25 20:24 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\QuickScan
2010-07-21 21:34 . 2004-08-10 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2010-07-20 21:47 . 2009-12-13 10:44 -------- d-----w- c:\program files\Navilog1
2010-07-20 19:51 . 2008-09-12 20:38 -------- d-----w- c:\program files\Fichiers communs\Adobe
2010-07-20 19:01 . 2010-01-01 19:58 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-20 19:01 . 2010-01-01 19:58 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-10 11:03 . 2008-10-29 14:32 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\FileZilla
2010-07-07 15:25 . 2008-10-02 12:21 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-25 07:37 . 2010-01-01 19:58 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-22 14:19 . 2008-09-12 21:48 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\OpenOffice.org2
2010-06-22 14:19 . 2008-09-12 21:49 1 ----a-w- c:\documents and settings\Gabrielle\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-06-08 09:24 . 2010-06-08 09:24 7031 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\wurinhwc.default\ScrapBook\data\20100608112452\mrgeorge.blogspot.com
2010-05-27 16:48 . 2010-05-27 16:48 503808 ----a-w- c:\documents and settings\Gabrielle\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7fa67273-n\msvcp71.dll
2010-05-27 16:48 . 2010-05-27 16:48 499712 ----a-w- c:\documents and settings\Gabrielle\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7fa67273-n\jmc.dll
2010-05-27 16:48 . 2010-05-27 16:48 348160 ----a-w- c:\documents and settings\Gabrielle\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7fa67273-n\msvcr71.dll
2010-05-27 11:49 . 2008-09-13 14:06 37816 ----a-w- c:\documents and settings\Gabrielle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-27 11:22 . 2010-05-27 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2010-05-27 11:15 . 2010-05-27 11:15 -------- d-----w- c:\program files\Fichiers communs\Adobe AIR
2010-05-27 09:30 . 2010-05-27 09:30 -------- d-----w- c:\program files\Jasc Software Inc
2009-03-05 16:08 . 2009-08-16 20:25 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-07-20_14.08.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-11 09:42 . 2009-05-11 09:42 59888 c:\windows\system32\pxwma.dll
+ 2009-04-17 10:28 . 2009-04-17 10:28 68080 c:\windows\system32\pxinsa64.exe
+ 2009-04-17 10:28 . 2009-04-17 10:28 68080 c:\windows\system32\pxcpya64.exe
+ 2009-04-17 01:00 . 2009-04-17 01:00 44944 c:\windows\system32\drivers\pxhelp20.sys
+ 2008-03-12 01:00 . 2008-03-12 01:00 9200 c:\windows\system32\drivers\cdralw2k.sys
+ 2008-03-12 01:00 . 2008-03-12 01:00 9072 c:\windows\system32\drivers\cdr4_xp.sys
+ 2009-03-23 23:01 . 2009-03-23 23:01 100848 c:\windows\system32\vxblock.dll
+ 2009-05-11 09:42 . 2009-05-11 09:42 440816 c:\windows\system32\PxWave.dll
+ 2009-05-11 09:42 . 2009-05-11 09:42 219632 c:\windows\system32\PxMas.dll
+ 2009-04-17 10:28 . 2009-04-17 10:28 125424 c:\windows\system32\pxinsi64.exe
+ 2009-04-08 23:02 . 2009-04-08 23:02 559600 c:\windows\system32\pxdrv.dll
+ 2009-04-17 10:28 . 2009-04-17 10:28 123888 c:\windows\system32\pxcpyi64.exe
+ 2009-05-11 09:42 . 2009-05-11 09:42 678384 c:\windows\system32\Px.dll
+ 2010-07-20 21:48 . 2010-07-20 21:48 212992 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2010-07-20 21:48 . 2008-08-07 13:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-05-11 09:42 . 2009-05-11 09:42 2083312 c:\windows\system32\PxSFS.DLL
+ 2004-08-10 12:00 . 2010-07-22 06:56 2269856 c:\windows\system32\perfh009.dat
+ 2004-08-10 12:00 . 2010-07-22 06:56 1627972 c:\windows\system32\perfc009.dat
+ 2010-07-20 21:48 . 2010-07-20 21:48 18698240 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-20 2065760]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"AdobeAAMUpdater-1.0"="c:\program files\Fichiers communs\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Fichiers communs\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Fichiers communs\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-20 19:01 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 15:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 08:21 153136 ----a-w- c:\program files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 13:57 153136 ----a-w- c:\program files\Fichiers communs\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 13:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Fichiers communs\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2563:TCP"= 2563:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/01/2010 21:58 243024]
S0 virq;virq;c:\windows\system32\drivers\zuxvh.sys --> c:\windows\system32\drivers\zuxvh.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01/01/2010 21:58 216400]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [10/08/2004 14:00 14336]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [20/07/2010 21:01 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [20/07/2010 21:01 308136]
S2 gupdate1c98394c3fa3d08;Google Update Service (gupdate1c98394c3fa3d08);c:\program files\Google\Update\GoogleUpdate.exe [31/01/2009 13:12 133104]
S2 nscpjapu;Synaptics TouchPad Controller;c:\windows\System32\svchost.exe -k netsvcs [10/08/2004 14:00 14336]
S3 DOSMEMIO;MEMIO;\??\e:\memio.sys --> e:\MEMIO.SYS [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1A.tmp --> c:\windows\system32\1A.tmp [?]
S3 SwitchBoard;SwitchBoard;c:\program files\Fichiers communs\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 13:37 517096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nscpjapu
.
Contenu du dossier 'Tâches planifiées'

