
Thread: Infected with Virtumonde

  1. #11
    Junior Member
    Join Date
    Dec 2008
    Posts
    27


    ComboFix 09-05-08.03 - Canucklehead 05/10/2009 12:20.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.584 [GMT -4:00]
    Running from: c:\documents and settings\Canucklehead\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Canucklehead\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    AV: Bitdefender Antivirus *On-access scanning enabled* (Outdated)

    FILE ::
    c:\windows\system32\drivers\antispyware.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Vuze
    c:\program files\Vuze\plugins\azemp\azemp_2.0.32.jar
    c:\program files\Vuze\plugins\azemp\azemp_2.0.32.zip
    c:\program files\Vuze\plugins\azemp\azemp_2.0.34.jar
    c:\program files\Vuze\plugins\azemp\azemp_2.0.34.zip
    c:\program files\Vuze\plugins\azemp\azemp_2.1.02.jar
    c:\program files\Vuze\plugins\azemp\azemp_2.1.02.zip
    c:\program files\Vuze\plugins\azemp\azmplay.exe.bak
    c:\program files\Vuze\plugins\azemp\cp1250-a.raw.bak
    c:\program files\Vuze\plugins\azemp\cp1250-b.raw.bak
    c:\program files\Vuze\plugins\azemp\font.desc.bak
    c:\program files\Vuze\plugins\azemp\mplayer\config
    c:\program files\Vuze\plugins\azemp\osd-mplayer-a.raw.bak
    c:\program files\Vuze\plugins\azemp\osd-mplayer-b.raw.bak
    c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.32
    c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.34
    c:\program files\Vuze\plugins\azemp\plugin.properties_2.1.02
    c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.17.jar
    c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.17.zip
    c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.5.jar
    c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.5.zip
    c:\program files\Vuze\plugins\azupnpav\plugin.properties_0.2.17
    c:\program files\Vuze\plugins\azupnpav\plugin.properties_0.2.5
    c:\windows\system32\drivers\antispyware.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ANTISPYWARE
    -------\Legacy_NPF
    -------\Service_antispyware


    ((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
    .

    2009-05-09 15:41 . 2009-05-09 15:42 -------- d-----w c:\program files\ERUNT
    2009-04-29 08:32 . 2009-04-29 08:35 -------- d-----w c:\program files\fishsim2
    2009-04-13 18:59 . 2009-04-13 19:00 -------- d-----w c:\program files\Windows Live Safety Center
    2009-04-13 18:31 . 2009-04-13 18:31 -------- dc----w c:\documents and settings\Canucklehead\Tracing
    2009-04-13 17:39 . 2009-04-13 17:39 -------- d-----w c:\program files\Microsoft Silverlight
    2009-04-13 17:38 . 2009-02-06 22:08 55152 ----a-w c:\windows\system32\drivers\fssfltr_tdi.sys
    2009-04-13 17:38 . 2009-04-13 17:38 -------- d-----w c:\program files\Microsoft Sync Framework
    2009-04-13 17:37 . 2006-11-29 17:06 3426072 ----a-w c:\windows\system32\d3dx9_32.dll
    2009-04-13 17:37 . 2009-04-13 17:37 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
    2009-04-13 17:35 . 2009-04-13 17:35 -------- d-----w c:\program files\Microsoft
    2009-04-13 17:35 . 2009-04-13 17:35 -------- d-----w c:\program files\Windows Live SkyDrive
    2009-04-13 17:34 . 2009-04-13 17:38 -------- d-----w c:\program files\Windows Live
    2009-04-13 17:29 . 2009-04-13 17:29 -------- d-----w c:\program files\Common Files\Windows Live

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-07 08:13 . 2006-09-13 07:55 -------- d-----w c:\program files\xnews
    2009-05-02 12:02 . 2009-03-18 13:27 11952 ----a-w c:\windows\system32\avgrsstx.dll
    2009-05-02 12:02 . 2009-03-18 13:27 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2009-05-02 12:02 . 2009-03-18 13:27 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
    2009-04-21 23:53 . 2008-04-06 23:01 -------- d-----w c:\program files\cLog Reader
    2009-04-13 18:23 . 2008-08-31 09:55 39696 -c--a-w c:\documents and settings\Canucklehead\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-15 08:57 . 2008-07-08 18:25 -------- d-----w c:\program files\Spybot - Search & Destroy
    2006-10-04 16:23 . 2006-10-04 16:23 1446442 -c--a-w c:\program files\moviecodec.zip
    2006-09-13 07:54 . 2006-09-13 07:48 713503 ----a-w c:\program files\xnews.zip
    2001-10-29 03:56 . 2001-10-29 03:56 10098 -c--a-w c:\program files\readme.txt
    2005-07-14 19:31 . 2006-05-24 17:37 27648 -csha-w c:\windows\system32\AVSredirect.dll
    2005-06-26 22:32 . 2006-05-08 18:07 616448 -csha-r c:\windows\system32\cygwin1.dll
    2005-06-22 05:37 . 2006-05-24 17:37 45568 -csha-r c:\windows\system32\cygz.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-22 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "ioloDelayModule"="c:\program files\iolo\System Mechanic Professional 6\delay.exe" [2005-06-09 96256]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-05-17 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
    2009-01-09 22:39 46392 ----a-w c:\program files\Citrix\GoToAssist Express Customer\136\g2ax_winlogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-05-02 12:02 11952 ----a-w c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\windows\system32

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\WM Recorder 10\\WMR90.exe"=
    "c:\\Program Files\\WM Recorder 10\\WMR.exe"=
    "c:\\Program Files\\WM Recorder 10\\RMR.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Pro Home 2007\\sandra.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Pro Home 2007\\RpcSandraSrv.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Pro Home 2007\\Win32\\RpcDataSrv.exe"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "139:TCP"= 139:TCP:@xpsp2res.dll,-22004
    "445:TCP"= 445:TCP:@xpsp2res.dll,-22005
    "137:UDP"= 137:UDP:@xpsp2res.dll,-22001
    "138:UDP"= 138:UDP:@xpsp2res.dll,-22002
    "1087:UDP"= 1087:UDP:Windows Media Format SDK (iexplore.exe)
    "1086:UDP"= 1086:UDP:Windows Media Format SDK (iexplore.exe)
    "1089:UDP"= 1089:UDP:Windows Media Format SDK (iexplore.exe)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
    "RemoteAddresses"= *
    "Enabled"= 1 (0x1)

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/18/2009 9:27 AM 325896]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/18/2009 9:27 AM 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/18/2009 9:27 AM 908568]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/18/2009 9:27 AM 298776]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [4/13/2009 1:38 PM 55152]
    R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [1/14/2009 5:53 PM 226656]
    S2 gupdate1c98c18bb6bdaa2;Google Update Service (gupdate1c98c18bb6bdaa2);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2009 3:17 AM 133104]
    S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
    S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\136\g2ax_service.exe [1/9/2009 6:39 PM 46392]
    S3 PentaxUsb;PENTAX Optio E10 on USB;c:\windows\system32\drivers\CoachUsb.sys [5/2/2007 6:04 PM 50976]
    S3 PentaxVc;PENTAX Optio E10 Video Capture;c:\windows\system32\drivers\CoachVc.sys [5/2/2007 6:04 PM 44256]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-10 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-06 15:51]

    2009-05-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 07:16]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uInternet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
    uInternet Settings,ProxyServer = socks=
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-10 12:24
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\bdfsfltr]
    "ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\

    [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\bdfsfltr]
    "ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(384)
    c:\program files\Citrix\GoToAssist Express Customer\136\g2ax_winlogon.dll

    - - - - - - - > 'explorer.exe'(1880)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-10 12:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-10 16:27
    ComboFix2.txt 2009-05-10 10:01

    Pre-Run: 34,195,316,736 bytes free
    Post-Run: 34,193,264,640 bytes free

    188 --- E O F --- 2007-09-08 07:09
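The "Reg Loading Points" section of the ComboFix log above carries three settings a responder would flag on sight: Security Center notifications switched off (`AntiVirusDisableNotify`, `UpdatesDisableNotify`), a firewall `RemoteAdminSettings` exception enabled for `RemoteAddresses = *`, and the NetBIOS/SMB ports listed under `GloballyOpenPorts`. The script below is an added example, not part of this thread or of ComboFix: it parses that REGEDIT4-style section and reports those indicators. The sample input is constructed to mirror the log posted here, and the port set and finding wording are my own choices.

```python
import re
from typing import Dict, List

# Ports that expose NetBIOS/SMB/RPC to the network; worth a second look when
# they appear as globally open firewall exceptions (set chosen for this example).
LAN_SERVICE_PORTS = {"135:TCP", "137:UDP", "138:UDP", "139:TCP", "445:TCP"}

# Constructed sample modelled on the Reg Loading Points section of a ComboFix log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"1087:UDP"= 1087:UDP:Windows Media Format SDK (iexplore.exe)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"RemoteAddresses"= *
"Enabled"= 1 (0x1)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REGEDIT4-style text into {key_path (lower-cased): {value_name: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def triage(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings for the indicators described in the lead-in."""
    findings: List[str] = []
    for path, values in sections.items():
        if path.endswith("\\security center"):
            # Any *DisableNotify set to 1 silences a Security Center warning.
            for name, value in values.items():
                if name.endswith("DisableNotify") and value.lower() == "dword:00000001":
                    findings.append(f"Security Center alert suppressed: {name}")
        elif path.endswith("\\remoteadminsettings"):
            # Remote administration exception enabled with no address scope.
            enabled = values.get("Enabled", "").startswith("1")
            if enabled and values.get("RemoteAddresses") == "*":
                findings.append("Remote administration exception enabled for any address (*)")
        elif path.endswith("\\globallyopenports\\list"):
            open_lan = sorted(name for name in values if name in LAN_SERVICE_PORTS)
            if open_lan:
                findings.append("SMB/NetBIOS ports open in firewall: " + ", ".join(open_lan))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg_points(SAMPLE_LOG)):
        print("[!]", finding)
```

None of these settings is proof of infection on its own (a technician or the user may have set them), but each one widens exposure or hides warnings, so they belong on the list of things to revert once cleanup is done.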

  2. #12
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Please go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on the Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #13
    Junior Member
    Join Date
    Dec 2008
    Posts
    27


    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Sunday, May 10, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Sunday, May 10, 2009 18:16:10
    Records in database: 2155880
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Files scanned: 335639
    Threat name: 3
    Infected objects: 3
    Suspicious objects: 0
    Duration of the scan: 03:58:53


    File name / Threat name / Threats count
    C:\Documents and Settings\Canucklehead\Desktop\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
    C:\WINDOWS\system32\Undo\Manual\{C71CE972-2242-49A3-9E1E-194987953DB4}\{0E3D1EFF-EC60-4AD6-A330-D9B3554DA032}.tmp Infected: Packed.Win32.Tdss.c 1
    C:\WINDOWS\system32\Undo\Manual\{C71CE972-2242-49A3-9E1E-194987953DB4}\{5AAA7F90-9938-4A55-AF35-AE9AAF057E4A}.tmp Infected: Rootkit.Win32.TDSS.dbg 1

    The selected area was scanned.




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:58:15 PM, on 5/10/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.summitdirect.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1162196894187
    O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\136\g2ax_winlogon.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: GoToAssist Express Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist Express Customer\136\g2ax_service.exe
    O23 - Service: Google Update Service (gupdate1c98c18bb6bdaa2) (gupdate1c98c18bb6bdaa2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007\Win32\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007\RpcSandraSrv.exe

    --
    End of file - 6961 bytes

  4. #14
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Please tell me what is inside this folder:

    C:\WINDOWS\system32\Undo

  5. #15
    Junior Member
    Join Date
    Dec 2008
    Posts
    27


    Inside C:\WINDOWS\system32\Undo are two other folders, one named temp (empty) and one named manual.
    The 'Manual' folder has 36 folders with mostly .dat, .tmp, .LCK and .txt files, all with various creation dates back to mid 2008, and I couldn't find anything readable to let me know what it is or where it came from.
    None of the .txt files can be read.

  6. #16
    Junior Member
    Join Date
    Dec 2008
    Posts
    27


    I kept searching through the folders within C:\WINDOWS\system32\Undo and found one containing a .exe file and a shortcut to an MS-DOS program.
    Hope that's helpful.

  7. #17
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Do you have any idea where that folder might have come from?

  8. #18
    Junior Member
    Join Date
    Dec 2008
    Posts
    27


    Sorry, I have no idea. It was created on November 23rd, 2007 and modified the next day.

  9. #19
    Junior Member
    Join Date
    Dec 2008
    Posts
    27


    Sorry for the second reply, but after thinking about it more, the computer was in for repairs about that time, so it could very well be a backup that a tech put onto the system during testing. It ended up only being a power supply problem.

  10. #20
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Then just delete this folder:

    C:\WINDOWS\system32\Undo\Manual\{C71CE972-2242-49A3-9E1E-194987953DB4}

    Empty Recycle Bin.

    Still problems?
