
Rootkit virus remains after unsupervised removal of redirect virus



#1 flaming crow

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 31 December 2010 - 09:07 PM

Greetings,
One week ago our machine got infected by a version of the redirect virus. Before finding this forum I found instructions to remove it using "Hitman Pro", "TDSS Killer", and "ComboFix". Using these utilities it seems that the file "csrss.exe" was part of the problem, and that "winlogon.exe" and "explorer.exe" were both infected (reported by ComboFix and restored from servicepack). After using these utilities the immediate problems disappeared. However, popup messages when accessing some webpages, reporting that certain elements are not in some way proper, have more recently appeared. Whether these are legitimate or not is not clear. They appear also on the bleepingcomputer website, so I suspect not. I have attempted to protect the machine from further infection by installing the latest edition of Acrobat, installing Foxit and using it as the default .pdf reader, and upgrading from AVGFree9 to the latest version. However, I am not sure in the first instance whether I have completely removed all problems from the machine, and in the second instance whether I have sufficiently protected the machine against further infections. I suspect that a rootkit virus remains, as indicated by the log from AVG2011:
---
"Scan ""Anti-Rootkit scan"" completed."
"Rootkits";"2";"0";"2"
""
"Scan started:";"31 December 2010, 11:04:53 a.m."
"Scan finished:";"31 December 2010, 11:06:09 a.m. (1 minute(s) 16 second(s))"
"Total object scanned:";"85749"
"User who launched the scan:";"SYSTEM"
"Rootkits"
"";"File";"Infection";"Result"
"";"C:\WINDOWS\System32\drivers\sdcplh.sys";"IRP hook, \Driver\atapi IRP_MJ_DEVICE_CONTROL -> sdcplh.sys +0x7A08";"Object is hidden"
"";"C:\WINDOWS\System32\drivers\sdcplh.sys";"IRP hook, \Driver\atapi IRP_MJ_INTERNAL_DEVICE_CONTROL -> sdcplh.sys +0x7684";"Object is hidden"
---
This may not be the only problem, because I made the change from AVG9 to AVG2011 sometime after the machine was affected, and AVG may only be detecting new infections (???).
I include below the log from DDS, and attach also the files "Attach.txt" and "ark.txt". Any advice and suggestions would be most welcome.

Attached File  Attach.txt   14.07KB   0 downloads
Attached File  ark.txt   11.33KB   2 downloads

===
DDS (Ver_10-12-12.02) - NTFSx86
Run by Reception at 10:38:04.53 on 01/01/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.163 [GMT 10:00]

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Reception\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-1-17 251728]
R1 AvgMfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-1-17 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-1-17 299984]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
S3 0b1e06d6-3480-4133-b760-9a1d20cd3600;0b1e06d6-3480-4133-b760-9a1d20cd3600;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-12-29 517448]

=============== Created Last 30 ================

2010-12-30 16:16:09 -------- d--h--w- C:\$AVG
2010-12-30 06:30:26 -------- d-----w- c:\docume~1\recept~1\applic~1\Foxit Software
2010-12-29 06:07:20 -------- d-----w- c:\docume~1\recept~1\applic~1\AVG10
2010-12-29 05:41:55 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-29 05:41:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-12-29 05:39:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-29 05:39:03 -------- d-----w- c:\program files\AVG
2010-12-29 05:31:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-29 02:21:53 -------- d-sha-r- C:\cmdcons
2010-12-29 02:20:25 98816 ----a-w- c:\windows\sed.exe
2010-12-29 02:20:25 89088 ----a-w- c:\windows\MBR.exe
2010-12-29 02:20:25 256512 ----a-w- c:\windows\PEV.exe
2010-12-29 02:20:25 161792 ----a-w- c:\windows\SWREG.exe
2010-12-29 00:05:19 -------- d-----w- c:\docume~1\recept~1\applic~1\AVG9
2010-12-28 14:12:09 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-28 14:11:55 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-12-28 01:02:37 3584 ----a-w- c:\windows\system32\ms2.dll
2010-12-28 01:02:25 3584 ----a-w- c:\windows\system32\ms.dll2
2010-12-28 01:02:00 3584 ----a-w- c:\windows\system32\ms.dll.sav
2010-12-28 00:44:52 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-28 00:44:52 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-27 17:37:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-12-27 11:43:29 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-12-27 11:43:06 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-12-27 11:38:52 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 10:38:22.84 ===============
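Added example, not part of the original post or of AVG's tooling: a small Python triage helper that parses the semicolon-separated, double-quoted AVG 2011 anti-rootkit export quoted above into structured hook records (hooked driver object, IRP major function, handler module and offset, hidden flag) and groups them per handler module. The sample input is constructed from the two result lines in the post; the record field names and the `summarise` grouping are my own assumptions about how one would tabulate such findings.

```python
"""Parse AVG 2011 'Anti-Rootkit scan' export lines into structured hook records.

The export is a ';'-separated, '"'-quoted format with doubled quotes inside
cells. Result rows have four cells: blank, File, Infection, Result.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample input: header rows plus the two result rows from the post.
SAMPLE_LOG = r'''"Scan ""Anti-Rootkit scan"" completed."
"Rootkits";"2";"0";"2"
""
"Total object scanned:";"85749"
"Rootkits"
"";"File";"Infection";"Result"
"";"C:\WINDOWS\System32\drivers\sdcplh.sys";"IRP hook, \Driver\atapi IRP_MJ_DEVICE_CONTROL -> sdcplh.sys +0x7A08";"Object is hidden"
"";"C:\WINDOWS\System32\drivers\sdcplh.sys";"IRP hook, \Driver\atapi IRP_MJ_INTERNAL_DEVICE_CONTROL -> sdcplh.sys +0x7684";"Object is hidden"
'''

# Matches AVG's "IRP hook, \Driver\<name> IRP_MJ_<fn> -> <module> +0x<offset>" text.
HOOK_RE = re.compile(
    r"IRP hook, (?P<driver>\\Driver\\\w+) (?P<major>IRP_MJ_\w+) -> "
    r"(?P<module>\S+) \+0x(?P<offset>[0-9A-Fa-f]+)"
)


def parse_avg_rootkit_log(text):
    """Return one dict per IRP-hook finding in an AVG anti-rootkit export."""
    findings = []
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    for row in reader:
        # Only four-cell rows can be findings; skip the column-header row.
        if len(row) != 4 or row[1] == "File":
            continue
        _, path, infection, result = row
        m = HOOK_RE.search(infection)
        if not m:
            continue  # e.g. the "Rootkits";"2";"0";"2" counter row
        findings.append({
            "path": path,
            "hooked_driver": m["driver"],          # e.g. \Driver\atapi
            "major_function": m["major"],          # e.g. IRP_MJ_DEVICE_CONTROL
            "handler_module": m["module"],         # module now owning the dispatch slot
            "handler_offset": int(m["offset"], 16),
            "hidden": result.lower().startswith("object is hidden"),
        })
    return findings


def summarise(findings):
    """Group hooks by handler module so an analyst sees one entry per suspect file."""
    by_module = defaultdict(list)
    for f in findings:
        by_module[f["handler_module"]].append(f)
    summary = {}
    for module, hooks in by_module.items():
        summary[module] = {
            "hooked_drivers": sorted({h["hooked_driver"] for h in hooks}),
            "major_functions": sorted(h["major_function"] for h in hooks),
            # A hidden module intercepting a storage stack driver is the
            # pattern worth escalating; a visible, signed filter driver is not.
            "hidden": any(h["hidden"] for h in hooks),
            "hooks_storage_stack": any(
                h["hooked_driver"].lower().endswith("atapi") for h in hooks),
        }
    return summary


if __name__ == "__main__":
    for module, info in summarise(parse_avg_rootkit_log(SAMPLE_LOG)).items():
        print(module, info)
```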


#2 rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:39 AM

Posted 07 January 2011 - 09:34 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 flaming crow
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 08 January 2011 - 01:51 AM

Hi,
Thanks for your comments. In reply ...
I have not solved the original problem. I have taken the machine offline so that it remains in much the same state as before. I have rerun the scans as requested, and attach the latest logs below.
Please read my original post for a description of the problem. In addition I'd like to provide further information as follows: (1) The popup "errors" I am getting seem to be something to do with javascript (.js). I attach in files "jserror1.txt", "jserror2.txt" and "jserror3.txt" three example error messages which popup when using certain web pages. (2) The file "sdcplh.sys" noted by AVG as having a rootkit infection (see original post) looks like it has something to do with the hard disc driver. However its creation date (01/11/2005) appears to be original(??). It is unclear to me whether there is an infection there or not.
I appreciate your effort in looking at this problem.
Regards.

Attached File  jserror1.txt   263bytes   0 downloads
Attached File  jserror2.txt   313bytes   0 downloads
Attached File  jserror3.txt   306bytes   1 downloads
Attached File  Attach.txt   12.98KB   0 downloads
Attached File  ark.txt   5.34KB   0 downloads

===
DDS (Ver_10-12-12.02) - NTFSx86
Run by Reception at 14:30:54.34 on 08/01/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.205 [GMT 10:00]

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Reception\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-1-17 251728]
R1 AvgMfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-1-17 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-1-17 299984]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
S3 0b1e06d6-3480-4133-b760-9a1d20cd3600;0b1e06d6-3480-4133-b760-9a1d20cd3600;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-12-29 517448]

=============== Created Last 30 ================

2011-01-04 03:56:37 -------- d-----w- c:\docume~1\recept~1\locals~1\applic~1\Temp
2010-12-30 16:16:09 -------- d--h--w- C:\$AVG
2010-12-30 06:30:26 -------- d-----w- c:\docume~1\recept~1\applic~1\Foxit Software
2010-12-29 06:07:20 -------- d-----w- c:\docume~1\recept~1\applic~1\AVG10
2010-12-29 05:41:55 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-29 05:41:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-12-29 05:39:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-29 05:39:03 -------- d-----w- c:\program files\AVG
2010-12-29 05:31:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-29 02:21:53 -------- d-sha-r- C:\cmdcons
2010-12-29 02:20:25 98816 ----a-w- c:\windows\sed.exe
2010-12-29 02:20:25 89088 ----a-w- c:\windows\MBR.exe
2010-12-29 02:20:25 256512 ----a-w- c:\windows\PEV.exe
2010-12-29 02:20:25 161792 ----a-w- c:\windows\SWREG.exe
2010-12-29 00:05:19 -------- d-----w- c:\docume~1\recept~1\applic~1\AVG9
2010-12-28 14:12:09 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-28 14:11:55 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-12-28 01:02:25 3584 ----a-w- c:\windows\system32\ms.dll2
2010-12-28 01:02:00 3584 ----a-w- c:\windows\system32\ms.dll.sav
2010-12-28 00:44:52 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-28 00:44:52 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-27 17:37:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-12-27 11:43:29 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-12-27 11:43:06 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-12-27 11:38:52 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 14:31:06.65 ===============