Hiya guys,
After doing what I could to try and get rid of this, I have come to the end of my wits. I have found that somehow, even with my reg blocker etc., I have managed to become infected with (at least) WIN32.gael.3666 and that I am experiencing massive slowdowns on my PC and network.
From what I can see I now have too many svchosts in my processes, but getting rid of them from Vista Ultimate isn't as easy as it used to be on XP (well, not for me anyway).
Also, with this being my day-to-day laptop I am sceptical about just reinstalling, as I have a lot of data that I will need to carry over to a new build, so I would prefer to stop the threat in the first place.
Nothing weird happening with the PC, no silly pop-ups or anything, but what I have seen is that Outlook sometimes says it is sending 2 mails when I have only a single mail to one person. This is what prompted me to look into things, and while Symantec has been finding some DWHxxxx.tmp files, it sticks them into quarantine and that's it, but the fact that I see replicating files worries me even more.
You will find the DDS.txt below and the other two zipped up like specified (as long as I have done it right).
DDS (Ver_09-05-14.01) - NTFSx86
Run by Andy at 15:44:48.69 on 18/05/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.44.1033.18.2046.788 [GMT 1:00]
AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
AV: The Shield Deluxe 2009 Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
SP: The Shield Deluxe 2009 Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\QuesCom\Management Console\QWAlerter\QWAlerter.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\stsystra.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Andy\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/ig?hl=en
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [AWMON] "c:\program files\norman\norman ad-aware se plus\Ad-Watch.exe"
uRun: [Fraps] "c:\fraps\FRAPS.EXE"
mRun: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] "c:\progra~1\symant~1\VPTray.exe"
mRun: [Flashget] "c:\program files\flashget\FlashGet.exe" /min
mRun: [NWEReboot]
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Auto Run Software for Photo Frame]
mRun: [SigmatelSysTrayApp] "stsystra.exe"
mRun: [NvSvc] "RUNDLL32.EXE" c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] "rundll32.exe" c:\windows\system32\nvHotkey.dll,Start
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\andy\appdata\roaming\micros~1\windows\startm~1\programs\startup\buffal~1.lnk - c:\program files\buffalo\nasnavi\NasNavi.exe
StartupFolder: c:\users\andy\appdata\roaming\micros~1\windows\startm~1\programs\startup\speedf~1.lnk - c:\program files\speedfan\speedfan.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.co.uk/SnapfishUKActivia.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {A0EF7E3F-789A-4DB1-A286-FA16733DCD4F} = 208.67.220.220,156.154.70.1
TCP: {E8162D65-8F59-417D-8AFC-4AC8ADB38C54} = 208.67.220.220,62.6.40.162
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
============= SERVICES / DRIVERS ===============
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-2 29808]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2007-10-10 14464]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
R2 QWAlerter;QWAlerter;c:\program files\quescom\management console\qwalerter\QWAlerter.exe [2007-8-15 86016]
R3 DUSBTAWAN;Psion Dacom ISDN NDISWAN;c:\windows\system32\drivers\dusbwan.sys [2007-8-17 23479]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-6 101936]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 Camdrv30;Philips ToUcam XS;c:\windows\system32\drivers\camdrv30.sys [2001-8-17 171264]
S3 DTA128;Psion Dacom Gold Port ISDN;c:\windows\system32\drivers\dusbta2k.sys [2007-8-17 127949]
S3 Kwari.xLoader;Kwari.xLoader;c:\users\andy\appdata\local\micro forte\kwari\kwari.xloader.32 --> c:\users\andy\appdata\local\micro forte\kwari\Kwari.xLoader.32 [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-11-28 122008]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-9-11 16896]
============== File Associations ===============
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
=============== Created Last 30 ================
2009-05-18 15:35 <DIR> --d----- c:\users\andy\appdata\roaming\Webroot
2009-05-18 15:09 81,984 a------- c:\windows\system32\bdod.bin
2009-05-18 14:27 <DIR> --d----- c:\program files\Trend Micro
2009-05-18 12:50 946 a------- c:\windows\system32\BDUpdateV1.xml
2009-05-18 12:40 850 a------- c:\windows\system32\ProductTweaks.xml
2009-05-18 12:40 385 a------- c:\windows\system32\user_gensett.xml
2009-05-18 12:27 <DIR> --d----- c:\program files\MSSOAP
2009-05-18 12:27 <DIR> --d----- c:\program files\common files\MSSoap
2009-05-18 12:27 <DIR> --d----- c:\programdata\Webroot
2009-05-18 12:27 <DIR> --d----- c:\program files\Webroot
2009-05-18 12:27 <DIR> --d----- c:\progra~2\Webroot
2009-05-18 12:19 164 a------- c:\windows\install.dat
2009-05-18 12:13 <DIR> --d----- c:\users\andy\appdata\roaming\BitDefender
2009-05-18 12:12 <DIR> --d----- c:\programdata\BitDefender
2009-05-18 12:12 <DIR> --d----- c:\program files\PCSecurityShield
2009-05-18 12:12 <DIR> --d----- c:\progra~2\BitDefender
2009-05-18 12:10 <DIR> --d----- c:\program files\common files\BitDefender
2009-05-14 10:43 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-05-14 10:43 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-14 10:43 <DIR> --d----- c:\program files\iPod
2009-05-14 10:42 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-14 10:42 <DIR> --d----- c:\program files\iTunes
2009-05-14 10:42 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-14 10:35 <DIR> --d----- c:\program files\Bonjour
2009-04-24 12:25 <DIR> --d----- c:\program files\File And MP3 Tag Renamer
2009-04-21 16:30 <DIR> --d----- c:\programdata\FLEXnet
2009-04-21 15:16 <DIR> --d----- c:\program files\common files\Macrovision Shared
==================== Find3M ====================
2009-05-15 12:07 213,128 a------- c:\users\andy\appdata\roaming\nvModes.dat
2009-05-14 10:40 51,200 a------- c:\windows\inf\infpub.dat
2009-05-14 10:40 143,360 a------- c:\windows\inf\infstrng.dat
2009-05-14 10:40 86,016 a------- c:\windows\inf\infstor.dat
2009-04-02 14:30 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-04-02 14:30 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-04-02 14:30 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-26 15:23 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-26 15:23 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-22 00:40 44 ----h--- c:\program files\206246e1.tmp
2008-12-19 13:37 174 a--sh--- c:\program files\desktop.ini
2008-12-19 13:17 665,600 a------- c:\windows\inf\drvindex.dat
2008-03-15 19:17 22,328 a------- c:\users\andy\appdata\roaming\PnkBstrK.sys
2008-01-28 12:03 557,056 a------- c:\users\andy\GoToAssist_phone__319_en.exe
2006-11-02 13:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-07-27 16:28 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-07-27 16:28 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-07-27 16:28 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-12-19 01:47 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-12-19 01:47 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-12-19 01:47 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-02-21 20:50 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT
============= FINISH: 15:45:31.87 ===============