#1
Registered User
Join Date: Nov 2008
Posts: 9
OS: xp
c:\windows\avguard.exe
I'm having this process called avguard.exe which makes my Firefox unable to launch. I have tried a lot to remove it but it keeps coming back. Both the process and the file come back seconds after removal.
I have been told it is a worm.netsky.g causing this but the guides on how to remove it don't fit in this case... I can't find the registry values that netsky.g creates.

Logfile of random's system information tool 1.04 (written by random/random)
Run by Mattias at 2008-11-06 19:52:02
Microsoft Windows XP Professional Service Pack 2
System drive C: has 62 GB (81%) free of 76 GB
Total RAM: 511 MB (46% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:52:14, on 2008-11-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\World of Warcraft\WoW-2.4.2-enGB-downloader.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\avguard.exe
C:\Documents and Settings\Mattias\Desktop\RSIT.exe
C:\Program Files\trend micro\Mattias.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: lsass.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 2298 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-08-01 61440]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-08-08 490952]

C:\Documents and Settings\Mattias\Start Menu\Programs\Startup
lsass.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-08-21 143360]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\World of Warcraft\WoW-2.4.2-enGB-downloader.exe"="C:\Program Files\World of Warcraft\WoW-2.4.2-enGB-downloader.exe:*:Enabled:Blizzard Downloader"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4fd7948-abec-11dd-aced-806d6172696f}]
shell\AutoRun\command - F:\Installer.exe

======List of files/folders created in the last 1 months======

2008-11-06 19:52:05 ----D---- C:\Program Files\trend micro
2008-11-06 19:52:02 ----D---- C:\rsit
2008-11-06 19:30:48 ----A---- C:\WINDOWS\gmer.ini
2008-11-06 19:30:45 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-11-06 19:30:44 ----A---- C:\WINDOWS\gmer.exe
2008-11-06 19:30:44 ----A---- C:\WINDOWS\gmer.dll
2008-11-06 19:30:35 ----D---- C:\Documents and Settings\Mattias\Application Data\WinRAR
2008-11-06 19:10:18 ----A---- C:\SDFix.exe
2008-11-06 18:56:47 ----SHD---- C:\RECYCLER
2008-11-06 18:26:07 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-11-06 18:15:23 ----D---- C:\WINDOWS\system32\PreInstall
2008-11-06 18:15:21 ----N---- 
C:\WINDOWS\system32\spmsg.dll 2008-11-06 18:15:20 ----A---- C:\WINDOWS\system32\spupdsvc.exe 2008-11-06 18:15:18 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$ 2008-11-06 18:15:18 ----HD---- C:\WINDOWS\$hf_mig$ 2008-11-06 18:09:07 ----D---- C:\Program Files\Windows Live Safety Center 2008-11-06 17:38:24 ----D---- C:\WINDOWS\system32\SoftwareDistribution 2008-11-06 17:37:26 ----D---- C:\WINDOWS\system32\appmgmt 2008-11-06 17:36:50 ----D---- C:\WINDOWS\LastGood 2008-11-06 17:27:32 ----A---- C:\WINDOWS\avguard.exe 2008-11-06 17:27:24 ----A---- C:\WINDOWS\system32\wowformf436_130.dll 2008-11-06 14 24 ----D---- C:\WINDOWS\Eurobattle.net Installer2008-11-06 14 00 ----A---- C:\WINDOWS\Eurobattle.net Installer Setup Log.txt2008-11-06 13:45:34 ----D---- C:\Documents and Settings\Mattias\Application Data\Ventrilo 2008-11-06 13:44:48 ----D---- C:\Program Files\VentriloMIX 2008-11-06 13:43:39 ----A---- C:\WINDOWS\War3Unin.exe 2008-11-06 13:41:01 ----D---- C:\Program Files\Warcraft III 2008-11-06 13:36:42 ----D---- C:\Program Files\DAEMON Tools Lite 2008-11-06 12:35:23 ----D---- C:\Documents and Settings\Mattias\Application Data\DAEMON Tools 2008-11-06 12:30:35 ----D---- C:\Documents and Settings\All Users\Application Data\Blizzard 2008-11-06 11:55:58 ----A---- C:\WINDOWS\system32\h323log.txt 2008-11-06 11:55:05 ----D---- C:\Program Files\World of Warcraft 2008-11-06 11:55:05 ----D---- C:\Program Files\Common Files\Blizzard Entertainment 2008-11-06 11:54:21 ----A---- C:\WINDOWS\system32\ativvaxx.dll 2008-11-06 11:54:21 ----A---- C:\WINDOWS\system32\ati3duag.dll 2008-11-06 11:54:21 ----A---- C:\WINDOWS\system32\ati3d1ag.dll 2008-11-06 11:54:20 ----A---- C:\WINDOWS\system32\ati2dvag.dll 2008-11-06 11:54:20 ----A---- C:\WINDOWS\system32\ati2cqag.dll 2008-11-06 11:54:01 ----A---- C:\WINDOWS\system32\usbui.dll 2008-11-06 11:53:53 ----A---- C:\WINDOWS\system32\HSFCISP2.dll 2008-11-06 11:53:52 ----A---- C:\WINDOWS\system32\mdmxsdk.dll 2008-11-06 11:53:34 ----D---- C:\Documents and 
Settings\Mattias\Application Data\ATI 2008-11-06 11:53:34 ----D---- C:\Documents and Settings\All Users\Application Data\ATI 2008-11-06 11:52:45 ----A---- C:\WINDOWS\imsins.BAK 2008-11-06 11:52:42 ----SHD---- C:\WINDOWS\Installer 2008-11-06 11:52:42 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI 2008-11-06 11:52:41 ----A---- C:\WINDOWS\ODBCINST.INI 2008-11-06 11:52:38 ----RD---- C:\Program Files 2008-11-06 11:52:38 ----D---- C:\Program Files\Common Files\SpeechEngines 2008-11-06 11:52:38 ----D---- C:\Program Files\Common Files\Microsoft Shared 2008-11-06 11:52:38 ----D---- C:\Program Files\Common Files 2008-11-06 11:52:35 ----RA---- C:\WINDOWS\system32\kbdtuq.dll 2008-11-06 11:52:35 ----RA---- C:\WINDOWS\system32\kbdtuf.dll 2008-11-06 11:52:35 ----RA---- C:\WINDOWS\system32\kbdazel.dll 2008-11-06 11:52:33 ----RA---- C:\WINDOWS\system32\kbdycc.dll 2008-11-06 11:52:33 ----RA---- C:\WINDOWS\system32\kbduzb.dll 2008-11-06 11:52:33 ----RA---- C:\WINDOWS\system32\kbdur.dll 2008-11-06 11:52:33 ----RA---- C:\WINDOWS\system32\kbdtat.dll 2008-11-06 11:52:33 ----RA---- C:\WINDOWS\system32\kbdru1.dll 2008-11-06 11:52:33 ----RA---- C:\WINDOWS\system32\kbdru.dll 2008-11-06 11:52:33 ----RA---- C:\WINDOWS\system32\kbdmon.dll 2008-11-06 11:52:33 ----RA---- C:\WINDOWS\system32\kbdkyr.dll 2008-11-06 11:52:33 ----RA---- C:\WINDOWS\system32\kbdkaz.dll 2008-11-06 11:52:33 ----RA---- C:\WINDOWS\system32\kbdbu.dll 2008-11-06 11:52:33 ----RA---- C:\WINDOWS\system32\kbdblr.dll 2008-11-06 11:52:33 ----RA---- C:\WINDOWS\system32\kbdaze.dll 2008-11-06 11:52:31 ----RA---- C:\WINDOWS\system32\kbdhept.dll 2008-11-06 11:52:31 ----RA---- C:\WINDOWS\system32\kbdhela3.dll 2008-11-06 11:52:31 ----RA---- C:\WINDOWS\system32\kbdhela2.dll 2008-11-06 11:52:31 ----RA---- C:\WINDOWS\system32\kbdhe319.dll 2008-11-06 11:52:31 ----RA---- C:\WINDOWS\system32\kbdhe220.dll 2008-11-06 11:52:31 ----RA---- C:\WINDOWS\system32\kbdhe.dll 2008-11-06 11:52:31 ----RA---- C:\WINDOWS\system32\kbdgkl.dll 2008-11-06 
11:52:29 ----RA---- C:\WINDOWS\system32\kbdlv1.dll 2008-11-06 11:52:29 ----RA---- C:\WINDOWS\system32\kbdlv.dll 2008-11-06 11:52:29 ----RA---- C:\WINDOWS\system32\kbdlt1.dll 2008-11-06 11:52:29 ----RA---- C:\WINDOWS\system32\kbdlt.dll 2008-11-06 11:52:29 ----RA---- C:\WINDOWS\system32\kbdest.dll 2008-11-06 11:52:27 ----RA---- C:\WINDOWS\system32\kbdycl.dll 2008-11-06 11:52:27 ----RA---- C:\WINDOWS\system32\kbdsl1.dll 2008-11-06 11:52:27 ----RA---- C:\WINDOWS\system32\kbdsl.dll 2008-11-06 11:52:27 ----RA---- C:\WINDOWS\system32\kbdro.dll 2008-11-06 11:52:27 ----RA---- C:\WINDOWS\system32\kbdpl1.dll 2008-11-06 11:52:27 ----RA---- C:\WINDOWS\system32\kbdpl.dll 2008-11-06 11:52:27 ----RA---- C:\WINDOWS\system32\kbdhu1.dll 2008-11-06 11:52:27 ----RA---- C:\WINDOWS\system32\kbdhu.dll 2008-11-06 11:52:27 ----RA---- C:\WINDOWS\system32\kbdcz2.dll 2008-11-06 11:52:27 ----RA---- C:\WINDOWS\system32\kbdcz1.dll 2008-11-06 11:52:27 ----RA---- C:\WINDOWS\system32\kbdcz.dll 2008-11-06 11:52:27 ----RA---- C:\WINDOWS\system32\kbdcr.dll 2008-11-06 11:52:27 ----RA---- C:\WINDOWS\system32\KBDAL.DLL 2008-11-06 11:52:24 ----A---- C:\WINDOWS\system32\spxcoins.dll 2008-11-06 11:52:24 ----A---- C:\WINDOWS\system32\irclass.dll 2008-11-06 11:52:24 ----A---- C:\WINDOWS\system32\EqnClass.Dll 2008-11-06 11:52:24 ----A---- C:\WINDOWS\system32\dgsetup.dll 2008-11-06 11:52:24 ----A---- C:\WINDOWS\system32\dgrpsetu.dll 2008-11-06 11:52:22 ----N---- C:\WINDOWS\system32\CONFIG.TMP 2008-11-06 11:52:22 ----A---- C:\WINDOWS\TASKMAN.EXE 2008-11-06 11:52:21 ----A---- C:\WINDOWS\system32\batt.dll 2008-11-06 11:52:21 ----A---- C:\WINDOWS\NOTEPAD.EXE 2008-11-06 11:52:20 ----A---- C:\WINDOWS\system32\storprop.dll 2008-11-06 11:52:12 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini 2008-11-06 11:52:08 ----RA---- C:\WINDOWS\SET8.tmp 2008-11-06 11:52:05 ----RA---- C:\WINDOWS\SET4.tmp 2008-11-06 11:52:04 ----RA---- C:\WINDOWS\SET3.tmp 2008-11-06 11:51:58 ----D---- 
C:\WINDOWS\system32\CatRoot2 2008-11-06 11:51:58 ----D---- C:\WINDOWS\system32\CatRoot 2008-11-06 11:51:53 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft 2008-11-06 11:51:49 ----N---- C:\WINDOWS\{00000000-00000000-0000000B-00001102-00000004-00541102}.BAK 2008-11-06 11:51:40 ----A---- C:\WINDOWS\setuplog.txt 2008-11-06 11:51:36 ----SHD---- C:\System Volume Information 2008-11-06 11:51:36 ----D---- C:\Documents and Settings 2008-11-06 11:50:42 ----SH---- C:\boot.ini 2008-11-06 11:44:40 ----RSHDC---- C:\WINDOWS\system32\dllcache 2008-11-06 11:44:40 ----RSD---- C:\WINDOWS\Fonts 2008-11-06 11:44:40 ----RD---- C:\WINDOWS\Web 2008-11-06 11:44:40 ----HD---- C:\WINDOWS\inf 2008-11-06 11:44:40 ----D---- C:\WINDOWS\WinSxS 2008-11-06 11:44:40 ----D---- C:\WINDOWS\twain_32 2008-11-06 11:44:40 ----D---- C:\WINDOWS\Temp 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\wins 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\wbem 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\usmt 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\spool 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\ShellExt 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\Setup 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\ras 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\oobe 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\npp 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\mui 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\inetsrv 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\IME 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\icsxml 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\ias 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\export 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\drivers 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\dhcp 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\config 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\3com_dmi 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\3076 2008-11-06 11:44:40 ----D---- 
C:\WINDOWS\system32\2052 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\1054 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\1042 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\1041 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\1037 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\1033 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\1031 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\1028 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32\1025 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system32 2008-11-06 11:44:40 ----D---- C:\WINDOWS\system 2008-11-06 11:44:40 ----D---- C:\WINDOWS\security 2008-11-06 11:44:40 ----D---- C:\WINDOWS\Resources 2008-11-06 11:44:40 ----D---- C:\WINDOWS\repair 2008-11-06 11:44:40 ----D---- C:\WINDOWS\Provisioning 2008-11-06 11:44:40 ----D---- C:\WINDOWS\PeerNet 2008-11-06 11:44:40 ----D---- C:\WINDOWS\pchealth 2008-11-06 11:44:40 ----D---- C:\WINDOWS\mui 2008-11-06 11:44:40 ----D---- C:\WINDOWS\msapps 2008-11-06 11:44:40 ----D---- C:\WINDOWS\msagent 2008-11-06 11:44:40 ----D---- C:\WINDOWS\Media 2008-11-06 11:44:40 ----D---- C:\WINDOWS\java 2008-11-06 11:44:40 ----D---- C:\WINDOWS\ime 2008-11-06 11:44:40 ----D---- C:\WINDOWS\Help 2008-11-06 11:44:40 ----D---- C:\WINDOWS\ehome 2008-11-06 11:44:40 ----D---- C:\WINDOWS\Driver Cache 2008-11-06 11:44:40 ----D---- C:\WINDOWS\Debug 2008-11-06 11:44:40 ----D---- C:\WINDOWS\Cursors 2008-11-06 11:44:40 ----D---- C:\WINDOWS\Connection Wizard 2008-11-06 11:44:40 ----D---- C:\WINDOWS\Config 2008-11-06 11:44:40 ----D---- C:\WINDOWS\AppPatch 2008-11-06 11:44:40 ----D---- C:\WINDOWS\addins 2008-11-06 11:44:40 ----D---- C:\WINDOWS 2008-11-06 11:36:24 ----D---- C:\Documents and Settings\Mattias\Application Data\Macromedia 2008-11-06 11:36:23 ----D---- C:\Documents and Settings\Mattias\Application Data\Adobe 2008-11-06 11:25:57 ----D---- C:\WINDOWS\system32\Defaults 2008-11-06 11:25:46 ----D---- C:\Program Files\ESET 2008-11-06 11:25:46 ----D---- C:\Documents and Settings\All 
Users\Application Data\ESET 2008-11-06 11:23:35 ----D---- C:\Program Files\Creative 2008-11-06 11:21:40 ----A---- C:\WINDOWS\system32\wrap_oal.dll 2008-11-06 11:21:40 ----A---- C:\WINDOWS\system32\OpenAL32.dll 2008-11-06 11:21:39 ----D---- C:\Documents and Settings\Mattias\Application Data\Creative 2008-11-06 11:19:24 ----A---- C:\WINDOWS\system32\ksuser.dll 2008-11-06 11:17:03 ----RSD---- C:\WINDOWS\assembly 2008-11-06 11:15:14 ----D---- C:\WINDOWS\Microsoft.NET 2008-11-06 11:14:39 ----N---- C:\WINDOWS\system32\ati2sgag.exe 2008-11-06 11:14:15 ----D---- C:\WINDOWS\system32\ReinstallBackups 2008-11-06 11:13:42 ----D---- C:\WINDOWS\system32\Data 2008-11-06 11:13:34 ----D---- C:\Program Files\ATI Technologies 2008-11-06 11:13:27 ----HD---- C:\Program Files\InstallShield Installation Information 2008-11-06 11:11:54 ----DC---- C:\WINDOWS\system32\DRVSTORE 2008-11-06 11:11:54 ----D---- C:\Program Files\Common Files\InstallShield 2008-11-06 11:11:38 ----D---- C:\ATI 2008-11-06 11:11:04 ----D---- C:\Program Files\MSN Messenger 2008-11-06 11:10:35 ----D---- C:\Documents and Settings\Mattias\Application Data\Mozilla 2008-11-06 11:10:27 ----D---- C:\Program Files\Mozilla Firefox 2008-11-06 11:09:56 ----D---- C:\Program Files\uTorrent 2008-11-06 11:09:55 ----D---- C:\Documents and Settings\Mattias\Application Data\uTorrent 2008-11-06 11:09:48 ----D---- C:\Program Files\WinRAR 2008-11-06 11:09:17 ----D---- C:\Documents and Settings\Mattias\Application Data\Identities 2008-11-06 11:09:08 ----ASH---- C:\Documents and Settings\Mattias\Application Data\desktop.ini 2008-11-06 11:09:07 ----SD---- C:\Documents and Settings\Mattias\Application Data\Microsoft 2008-11-06 11:08:23 ----D---- C:\WINDOWS\SoftwareDistribution 2008-11-06 11:08:13 ----D---- C:\WINDOWS\Prefetch 2008-11-06 11:08:12 ----SD---- C:\WINDOWS\system32\Microsoft 2008-11-06 11:08:12 ----A---- C:\WINDOWS\SchedLgU.Txt 2008-11-06 11:04:17 ----D---- C:\WINDOWS\system32\xircom 2008-11-06 11:04:17 ----D---- C:\Program 
Files\xerox 2008-11-06 11:04:17 ----D---- C:\Program Files\microsoft frontpage 2008-11-06 11:04:00 ----A---- C:\WINDOWS\control.ini 2008-11-06 11:04:00 ----A---- C:\AUTOEXEC.BAT 2008-11-06 11:03:43 ----A---- C:\WINDOWS\OEWABLog.txt 2008-11-06 11:03:40 ----A---- C:\WINDOWS\system32\mapi32.dll 2008-11-06 11:02:27 ----SD---- C:\WINDOWS\Downloaded Program Files 2008-11-06 11:02:27 ----RD---- C:\WINDOWS\Offline Web Pages 2008-11-06 11:02:27 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest 2008-11-06 11:02:19 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest 2008-11-06 11:01:46 ----D---- C:\WINDOWS\system32\DirectX 2008-11-06 11:01:08 ----A---- C:\WINDOWS\system32\atrace.dll 2008-11-06 11:01:05 ----A---- C:\WINDOWS\system32\desktop.ini 2008-11-06 11:01:05 ----A---- C:\WINDOWS\desktop.ini 2008-11-06 11:00:52 ----A---- C:\WINDOWS\system32\nmevtmsg.dll 2008-11-06 11:00:50 ----A---- C:\WINDOWS\system32\acctres.dll 2008-11-06 11:00:49 ----D---- C:\Program Files\Common Files\Services 2008-11-06 11:00:44 ----SD---- C:\WINDOWS\Tasks 2008-11-06 11:00:44 ----A---- C:\WINDOWS\system32\icfgnt5.dll 2008-11-06 11:00:42 ----D---- C:\Program Files\Common Files\MSSoap 2008-11-06 11:00:32 ----D---- C:\WINDOWS\srchasst 2008-11-06 11:00:30 ----D---- C:\WINDOWS\system32\Macromed 2008-11-06 11:00:24 ----A---- C:\WINDOWS\system32\wuweb.dll 2008-11-06 11:00:23 ----A---- C:\WINDOWS\system32\wucltui.dll 2008-11-06 11:00:23 ----A---- C:\WINDOWS\system32\wuauserv.dll 2008-11-06 11:00:23 ----A---- C:\WINDOWS\system32\wuaueng1.dll 2008-11-06 11:00:22 ----A---- C:\WINDOWS\system32\wups.dll 2008-11-06 11:00:22 ----A---- C:\WINDOWS\system32\wuaueng.dll.wusetup.2593375.bak 2008-11-06 11:00:22 ----A---- C:\WINDOWS\system32\wuaueng.dll 2008-11-06 11:00:22 ----A---- C:\WINDOWS\system32\wuaucpl.cpl.wusetup.2592703.bak 2008-11-06 11:00:21 ----A---- C:\WINDOWS\system32\wuauclt1.exe 2008-11-06 11:00:21 ----A---- C:\WINDOWS\system32\wuauclt.exe.wusetup.2592468.bak 2008-11-06 11:00:21 ----A---- 
C:\WINDOWS\system32\wuauclt.exe 2008-11-06 11:00:21 ----A---- C:\WINDOWS\system32\wuapi.dll.wusetup.2592171.bak 2008-11-06 11:00:21 ----A---- C:\WINDOWS\system32\wuapi.dll 2008-11-06 11:00:20 ----A---- C:\WINDOWS\system32\bitsprx3.dll 2008-11-06 11:00:20 ----A---- C:\WINDOWS\system32\bitsprx2.dll 2008-11-06 11:00:19 ----A---- C:\WINDOWS\system32\qmgrprxy.dll 2008-11-06 11:00:19 ----A---- C:\WINDOWS\system32\qmgr.dll 2008-11-06 11:00:09 ----D---- C:\Program Files\Movie Maker 2008-11-06 11:00:02 ----A---- C:\WINDOWS\system32\safrslv.dll 2008-11-06 11:00:02 ----A---- C:\WINDOWS\system32\safrdm.dll 2008-11-06 11:00:02 ----A---- C:\WINDOWS\system32\safrcdlg.dll 2008-11-06 11:00:02 ----A---- C:\WINDOWS\system32\racpldlg.dll 2008-11-06 10:59:51 ----A---- C:\WINDOWS\system32\fltMc.exe 2008-11-06 10:59:51 ----A---- C:\WINDOWS\system32\fltlib.dll 2008-11-06 10:59:50 ----D---- C:\WINDOWS\system32\Restore 2008-11-06 10:59:50 ----A---- C:\WINDOWS\system32\srsvc.dll 2008-11-06 10:59:50 ----A---- C:\WINDOWS\system32\srrstr.dll 2008-11-06 10:59:49 ----A---- C:\WINDOWS\system32\srclient.dll 2008-11-06 10:59:48 ----A---- C:\WINDOWS\system32\isrdbg32.dll 2008-11-06 10:59:48 ----A---- C:\WINDOWS\system32\ils.dll 2008-11-06 10:59:47 ----A---- C:\WINDOWS\system32\nmmkcert.dll 2008-11-06 10:59:47 ----A---- C:\WINDOWS\system32\msconf.dll 2008-11-06 10:59:47 ----A---- C:\WINDOWS\system32\mnmsrvc.exe 2008-11-06 10:59:47 ----A---- C:\WINDOWS\system32\mnmdd.dll 2008-11-06 10:59:43 ----D---- C:\Program Files\NetMeeting 2008-11-06 10:59:43 ----A---- C:\WINDOWS\system32\msoert2.dll 2008-11-06 10:59:43 ----A---- C:\WINDOWS\system32\msoeacct.dll 2008-11-06 10:59:42 ----A---- C:\WINDOWS\system32\inetres.dll 2008-11-06 10:59:41 ----A---- C:\WINDOWS\system32\inetcomm.dll 2008-11-06 10:59:37 ----D---- C:\Program Files\Outlook Express 2008-11-06 10:59:37 ----A---- C:\WINDOWS\system32\schedsvc.dll 2008-11-06 10:59:37 ----A---- C:\WINDOWS\system32\mstinit.exe 2008-11-06 10:59:37 ----A---- 
C:\WINDOWS\system32\mstask.dll 2008-11-06 10:59:36 ----A---- C:\WINDOWS\system32\icwphbk.dll 2008-11-06 10:59:36 ----A---- C:\WINDOWS\system32\icwdial.dll 2008-11-06 10:59:35 ----A---- C:\WINDOWS\system32\isign32.dll 2008-11-06 10:59:35 ----A---- C:\WINDOWS\system32\inetcfg.dll 2008-11-06 10:59:23 ----D---- C:\Program Files\Common Files\System 2008-11-06 10:59:21 ----D---- C:\Program Files\Internet Explorer 2008-11-06 10:58:45 ----A---- C:\WINDOWS\vbaddin.ini 2008-11-06 10:58:45 ----A---- C:\WINDOWS\vb.ini 2008-11-06 10:58:41 ----D---- C:\WINDOWS\Registration 2008-11-06 10:58:35 ----D---- C:\Program Files\Online Services 2008-11-06 10:58:34 ----D---- C:\Program Files\Windows Media Player 2008-11-06 10:58:28 ----D---- C:\Program Files\Messenger 2008-11-06 10:58:17 ----D---- C:\Program Files\MSN Gaming Zone 2008-11-06 10:58:17 ----A---- C:\WINDOWS\system32\write.exe 2008-11-06 10:58:08 ----A---- C:\WINDOWS\system32\sndvol32.exe 2008-11-06 10:58:08 ----A---- C:\WINDOWS\system32\hticons.dll 2008-11-06 10:58:08 ----A---- C:\WINDOWS\system32\avwav.dll 2008-11-06 10:58:08 ----A---- C:\WINDOWS\system32\avtapi.dll 2008-11-06 10:58:08 ----A---- C:\WINDOWS\system32\avmeter.dll 2008-11-06 10:58:07 ----A---- C:\WINDOWS\system32\winchat.exe 2008-11-06 10:58:00 ----A---- C:\WINDOWS\system32\getuname.dll 2008-11-06 10:58:00 ----A---- C:\WINDOWS\system32\charmap.exe 2008-11-06 10:58:00 ----A---- C:\WINDOWS\system32\calc.exe 2008-11-06 10:57:59 ----A---- C:\WINDOWS\system32\winmine.exe 2008-11-06 10:57:59 ----A---- C:\WINDOWS\system32\sol.exe 2008-11-06 10:57:59 ----A---- C:\WINDOWS\system32\reset.exe 2008-11-06 10:57:59 ----A---- C:\WINDOWS\system32\mshearts.exe 2008-11-06 10:57:59 ----A---- C:\WINDOWS\system32\freecell.exe 2008-11-06 10:57:58 ----A---- C:\WINDOWS\system32\usrlogon.cmd 2008-11-06 10:57:58 ----A---- C:\WINDOWS\system32\tsshutdn.exe 2008-11-06 10:57:58 ----A---- C:\WINDOWS\system32\tslabels.ini 2008-11-06 10:57:58 ----A---- C:\WINDOWS\system32\tskill.exe 2008-11-06 
10:57:58 ----A---- C:\WINDOWS\system32\tsdiscon.exe 2008-11-06 10:57:58 ----A---- C:\WINDOWS\system32\tscon.exe 2008-11-06 10:57:58 ----A---- C:\WINDOWS\system32\shadow.exe 2008-11-06 10:57:58 ----A---- C:\WINDOWS\system32\rwinsta.exe 2008-11-06 10:57:58 ----A---- C:\WINDOWS\system32\regini.exe 2008-11-06 10:57:58 ----A---- C:\WINDOWS\system32\rdpcfgex.dll 2008-11-06 10:57:58 ----A---- C:\WINDOWS\system32\qwinsta.exe 2008-11-06 10:57:58 ----A---- C:\WINDOWS\system32\qappsrv.exe 2008-11-06 10:57:57 ----A---- C:\WINDOWS\system32\msg.exe 2008-11-06 10:57:57 ----A---- C:\WINDOWS\system32\msdtcprf.ini 2008-11-06 10:57:57 ----A---- C:\WINDOWS\system32\logoff.exe 2008-11-06 10:57:57 ----A---- C:\WINDOWS\system32\cdmodem.dll 2008-11-06 10:57:56 ----A---- C:\WINDOWS\system32\stclient.dll 2008-11-06 10:57:56 ----A---- C:\WINDOWS\system32\mtxlegih.dll 2008-11-06 10:57:56 ----A---- C:\WINDOWS\system32\mtxex.dll 2008-11-06 10:57:56 ----A---- C:\WINDOWS\system32\mtxdm.dll 2008-11-06 10:57:56 ----A---- C:\WINDOWS\system32\dcomcnfg.exe 2008-11-06 10:57:56 ----A---- C:\WINDOWS\system32\comsnap.dll 2008-11-06 10:57:56 ----A---- C:\WINDOWS\system32\comrepl.dll 2008-11-06 10:57:56 ----A---- C:\WINDOWS\system32\comaddin.dll 2008-11-06 10:57:51 ----A---- C:\WINDOWS\system32\wmimgmt.msc 2008-11-06 10:57:42 ----D---- C:\Program Files\MSN 2008-11-06 10:57:41 ----A---- C:\WINDOWS\system32\accwiz.exe 2008-11-06 10:57:40 ----D---- C:\Program Files\Windows NT 2008-11-06 10:57:40 ----A---- C:\WINDOWS\system32\sndrec32.exe 2008-11-06 10:57:40 ----A---- C:\WINDOWS\system32\mspaint.exe 2008-11-06 10:57:40 ----A---- C:\WINDOWS\system32\mplay32.exe 2008-11-06 10:57:40 ----A---- C:\WINDOWS\system32\hypertrm.dll 2008-11-06 10:57:39 ----A---- C:\WINDOWS\system32\tscfgwmi.dll 2008-11-06 10:57:39 ----A---- C:\WINDOWS\system32\spider.exe 2008-11-06 10:57:39 ----A---- C:\WINDOWS\system32\clipbrd.exe 2008-11-06 10:57:38 ----A---- C:\WINDOWS\system32\tscupgrd.exe 2008-11-06 10:57:38 ----A---- 
C:\WINDOWS\system32\sessmgr.exe 2008-11-06 10:57:38 ----A---- C:\WINDOWS\system32\remotepg.dll 2008-11-06 10:57:38 ----A---- C:\WINDOWS\system32\rdshost.exe 2008-11-06 10:57:38 ----A---- C:\WINDOWS\system32\rdsaddin.exe 2008-11-06 10:57:38 ----A---- C:\WINDOWS\system32\rdchost.dll 2008-11-06 10:57:38 ----A---- C:\WINDOWS\system32\mstscax.dll 2008-11-06 10:57:38 ----A---- C:\WINDOWS\system32\mstsc.exe 2008-11-06 10:57:37 ----D---- C:\WINDOWS\system32\MsDtc 2008-11-06 10:57:37 ----A---- C:\WINDOWS\system32\termsrv.dll 2008-11-06 10:57:37 ----A---- C:\WINDOWS\system32\rdpwsx.dll 2008-11-06 10:57:37 ----A---- C:\WINDOWS\system32\rdpsnd.dll 2008-11-06 10:57:37 ----A---- C:\WINDOWS\system32\rdpclip.exe 2008-11-06 10:57:37 ----A---- C:\WINDOWS\system32\qprocess.exe 2008-11-06 10:57:37 ----A---- C:\WINDOWS\system32\mtxoci.dll 2008-11-06 10:57:37 ----A---- C:\WINDOWS\system32\msdtcuiu.dll 2008-11-06 10:57:37 ----A---- C:\WINDOWS\system32\icaapi.dll 2008-11-06 10:57:37 ----A---- C:\WINDOWS\system32\cfgbkend.dll 2008-11-06 10:57:36 ----A---- C:\WINDOWS\system32\xolehlp.dll 2008-11-06 10:57:36 ----A---- C:\WINDOWS\system32\msdtctm.dll 2008-11-06 10:57:36 ----A---- C:\WINDOWS\system32\msdtcprx.dll 2008-11-06 10:57:36 ----A---- C:\WINDOWS\system32\msdtclog.dll 2008-11-06 10:57:36 ----A---- C:\WINDOWS\system32\msdtc.exe 2008-11-06 10:57:35 ----D---- C:\WINDOWS\system32\Com 2008-11-06 10:57:35 ----A---- C:\WINDOWS\system32\colbact.dll 2008-11-06 10:57:35 ----A---- C:\WINDOWS\system32\clbcatex.dll 2008-11-06 10:57:35 ----A---- C:\WINDOWS\system32\catsrvut.dll 2008-11-06 10:57:35 ----A---- C:\WINDOWS\system32\catsrvps.dll 2008-11-06 10:57:35 ----A---- C:\WINDOWS\system32\catsrv.dll 2008-11-06 10:57:34 ----A---- C:\WINDOWS\system32\comuid.dll 2008-11-06 10:57:34 ----A---- C:\WINDOWS\system32\comsvcs.dll 2008-11-06 10:57:34 ----A---- C:\WINDOWS\system32\clbcatq.dll 2008-11-06 10:57:28 ----A---- C:\WINDOWS\system32\servdeps.dll 2008-11-06 10:57:28 ----A---- 
C:\WINDOWS\system32\mmfutil.dll 2008-11-06 10:57:28 ----A---- C:\WINDOWS\system32\licwmi.dll 2008-11-06 10:57:28 ----A---- C:\WINDOWS\system32\cmprops.dll ======List of files/folders modified in the last 1 months====== 2008-11-06 11:52:37 ----A---- C:\WINDOWS\system.ini 2008-11-06 11:04:00 ----A---- C:\WINDOWS\win.ini ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096] R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-08-03 11868] R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-08-21 3299840] R3 COMMONFX.SYS;COMMONFX.SYS; C:\WINDOWS\System32\drivers\COMMONFX.SYS [2008-06-27 99352] R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2008-07-07 511000] R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2008-07-07 532376] R3 CTAUDFX.SYS;CTAUDFX.SYS; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [2008-06-27 555032] R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2008-07-07 14360] R3 CTSBLFX.SYS;CTSBLFX.SYS; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [2008-06-27 566296] R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2008-07-07 157208] R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2008-07-07 92696] R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2008-07-07 797720] R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600] R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys [2004-08-03 1041536] R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys [2004-08-03 220032] R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160] R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys 
[2008-07-07 127512] R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624] R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480] R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys [2004-08-03 685056] R4 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [] R4 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [] S3 aih99loe;aih99loe; C:\WINDOWS\system32\drivers\aih99loe.sys [] S3 COMMONFX;COMMONFX; C:\WINDOWS\system32\drivers\COMMONFX.SYS [2008-06-27 99352] S3 CTAUDFX;CTAUDFX; C:\WINDOWS\system32\drivers\CTAUDFX.SYS [2008-06-27 555032] S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2008-07-07 347080] S3 CTERFXFX.SYS;CTERFXFX.SYS; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [2008-06-27 100888] S3 CTERFXFX;CTERFXFX; C:\WINDOWS\system32\drivers\CTERFXFX.SYS [2008-06-27 100888] S3 CTSBLFX;CTSBLFX; C:\WINDOWS\system32\drivers\CTSBLFX.SYS [2008-06-27 566296] S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-11-06 85969] S3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\system32\drivers\hap16v2k.sys [2008-07-07 162840] S3 hap17v2k;Creative P17V HAL Driver; C:\WINDOWS\system32\drivers\hap17v2k.sys [2008-07-07 189464] S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496] S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-08-21 573440] R2 wowsystemcode;Remote TCP/IP; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336] 
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-08-20 593920] S2 RPCHE;Remote Procedure Call (RPCE); C:\Program Files\NetMeeting\Winlog.exe [2008-11-06 456192] S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896] S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240] S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136] -----------------EOF----------------- Last edited by Kaninen; 11-06-2008 at 11:54 AM. |
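The service entries above are what a helper reads by eye: wowsystemcode hosted by svchost.exe under a made-up display name, and RPCHE with a display name one letter away from the real "Remote Procedure Call (RPC)" but pointing at NetMeeting\Winlog.exe. The Python below is an added example, not part of this thread or of RSIT/ComboFix, that applies the same three checks mechanically to service lines in this format; the svchost allowlist, the built-in display-name table and the RpcSs control line are constructed for the example and are not exhaustive.

```python
import re
from typing import Dict, List, Optional

# One RSIT/ComboFix service line looks like:
#   R2 wowsystemcode;Remote TCP/IP; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

# Constructed, deliberately partial allowlist of XP services that legitimately
# run inside svchost.exe; a real list would be generated from a clean install.
KNOWN_SVCHOST = {
    "rpcss", "dhcp", "dnscache", "lanmanserver", "lanmanworkstation", "browser",
    "eventsystem", "seclogon", "winmgmt", "wuauserv", "bits", "schedule", "themes",
    "shellhwdetection", "audiosrv", "cryptsvc", "netman", "nla", "srservice",
    "wzcsvc", "trkwks", "ersvc", "helpsvc", "w32time", "lmhosts", "sharedaccess",
    "ssdpsrv", "upnphost", "tapisrv", "termservice", "stisvc", "webclient",
}

# Display names of built-in services worth imitating (constructed table), mapped
# to the service name that really owns each display name.
BUILTIN_DISPLAY = {
    "remote procedure call (rpc)": "rpcss",
    "remote procedure call (rpc) locator": "rpclocator",
}

# Core OS binaries that belong only in %SystemRoot%\system32.
SYSTEM_PROCESSES = {
    "lsass.exe", "winlogon.exe", "svchost.exe", "services.exe",
    "csrss.exe", "smss.exe", "spoolsv.exe",
}
SYSTEM32 = r"c:\windows\system32"


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss names such as RPCE versus RPC."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_service_line(line: str) -> Optional[dict]:
    """Split one service line into its fields, or return None for non-service text."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(entry: dict) -> List[str]:
    """Return the reasons (possibly none) that one service entry looks suspicious."""
    reasons: List[str] = []
    name = entry["name"].strip().lower()
    display = entry["display"].strip().lower()
    path = entry["path"].strip().lower()
    directory, _, basename = path.rpartition("\\")

    # 1. svchost.exe only hosts services registered in a known service group.
    if basename == "svchost.exe" and name not in KNOWN_SVCHOST:
        reasons.append("svchost-hosted service not in the known-group allowlist")

    # 2. Display name within two edits of a built-in one, but owned by another service.
    for builtin, owner in BUILTIN_DISPLAY.items():
        if levenshtein(display, builtin) <= 2 and name != owner:
            reasons.append(f"display name imitates built-in '{builtin}' (owned by {owner})")

    # 3. A core OS binary name, or a near-miss of one, running from outside system32.
    if directory != SYSTEM32:
        for sysproc in SYSTEM_PROCESSES:
            distance = levenshtein(basename, sysproc)
            if distance == 0:
                reasons.append(f"{basename} launched from outside system32")
            elif distance <= 2:
                reasons.append(f"{basename} is a near-miss of {sysproc} outside system32")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map service name -> reasons for every flagged line of an RSIT/ComboFix dump."""
    flagged: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry and (reasons := triage(entry)):
            flagged[entry["name"].strip()] = reasons
    return flagged


# Constructed sample: four entries copied from the thread's service lists plus a
# constructed RpcSs control line that must NOT be flagged.
SAMPLE = r"""
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-08-21 573440]
R2 wowsystemcode;Remote TCP/IP; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S2 RPCHE;Remote Procedure Call (RPCE); C:\Program Files\NetMeeting\Winlog.exe [2008-11-06 456192]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
R2 RpcSs;Remote Procedure Call (RPC); C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
"""

if __name__ == "__main__":
    for service, why in triage_log(SAMPLE).items():
        print(service, "->", "; ".join(why))
```

Running it over the sample flags only wowsystemcode and RPCHE; the ATI, ASP.NET and RpcSs lines pass.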
#2 (permalink) |
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,225
OS: 2000 Pro; XP Pro; XP Home
Re: c:\windows\avguard.exe
Hello, and Welcome to TSF.
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

I see no AntiVirus application installed. An AntiVirus is a must have for machines connected to the internet today. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer. There are excellent free AntiVirus applications available today, so there's no reason to be unprotected. We will address that during the course of this fix. I will tell you when.

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. This goes for online game accounts also. I suggest that you read this article too.
Please also do this: Please go to: VirusTotal
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
Last edited by tetonbob; 11-09-2008 at 09:49 AM.
#3 (permalink) |
Registered User
Join Date: Nov 2008
Posts: 9
OS: xp
Re: c:\windows\avguard.exe
I had Nod32 installed but when I discovered this virus the antivirus didn't work so I uninstalled it.
Here are the logs: ComboFix 08-11-09.01 - Mattias 2008-11-09 23:56:12.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.275 [GMT 1:00] Running from: c:\documents and settings\Mattias\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Mattias\Start Menu\Programs\Startup\lsass.exe . ((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 ))))))))))))))))))))))))))))))) . 2008-11-09 11:57 . 2008-11-09 11:57 <DIR> d-------- c:\windows\LastGood 2008-11-09 05:00 . 2008-11-09 05:00 <DIR> d-------- c:\windows\system32\scripting 2008-11-09 05:00 . 2008-11-09 05:00 <DIR> d-------- c:\windows\system32\en 2008-11-09 05:00 . 2008-11-09 05:00 <DIR> d-------- c:\windows\system32\bits 2008-11-09 05:00 . 2008-11-09 05:00 <DIR> d-------- c:\windows\l2schemas 2008-11-09 04:57 . 2008-11-09 05:00 <DIR> d-------- c:\windows\ServicePackFiles 2008-11-07 19:14 . 2004-08-03 22:29 1,897,408 --------- c:\windows\system32\drivers\nv4_mini.sys 2008-11-07 19:13 . 2004-08-03 22:29 327,040 --------- c:\windows\system32\drivers\ati2mtaa.sys 2008-11-06 22:24 . 2008-11-09 23:32 32 --a------ c:\windows\1.ini 2008-11-06 21:19 . 2008-11-06 21:19 <DIR> d-------- C:\Logs 2008-11-06 19:52 . 2008-11-06 19:52 <DIR> d-------- C:\rsit 2008-11-06 19:52 . 2008-11-06 19:52 <DIR> d-------- c:\program files\trend micro 2008-11-06 19:30 . 2008-11-06 19:39 250 --a------ c:\windows\gmer.ini 2008-11-06 19:10 . 2008-11-06 19:10 1,529,241 --a------ C:\SDFix.exe 2008-11-06 18:22 . 2008-06-13 12:05 272,128 --------- c:\windows\system32\drivers\bthport.sys 2008-11-06 18:22 . 2008-06-13 12:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys 2008-11-06 18:20 . 2008-08-14 11:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe 2008-11-06 18:20 . 
2008-08-14 11:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe 2008-11-06 18:20 . 2008-09-15 13:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys 2008-11-06 18:20 . 2008-09-08 11:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys 2008-11-06 18:20 . 2008-08-14 11:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys 2008-11-06 18:19 . 2008-08-14 10:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe 2008-11-06 18:19 . 2008-08-14 10:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe 2008-11-06 18:19 . 2008-05-08 15:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys 2008-11-06 18:18 . 2008-04-11 20:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll 2008-11-06 18:18 . 2008-10-15 17:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll 2008-11-06 18:15 . 2008-11-09 11:57 <DIR> d--h----- c:\windows\$hf_mig$ 2008-11-06 18:15 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe 2008-11-06 18:09 . 2008-11-06 18:13 <DIR> d-------- c:\program files\Windows Live Safety Center 2008-11-06 17:57 . 2008-11-06 17:57 <DIR> d---s---- c:\documents and settings\Mattias\UserData 2008-11-06 17:27 . 2008-11-06 17:27 237,568 --a------ c:\windows\system32\wowformf436_130.dll 2008-11-06 17:27 . 2008-11-09 20:20 100,864 --a------ c:\windows\avguard.exe 2008-11-06 17:27 . 2008-11-06 17:27 20 --a------ c:\windows\syscheck 2008-11-06 14:06 . 2008-11-06 14:06 <DIR> d-------- c:\windows\Eurobattle.net Installer 2008-11-06 13:45 . 2008-11-06 13:59 <DIR> d-------- c:\documents and settings\Mattias\Application Data\Ventrilo 2008-11-06 13:44 . 2008-11-06 13:44 <DIR> d-------- c:\program files\VentriloMIX 2008-11-06 13:43 . 2008-11-06 13:48 139,264 --a------ c:\windows\War3Unin.exe 2008-11-06 13:43 . 2008-11-06 14:03 77,057 --a------ c:\windows\War3Unin.dat 2008-11-06 13:43 . 2008-11-06 13:48 2,829 --a------ c:\windows\War3Unin.pif 2008-11-06 13:41 . 
2008-11-06 21:13 <DIR> d-------- c:\program files\Warcraft III 2008-11-06 13:36 . 2008-11-06 13:36 <DIR> d-------- c:\program files\DAEMON Tools Lite 2008-11-06 12:35 . 2008-11-06 12:35 <DIR> d-------- c:\documents and settings\Mattias\Application Data\DAEMON Tools 2008-11-06 12:35 . 2008-11-06 12:35 717,296 --a------ c:\windows\system32\drivers\sptd.sys 2008-11-06 12:30 . 2008-11-06 12:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-09 10:57 --------- d-----w c:\program files\MSN Messenger 2008-11-08 09:21 --------- d-----w c:\program files\World of Warcraft 2008-11-06 16:30 4,224 ----a-w c:\windows\system32\drivers\beep.sys 2008-11-06 12:44 --------- d-----w c:\program files\VentriloMIX 2008-11-06 11:27 --------- d-----w c:\program files\Common Files\Blizzard Entertainment 2008-11-06 10:53 --------- d-----w c:\documents and settings\Mattias\Application Data\ATI 2008-11-06 10:53 --------- d-----w c:\documents and settings\All Users\Application Data\ATI 2008-11-06 10:34 --------- d-----w c:\program files\ATI Technologies 2008-11-06 10:31 --------- d-----w c:\documents and settings\Mattias\Application Data\uTorrent 2008-11-06 10:26 --------- d--h--w c:\program files\InstallShield Installation Information 2008-11-06 10:25 --------- d-----w c:\program files\ESET 2008-11-06 10:25 --------- d-----w c:\documents and settings\All Users\Application Data\ESET 2008-11-06 10:23 --------- d-----w c:\program files\Creative 2008-11-06 10:21 444,952 ----a-w c:\windows\system32\wrap_oal.dll 2008-11-06 10:21 109,080 ----a-w c:\windows\system32\OpenAL32.dll 2008-11-06 10:21 --------- d-----w c:\documents and settings\Mattias\Application Data\Creative 2008-11-06 10:13 --------- d-----w c:\program files\Common Files\InstallShield 2008-11-06 10:09 --------- d-----w c:\program files\uTorrent 2008-11-06 10:04 --------- d-----w c:\program 
files\microsoft frontpage 2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys 2008-08-21 02:19 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll 2008-08-21 02:18 314,880 ----a-w c:\windows\system32\ati2dvag.dll 2008-08-21 02:08 184,320 ----a-w c:\windows\system32\atipdlxx.dll 2008-08-21 02:08 143,360 ----a-w c:\windows\system32\Oemdspif.dll 2008-08-21 02:07 43,520 ----a-w c:\windows\system32\ati2edxx.dll 2008-08-21 02:07 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe 2008-08-21 02:07 143,360 ----a-w c:\windows\system32\ati2evxx.dll 2008-08-21 02:05 573,440 ----a-w c:\windows\system32\ati2evxx.exe 2008-08-21 02:04 53,248 ----a-w c:\windows\system32\ATIDDC.DLL 2008-08-21 02:01 10,084,352 ----a-w c:\windows\system32\atioglxx.dll 2008-08-21 01:55 4,094,560 ----a-w c:\windows\system32\ati3duag.dll 2008-08-21 01:50 307,200 ----a-w c:\windows\system32\atiiiexx.dll 2008-08-21 01:38 2,377,856 ----a-w c:\windows\system32\ativvaxx.dll 2008-08-21 01:23 48,640 ----a-w c:\windows\system32\amdpcom32.dll 2008-08-21 01:19 380,928 ----a-w c:\windows\system32\atikvmag.dll 2008-08-21 01:18 37,376 ----a-w c:\windows\system32\atiadlxx.dll 2008-08-21 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll 2008-08-21 01:17 253,952 ----a-w c:\windows\system32\atiok3x2.dll 2008-08-21 01:11 561,152 ----a-w c:\windows\system32\ati2cqag.dll 2008-08-20 20:05 593,920 ------w c:\windows\system32\ati2sgag.exe 2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll 2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe 2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952] "Google Update"="c:\documents and settings\Mattias\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-08 133104] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.4.2-enGB-downloader.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 R2 wowsystemcode;Remote TCP/IP;c:\windows\System32\svchost.exe [2008-04-14 14336] R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352] R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032] R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296] S2 RPCHE;Remote Procedure Call (RPCE);c:\program files\NetMeeting\Winlog.exe [2008-11-06 456192] S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352] S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032] S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888] S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888] S3 
CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs wowsystemcode *Newly Created Service* - PROCEXP90 . Contents of the 'Scheduled Tasks' folder 2008-11-09 c:\windows\Tasks\GoogleUpdateTaskUser.job - c:\documents and settings\Mattias\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-08 05:53] . . ------- Supplementary Scan ------- . FireFox -: Profile - c:\documents and settings\Mattias\Application Data\Mozilla\Firefox\Profiles\6ykijizn.default\ . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-09 23:57:52 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
Completion time: 2008-11-09 23:59:10 ComboFix-quarantined-files.txt 2008-11-09 22:59:05 Pre-Run: 58*816*290*816 bytes free Post-Run: 58,987,540,480 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 168 --- E O F --- 2008-11-09 19:16:04 Antivirus Version Last Update Result AhnLab-V3 2008.11.7.1 2008.11.09 - AntiVir 7.9.0.26 2008.11.07 HEUR/Crypted Authentium 5.1.0.4 2008.11.09 - Avast 4.8.1248.0 2008.11.08 - AVG 8.0.0.161 2008.11.09 - BitDefender 7.2 2008.11.09 - CAT-QuickHeal 9.50 2008.11.08 (Suspicious) - DNAScan ClamAV 0.94.1 2008.11.09 - DrWeb 4.44.0.09170 2008.11.09 - eSafe 7.0.17.0 2008.11.09 - eTrust-Vet 31.6.6199 2008.11.08 - Ewido 4.0 2008.11.09 - F-Prot 4.4.4.56 2008.11.09 - F-Secure 8.0.14332.0 2008.11.09 - Fortinet 3.117.0.0 2008.11.09 - GData 19 2008.11.09 - Ikarus T3.1.1.45.0 2008.11.09 Win32.SuspectCrc K7AntiVirus 7.10.520 2008.11.08 - Kaspersky 7.0.0.125 2008.11.09 - McAfee 5428 2008.11.08 - Microsoft 1.4104 2008.11.09 - NOD32 3597 2008.11.08 - Norman 5.80.02 2008.11.07 - Panda 9.0.0.4 2008.11.09 - PCTools 4.4.2.0 2008.11.09 - Prevx1 V2 2008.11.10 - Rising 21.02.62.00 2008.11.09 - SecureWeb-Gateway 6.7.6 2008.11.09 Heuristic.Crypted Sophos 4.35.0 2008.11.09 Sus/Behav-1021 Sunbelt 3.1.1785.2 2008.11.08 VIPRE.Suspicious Symantec 10 2008.11.09 - TheHacker 6.3.1.1.146 2008.11.08 - TrendMicro 8.700.0.1004 2008.11.07 - VBA32 3.12.8.9 2008.11.09 - ViRobot 2008.11.7.1457 2008.11.07 - VirusBuster 4.5.11.0 2008.11.09 - Additional information File size: 456192 bytes MD5...: 58cbc64c84c3fb3c9ec29fa74f87a02a SHA1..: 5bd22f65e3673d442b8bda25b5fef351c05f106d SHA256: aaec39f69147dfd078d7e9c8612262e41f295a5094b4ad7ee82e1d956d0dbdd5 SHA512: 
c276674ab3b1cafcf6d850c5518714331e09ebdbac7a8d04befe4d57cb62bcb7 1c2fce34eb8d6a05ea7babfcdf96706a57af9c844d111da372155f20233b0a40 PEiD..: ASProtect v1.23 RC1 TrID..: File type identification Win32 Executable Generic (38.4%) Win32 Dynamic Link Library (generic) (34.1%) Win16/32 Executable Delphi generic (9.3%) Generic Win/DOS Executable (9.0%) DOS Executable Generic (9.0%) PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x401000 timedatestamp.....: 0x48d19c32 (Thu Sep 18 00:09:22 2008) machinetype.......: 0x14c (I386) ( 11 sections ) name viradd virsiz rawdsiz ntrpy md5 0x1000 0x98000 0x40c00 8.00 7f2ca0554d7be8f72a63fb3eea282948 0x99000 0x6000 0x3a00 7.99 0468fbe7b3d2435149dd5847cc4f822a 0x9f000 0x3000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e 0xa2000 0x3000 0xa00 7.93 70d82039e183fdae8416d3cb1c83471a 0xa5000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e 0xa6000 0x1000 0x200 0.21 9c9162431c940718529337b24534b19b 0xa7000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e .rsrc 0xb0000 0x2000 0x200 5.58 eed3ce1dc020cc364d3a4edab4fdda85 0xb2000 0x3000 0x2000 7.97 c35a50c44022c9e4a56013614de808eb .data 0xb5000 0x28000 0x27e00 7.83 04541050bbf064addb11c9d66eea94ac .adata 0xdd000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e ( 17 imports ) > kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA > version.dll: VerQueryValueA > shell32.dll: Shell_NotifyIconA > user32.dll: GetKeyboardType > ole32.dll: OleSaveToStream > oleaut32.dll: GetErrorInfo > comctl32.dll: ImageList_SetIconSize > gdi32.dll: UnrealizeObject > quartz.dll: AMGetErrorTextA > user32.dll: CreateWindowExA > oleaut32.dll: SafeArrayPtrOfIndex > wsock32.dll: WSACleanup > advapi32.dll: RegSetValueExA > advapi32.dll: RegQueryValueExA > oleaut32.dll: SysFreeString > oleaut32.dll: VariantChangeTypeEx > kernel32.dll: RaiseException ( 0 exports ) packers (F-Prot): Aspack packers (Kaspersky): PE_Patch |
#4 (permalink) |
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,225
OS: 2000 Pro; XP Pro; XP Home
Re: c:\windows\avguard.exe
If your NOD32 was legal, and you still have the installation media, reinstall it after this next set of instructions...otherwise I would recommend Avira as an excellent FREE replacement.
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ---------------------------------------------------------------------------------------------
Please return with the log from ComboFix, and a new HijackThis log.
#5 (permalink) |
Registered User
Join Date: Nov 2008
Posts: 9
OS: xp
Re: c:\windows\avguard.exe
It didn't upload any file
ComboFix 08-11-09.04 - Mattias 2008-11-10 15:35:25.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.143 [GMT 1:00] Running from: c:\documents and settings\Mattias\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Mattias\Desktop\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\NetMeeting\Winlog.exe c:\windows\avguard.exe c:\windows\syscheck c:\windows\system32\wowformf436_130.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_RPCHE -------\Legacy_WOWSYSTEMCODE -------\Service_RPCHE -------\Service_wowsystemcode ((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 ))))))))))))))))))))))))))))))) . 2008-11-09 05:00 . 2008-11-09 05:00 <DIR> d-------- c:\windows\system32\scripting 2008-11-09 05:00 . 2008-11-09 05:00 <DIR> d-------- c:\windows\system32\en 2008-11-09 05:00 . 2008-11-09 05:00 <DIR> d-------- c:\windows\system32\bits 2008-11-09 05:00 . 2008-11-09 05:00 <DIR> d-------- c:\windows\l2schemas 2008-11-09 04:57 . 2008-11-09 05:00 <DIR> d-------- c:\windows\ServicePackFiles 2008-11-07 19:14 . 2004-08-03 22:29 1,897,408 --------- c:\windows\system32\drivers\nv4_mini.sys 2008-11-07 19:13 . 2004-08-03 22:29 327,040 --------- c:\windows\system32\drivers\ati2mtaa.sys 2008-11-06 22:24 . 2008-11-10 01:24 0 --a------ c:\windows\1.ini 2008-11-06 21:19 . 2008-11-06 21:19 <DIR> d-------- C:\Logs 2008-11-06 19:52 . 2008-11-06 19:52 <DIR> d-------- C:\rsit 2008-11-06 19:52 . 2008-11-06 19:52 <DIR> d-------- c:\program files\trend micro 2008-11-06 19:30 . 2008-11-06 19:39 250 --a------ c:\windows\gmer.ini 2008-11-06 19:10 . 2008-11-06 19:10 1,529,241 --a------ C:\SDFix.exe 2008-11-06 18:22 . 2008-06-13 12:05 272,128 --------- c:\windows\system32\drivers\bthport.sys 2008-11-06 18:22 . 
2008-06-13 12:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys 2008-11-06 18:20 . 2008-08-14 11:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe 2008-11-06 18:20 . 2008-08-14 11:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe 2008-11-06 18:20 . 2008-09-15 13:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys 2008-11-06 18:20 . 2008-09-08 11:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys 2008-11-06 18:20 . 2008-08-14 11:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys 2008-11-06 18:19 . 2008-08-14 10:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe 2008-11-06 18:19 . 2008-08-14 10:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe 2008-11-06 18:19 . 2008-05-08 15:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys 2008-11-06 18:18 . 2008-04-11 20:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll 2008-11-06 18:18 . 2008-10-15 17:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll 2008-11-06 18:15 . 2008-11-09 11:57 <DIR> d--h----- c:\windows\$hf_mig$ 2008-11-06 18:15 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe 2008-11-06 18:09 . 2008-11-06 18:13 <DIR> d-------- c:\program files\Windows Live Safety Center 2008-11-06 17:57 . 2008-11-06 17:57 <DIR> d---s---- c:\documents and settings\Mattias\UserData 2008-11-06 14:06 . 2008-11-06 14:06 <DIR> d-------- c:\windows\Eurobattle.net Installer 2008-11-06 13:45 . 2008-11-06 13:59 <DIR> d-------- c:\documents and settings\Mattias\Application Data\Ventrilo 2008-11-06 13:44 . 2008-11-06 13:44 <DIR> d-------- c:\program files\VentriloMIX 2008-11-06 13:43 . 2008-11-06 13:48 139,264 --a------ c:\windows\War3Unin.exe 2008-11-06 13:43 . 2008-11-06 14:03 77,057 --a------ c:\windows\War3Unin.dat 2008-11-06 13:43 . 2008-11-06 13:48 2,829 --a------ c:\windows\War3Unin.pif 2008-11-06 13:41 . 2008-11-06 21:13 <DIR> d-------- c:\program files\Warcraft III 2008-11-06 13:36 . 
2008-11-06 13:36 <DIR> d-------- c:\program files\DAEMON Tools Lite 2008-11-06 12:35 . 2008-11-06 12:35 <DIR> d-------- c:\documents and settings\Mattias\Application Data\DAEMON Tools 2008-11-06 12:35 . 2008-11-06 12:35 717,296 --a------ c:\windows\system32\drivers\sptd.sys 2008-11-06 12:30 . 2008-11-06 12:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-10 14:26 --------- d-----w c:\documents and settings\Mattias\Application Data\uTorrent 2008-11-09 10:57 --------- d-----w c:\program files\MSN Messenger 2008-11-08 09:21 --------- d-----w c:\program files\World of Warcraft 2008-11-06 16:30 4,224 ----a-w c:\windows\system32\drivers\beep.sys 2008-11-06 12:44 --------- d-----w c:\program files\VentriloMIX 2008-11-06 11:27 --------- d-----w c:\program files\Common Files\Blizzard Entertainment 2008-11-06 10:53 --------- d-----w c:\documents and settings\Mattias\Application Data\ATI 2008-11-06 10:53 --------- d-----w c:\documents and settings\All Users\Application Data\ATI 2008-11-06 10:34 --------- d-----w c:\program files\ATI Technologies 2008-11-06 10:26 --------- d--h--w c:\program files\InstallShield Installation Information 2008-11-06 10:25 --------- d-----w c:\program files\ESET 2008-11-06 10:25 --------- d-----w c:\documents and settings\All Users\Application Data\ESET 2008-11-06 10:23 --------- d-----w c:\program files\Creative 2008-11-06 10:21 444,952 ----a-w c:\windows\system32\wrap_oal.dll 2008-11-06 10:21 109,080 ----a-w c:\windows\system32\OpenAL32.dll 2008-11-06 10:21 --------- d-----w c:\documents and settings\Mattias\Application Data\Creative 2008-11-06 10:13 --------- d-----w c:\program files\Common Files\InstallShield 2008-11-06 10:09 --------- d-----w c:\program files\uTorrent 2008-11-06 10:04 --------- d-----w c:\program files\microsoft frontpage 2008-09-15 12:12 1,846,400 ----a-w 
c:\windows\system32\win32k.sys 2008-08-21 02:19 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll 2008-08-21 02:18 314,880 ----a-w c:\windows\system32\ati2dvag.dll 2008-08-21 02:08 184,320 ----a-w c:\windows\system32\atipdlxx.dll 2008-08-21 02:08 143,360 ----a-w c:\windows\system32\Oemdspif.dll 2008-08-21 02:07 43,520 ----a-w c:\windows\system32\ati2edxx.dll 2008-08-21 02:07 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe 2008-08-21 02:07 143,360 ----a-w c:\windows\system32\ati2evxx.dll 2008-08-21 02:05 573,440 ----a-w c:\windows\system32\ati2evxx.exe 2008-08-21 02:04 53,248 ----a-w c:\windows\system32\ATIDDC.DLL 2008-08-21 02:01 10,084,352 ----a-w c:\windows\system32\atioglxx.dll 2008-08-21 01:55 4,094,560 ----a-w c:\windows\system32\ati3duag.dll 2008-08-21 01:50 307,200 ----a-w c:\windows\system32\atiiiexx.dll 2008-08-21 01:38 2,377,856 ----a-w c:\windows\system32\ativvaxx.dll 2008-08-21 01:23 48,640 ----a-w c:\windows\system32\amdpcom32.dll 2008-08-21 01:19 380,928 ----a-w c:\windows\system32\atikvmag.dll 2008-08-21 01:18 37,376 ----a-w c:\windows\system32\atiadlxx.dll 2008-08-21 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll 2008-08-21 01:17 253,952 ----a-w c:\windows\system32\atiok3x2.dll 2008-08-21 01:11 561,152 ----a-w c:\windows\system32\ati2cqag.dll 2008-08-20 20:05 593,920 ------w c:\windows\system32\ati2sgag.exe 2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll 2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe 2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe . ((((((((((((((((((((((((((((( snapshot@2008-11-09_23.58.42,57 ))))))))))))))))))))))))))))))))))))))))) . + 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952] "Google Update"="c:\documents and settings\Mattias\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-08 133104] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.4.2-enGB-downloader.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352] R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032] R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296] S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352] S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032] S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888] S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888] S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296] . 
Contents of the 'Scheduled Tasks' folder 2008-11-10 c:\windows\Tasks\GoogleUpdateTaskUser.job - c:\documents and settings\Mattias\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-08 05:53] . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-10 15:39:02 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ati2evxx.exe c:\windows\system32\ati2evxx.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe c:\windows\system32\wscntfy.exe c:\windows\system32\verclsid.exe . ************************************************************************** . Completion time: 2008-11-10 15:41:17 - machine was rebooted ComboFix-quarantined-files.txt 2008-11-10 14:41:10 ComboFix2.txt 2008-11-09 22:59:12 Pre-Run: 57*128*710*144 bytes free Post-Run: 57,883,574,272 bytes free 173 --- E O F --- 2008-11-09 19:16:04 |
#6 (permalink) |
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,225
OS: 2000 Pro; XP Pro; XP Home
Re: c:\windows\avguard.exe
Please go to Start > Run and copy/paste the following, then press Enter:
C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.
#7 (permalink) |
Registered User
Join Date: Nov 2008
Posts: 9
OS: xp
Re: c:\windows\avguard.exe
2008-11-06 13:44:50 A------- 107,546 C:\Qoobox\Quarantine\C\Documents and Settings\Mattias\Start Menu\Programs\Startup\lsass.exe.vir
2008-11-06 17:27:23 A------- 20 C:\Qoobox\Quarantine\C\WINDOWS\syscheck.vir
2008-11-06 17:27:24 A------- 237,568 C:\Qoobox\Quarantine\C\WINDOWS\system32\wowformf436_130.dll.vir
2008-11-06 17:27:32 A------- 100,864 C:\Qoobox\Quarantine\C\WINDOWS\avguard.exe.vir
2008-11-06 17:30:42 A------- 456,192 C:\Qoobox\Quarantine\C\Program Files\NetMeeting\Winlog.exe.vir
2008-11-09 23:54:01 A------- 760 C:\Qoobox\Quarantine\catchme.log
2008-11-09 23:57:24 A------- 4,962 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-11-09 23:58:42 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-11-09 23:58:42 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-11-09 23:58:42 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-11-10 15:35:22 A------- 678,622 C:\Qoobox\Quarantine\[4]-Submit_2008-11-10@15.35.zip
2008-11-10 15:36:39 A------- 1,048 C:\Qoobox\Quarantine\Registry_backups\Legacy_RPCHE.reg.dat
2008-11-10 15:36:39 A------- 1,098 C:\Qoobox\Quarantine\Registry_backups\Legacy_WOWSYSTEMCODE.reg.dat
2008-11-10 15:36:40 A------- 2,814 C:\Qoobox\Quarantine\Registry_backups\Service_RPCHE.reg.dat
2008-11-10 15:36:40 A------- 3,490 C:\Qoobox\Quarantine\Registry_backups\Service_wowsystemcode.reg.dat
2008-11-10 15:36:52 A------- 287,051 C:\Qoobox\Quarantine\C\WINDOWS\_avguard_.exe.zip
#8
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,225
OS: 2000 Pro; XP Pro; XP Home
Re: c:\windows\avguard.exe
Now reinstall Eset, or use the link to Avira I gave you. Run a full system scan with either, and post the requested logs from HijackThis, and also from Avira if you go that route.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#10
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,225
OS: 2000 Pro; XP Pro; XP Home
Re: c:\windows\avguard.exe
C:\Program Files\trend micro\HijackThis.exe
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#11
Registered User
Join Date: Nov 2008
Posts: 9
OS: xp
Re: c:\windows\avguard.exe
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:03:40, on 2008-11-11
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Documents and Settings\Mattias\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Documents and Settings\Mattias\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Mattias\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mattias\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mattias\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\trend micro\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mattias\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: lsass.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

--
End of file - 3592 bytes
#12
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,225
OS: 2000 Pro; XP Pro; XP Home
Re: c:\windows\avguard.exe
Open HijackThis and click on 'Do a System Scan Only'. Place a check next to the following entries if they exist (make sure you do not miss any) and click Fix Checked:
O4 - Startup: lsass.exe
Close HijackThis now.
---------------------------------------------------------------------------------------------
I'd like you to run an online scan. This scanner requires SunJava.
---------------------------------------------------------------------------------------------
Please perform this online scan to help look for remnants. Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
**Note** To optimize scanning time and produce a more sensible report for review:
Click Accept, when prompted to download and install the program files and database of malware definitions.
---------------------------------------------------------------------------------------------
Also post a new HijackThis log. Let me know how the machine is behaving.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
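The fix above targets a file named lsass.exe sitting in the user's Startup folder, where it borrows the name of a core Windows process. As an added example (not code from the forum, HijackThis or any tool named in the thread), here is a small Python checker that reads the two HijackThis sections involved, the "Running processes" list and the O4 autostart entries, and flags any core binary name launched from outside system32. The binary list, the sample log and its Startup-folder process line are constructed assumptions for the demonstration.

```python
import re
from pathlib import PureWindowsPath

# Core Windows binaries that should only ever load from the system directory
# (constructed short list for this example; a real baseline would be larger).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32"}
ENTRY = re.compile(r"^[A-Z]\d{1,2} - ")   # "R1 - ", "O4 - ", "O23 - " ...
TARGET = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|lnk))|([\w.-]+\.exe)", re.I)

def o4_target(line):
    """Return the launched file from an O4 line (quoted path, bare path or bare name)."""
    body = line.split(":", 1)[1]             # drop the 'O4 - HKLM\..\Run' prefix
    body = re.sub(r"\[[^\]]*\]", "", body)   # drop the [registry value name]
    m = TARGET.search(body)
    return (m.group(1) or m.group(2)) if m else body.strip()

def parse_hjt(text):
    """Yield (kind, path) for running processes and O4 autostart items in a HJT log."""
    in_procs = False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.lower().startswith("running processes:"):
            in_procs = True
        elif ENTRY.match(line):                # first R/O entry ends the process list
            in_procs = False
            if line.startswith("O4 - "):
                yield "O4", o4_target(line)
        elif in_procs and ":\\" in line:
            yield "process", line

def is_masquerade(path):
    """True if the file is named like a core binary but lives outside system32."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_BINARIES and str(p.parent).lower() not in SYSTEM_DIRS

def find_masquerades(log_text):
    return [(kind, path) for kind, path in parse_hjt(log_text) if is_masquerade(path)]

# Constructed sample log modelled on the entries quoted in this thread; the
# Startup-folder process line is an assumption added to show the check firing.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\Mattias\Start Menu\Programs\Startup\lsass.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: lsass.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""
```

Running `find_masquerades(SAMPLE_LOG)` reports the Startup-folder lsass.exe twice (once as a running process, once as the O4 entry) and leaves the genuine C:\WINDOWS\system32\lsass.exe alone.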
#13
Registered User
Join Date: Nov 2008
Posts: 9
OS: xp
Re: c:\windows\avguard.exe
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:48:17, on 2008-11-14
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Documents and Settings\Mattias\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Mattias\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Documents and Settings\Mattias\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\trend micro\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mattias\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4971 bytes

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, November 14, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 14, 2008 13:29:29
Records in database: 1384804
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
C:\
F:\
G:\

Scan statistics:
Files scanned: 34079
Threat name: 1
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:09:32

File name / Threat name / Threats count
C:\Documents and Settings\Mattias\Desktop\ventriloMIX05.exe Infected: Trojan-GameThief.Win32.Tibia.ul 1
C:\Documents and Settings\Mattias\Local Settings\temp\data\backup.exe Infected: Trojan-GameThief.Win32.Tibia.ul 1
C:\Program Files\trend micro\backups\backup-20081112-055311-989-lsass.exe Infected: Trojan-GameThief.Win32.Tibia.ul 1
C:\Qoobox\Quarantine\C\Documents and Settings\Mattias\Start Menu\Programs\Startup\lsass.exe.vir Infected: Trojan-GameThief.Win32.Tibia.ul 1

The selected area was scanned.

The computer works fine, Firefox starts as it should. Should I be worried about the trojans?
#14
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,225
OS: 2000 Pro; XP Pro; XP Home
Re: c:\windows\avguard.exe
Do you do online gaming, and have you intentionally downloaded Ventrilo to your machine from the author's site?
C:\Documents and Settings\Mattias\Desktop\ventriloMIX05.exe
C:\Documents and Settings\Mattias\Local Settings\temp\data\backup.exe
Were it me, I'd be inclined to delete them both, based on the other infections removed. This can be deleted also:
C:\Program Files\trend micro\backups\backup-20081112-055311-989-lsass.exe
C:\Qoobox is ComboFix quarantine, and will be removed by uninstalling ComboFix as instructed below. Other than that, your logs appear clean. You should be good to go. We still have a few items to address.
Go to Start -> Run -> copy/paste in the following single line command & click OK:
combofix /u
This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.
Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer.
Here are some additional utilities that will further enhance your safety.
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles. If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.
Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#16
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,225
OS: 2000 Pro; XP Pro; XP Home
Re: c:\windows\avguard.exe
Glad to have helped.
Surf Safely, and Think Prevention! Since this issue is resolved, this topic will be archived.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009