Stealth Intrusion


Stealth Intrusion

Post by Vista on 18th February 2010, 8:05 pm

Keep getting an alert from XP Internet Security 2010 and I don't even have that... I have Free AVG 9.0. It won't let me go anywhere. It's stating an infection in the background with worms and trojans. It is attacked by spyware and rogue software. They want me to purchase to clean. Please advise... Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:04 PM, on 2/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgr.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Valerie\Local Settings\Application Data\av.exe
C:\Documents and Settings\Valerie\Local Settings\Temporary Internet Files\Content.IE5\X0Y3WV9V\winlogon[1].scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client\YontooIEClient.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O16 - DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - [You must be registered and logged in to see this link.]
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - [You must be registered and logged in to see this link.]
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2005\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: CarboniteService - Carbonite, Inc. ([You must be registered and logged in to see this link.] - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--
End of file - 9294 bytes


Re: Stealth Intrusion

Post by Dr Jay on 18th February 2010, 8:21 pm

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)



Re: Stealth Intrusion

Post by Vista on 18th February 2010, 10:40 pm

Thank you for the directions, but I am in Safe Mode and the XP Antispyware 2010 is not letting me go anywhere. Even in regular mode. It keeps on scanning and giving me pop-ups that I am infected. Is there anything I can do to disable this first?
UPDATE: Regular mode on my desktop, but it will not let me open any icons (e.g. Internet Explorer, Malwarebytes or System Restore). It always tries to open, then asks what program do you want to open with, then it kicks me off. I just had a worm / Netsky last week. I used OTL. Thanks for your support!


Last edited by Vista on 18th February 2010, 11:03 pm; edited 1 time in total


Re: Stealth Intrusion

Post by Vista on 18th February 2010, 10:40 pm

I am using my daughters laptop to communicate with you... thanks.


Re: Stealth Intrusion

Post by Dr Jay on 18th February 2010, 11:21 pm

RKill by Grinler
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.


==

Then, please try again.


Dr. Jay (DJ)



Re: Stealth Intrusion

Post by Vista on 18th February 2010, 11:38 pm

?


Last edited by Vista on 19th February 2010, 2:48 pm; edited 1 time in total


Re: Stealth Intrusion

Post by Vista on 19th February 2010, 2:47 pm

Hello,
I found a way to get to the internet. I downloaded RKill and it posted the following runs. I am not sure they are running because I get "processes are terminated". Posted each run below. Can you please help?

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Valerie on 02/19/2010 at 9:06:26.


Processes terminated by Rkill or while it was running:

C:\WINDOWS\System32\vssvc.exe
C:\Documents and Settings\Valerie\Desktop\rkill2.com

C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Documents and Settings\Valerie\Desktop\rkill4.pif

C:\Program Files\WinFax\WFXMOD32.EXE
C:\Documents and Settings\Valerie\Desktop\rkill.com


Rkill completed on 02/19/2010 at 9:06:40.


Re: Stealth Intrusion

Post by Dr Jay on 19th February 2010, 4:54 pm

It did not find the issue.

Please download [You must be registered and logged in to see this link.] by DragonMaster Jay and save it to your Desktop.
  • Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
  • Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
  • Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in.


Dr. Jay (DJ)



Re: Stealth Intrusion

Post by Vista on 19th February 2010, 8:14 pm

SpiderKill by DragonMaster Jay ( Oct 2009 )


Microsoft Windows XP [Version 5.1.2600]

********************Drivers list********************


Volume in drive C is NEW C 0408
Volume Serial Number is FC6F-1880

Directory of C:\Windows\System32\Drivers

02/12/2010 05:55 PM .
02/12/2010 05:55 PM ..
04/13/2008 01:36 PM 187,776 acpi.sys
08/12/2004 08:17 AM 11,648 acpiec.sys
04/13/2008 07:11 PM 4,255 adv01nt5.dll
04/13/2008 07:11 PM 3,967 adv02nt5.dll
04/13/2008 07:11 PM 3,615 adv05nt5.dll
04/13/2008 07:11 PM 3,647 adv07nt5.dll
04/13/2008 07:11 PM 3,135 adv08nt5.dll
04/13/2008 07:11 PM 3,711 adv09nt5.dll
04/13/2008 07:11 PM 3,775 adv11nt5.dll
04/13/2008 11:39 AM 142,592 aec.sys
08/14/2008 05:04 AM 138,496 afd.sys
04/13/2008 01:36 PM 42,368 agp440.sys
04/13/2008 01:36 PM 44,928 agpcpq.sys
04/13/2008 01:36 PM 42,752 alim1541.sys
04/13/2008 01:36 PM 43,008 amdagp.sys
04/13/2008 01:31 PM 37,376 amdk6.sys
04/13/2008 01:31 PM 37,760 amdk7.sys
04/13/2008 01:51 PM 60,800 arp1394.sys
04/13/2008 01:57 PM 14,336 asyncmac.sys
04/13/2008 01:40 PM 96,512 atapi.sys
08/03/2004 10:29 PM 56,623 ati1btxx.sys
08/03/2004 10:29 PM 11,615 ati1mdxx.sys
08/03/2004 10:29 PM 12,047 ati1pdxx.sys
08/03/2004 10:29 PM 30,671 ati1raxx.sys
08/03/2004 10:29 PM 63,663 ati1rvxx.sys
08/03/2004 10:29 PM 26,367 ati1snxx.sys
08/03/2004 10:29 PM 21,343 ati1ttxx.sys
08/03/2004 10:29 PM 36,463 ati1tuxx.sys
08/03/2004 10:29 PM 29,455 ati1xbxx.sys
08/03/2004 10:29 PM 34,735 ati1xsxx.sys
08/03/2004 10:29 PM 327,040 ati2mtaa.sys
08/03/2004 10:29 PM 701,440 ati2mtag.sys
08/03/2004 10:29 PM 57,856 atinbtxx.sys
08/03/2004 10:29 PM 13,824 atinmdxx.sys
08/03/2004 10:29 PM 14,336 atinpdxx.sys
08/03/2004 10:29 PM 52,224 atinraxx.sys
08/03/2004 10:29 PM 104,960 atinrvxx.sys
08/03/2004 10:29 PM 28,672 atinsnxx.sys
08/03/2004 10:29 PM 13,824 atinttxx.sys
08/03/2004 10:29 PM 73,216 atintuxx.sys
08/03/2004 10:29 PM 31,744 atinxbxx.sys
08/03/2004 10:29 PM 63,488 atinxsxx.sys
07/17/2004 11:36 AM 64,352 ativmc20.cod
04/13/2008 01:51 PM 59,904 atmarpc.sys
08/12/2004 08:17 AM 31,360 atmepvc.sys
04/13/2008 01:51 PM 55,808 atmlane.sys
08/12/2004 08:17 AM 352,256 atmuni.sys
04/13/2008 07:11 PM 21,183 atv01nt5.dll
04/13/2008 07:11 PM 11,359 atv02nt5.dll
04/13/2008 07:11 PM 25,471 atv04nt5.dll
04/13/2008 07:11 PM 14,143 atv06nt5.dll
04/13/2008 07:11 PM 17,279 atv10nt5.dll
08/17/2001 08:59 AM 3,072 audstub.sys
02/19/2010 08:38 AM Avg
10/29/2009 10:26 AM 30,104 avgfwdx.sys
10/29/2009 10:27 AM 25,608 AVGIDSxx.sys
10/29/2009 10:27 AM 333,192 avgldx86.sys
10/29/2009 10:27 AM 28,424 avgmfx86.sys
10/29/2009 10:27 AM 161,800 avgrkx86.sys
11/09/2009 02:49 PM 360,584 avgtdix.sys
08/12/2004 08:17 AM 4,224 beep.sys
04/13/2008 01:53 PM 71,552 bridge.sys
04/13/2008 01:46 PM 17,024 bthenum.sys
04/13/2008 01:46 PM 37,888 bthmodem.sys
04/13/2008 01:51 PM 101,120 bthpan.sys
06/13/2008 06:05 AM 272,128 bthport.sys
04/13/2008 01:46 PM 36,480 bthprint.sys
04/13/2008 01:46 PM 18,944 bthusb.sys
08/12/2004 08:17 AM 13,952 cbidf2k.sys
08/12/2004 08:18 AM 18,688 cdaudio.sys
04/13/2008 02:14 PM 63,744 cdfs.sys
05/30/2009 06:28 AM 9,336 cdr4_xp.sys
05/30/2009 06:28 AM 9,464 cdralw2k.sys
04/13/2008 01:40 PM 62,976 cdrom.sys
04/13/2008 07:11 PM 15,423 ch7xxnt5.dll
08/12/2004 08:18 AM 262,528 cinemst2.sys
04/13/2008 02:16 PM 49,536 classpnp.sys
08/12/2004 08:18 AM 11,776 cpqdap01.sys
04/13/2008 01:31 PM 36,736 crusoe.sys
07/17/2004 10:55 PM 129,045 cxthsfs2.cty
06/16/2005 01:41 PM 37,150 DcCam.sys
03/31/2005 06:47 AM 61,564 DcFpoint.sys
03/31/2005 06:47 AM 38,673 DCFS2k.sys
03/31/2005 06:47 AM 8,022 DcLps.sys
03/31/2005 06:47 AM 70,262 DcPtp.sys
04/18/2008 07:19 AM disdn
04/13/2008 01:40 PM 36,352 disk.sys
04/13/2008 01:40 PM 14,208 diskdump.sys
04/13/2008 01:44 PM 799,744 dmboot.sys
04/13/2008 01:44 PM 153,344 dmio.sys
08/12/2004 08:18 AM 5,888 dmload.sys
04/13/2008 01:45 PM 52,864 dmusic.sys
04/13/2008 01:45 PM 60,160 drmk.sys
04/13/2008 01:45 PM 2,944 drmkaud.sys
08/04/2004 03:21 AM 87,136 drvmcdb.sys
08/13/2004 02:56 AM 40,544 drvnddm.sys
08/12/2004 08:18 AM 10,496 dxapi.sys
04/13/2008 01:38 PM 71,168 dxg.sys
08/12/2004 08:18 AM 3,328 dxgthk.sys
02/10/2004 03:49 PM 154,112 e100b325.sys
02/09/2010 05:22 AM etc
03/31/2005 07:00 AM 152,081 ExportIt.sys
04/13/2008 02:14 PM 143,744 fastfat.sys
04/13/2008 01:40 PM 27,392 fdc.sys
04/13/2008 01:33 PM 44,544 fips.sys
04/13/2008 01:40 PM 20,480 flpydisk.sys
04/13/2008 01:32 PM 129,792 fltmgr.sys
08/12/2004 08:18 AM 12,160 fsvga.sys
08/12/2004 08:19 AM 7,936 fs_rec.sys
08/12/2004 08:19 AM 125,056 ftdisk.sys
04/13/2008 01:36 PM 46,464 gagp30kx.sys
08/12/2004 08:19 AM 3,440,660 gm.dls
08/12/2004 08:19 AM 646 gmreadme.txt
04/13/2008 11:36 AM 144,384 hdaudbus.sys
04/13/2008 01:46 PM 25,600 hidbth.sys
04/13/2008 01:45 PM 36,864 hidclass.sys
04/13/2008 01:45 PM 19,200 hidir.sys
04/13/2008 01:45 PM 24,960 hidparse.sys
04/13/2008 01:45 PM 10,368 hidusb.sys
08/03/2004 10:41 PM 220,032 hsfbs2s2.sys
08/03/2004 10:41 PM 685,056 hsfcxts2.sys
08/03/2004 10:41 PM 1,041,536 hsfdpsp2.sys
10/20/2009 11:20 AM 265,728 http.sys
04/13/2008 02:18 PM 52,480 i8042prt.sys
10/14/2005 04:15 PM 1,302,812 ialmnt5.sys
04/13/2008 01:40 PM 42,112 imapi.sys
03/05/2004 10:14 PM 1,233,525 IntelC51.sys
03/05/2004 10:15 PM 647,929 IntelC52.sys
06/15/2004 10:52 PM 61,157 IntelC53.sys
04/13/2008 01:40 PM 5,504 intelide.sys
04/13/2008 01:31 PM 36,352 intelppm.sys
04/13/2008 01:53 PM 36,608 ip6fw.sys
08/12/2004 08:20 AM 32,896 ipfltdrv.sys
04/13/2008 01:57 PM 20,864 ipinip.sys
04/13/2008 01:57 PM 152,832 ipnat.sys
04/13/2008 02:19 PM 75,264 ipsec.sys
04/13/2008 01:45 PM 46,592 irbus.sys
04/13/2008 01:54 PM 11,264 irenum.sys
04/13/2008 01:36 PM 37,248 isapnp.sys
04/13/2008 01:39 PM 24,576 kbdclass.sys
04/13/2008 01:45 PM 172,416 kmixer.sys
03/30/2005 03:46 PM 411,920 KodakCCS.exe
04/13/2008 02:16 PM 141,056 ks.sys
06/24/2009 06:18 AM 92,928 ksecdd.sys
09/10/2009 01:53 PM 19,160 mbam.sys
09/10/2009 01:54 PM 38,224 mbamswissarmy.sys
08/12/2004 08:21 AM 7,680 mcd.sys
08/03/2004 10:41 PM 11,868 mdmxsdk.sys
04/13/2008 01:36 PM 63,744 mf.sys
08/12/2004 08:22 AM 4,224 mnmdd.sys
04/13/2008 02:00 PM 30,080 modem.sys
08/17/2001 01:57 PM 16,128 MODEMCSA.sys
03/05/2004 10:13 PM 37,048 mohfilt.sys
04/13/2008 01:39 PM 23,040 mouclass.sys
08/17/2001 01:48 PM 12,160 mouhid.sys
04/13/2008 01:39 PM 42,368 mountmgr.sys
04/13/2008 01:39 PM 92,544 mqac.sys
04/13/2008 01:32 PM 180,608 mrxdav.sys
12/04/2009 01:22 PM 455,424 mrxsmb.sys
04/13/2008 01:32 PM 19,072 msfs.sys
04/13/2008 01:56 PM 35,072 msgpc.sys
04/13/2008 01:39 PM 7,552 mskssrv.sys
04/13/2008 01:39 PM 5,376 mspclock.sys
04/13/2008 01:39 PM 4,992 mspqm.sys
04/13/2008 01:36 PM 15,488 mssmbios.sys
08/03/2004 10:41 PM 126,686 mtlmnt5.sys
08/03/2004 10:41 PM 1,309,184 mtlstrm.sys
08/03/2004 10:29 PM 452,736 mtxparhm.sys
04/13/2008 02:17 PM 105,344 mup.sys
04/13/2008 01:43 PM 12,672 mutohpen.sys
04/13/2008 02:20 PM 182,656 ndis.sys
04/13/2008 01:57 PM 10,112 ndistapi.sys
04/13/2008 01:55 PM 14,592 ndisuio.sys
04/13/2008 02:20 PM 91,520 ndiswan.sys
04/13/2008 01:57 PM 40,576 ndproxy.sys
04/13/2008 01:56 PM 34,688 netbios.sys
04/13/2008 02:21 PM 162,816 netbt.sys
07/17/2004 11:35 AM 67,866 netwlan5.img
04/13/2008 01:51 PM 61,824 nic1394.sys
08/12/2004 08:18 AM 12,032 nikedrv.sys
04/13/2008 01:53 PM 40,320 nmnt.sys
04/13/2008 01:32 PM 30,848 npfs.sys
04/13/2008 02:15 PM 574,976 ntfs.sys
08/03/2004 10:41 PM 180,360 ntmtlfax.sys
08/12/2004 08:25 AM 2,944 null.sys
08/03/2004 10:29 PM 1,897,408 nv4_mini.sys
08/12/2004 08:25 AM 12,416 nwlnkflt.sys
08/12/2004 08:25 AM 32,512 nwlnkfwd.sys
04/13/2008 01:56 PM 88,320 nwlnkipx.sys
08/12/2004 08:25 AM 63,232 nwlnknb.sys
08/12/2004 08:25 AM 55,936 nwlnkspx.sys
04/13/2008 01:34 PM 163,584 nwrdr.sys
08/12/2004 08:25 AM 3,456 oprghdlr.sys
04/13/2008 01:31 PM 42,752 p3.sys
04/13/2008 01:40 PM 80,128 parport.sys
04/13/2008 01:40 PM 19,712 partmgr.sys
08/12/2004 08:25 AM 6,784 parvdm.sys
04/13/2008 01:36 PM 68,224 pci.sys
08/17/2001 01:51 PM 3,328 pciide.sys
04/13/2008 01:40 PM 24,960 pciidex.sys
04/13/2008 01:36 PM 120,192 pcmcia.sys
04/13/2008 02:19 PM 146,048 portcls.sys
04/13/2008 01:31 PM 35,840 processr.sys
04/13/2008 01:56 PM 69,120 psched.sys
08/12/2004 08:26 AM 17,792 ptilink.sys
05/30/2009 06:28 AM 43,528 pxhelp20.sys
08/12/2004 08:26 AM 8,832 rasacd.sys
04/13/2008 02:19 PM 51,328 rasl2tp.sys
04/13/2008 01:57 PM 41,472 raspppoe.sys
04/13/2008 02:19 PM 48,384 raspptp.sys
08/12/2004 08:26 AM 16,512 raspti.sys
08/12/2004 08:27 AM 34,432 rawwan.sys
04/13/2008 02:28 PM 175,744 rdbss.sys
08/12/2004 08:27 AM 4,224 rdpcdd.sys
04/13/2008 01:32 PM 196,224 rdpdr.sys
04/13/2008 07:13 PM 139,656 rdpwd.sys
08/03/2004 10:41 PM 13,776 recagent.sys
04/13/2008 01:40 PM 57,600 redbook.sys
04/13/2008 01:46 PM 59,136 rfcomm.sys
08/12/2004 08:18 AM 12,032 rio8drv.sys
08/12/2004 08:18 AM 12,032 riodrv.sys
05/08/2008 09:02 AM 203,136 rmcast.sys
04/13/2008 01:56 PM 30,592 rndismp.sys
04/13/2008 01:56 PM 30,592 rndismpx.sys
08/12/2004 08:27 AM 5,888 rootmdm.sys
08/03/2004 10:29 PM 166,912 s3gnbm.sys
04/13/2008 01:40 PM 96,384 scsiport.sys
04/13/2008 01:36 PM 79,232 sdbus.sys
04/13/2008 11:39 AM 20,480 secdrv.sys
04/13/2008 01:40 PM 15,744 serenum.sys
04/13/2008 02:15 PM 64,512 serial.sys
08/17/2001 12:53 PM 6,784 serscan.sys
04/13/2008 01:40 PM 11,904 sffdisk.sys
04/13/2008 01:40 PM 10,240 sffp_mmc.sys
04/13/2008 01:40 PM 11,008 sffp_sd.sys
04/13/2008 01:40 PM 11,392 sfloppy.sys
04/13/2008 07:12 PM 3,901 siint5.dll
04/13/2008 01:36 PM 40,960 sisagp.sys
08/03/2004 10:41 PM 129,535 slnt7554.sys
08/03/2004 10:41 PM 404,990 slntamr.sys
08/03/2004 10:41 PM 95,424 slnthal.sys
08/03/2004 10:41 PM 13,240 slwdmsup.sys
04/13/2008 01:36 PM 5,888 smbali.sys
08/12/2004 08:28 AM 14,592 smclib.sys
04/13/2008 01:46 PM 25,344 sonydcam.sys
04/13/2008 01:45 PM 6,272 splitter.sys
04/13/2008 01:36 PM 73,472 sr.sys
12/31/2009 11:50 AM 353,792 srv.sys
07/14/2004 11:29 AM 5,627 sscdbhk5.sys
07/14/2004 11:28 AM 23,545 ssrtln.sys
04/13/2008 01:45 PM 49,408 stream.sys
04/13/2008 01:39 PM 4,352 swenum.sys
04/13/2008 01:45 PM 56,576 swmidi.sys
04/13/2008 02:15 PM 60,800 sysaudio.sys
04/13/2008 01:40 PM 14,976 tape.sys
06/20/2008 06:51 AM 361,600 tcpip.sys
06/20/2008 06:08 AM 225,856 tcpip6.sys
04/13/2008 02:00 PM 19,072 tdi.sys
04/13/2008 07:13 PM 12,040 tdpipe.sys
04/13/2008 07:13 PM 21,896 tdtcp.sys
04/13/2008 07:13 PM 40,840 termdd.sys
08/12/2004 08:18 AM 51,712 tosdvd.sys
08/12/2004 08:18 AM 21,376 tsbvcap.sys
04/13/2008 01:56 PM 12,288 tunmp.sys
04/13/2008 01:36 PM 44,672 uagp35.sys
04/13/2008 01:32 PM 66,048 udfs.sys
09/20/2008 03:02 PM UMDF
04/13/2008 01:39 PM 384,768 update.sys
04/13/2008 01:56 PM 12,800 usb8023.sys
04/13/2008 01:56 PM 12,800 usb8023x.sys
04/13/2008 01:45 PM 60,032 usbaudio.sys
04/13/2008 01:45 PM 25,600 usbcamd.sys
04/13/2008 01:45 PM 25,728 usbcamd2.sys
04/13/2008 01:45 PM 32,128 usbccgp.sys
08/12/2004 08:31 AM 4,736 usbd.sys
04/13/2008 01:45 PM 30,208 usbehci.sys
04/13/2008 01:45 PM 59,520 usbhub.sys
04/13/2008 01:45 PM 15,872 usbintel.sys
04/13/2008 01:45 PM 143,872 usbport.sys
04/13/2008 01:47 PM 25,856 usbprint.sys
04/13/2008 01:45 PM 15,104 usbscan.sys
04/13/2008 01:45 PM 26,368 usbstor.sys
04/13/2008 01:45 PM 20,608 usbuhci.sys
04/13/2008 01:46 PM 121,984 usbvideo.sys
04/13/2008 07:12 PM 11,325 vchnt5.dll
08/12/2004 08:18 AM 58,112 vdmindvd.sys
04/13/2008 01:44 PM 20,992 vga.sys
04/13/2008 01:36 PM 42,240 viaagp.sys
04/13/2008 01:44 PM 81,664 videoprt.sys
04/13/2008 01:41 PM 52,352 volsnap.sys
04/13/2008 01:43 PM 14,208 wacompen.sys
08/03/2004 10:29 PM 11,807 wadv07nt.sys
08/03/2004 10:29 PM 11,295 wadv08nt.sys
08/03/2004 10:29 PM 11,871 wadv09nt.sys
08/03/2004 10:29 PM 11,935 wadv11nt.sys
04/13/2008 01:57 PM 34,560 wanarp.sys
08/03/2004 10:29 PM 22,271 watv06nt.sys
08/03/2004 10:29 PM 25,471 watv10nt.sys
04/13/2008 02:17 PM 83,072 wdmaud.sys
11/02/2000 12:10 AM 164,180 windrvr.sys
08/12/2004 08:34 AM 4,352 wmilib.sys
10/18/2006 07:00 PM 38,528 wpdusb.sys
08/12/2004 08:34 AM 12,032 ws2ifsl.sys
09/28/2006 05:55 PM 77,568 WudfPf.sys
09/28/2006 06:00 PM 82,944 WudfRd.sys
301 File(s) 31,960,420 bytes

Directory of C:\Windows\System32\Drivers\Avg

02/19/2010 08:38 AM .
02/19/2010 08:38 AM ..
04/22/2009 07:51 AM 6,061,540 avi7.avg
10/29/2009 10:27 AM 113,461 iavichjw.avm
02/11/2010 06:09 PM 564,577 iavifw.avm
02/19/2010 08:38 AM 55,899,862 incavi.avm
01/19/2010 05:44 PM 142,495 microavi.avg
09/30/2009 04:37 PM 492,629 miniavi.avg
6 File(s) 63,274,564 bytes

Directory of C:\Windows\System32\Drivers\disdn

04/18/2008 07:19 AM .
04/18/2008 07:19 AM ..
0 File(s) 0 bytes

Directory of C:\Windows\System32\Drivers\etc

02/09/2010 05:22 AM .
02/09/2010 05:22 AM ..
01/25/2009 03:22 PM 6,338 hosts.XXX
08/12/2004 08:21 AM 3,683 lmhosts.sam
08/12/2004 08:24 AM 407 networks
08/12/2004 08:26 AM 799 protocol
08/12/2004 08:28 AM 7,116 services
5 File(s) 18,343 bytes

Directory of C:\Windows\System32\Drivers\UMDF

09/20/2008 03:02 PM .
09/20/2008 03:02 PM ..
10/18/2006 08:47 PM 671,232 wpdmtpdr.dll
1 File(s) 671,232 bytes

Total Files Listed:
313 File(s) 95,924,559 bytes
14 Dir(s) 227,530,883,072 bytes free


***********************Hidden Drivers********************
Volume in drive C is NEW C 0408
Volume Serial Number is FC6F-1880

Directory of C:\Windows\System32\Drivers



*********************Processes*******************


PROCESS PID PRIO PATH
smss.exe 888 Normal C:\WINDOWS\System32\smss.exe
csrss.exe 936 Normal C:\WINDOWS\system32\csrss.exe
winlogon.exe 960 High C:\WINDOWS\system32\winlogon.exe
services.exe 1004 Normal C:\WINDOWS\system32\services.exe
lsass.exe 1016 Normal C:\WINDOWS\system32\lsass.exe
svchost.exe 1220 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1308 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1432 Normal C:\WINDOWS\System32\svchost.exe
svchost.exe 1572 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1676 Normal C:\WINDOWS\system32\svchost.exe
avgchsvx.exe 1776 Normal C:\Program Files\AVG\AVG9\avgchsvx.exe
avgrsx.exe 1784 Normal C:\Program Files\AVG\AVG9\avgrsx.exe
spoolsv.exe 1896 Normal C:\WINDOWS\system32\spoolsv.exe
AVGIDSAgent.exe 1932 Normal C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
avgcsrvx.exe 1976 Normal C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe 756 Normal C:\WINDOWS\system32\svchost.exe
PhotoshopElementsFileAgent.exe 792 Normal C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
avgwdsvc.exe 864 Normal C:\Program Files\AVG\AVG9\avgwdsvc.exe
avgfws9.exe 908 Normal C:\Program Files\AVG\AVG9\avgfws9.exe
carboniteservice.exe 1088 Normal C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
avgam.exe 1528 Normal C:\Program Files\AVG\AVG9\avgam.exe
avgnsx.exe 1588 Normal C:\Program Files\AVG\AVG9\avgnsx.exe
IntuitUpdateService.exe 1968 Normal C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
MDM.EXE 2468 Normal C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
QBCFMonitorService.exe 2512 Normal C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
avgcsrvx.exe 2688 Normal C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe 2788 Normal C:\WINDOWS\system32\svchost.exe
WFXSVC.EXE 2824 Normal C:\WINDOWS\system32\WFXSVC.EXE
dllhost.exe 2128 Normal C:\WINDOWS\system32\dllhost.exe
msdtc.exe 3180 Normal C:\WINDOWS\system32\msdtc.exe
IEXPLORE.EXE 2960 Normal C:\Program Files\Internet Explorer\IEXPLORE.EXE
IEXPLORE.EXE 2068 Normal C:\Program Files\Internet Explorer\IEXPLORE.EXE
IEXPLORE.EXE 3880 Normal C:\Program Files\Internet Explorer\IEXPLORE.EXE
explorer.exe 5996 Normal C:\WINDOWS\explorer.exe
dlcjcoms.exe 5648 High C:\WINDOWS\system32\dlcjcoms.exe
vssvc.exe 5208 Normal C:\WINDOWS\System32\vssvc.exe
dllhost.exe 3968 Normal C:\WINDOWS\system32\dllhost.exe
cmd.exe 3780 Normal C:\WINDOWS\system32\cmd.exe
processes.exe 5920 Normal C:\Documents and Settings\Valerie\Desktop\SpiderKill\processes.exe


Module information for 'explorer.exe'(5996)
MODULE BASE SIZE PATH
explorer.exe 1000000 1044480 C:\WINDOWS\explorer.exe 6.00.2900.5512 (xpsp.080413-2105) Windows Explorer
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
BROWSEUI.dll 75f80000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
SHDOCVW.dll 7e290000 1511424 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 610304 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust UI Provider
NETAPI32.dll 5b860000 348160 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18876 (longhorn_ie8_gdr.091218-1700) Internet Extensions for Win32
Normaliz.dll 400000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 78130000 1253376 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18876 (longhorn_ie8_gdr.091218-1700) OLE32 Extensions for Win32
iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18876 (longhorn_ie8_gdr.091218-1700) Run time utility for Internet Explorer
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.5512 (xpsp.080413-2105) Microsoft Text Frame Work Service IME
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
CarboniteNSE.dll 10000000 593920 C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll 3.7.7 build 404 (Dec-03-2009) Carbonite Explorer Extensions
dbghelp.dll 59a60000 659456 C:\WINDOWS\system32\dbghelp.dll 5.1.2600.5512 (xpsp.080413-2105) Windows Image Helper
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.5512 (xpsp.080413-2105) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.5512 (xpsp.080413-2111) Offline Network Agent
themeui.dll 5ba60000 462848 C:\WINDOWS\system32\themeui.dll 6.00.2900.5512 (xpsp.080413-2105) Windows Theme API
MSIMG32.dll 76380000 20480 C:\WINDOWS\system32\MSIMG32.dll 5.1.2600.5512 (xpsp.080413-2105) GDIEXT Client DLL
xpsp2res.dll 12f0000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
actxprxy.dll 71d40000 110592 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.5512 (xpsp.080413-2113) ActiveX Interface Marshaling Library
LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.5512 (xpsp.080413-2105) Windows Volume Tracking
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.5512 (xpsp.080413-2105) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
msi.dll 7d1e0000 2867200 C:\WINDOWS\system32\msi.dll 3.1.4001.5512 Windows Installer
SXS.DLL 7e720000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.5512 (xpsp.080413-2111) Fusion 2.5
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
ieframe.dll 3e1c0000 11087872 C:\WINDOWS\system32\ieframe.dll 8.00.6001.18876 (longhorn_ie8_gdr.091218-1700) Internet Explorer
NETSHELL.dll 76400000 1724416 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.5512 (xpsp.080413-0852) Network Connections Shell
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.5512 (xpsp.080413-2113) Credential Manager User Interface
dot3api.dll 478c0000 40960 C:\WINDOWS\system32\dot3api.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 Autoconfiguration API
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.5512 (xpsp.080413-0852) Routing Utilities
dot3dlg.dll 736d0000 24576 C:\WINDOWS\system32\dot3dlg.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 UI Helper
OneX.DLL 5dca0000 163840 C:\WINDOWS\system32\OneX.DLL 5.1.2600.5512 (xpsp.080413-0852) IEEE 802.1X supplicant library
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Terminal Server SDK APIs
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.5512 (xpsp.080413-2111) Winstation Library
eappcfg.dll 745b0000 139264 C:\WINDOWS\system32\eappcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Eap Peer Config
MSVCP60.dll 76080000 413696 C:\WINDOWS\system32\MSVCP60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
eappprxy.dll 5dcd0000 57344 C:\WINDOWS\system32\eappprxy.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft EAPHost Peer Client DLL
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
webcheck.dll 20b0000 249856 C:\WINDOWS\system32\webcheck.dll 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) Web Site Monitor
MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.5512 (xpsp.080413-2105) Multi Language Support DLL
stobject.dll 76280000 135168 C:\WINDOWS\system32\stobject.dll 5.1.2600.5512 (xpsp.080413-2105) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINDOWS\system32\BatMeter.dll 6.00.2900.5512 (xpsp.080413-2105) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINDOWS\system32\POWRPROF.dll 6.00.2900.5512 (xpsp.080413-2105) Power Profile Helper DLL
WPDShServiceObj.dll 164a0000 143360 C:\WINDOWS\system32\WPDShServiceObj.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device Shell Service Object
WINHTTP.dll 4d4f0000 364544 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.5868 (xpsp_sp3_gdr.090824-1328) Windows HTTP Services
mydocs.dll 72410000 106496 C:\WINDOWS\system32\mydocs.dll 6.00.2900.5512 (xpsp.080413-2105) My Documents Folder UI
PortableDeviceTypes.dll 109c0000 180224 C:\WINDOWS\system32\PortableDeviceTypes.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device (Parameter) Types Component
PortableDeviceApi.dll 10930000 299008 C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device API Components
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.5512 (xpsp.080413-0852) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.5512 (xpsp.080413-2111) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft® Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.5512 (xpsp.080413-2113) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 40960 C:\WINDOWS\System32\davclnt.dll 5.1.2600.5512 (xpsp.080413-2111) Web DAV Client DLL
RASAPI32.dll 76ee0000 245760 C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access API
rasman.dll 76e90000 73728 C:\WINDOWS\system32\rasman.dll 5.1.2600.5512 (xpsp.080413-0852) Remote Access Connection Manager
TAPI32.dll 76eb0000 192512 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft® Windows(TM) Telephony API Client DLL
msv1_0.dll 77c70000 151552 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.5876 (xpsp_sp3_gdr.090909-1234) Microsoft Authentication Package v1.0
cryptdll.dll 76790000 49152 C:\WINDOWS\system32\cryptdll.dll 5.1.2600.5512 (xpsp.080413-2113) Cryptography Manager
printui.dll 74b80000 573440 C:\WINDOWS\system32\printui.dll 5.1.2600.5512 (xpsp.080413-0852) Print UI DLL
ACTIVEDS.dll 77cc0000 204800 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.5512 (xpsp.080413-2113) ADs Router Layer DLL
adsldpc.dll 76e10000 151552 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.5512 (xpsp.080413-2113) ADs LDAP Provider C DLL
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\system32\CFGMGR32.dll 5.1.2600.5512 (xpsp.080413-2111) Configuration Manager Forwarder DLL
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.5512 (xpsp.080413-0852) Windows Spooler Driver
browselc.dll 71600000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
zipfldr.dll 73380000 356352 C:\WINDOWS\system32\zipfldr.dll 6.00.2900.5512 (xpsp.080413-2105) Compressed (zipped) Folders
DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.5512 (xpsp.080413-2105) Windows DirectUser Engine
msohev.dll 325c0000 73728 C:\Program Files\Microsoft Office\OFFICE11\msohev.dll 11.0.5510 Microsoft Office 2003 component
WfxSeh32.Dll 21670000 53248 C:\Program Files\WinFax\WfxSeh32.Dll 9.00.98.0727 Shell extension for ACT phonebook integration DLL
rsaenh.dll 68000000 221184 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
MSISIP.DLL 605f0000 28672 C:\WINDOWS\system32\MSISIP.DLL 3.1.4001.5512 MSI Signature SIP Provider
wshext.dll 7dfa0000 90112 C:\WINDOWS\system32\wshext.dll 5.7.0.18066 Microsoft (R) Shell Extension for Windows script Host
MCPS.DLL 36d30000 102400 C:\PROGRA~1\MICROS~2\OFFICE11\MCPS.DLL 11.0.5510 Media Catalog Proxy/Stub



******************************************
EOF

Vista
Senior

Posts : 341
Joined : 2009-02-12
Gender : Female
OS : Windows 8
Points : 32794
# Likes : 0


Re: Stealth Intrusion

Post by Dr Jay on 19th February 2010, 8:37 pm

Looks like the HOSTS file is hooked.

  • find the HOSTS file located in the folder C:\windows\System32\drivers\etc (yours was HOSTS.xxx)
    (for Windows XP/Vista/7)
  • correct the file by deleting all the lines except: 127.0.0.1 localhost
  • or change your HOSTS file to the original one. You can download the original file in the link: [You must be registered and logged in to see this link.].

(Courtesy of Kaspersky)

=======

Please download [You must be registered and logged in to see this link.], and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14309
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302960
# Likes : 10

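Added example, not from this thread and not part of Kaspersky's instructions or any tool mentioned here: a small Python script that does the HOSTS-file check described in the post above from the defender's side. It flags every mapping that is not the stock `127.0.0.1 localhost` line (or `::1 localhost`, which Vista/7 add) and produces a cleaned copy containing only those lines, which is the "delete all the lines except 127.0.0.1 localhost" step in script form. The sample HOSTS content, including the vendor-looking names in it, is constructed; on Windows the script reads the real file from %SystemRoot%\System32\drivers\etc\hosts, anywhere else it runs against the sample.

```python
"""Audit a Windows HOSTS file for hijack entries and produce a cleaned copy.

Added example, not part of the forum thread or of Kaspersky's instructions.
The SAMPLE_HOSTS text below is constructed; the real file on XP/Vista/7 is
%SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress
import os
from dataclasses import dataclass

# Constructed sample of a tampered HOSTS file. Rogue "antivirus" families
# typically point security-vendor names at loopback (so updates and removal
# tools cannot download) or at an address the attacker controls.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test   # constructed hijack entry
203.0.113.7     update.example-av-vendor.test
::1             localhost
"""

# The only mappings a stock HOSTS file carries: XP ships just the IPv4 line,
# Vista/7 add the IPv6 one.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


@dataclass
class HostsFinding:
    line_no: int
    address: str
    name: str
    reason: str


def parse_hosts(text):
    """Yield (line_no, address, names) for every non-comment, non-blank line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not body:
            continue
        fields = body.split()
        yield line_no, fields[0], fields[1:]


def audit_hosts(text):
    """Return a HostsFinding for every mapping that is not a stock localhost line."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append(HostsFinding(line_no, address, " ".join(names),
                                         "first field is not an IP address"))
            continue
        for name in names:
            if (address, name.lower()) in DEFAULT_ENTRIES:
                continue
            if ip.is_loopback:
                reason = "name sinkholed to loopback (that host becomes unreachable)"
            else:
                reason = "name redirected to a non-loopback address"
            findings.append(HostsFinding(line_no, address, name, reason))
    return findings


def clean_hosts(text):
    """Keep only comments and stock localhost lines (the 'delete everything
    except 127.0.0.1 localhost' step); every other mapping is dropped."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            kept.append(raw)                      # comment or blank line
            continue
        fields = body.split()
        if len(fields) >= 2 and all((fields[0], n.lower()) in DEFAULT_ENTRIES
                                    for n in fields[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    path = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                        "System32", "drivers", "etc", "hosts")
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS   # not on Windows: run against the constructed sample
    for f in audit_hosts(text):
        print(f"line {f.line_no}: {f.address} {f.name} -> {f.reason}")
    print("--- cleaned copy ---")
    print(clean_hosts(text), end="")
```

A vendor or update host mapped to 127.0.0.1 is the tell-tale of this kind of hijack: the machine quietly loses the ability to reach the sites that would remove the infection, which is why the thread's first step is to inspect this file before running any downloads. When writing the cleaned copy back on Windows, save it under the name HOSTS with no extension (a file that Notepad turns into HOSTS.txt is ignored by the resolver).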

Re: Stealth Intrusion

Post by Vista on 19th February 2010, 9:41 pm

Hello. Completed everything except the Host.exe opened up with Jasc Paint Shop Photo Album... and it has nothing. Is that supposed to happen? It is asking me what program I want to open it with. Which one should I pick?


Re: Stealth Intrusion

Post by Dr Jay on 19th February 2010, 10:09 pm

Notepad, please.

When you go to save it again, click File > Save as...

Choose Save as type: All Files

File name: HOSTS

No extension, just that one word. Then, click Save.


Dr. Jay (DJ)




Re: Stealth Intrusion

Post by Vista on 19th February 2010, 10:20 pm

Sorry, didn't read the rest of your note...


Re: Stealth Intrusion

Post by Vista on 19th February 2010, 10:26 pm

Cheetah-Anti-Rogue v1.3.1
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 02/19/2010 - Time: 17:25:43 - Arch.: x86


-- Malware removal tools check --
Trend Micro HijackThis 2.0.2
Malwarebytes' Anti-Malware


-- Known infection --

C:\DOCUME~1\Valerie\LOCALS~1\Temp\B.tmp (Trj.Sinowal.X)
C:\DOCUME~1\Valerie\LOCALS~1\Temp\5.tmp (Trj.Bredavi-Backdoor)
C:\DOCUME~1\Valerie\LOCALS~1\Temp\8.tmp (HEUR:::Trj.Bredavi-Backdoor)
C:\DOCUME~1\Valerie\LOCALS~1\Temp\9.tmp (HEUR:::Trj.Bredavi-Backdoor)


Extra message: Detection only.


EOF


Re: Stealth Intrusion

Post by Dr Jay on 19th February 2010, 11:03 pm

Hehe, let me see something, if possible:

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].
Alternate link: [You must be registered and logged in to see this link.].
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Dr. Jay (DJ)




Re: Stealth Intrusion

Post by Vista on 19th February 2010, 11:32 pm

I am waiting for the Malware scan to complete and I noticed that I do not have sound in my speakers... I did get a message that wants me to install hardware for Multi Media (?) but I tried to install it and it would not install. Maybe it was because of the problems I was having. Not sure how to get the sound back...


Re: Stealth Intrusion

Post by Belahzur on 20th February 2010, 12:07 am

We'll try to fix that soon, 1 problem at a time. Smile


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1


Re: Stealth Intrusion

Post by Dr Jay on 20th February 2010, 2:41 am

Post the results when ready.


Dr. Jay (DJ)




Re: Stealth Intrusion

Post by Vista on 20th February 2010, 2:51 am

Below is the log. What should I be doing with my security on my PC? This is the second time this week I've had a virus. Any suggestions? I have Free AVG 9.0. That must not be good enough. Thanks again for all your help!

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/19/2010 9:08:22 PM
mbam-log-2010-02-19 (21-08-22).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 199067
Time elapsed: 50 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Re: Stealth Intrusion

Post by Dr Jay on 20th February 2010, 3:14 am

Hmm... seems to be a continuous infection. A backdoor was spotted on the reverse page. Seems pretty bad and hiding from MBAM. Could not hide from my tool.

Please download [You must be registered and logged in to see this link.] and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Dr. Jay (DJ)




Re: Stealth Intrusion

Post by Vista on 20th February 2010, 1:55 pm

SDFix: Version 1.240
Run by Valerie on Fri 02/19/2010 at 11:06 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-20 08:47:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]
"RefCount"=dword:00000002

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\dlcjcoms.exe"="C:\\WINDOWS\\system32\\dlcjcoms.exe:*:Enabled:Dell 964 Server"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcjpswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcjpswx.exe:*:Enabled:Dell 964 Printer Status"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe"="C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\AVG\\AVG8\\avgam.exe"="C:\\Program Files\\AVG\\AVG8\\avgam.exe:*:Enabled:avgam.exe"
"C:\\Program Files\\AVG\\AVG8\\avgdiag.exe"="C:\\Program Files\\AVG\\AVG8\\avgdiag.exe:*:Enabled:avgdiag.exe"
"C:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"="C:\\Program Files\\AVG\\AVG8\\avgdiagex.exe:*:Enabled:avgdiagex.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Program Files\\AVG\\AVG9\\avgam.exe"="C:\\Program Files\\AVG\\AVG9\\avgam.exe:*:Enabled:avgam.exe"
"C:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"="C:\\Program Files\\AVG\\AVG9\\avgdiagex.exe:*:Enabled:avgdiagex.exe"
"C:\\Program Files\\AVG\\AVG9\\avgupd.exe"="C:\\Program Files\\AVG\\AVG9\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG9\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG9\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Documents and Settings\\Valerie\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Documents and Settings\\Valerie\\Application Data\\mjusbsp\\magicJack.exe:*:Enabled:magicJack"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Wed 21 Jan 2004 61,440 ...H. --- "C:\Program Files\MSN\msnupdate!@#@.exe"
Wed 21 Jan 2004 292,864 ...H. --- "C:\Program Files\MSN\txsrvc.dll"
Wed 21 Jan 2004 302,080 ...H. --- "C:\Program Files\MSN\unicows.dll"
Sun 20 Jul 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 17 Feb 2010 49,664 ...H. --- "C:\Documents and Settings\Valerie\My Documents\~WRL2543.tmp"
Tue 14 Oct 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 16 Jan 2008 30,208 ...H. --- "C:\Documents and Settings\Valerie\My Documents\Stationary\~WRL0001.tmp"
Wed 9 Dec 2009 32,256 ...H. --- "C:\Documents and Settings\Valerie\My Documents\Stationary\~WRL4002.tmp"
Sun 26 Apr 2009 266,752 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Templates\~WRL0189.tmp"
Fri 10 Jul 2009 172,544 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL0115.tmp"
Wed 25 Nov 2009 585,728 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL0341.tmp"
Fri 22 Jan 2010 712,192 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL0356.tmp"
Tue 8 Sep 2009 367,104 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL2661.tmp"
Tue 6 Oct 2009 428,032 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL2817.tmp"
Sun 2 Aug 2009 271,872 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL2879.tmp"
Wed 24 Jun 2009 134,656 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL3678.tmp"
Fri 10 Apr 2009 725,296 A..H. --- "C:\Documents and Settings\Valerie\Application Data\mjusbsp\ar00000\install.exe"
Fri 10 Apr 2009 6,327,408 A..H. --- "C:\Documents and Settings\Valerie\Application Data\mjusbsp\in00000\setup.exe"
Fri 10 Apr 2009 725,296 A..H. --- "C:\Documents and Settings\Valerie\Application Data\mjusbsp\Upgrade\install1.exe"
Fri 10 Apr 2009 6,327,408 A..H. --- "C:\Documents and Settings\Valerie\Application Data\mjusbsp\Upgrade\setup1.exe"
Sun 20 Jul 2008 4,348 ...H. --- "C:\Documents and Settings\Valerie\My Documents\My Music\License Backup\drmv1key.bak"
Mon 28 Jul 2008 20 ...H. --- "C:\Documents and Settings\Valerie\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 20 Jul 2008 400 ...H. --- "C:\Documents and Settings\Valerie\My Documents\My Music\License Backup\drmv2key.bak"
Mon 28 Jul 2008 1,536 ...H. --- "C:\Documents and Settings\Valerie\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!


Re: Stealth Intrusion

Post by Dr Jay on 20th February 2010, 2:28 pm

We need to do some more diagnostics to make sure your computer is clean.

1. Please download [You must be registered and logged in to see this link.] and save it to your desktop.

  1. Double click it to start the tool.
  2. Click Scan.
  3. Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

2. Download [You must be registered and logged in to see this link.] to your desktop.

  • A window will pop up. Press 2 and then Enter. A scan will start; let it run uninterrupted. It should only take a few minutes.
  • A log will appear when it is finished; it will also be saved in the same location as LockSearch, which should be on your desktop. Post the contents of the log in your reply.


3. Please download CKScanner by askey127 from [You must be registered and logged in to see this link.]

Save it to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


4. I request the following logs to be posted in your next reply, please:
-Rooter
-LockSearch
-CKScanner

Thanks.


Dr. Jay (DJ)




Re: Stealth Intrusion

Post by Vista on 20th February 2010, 3:45 pm

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 4 Stepping 1, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !

.
Internet Explorer 8.0.6001.18702
.
C:\ [Fixed-NTFS] .. ( Total:232 Go - Free:211 Go )
D:\ [CD_Rom]
E:\ [CD_Rom]
F:\ [Removable]
.
Scan : 10:30.40
Path : C:\Documents and Settings\Valerie\Desktop\Rooter.exe
User : Valerie ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (892)
______ \??\C:\WINDOWS\system32\csrss.exe (940)
______ \??\C:\WINDOWS\system32\winlogon.exe (964)
______ C:\WINDOWS\system32\services.exe (1008)
______ C:\WINDOWS\system32\lsass.exe (1020)
______ C:\WINDOWS\system32\svchost.exe (1224)
______ C:\WINDOWS\system32\svchost.exe (1312)
______ C:\WINDOWS\System32\svchost.exe (1436)
______ C:\WINDOWS\system32\svchost.exe (1572)
______ C:\WINDOWS\system32\svchost.exe (1684)
______ C:\Program Files\AVG\AVG9\avgchsvx.exe (1772)
______ C:\Program Files\AVG\AVG9\avgrsx.exe (1780)
______ C:\WINDOWS\system32\spoolsv.exe (1908)
Locked AVGIDSAgent.exe (1948)
______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (1984)
______ C:\WINDOWS\Explorer.EXE (620)
______ C:\WINDOWS\system32\svchost.exe (1568)
______ C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe (1624)
Locked avgwdsvc.exe (1676)
Locked avgfws9.exe (1696)
______ C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe (328)
______ C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (644)
Locked avgam.exe (1516)
______ C:\Program Files\AVG\AVG9\avgnsx.exe (1832)
______ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (2528)
______ C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (2568)
______ C:\WINDOWS\system32\svchost.exe (2764)
______ C:\WINDOWS\system32\WFXSVC.EXE (2792)
______ C:\Program Files\WinFax\WFXMOD32.EXE (2856)
______ C:\WINDOWS\System32\alg.exe (3832)
______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (3704)
______ C:\WINDOWS\System32\svchost.exe (3804)
______ C:\WINDOWS\system32\dllhost.exe (3496)
______ C:\WINDOWS\system32\msdtc.exe (1768)
______ C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (4024)
______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (3656)
______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (2308)
______ C:\WINDOWS\system32\dlcjcoms.exe (1416)
______ C:\Program Files\AVG\AVG9\avgui.exe (112)
______ C:\Documents and Settings\Valerie\Desktop\Rooter.exe (5992)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:249990902784)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\User_Feed_Synchronization-{76D70BD6-ADEF-4772-B82F-52AD730EEB58}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 10:31.07
.
C:\Rooter$\Rooter_1.txt - (20/02/2010 | 10:31.07)

LockSearch by jpshortstuff (05.11.09.1)
Log created at 10:32 on 20/02/2010 (Valerie)
Scanning C:\


C:\pagefile.sys
-------------------------

-=E.O.F=-

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\valerie\my documents\photoshow print & share\_photoshow\music\rock\crackthesky_mind.swf
c:\documents and settings\valerie\my documents\photoshow print & share\_photoshow\music\rock\crackthesky_mind_image.swf
c:\program files\jasc software inc\paint shop pro studio\bump maps\cracked desert.pspimage
c:\program files\jasc software inc\paint shop pro studio\patterns\cracked paint.pspimage
scanner sequence 3.CA.11
----- EOF -----


Re: Stealth Intrusion

Post by Dr Jay on 20th February 2010, 5:24 pm

I would say clean.

How is the computer running now?


Dr. Jay (DJ)




Re: Stealth Intrusion

Post by Vista on 20th February 2010, 10:39 pm

It is working very nicely, thank you!!!! I personally want to thank you for all your help. You truly are a MASTER!!! I also donated to Geek Police this morning... it is well worth the money. Until we meet again...... A BIG THANKS!!


Re: Stealth Intrusion

Post by Dr Jay on 21st February 2010, 6:45 pm

You're welcome.


Dr. Jay (DJ)