2010-07-15 c:\windows\Tasks\AdobeAAMUpdater-1.0-INSPIRON-Gabrielle.job
- c:\program files\Fichiers communs\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-05-27 01:44]

2010-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-01-31 11:12]

2010-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-01-31 11:12]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.fr/s/v/61.11/uploader2.cab
FF - ProfilePath - c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\wurinhwc.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - component: c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\wurinhwc.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHELINS SUPPRIMES - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-22 10:28
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8963FB4C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
\Driver\ACPI -> ACPI.sys @ 0xf75adcb8
\Driver\atapi -> atapi.sys @ 0xf749f852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7858bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7847a0d
SendHandler -> NDIS.sys @ 0xf785bb40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1A.tmp"
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Heure de fin: 2010-07-22 10:37:01 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-07-22 08:36
ComboFix2.txt 2010-07-20 21:27
ComboFix3.txt 2010-07-20 16:19
ComboFix4.txt 2010-07-20 14:17
ComboFix5.txt 2010-07-22 08:09

Avant-CF: 4 984 152 064 octets libres
Après-CF: 4 997 554 176 octets libres

- - End Of File - - 8D3EA7AE40E76BFC0DC7A494FBA8F4F9


------------------------------------------


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:14:55, on 22/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\_Programmes\avast\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Fichiers communs\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Fichiers communs\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Fichiers communs\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.fr/s/v/61.11/uploader2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1262347440647
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1262347418694
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E6D48CC-8C3C-464E-92EF-E14DF38BB340}: Domain = localhost.localdomain
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Service de planification Media Center (ehSched) - Unknown owner - C:\WINDOWS\eHome\ehSched.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Google Update Service (gupdate1c98394c3fa3d08) (gupdate1c98394c3fa3d08) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Fichiers communs\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\system32\tlntsvr.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: wampapache - Apache Software Foundation - C:\Program Files\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - C:\Program Files\wamp\bin\mysql\mysql5.1.32\bin\mysqld.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 7268 bytes


----------------------------------------------------------

Many thanks,
Gaby




#2 m0le

Posted 28 July 2010 - 06:38 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

Posted 02 August 2010 - 06:42 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
