BullGuard
Multiple iexplore.exe in task manager
Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/15/2010 2:44 AM (GMT +3)
Not quite - there would have been more details, but maybe not if Eset did not locate any malware. Did you happen to notice if it showed any red indicators of that when it ended?

Looks like ComboFix, perhaps due to running in reduced functionality due to no Recovery Console installed, is not addressing the drivers we listed, so let's use a different tool.


Download The Avenger by Swandog from here and save it to your Desktop, and unzip the downloaded avenger.zip file. Then in the new avenger folder created locate and click on avenger.exe to run the tool.

Okay the warning. When the Avenger display opens place a check in the following box:

Automatically disable any rootkits found

Then copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.

Begin copying here:
Drivers to delete:
".1185569378"
ACKFBIA
KRGSL
MTXVRT
OVLLJRWYF

Your system may reboot twice to complete the repairs. After the reboot a text will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.
Tofer
New Member
Date Joined Dec 2009
Total Posts : 27
Posted 1/15/2010 3:53 PM (GMT +3)
Nope, Eset returned nothing. Never noticed any 'redness'.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\".1185569378"" not found!
Deletion of driver "".1185569378"" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "ACKFBIA" deleted successfully.
Driver "KRGSL" deleted successfully.
Driver "MTXVRT" deleted successfully.
Driver "OVLLJRWYF" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/16/2010 3:08 AM (GMT +3)
Indicates it did not locate that numerical named driver. Run and post a new RSIT scan so we can check that please.
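An added example, not part of this thread and not code from the Avenger tool: a small Python parser that reads an Avenger run log like the one posted above, records which drivers were deleted and which failed (keeping the exact registry key Avenger reported it tried to open), and cross-checks each failed name against the services block of an RSIT log, where an empty `[]` after the path means the file was not found on disk. The two sample inputs are constructed, trimmed copies of the logs posted in this thread; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a trimmed copy of the Avenger log posted in the thread.
SAMPLE_AVENGER_LOG = r"""
Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\".1185569378"" not found!
Deletion of driver "".1185569378"" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "ACKFBIA" deleted successfully.
Driver "KRGSL" deleted successfully.
Driver "MTXVRT" deleted successfully.
Driver "OVLLJRWYF" deleted successfully.

Completed script processing.
"""

# Constructed sample: a few lines in the format of RSIT's "List of services" block.
SAMPLE_RSIT_SERVICES = r"""
R2 AERTFilters;Andrea RT Filters Service; C:\Windows\system32\AERTSrv.exe [2007-12-05 77824]
R2 BgLiveSvc;BullGuard LiveUpdate; C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [2010-01-12 300368]
S2 .1185569378;1185569378; C:\Program Files\1185569378\Kris1185569378L.exe []
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
"""

KEY_RE = re.compile(r'^Error: registry key "(?P<key>.+)" not found!$')
DELETED_RE = re.compile(r'^Driver "(?P<name>.+)" deleted successfully\.$')
FAILED_RE = re.compile(r'^Deletion of driver "(?P<name>.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (?P<code>0x[0-9a-fA-F]+) \((?P<sym>[A-Z0-9_]+)\)$')
# RSIT service line: <R|S><start> <name>;<display>; <path> [<date size> or empty]
RSIT_SERVICE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*); '
    r'(?P<path>.*?) \[(?P<fileinfo>[^\]]*)\]$')


@dataclass
class DriverFailure:
    name: str                   # exactly as Avenger printed it, quotes included
    key: Optional[str] = None   # registry key Avenger tried to open, if logged
    status: Optional[str] = None
    symbol: Optional[str] = None


@dataclass
class AvengerReport:
    deleted: list = field(default_factory=list)
    failed: list = field(default_factory=list)


def parse_avenger_log(text: str) -> AvengerReport:
    """Collect deleted drivers and failed deletions (with key and NTSTATUS)."""
    report = AvengerReport()
    last_key = None   # the "registry key ... not found" line precedes the failure line
    pending = None    # the failure whose Status line we have not seen yet
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            last_key = m.group("key")
        elif (m := DELETED_RE.match(line)):
            report.deleted.append(m.group("name"))
        elif (m := FAILED_RE.match(line)):
            pending = DriverFailure(name=m.group("name"), key=last_key)
            last_key = None
            report.failed.append(pending)
        elif (m := STATUS_RE.match(line)) and pending is not None:
            pending.status, pending.symbol = m.group("code"), m.group("sym")
            pending = None
    return report


def parse_rsit_services(text: str) -> dict:
    """Map service name -> state; an empty [] after the path means file missing."""
    services = {}
    for line in text.splitlines():
        m = RSIT_SERVICE_RE.match(line.strip())
        if m:
            services[m.group("name")] = {
                "running": m.group("state") == "R",
                "start": int(m.group("start")),
                "path": m.group("path"),
                "file_missing": m.group("fileinfo") == "",
            }
    return services


def cross_check(report: AvengerReport, services: dict) -> list:
    """For each failed deletion, compare the name Avenger looked up with RSIT's list."""
    findings = []
    for f in report.failed:
        cleaned = f.name.strip('"')          # name without any literal quote characters
        svc = services.get(cleaned)
        findings.append({
            "reported_name": f.name,
            "service_name": cleaned,
            "name_was_quoted": cleaned != f.name,   # quotes became part of the key path
            "still_listed": svc is not None,
            "file_missing": bool(svc and svc["file_missing"]),
            "status": f.symbol,
        })
    return findings


if __name__ == "__main__":
    rep = parse_avenger_log(SAMPLE_AVENGER_LOG)
    print("deleted:", rep.deleted)
    for finding in cross_check(rep, parse_rsit_services(SAMPLE_RSIT_SERVICES)):
        print(finding)
```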
Tofer
New Member
Date Joined Dec 2009
Total Posts : 27
Posted 1/16/2010 5:23 PM (GMT +3)
You rang sir?...

Done the scan but the log came in 2 parts.

1. log.txt
2. info.txt <---- (I'll post this part in a separate post)

RSIT Log (log.txt)
Logfile of random's system information tool 1.06 (written by random/random)
Run by Kris_2 at 2010-01-16 14:09:42
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 160 GB (70%) free of 228 GB
Total RAM: 3316 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:09:48, on 16/01/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Kris_2\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Kris_2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: 1185569378 (.1185569378) - Unknown owner - C:\Program Files\1185569378\Kris1185569378L.exe (file missing)
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4955 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-03-30 403824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-11 41760]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-01-17 4907008]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-08-11 81920]
"dlcxmon.exe"=C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe [2007-01-12 292336]
"MemoryCardManager"=C:\Program Files\Dell Photo AIO Printer 926\memcard.exe [2006-11-04 304008]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-02-11 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-02-11 133656]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-02-11 141848]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2010-01-07 429392]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2010-01-12 304464]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2005-08-11 249856]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2010-01-12 304464]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-02-11 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BgLiveSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BgMainSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=
"NoDrives"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1

======List of files/folders created in the last 2 months======

2010-01-16 14:09:42 ----D---- C:\rsit
2010-01-14 18:45:17 ----SHD---- C:\$RECYCLE.BIN
2010-01-14 18:31:09 ----A---- C:\Windows\SWXCACLS.exe
2010-01-12 23:52:44 ----A---- C:\Windows\system32\t2embed.dll
2010-01-12 23:52:44 ----A---- C:\Windows\system32\fontsub.dll
2010-01-12 23:49:03 ----A---- C:\Windows\system32\BGLsp.dll
2010-01-12 17:49:20 ----D---- C:\Program Files\BullGuard Ltd
2010-01-12 17:02:25 ----D---- C:\Users\Kris_2\AppData\Roaming\AVG8
2010-01-09 15:25:21 ----D---- C:\Windows\temp
2010-01-08 13:10:58 ----A---- C:\Windows\zip.exe
2010-01-08 13:10:58 ----A---- C:\Windows\SWSC.exe
2010-01-08 13:10:58 ----A---- C:\Windows\SWREG.exe
2010-01-08 13:10:58 ----A---- C:\Windows\sed.exe
2010-01-08 13:10:58 ----A---- C:\Windows\PEV.exe
2010-01-08 13:10:58 ----A---- C:\Windows\NIRCMD.exe
2010-01-08 13:10:58 ----A---- C:\Windows\MBR.exe
2010-01-08 13:10:58 ----A---- C:\Windows\grep.exe
2010-01-07 13:06:27 ----D---- C:\ProgramData\BullGuard
2010-01-07 13:06:26 ----D---- C:\Users\Kris_2\AppData\Roaming\BullGuard
2010-01-07 12:59:11 ----D---- C:\Users\Kris_2\AppData\Roaming\Tific
2010-01-06 10:48:39 ----D---- C:\Windows\Internet Logs
2010-01-05 15:24:38 ----D---- C:\Windows\ERDNT
2009-12-26 11:05:34 ----D---- C:\Program Files\Common Files\PC Tools
2009-12-26 10:20:35 ----D---- C:\Users\Kris_2\AppData\Roaming\Trusteer
2009-12-26 10:20:30 ----D---- C:\Program Files\Trusteer
2009-12-22 16:14:04 ----D---- C:\Program Files\Microsoft
2009-12-22 16:13:40 ----D---- C:\Program Files\Windows Live
2009-12-12 15:19:46 ----D---- C:\Program Files\CCleaner
2009-12-11 01:18:41 ----D---- C:\Users\Kris_2\AppData\Roaming\Malwarebytes
2009-12-11 01:18:34 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-11 00:53:15 ----D---- C:\Users\Kris_2\AppData\Roaming\BitTorrent
2009-12-11 00:51:44 ----D---- C:\Program Files\BitTorrent
2009-12-09 11:43:56 ----A---- C:\Windows\system32\nshhttp.dll
2009-12-09 11:43:55 ----A---- C:\Windows\system32\httpapi.dll
2009-12-09 11:24:34 ----A---- C:\Windows\system32\winhttp.dll
2009-12-09 11:24:30 ----A---- C:\Windows\system32\mshtml.dll
2009-12-09 11:24:29 ----A---- C:\Windows\system32\iertutil.dll
2009-12-09 11:24:29 ----A---- C:\Windows\system32\ieframe.dll
2009-12-09 11:24:28 ----A---- C:\Windows\system32\wininet.dll
2009-12-09 11:24:28 ----A---- C:\Windows\system32\urlmon.dll
2009-12-09 11:24:28 ----A---- C:\Windows\system32\occache.dll
2009-12-09 11:24:28 ----A---- C:\Windows\system32\msfeeds.dll
2009-12-09 11:24:28 ----A---- C:\Windows\system32\ieui.dll
2009-12-09 11:24:28 ----A---- C:\Windows\system32\iedkcs32.dll
2009-12-09 11:24:27 ----A---- C:\Windows\system32\msfeedssync.exe
2009-12-09 11:24:27 ----A---- C:\Windows\system32\msfeedsbs.dll
2009-12-09 11:24:27 ----A---- C:\Windows\system32\jsproxy.dll
2009-12-09 11:24:27 ----A---- C:\Windows\system32\ieUnatt.exe
2009-12-09 11:24:27 ----A---- C:\Windows\system32\iesysprep.dll
2009-12-09 11:24:27 ----A---- C:\Windows\system32\iesetup.dll
2009-12-09 11:24:27 ----A---- C:\Windows\system32\iernonce.dll
2009-12-09 11:24:27 ----A---- C:\Windows\system32\iepeers.dll
2009-12-09 11:24:27 ----A---- C:\Windows\system32\ie4uinit.exe
2009-12-09 11:23:43 ----A---- C:\Windows\system32\rastls.dll
2009-12-08 18:26:10 ----D---- C:\Users\Kris_2\AppData\Roaming\DivX
2009-12-08 18:16:40 ----D---- C:\ProgramData\Nero
2009-12-08 18:16:40 ----D---- C:\Program Files\Nero
2009-12-07 22:22:47 ----D---- C:\Users\Kris_2\AppData\Roaming\Ahead
2009-12-07 04:00:56 ----D---- C:\Program Files\Common Files\Ahead
2009-12-05 16:09:47 ----D---- C:\Program Files\Trend Micro
2009-12-04 17:41:35 ----D---- C:\Windows\pss
2009-12-04 03:02:30 ----D---- C:\dvdsanta
2009-12-03 01:38:24 ----A---- C:\Windows\NeroDigital.ini
2009-12-02 12:20:55 ----D---- C:\Program Files\AVG
2009-11-30 19:47:26 ----D---- C:\ProgramData\Malwarebytes
2009-11-25 13:39:36 ----A---- C:\Windows\system32\tzres.dll
2009-11-25 12:48:12 ----A---- C:\Windows\system32\msxml6.dll
2009-11-25 12:48:11 ----A---- C:\Windows\system32\msxml3.dll
2009-11-19 18:56:24 ----D---- C:\ProgramData\Office Genuine Advantage

======List of files/folders modified in the last 2 months======

2010-01-16 14:09:48 ----D---- C:\Windows\Prefetch
2010-01-16 13:53:59 ----SHD---- C:\Windows\Installer
2010-01-16 13:53:38 ----SHD---- C:\System Volume Information
2010-01-16 13:44:28 ----D---- C:\Windows\System32
2010-01-16 13:44:28 ----D---- C:\Windows\inf
2010-01-16 13:44:28 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-01-15 12:45:54 ----D---- C:\Windows\system32\drivers
2010-01-15 12:45:54 ----D---- C:\Windows
2010-01-14 22:46:23 ----RD---- C:\Program Files
2010-01-14 18:57:25 ----SD---- C:\Windows\Downloaded Program Files
2010-01-14 18:45:14 ----A---- C:\Windows\system.ini
2010-01-13 13:33:56 ----D---- C:\Windows\Debug
2010-01-13 00:44:58 ----D---- C:\Windows\winsxs
2010-01-13 00:32:00 ----D---- C:\Windows\system32\catroot2
2010-01-12 23:55:12 ----D---- C:\Windows\system32\catroot
2010-01-12 23:55:09 ----D---- C:\Program Files\Windows Mail
2010-01-12 23:53:39 ----D---- C:\Program Files\Common Files\microsoft shared
2010-01-12 17:06:44 ----SD---- C:\Users\Kris_2\AppData\Roaming\Microsoft
2010-01-12 17:06:39 ----D---- C:\ProgramData
2010-01-09 15:13:05 ----D---- C:\Windows\AppPatch
2010-01-09 15:08:03 ----D---- C:\Program Files\Common Files
2010-01-08 14:45:42 ----D---- C:\Windows\Minidump
2010-01-08 00:35:16 ----RSD---- C:\Windows\assembly
2010-01-07 12:18:34 ----D---- C:\Windows\system32\Tasks
2010-01-06 13:15:14 ----D---- C:\TempDVD
2010-01-05 16:02:32 ----AD---- C:\ProgramData\TEMP
2010-01-05 13:22:36 ----D---- C:\Windows\system32\config
2010-01-05 00:17:46 ----A---- C:\Windows\system32\mrt.exe
2010-01-04 15:28:13 ----RD---- C:\Users
2009-12-31 00:30:20 ----D---- C:\Windows\Cache
2009-12-27 19:44:50 ----SD---- C:\ProgramData\Microsoft
2009-12-17 15:36:00 ----D---- C:\Windows\system32\LogFiles
2009-12-09 12:42:30 ----D---- C:\Windows\rescache
2009-12-09 12:24:59 ----D---- C:\Windows\system32\migration
2009-12-09 12:24:58 ----D---- C:\Windows\system32\en-US
2009-12-09 12:24:58 ----D---- C:\Program Files\Internet Explorer
2009-12-08 18:17:16 ----D---- C:\Windows\ehome
2009-12-05 16:31:03 ----D---- C:\Program Files\Common Files\Adobe
2009-12-05 16:31:03 ----D---- C:\Program Files\Adobe
2009-12-05 16:31:02 ----D---- C:\ProgramData\Adobe
2009-12-03 22:20:10 ----D---- C:\Windows\Downloaded Installations
2009-12-02 12:33:03 ----D---- C:\Windows\system32\spool
2009-11-30 23:09:47 ----D---- C:\Windows\system32\wbem
2009-11-30 23:08:49 ----D---- C:\Windows\Tasks
2009-11-30 23:08:49 ----D---- C:\Program Files\Windows Defender
2009-11-30 23:08:48 ----D---- C:\Windows\system32\Msdtc
2009-11-30 23:08:48 ----D---- C:\Windows\system32\CodeIntegrity
2009-11-30 23:08:47 ----D---- C:\Program Files\DivX
2009-11-30 23:08:46 ----D---- C:\Windows\registration
2009-11-30 23:08:46 ----D---- C:\Program Files\Common Files\DivX Shared
2009-11-19 18:07:59 ----D---- C:\Windows\system32\zh-TW
2009-11-19 18:07:59 ----D---- C:\Windows\system32\zh-HK
2009-11-19 18:07:59 ----D---- C:\Windows\system32\tr-TR
2009-11-19 18:07:59 ----D---- C:\Windows\system32\sv-SE
2009-11-19 18:07:59 ----D---- C:\Windows\system32\pt-BR
2009-11-19 18:07:59 ----D---- C:\Windows\system32\nl-NL
2009-11-19 18:07:59 ----D---- C:\Windows\system32\nb-NO
2009-11-19 18:07:59 ----D---- C:\Windows\system32\ko-KR
2009-11-19 18:07:59 ----D---- C:\Windows\system32\it-IT
2009-11-19 18:07:59 ----D---- C:\Windows\system32\he-IL
2009-11-19 18:07:59 ----D---- C:\Windows\system32\fr-FR
2009-11-19 18:07:59 ----D---- C:\Windows\system32\fi-FI
2009-11-19 18:07:59 ----D---- C:\Windows\system32\es-ES
2009-11-19 18:07:59 ----D---- C:\Windows\system32\el-GR
2009-11-19 18:07:59 ----D---- C:\Windows\system32\de-DE
2009-11-19 18:07:59 ----D---- C:\Windows\system32\da-DK
2009-11-19 18:07:59 ----D---- C:\Windows\system32\ar-SA

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 afw;Agnitum Firewall Driver; C:\Windows\system32\DRIVERS\afw.sys [2010-01-12 29208]
R1 kl1;kl1; C:\Windows\system32\DRIVERS\kl1.sys [2009-09-01 128016]
R1 RapportKELL;RapportKELL; \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys [2009-12-15 58984]
R1 RapportPG;RapportPG; \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [2009-12-15 337000]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\Windows\system32\DRIVERS\AegisP.sys [2008-04-13 17801]
R2 BdFileSpy;BullGuard File Monitor Driver; \??\C:\Windows\system32\drivers\BdFileSpy.sys [2010-01-12 55504]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 RMCAST;RMCAST (Pgm) Protocol Driver; C:\Windows\system32\DRIVERS\RMCAST.sys [2009-04-11 113664]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-05 8192]
R3 AfwCore;Agnitum Firewall Core Driver; \??\C:\Windows\system32\Drivers\AfwCore.sys [2010-01-12 305688]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2007-04-29 228224]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-10-18 986624]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2006-10-18 258048]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 2302976]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-01-24 2054872]
R3 MBAMProtector;MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [2010-01-07 19160]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-10-18 659968]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service; C:\Windows\system32\DRIVERS\WPN111v.sys [2008-08-04 904192]
S3 AFGMp50;AFGMp50 NDIS Protocol Driver; C:\Windows\System32\Drivers\AFGMp50.sys []
S3 AFGSp50;AFGSp50 NDIS Protocol Driver; C:\Windows\System32\Drivers\AFGSp50.sys []
S3 catchme;catchme; \??\C:\456out\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 IntelDH;IntelDH Driver; C:\Windows\System32\Drivers\IntelDH.sys [2007-07-27 5504]
S3 MRV6X32P;Vista 32-bits Native WiFi Driver; C:\Windows\system32\DRIVERS\MRVW13B.sys [2007-05-03 256000]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NDISKIO;NDISKIO; \??\C:\Users\Kris_2\AppData\Local\Temp\00000e71.nmc\nse\bin\ndiskio.sys []
S3 nsak;nsak; \??\C:\Users\Kris_2\AppData\Local\Temp\00000e71.nmc\nse\bin\nsak.sys []
S3 Profos;Profos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\profos.sys [2010-01-12 14720]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
S3 Reconn;BullGuard Email Monitor; \??\C:\Program Files\BullGuard Ltd\BullGuard\Reconn.sys [2008-07-29 16984]
S3 RT73;D-Link USB Wireless LAN Card Driver; C:\Windows\system32\DRIVERS\Dr71WU.sys [2005-11-03 245504]
S3 RTL8023xp;Realtek 10/100 NIC Family NDIS x86 Driver; C:\Windows\system32\DRIVERS\Rtnicxp.sys [2006-11-02 47104]
S3 s125bus;Sony Ericsson Device 125 driver (WDM); C:\Windows\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter; C:\Windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver; C:\Windows\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM); C:\Windows\system32\DRIVERS\s125mgmt.sys [2007-04-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface; C:\Windows\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
S3 s616bus;Sony Ericsson Device 616 driver (WDM); C:\Windows\system32\DRIVERS\s616bus.sys [2007-04-03 83208]
S3 ST330;ST330; C:\Windows\system32\drivers\st330.sys [2007-08-16 30464]
S3 STBUS;STBUS; C:\Windows\system32\drivers\stbus.sys [2007-08-16 12672]
S3 stppp;Speedtouch PPP Adapter Adapter; C:\Windows\system32\DRIVERS\stppp.sys [2007-08-16 35328]
S3 Trufos;Trufos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\trufos.sys [2010-01-12 39808]
S3 TSHWMDTCP;TSHWMDTCP; \??\C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys []
S3 UMPass;Microsoft UMPass Driver; C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 7680]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2009-04-11 73216]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 W8335XP;802.11g/b Driver for Windows XP ; C:\Windows\system32\DRIVERS\Mrvw125.sys [2007-06-19 282624]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-10-01 40448]
S4 iaStor;Intel AHCI Controller; C:\Windows\system32\drivers\iastor.sys [2007-04-26 304920]
S4 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys []
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AERTFilters;Andrea RT Filters Service; C:\Windows\system32\AERTSrv.exe [2007-12-05 77824]
R2 BgLiveSvc;BullGuard LiveUpdate; C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [2010-01-12 300368]
R2 BgMainSvc;BullGuard Main Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsFileScan;BullGuard File Scan Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsFire;BullGuard Firewall Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsMailProxy;BullGuard Email Monitoring Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 dlcx_device;dlcx_device; C:\Windows\system32\dlcxcoms.exe [2006-11-04 537480]
R2 MBAMService;MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-01-07 236368]
R2 RapportMgmtService;Rapport Management Service; C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe [2009-12-15 972008]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-05 386560]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]
S2 .1185569378;1185569378; C:\Program Files\1185569378\Kris1185569378L.exe []
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------
Tofer
New Member
Date Joined Dec 2009
Total Posts : 27
Posted 1/16/2010 5:25 PM (GMT +3)
2. info.txt

info.txt logfile of random's system information tool 1.06 2010-01-16 14:09:49

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Windows\UNNeroShowTime.exe /UNINSTALL
-->C:\Windows\UNRecode.exe /UNINSTALL
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
926plv32-->MsiExec.exe /I{0FA7B858-E0E1-400B-B5C0-1285F7D6FE5E}
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player-->C:\Windows\System32\Adobe\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Adobe\SHOCKW~1\Install.log
BitTorrent-->C:\Program Files\BitTorrent\uninst.exe
BullGuard 8.5-->C:\Program Files\BullGuard Ltd\BullGuard\uninst.exe
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch-->C:\Program Files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Conexant D850 PCI V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -IDel200fz.inf
Dell Photo AIO Printer 926-->C:\Program Files\Dell Photo AIO Printer 926\Install\x86\Uninst.exe
Dell System Customization Wizard-->MsiExec.exe /I{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}
Digital Line Detect-->C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel(R) Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
Intel(R) PRO Network Connections 12.1.11.0-->MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
Intel(R) PRO Network Connections 12.1.11.0-->MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
Java(TM) 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216015FF}
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
K-Lite Codec Pack 3.2.5 Standard-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Office Basic Edition 2003-->MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Modem Diagnostic Tool-->MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Nero 7 Premium-->MsiExec.exe /X{CF097717-F174-4144-954A-FBC4BF301033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NETGEAR RangeMax(TM) Wireless USB 2.0 Adapter WPN111-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{582E9125-32B6-4CBA-AB48-3E33CE3DB389}\Setup.exe"
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
Rapport-->MsiExec.exe /X{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Reason 3.0-->"C:\Program Files\Propellerhead\Reason\Uninstall Reason\unins000.exe"
Sonic Activation Module-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
VC 9.0 Runtime-->MsiExec.exe /I{A040AC77-C1AA-4CC9-8931-9F648AF178F6}
VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{ED00D08A-3C5F-488D-93A0-A04F21F23956}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live ID Sign-in Assistant-->MsiExec.exe /X{10A44844-4465-456E-8C97-80BDD4F68845}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

=====HijackThis Backups=====

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll [2009-12-05]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) [2009-12-05]
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - (no file) [2009-12-05]
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - (no file) [2009-12-05]
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file) [2009-12-05]
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file) [2009-12-05]
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab [2009-12-05]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab [2009-12-05]
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) [2009-12-06]
O23 - Service: ACKFBIA - Sysinternals - www.sysinternals.com - C:\Users\Kris_2\AppData\Local\Temp\ACKFBIA.exe [2009-12-09]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = [2009-12-09]
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe [2009-12-09]
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll [2009-12-20]
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup [2009-12-22]
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab [2009-12-22]
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) [2009-12-22]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [2010-01-04]

======Security center information======

FW: ZoneAlarm Pro Firewall (disabled)
AS: ZoneAlarm Pro Anti-Spyware

======System event log======

Computer Name: HouseComp
Event Code: 34005
Message: The ICS_IPV6 was unable to allocate  bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
Record Number: 162336
Source Name: Microsoft-Windows-SharedAccess_NAT
Time Written: 20090621011424.000000-000
Event Type: Warning
User:

Computer Name: HouseComp
Event Code: 34005
Message: The ICS_IPV6 was unable to allocate  bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
Record Number: 162197
Source Name: Microsoft-Windows-SharedAccess_NAT
Time Written: 20090620115417.000000-000
Event Type: Warning
User:

Computer Name: HouseComp
Event Code: 4001
Message: WLAN AutoConfig service has successfully stopped.

Record Number: 162185
Source Name: Microsoft-Windows-WLAN-AutoConfig
Time Written: 20090620043750.357977-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: HouseComp
Event Code: 34005
Message: The ICS_IPV6 was unable to allocate  bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
Record Number: 162085
Source Name: Microsoft-Windows-SharedAccess_NAT
Time Written: 20090620005001.000000-000
Event Type: Warning
User:

Computer Name: HouseComp
Event Code: 4001
Message: WLAN AutoConfig service has successfully stopped.

Record Number: 162073
Source Name: Microsoft-Windows-WLAN-AutoConfig
Time Written: 20090619153442.878398-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: RoomComp
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2279729505-3709079803-170581798-1001_Classes:
Process 840 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2279729505-3709079803-170581798-1001_CLASSES

Record Number: 2070
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20071014195636.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: RoomComp
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2279729505-3709079803-170581798-1001:
Process 840 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2279729505-3709079803-170581798-1001

Record Number: 2069
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20071014195636.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: RoomComp
Event Code: 1000
Message: Faulting application AirGCFG.exe, version 3.3.1.51123, time stamp 0x43841483, faulting module wlanapi.dll!apsGetInterfaceCount, version 6.0.6000.16386, time stamp 0x4549bdc9, exception code 0xc0000139, fault offset 0x00008fc7, process id 0xb64, application start time 0x01c80e9bfe2ef547.
Record Number: 2065
Source Name: Application Error
Time Written: 20071014195425.000000-000
Event Type: Error
User:

Computer Name: RoomComp
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2279729505-3709079803-170581798-1001_Classes:
Process 916 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2279729505-3709079803-170581798-1001_CLASSES

Record Number: 2045
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20071010001522.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: RoomComp
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2279729505-3709079803-170581798-1001:
Process 916 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2279729505-3709079803-170581798-1001

Record Number: 2044
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20071010001522.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Security event log=====

Computer Name: HouseComp
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: HOUSECOMP$
Account Domain: HPC
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x278
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 62103
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090529115159.500835-000
Event Type: Audit Success
User:

Computer Name: HouseComp
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: HOUSECOMP$
Account Domain: HPC
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x278
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 62102
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090529115159.500835-000
Event Type: Audit Success
User:

Computer Name: HouseComp
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5

Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege
Record Number: 62101
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090529115159.220034-000
Event Type: Audit Success
User:

Computer Name: HouseComp
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: HOUSECOMP$
Account Domain: HPC
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x278
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 62100
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090529115159.220034-000
Event Type: Audit Success
User:

Computer Name: HouseComp
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 62099
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090529115158.830031-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;%CommonProgramFiles%\Microsoft Shared\Windows Live;C:\Program Files\Intel\DMIX;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared;C:\Program Files\Common Files\DivX Shared;C:\Program Files\Smart Projects\IsoBuster
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0f02
"NUMBER_OF_PROCESSORS"=2
"tvdumpflags"=8

-----------------EOF-----------------

'till next time...

Thee Infamous El Guapo

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/17/2010 2:03 AM (GMT +3)
That service remains there. This malware method is similar to some difficult Sality variants I have dealt with in the past.


Go to Start Search, type devmgmt.msc in the Start Search box. devmgmt.msc will appear at the top of the Menu. Right-click on it and choose "Run as administrator".

When the Device Manager display opens click View - Show hidden devices.

Then in the list below that click the plus symbol (+) next to the following to expand that list:

Non-Plug and Play Drivers


In that list locate the following item. If it shows there, right click it and select Uninstall.

.1185569378

Go ahead and allow the computer to reboot to complete disabling that malware service.

--------------------------

After the reboot run and post a new ComboFix scan log please.

Tofer
New Member
Date Joined Dec 2009
Total Posts : 27
Posted 1/17/2010 4:13 PM (GMT +3)
Hello Jin

I can't find that '.1185569378' in that list; do you think it has already been removed?

I didn't run ComboFix either, because I felt it was pointless since '.1185569378' couldn't be located and uninstalled.

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/17/2010 6:03 PM (GMT +3)
That was the right choice not running ComboFix again. I would like to check a Registry entry, to see if the malware is using one Windows method to recreate itself.

@ECHO OFF
REM Remove any export left over from a previous run
if exist Regsearch1.txt del /q Regsearch1.txt
REM Export HKLM\SYSTEM\Select (Current / Default / Failed / LastKnownGood control set numbers)
regedit /e Regsearch1.txt "HKEY_LOCAL_MACHINE\SYSTEM\Select"
REM Open the export so its contents can be copied into a reply
Notepad Regsearch1.txt


Open Notepad (Start - Run, type notepad and press Enter).

Copy/paste the above text (inside the Code box) into the open Notepad text box, then save this to your desktop as "cfgcheck.bat"

Be sure to include the "" quotes in the name. Then click on cfgcheck.bat. When the scan completes a textbox will open - copy/paste those contents back here please.

Tofer
New Member
Date Joined Dec 2009
Total Posts : 27
Posted 1/18/2010 4:50 AM (GMT +3)
Hello

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000002


This is what I got, is it what you're looking for?

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/18/2010 8:42 PM (GMT +3)
Yes, that was to check if the malware is using some Last Known Good method to create itself. The driver is showing as stopped. Let's see if Avenger can at least disable it.


Open Avenger again.

Okay the warning. When the Avenger display opens place a check in the following box:

Automatically disable any rootkits found

Then copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.

Begin copying here:
Drivers to disable:
.1185569378
1185569378


Your system may reboot twice to complete the repairs. After the reboot a text will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.
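The two checks Jintan has asked for so far, the hidden non-Plug and Play driver list and the HKLM\SYSTEM\Select export, can be done from one PowerShell script. The following is an added example written for this thread; it is not code from the thread, from Avenger, ComboFix or GMER, and the function names are my own. It reads the Select key to find which ControlSet is Current and which is LastKnownGood, reports whether a named service key (here the '.1185569378' from this thread) exists in each of those control sets, and then lists the kernel-mode driver services of the current set, flagging any whose name starts with a period or whose ImagePath file is missing from disk. Run it from an elevated PowerShell prompt, since some service subkeys are ACL-restricted.

```powershell
# Added example for this thread, not part of the original posts or of any tool used in them.
# Requires an elevated prompt for full coverage of HKLM\SYSTEM\...\Services.

function Get-ControlSetMap {
    # Role -> ControlSet number, as stored under HKLM\SYSTEM\Select.
    $select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    [ordered]@{
        Current       = [int]$select.Current
        Default       = [int]$select.Default
        LastKnownGood = [int]$select.LastKnownGood
        Failed        = [int]$select.Failed        # 0 means no failed set is recorded
    }
}

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    # Driver ImagePath values come in several shapes:
    #   system32\drivers\x.sys              (relative to %SystemRoot%)
    #   \SystemRoot\system32\drivers\x.sys
    #   \??\C:\full\path\x.sys
    #   %SystemRoot%\system32\drivers\x.sys
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = $p -replace '^\\\?\?\\', ''
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverServices {
    param([int]$SetNumber)
    # Enumerates the driver services of one control set (what Device Manager shows
    # under "Non-Plug and Play Drivers" when hidden devices are displayed).
    $base = 'HKLM:\SYSTEM\ControlSet{0:D3}\Services' -f $SetNumber
    foreach ($key in (Get-ChildItem -Path $base -ErrorAction SilentlyContinue)) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER
        if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
        $resolved = Resolve-DriverImagePath ([string]$props.ImagePath)
        $exists   = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        [pscustomobject]@{
            ControlSet = $SetNumber
            Name       = $key.PSChildName
            Start      = $props.Start            # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath  = [string]$props.ImagePath
            FileExists = $exists
            Suspicious = ($key.PSChildName -match '^\.') -or -not $exists
        }
    }
}

function Test-ServiceInControlSets {
    param([string]$Name, [System.Collections.IDictionary]$Map = (Get-ControlSetMap))
    # Shows in which control sets a service key is present. A key that also lives in
    # the LastKnownGood set would return on an LKG boot after removal from Current.
    foreach ($n in ($Map.Values | Where-Object { $_ -gt 0 } | Sort-Object -Unique)) {
        $key   = 'HKLM:\SYSTEM\ControlSet{0:D3}\Services\{1}' -f $n, $Name
        $roles = ($Map.GetEnumerator() | Where-Object { $_.Value -eq $n } | ForEach-Object Key) -join ','
        [pscustomobject]@{ ControlSet = $n; Roles = $roles; Service = $Name; Present = (Test-Path -LiteralPath $key) }
    }
}

$map = Get-ControlSetMap
$map.GetEnumerator() | ForEach-Object { '{0,-14} -> ControlSet{1:D3}' -f $_.Key, $_.Value }

# Service name taken from this thread.
Test-ServiceInControlSets -Name '.1185569378' -Map $map | Format-Table -AutoSize

Get-KernelDriverServices -SetNumber $map.Current |
    Where-Object Suspicious |
    Format-Table ControlSet, Name, Start, ImagePath, FileExists -AutoSize
```

On the machine in this thread the Select export shows Current=1 and LastKnownGood=2, so the comparison would look at ControlSet001 and ControlSet002; a service present in the second but not the first is exactly the "Last Known Good" persistence Jintan is checking for, and it is the same kind of cross-set difference GMER reports later in the thread when it lists a ControlSet002 key as "(not active ControlSet)".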

Tofer
New Member
Date Joined Dec 2009
Total Posts : 27
Posted 1/19/2010 5:57 PM (GMT +3)
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver ".1185569378" disabled successfully.

Error: could not open driver "1185569378"
Disablement of driver "1185569378" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/20/2010 2:53 AM (GMT +3)
That was it then - the period in front of the name, and perhaps not bracketed as well. Let's check now with a removal.

Run Avenger again, and copy/paste the following into that:

Begin copying here:
Drivers to disable:
.1185569378


Your system may reboot twice to complete the repairs. After the reboot a text will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.

--------------

Then run a new Gmer scan, and post that log and the C:\avenger.txt log please.

Tofer
New Member
Date Joined Dec 2009
Total Posts : 27
Posted 1/22/2010 4:22 AM (GMT +3)
Hello...

AVENGER LOG
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver ".1185569378" disabled successfully.

Completed script processing.

*******************

Finished! Terminate.



GMER LOG:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-22 01:17:57
Windows 6.0.6002 Service Pack 2
Running: hz458i0k.exe; Driver: C:\Users\Kris_2\AppData\Local\Temp\uwlcipoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x96440D36]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x96441442]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0x9644158E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x96444CC6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x96444CF8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x964414F2]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x96440E7A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x9644106C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0x9644119E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x96444DCC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x96444D36]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x96444D68]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x96444D9A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0x96440CE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0x964415EE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0x96444C66]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x96440C88]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateProcess [0x96440BE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateThread [0x96440C2C]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 191 826B58D4 4 Bytes [36, 0D, 44, 96]
.text ntkrnlpa.exe!KeSetEvent + 1D9 826B591C 4 Bytes [42, 14, 44, 96] {INC EDX; ADC AL, 0x44; XCHG ESI, EAX}
.text ntkrnlpa.exe!KeSetEvent + 2D1 826B5A14 8 Bytes [8E, 15, 44, 96, C6, 4C, 44, ...] {MOV SS, [0x4cc69644]; INC ESP; XCHG ESI, EAX}
.text ntkrnlpa.exe!KeSetEvent + 2E1 826B5A24 4 Bytes [F8, 4C, 44, 96] {CLC ; DEC ESP; INC ESP; XCHG ESI, EAX}
.text ntkrnlpa.exe!KeSetEvent + 3D1 826B5B14 4 Bytes [F2, 14, 44, 96]
.text ...
? system32\drivers\nylxjtcq.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe[12] USER32.dll!SetScrollRange 7702D185 5 Bytes JMP 01D9E19C C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe[12] USER32.dll!GetScrollInfo 7702F073 5 Bytes JMP 01D9E0C0 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe[12] USER32.dll!ShowScrollBar 7702F8AE 5 Bytes JMP 01D9E1C8 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe[12] USER32.dll!SetScrollInfo 770371D8 5 Bytes JMP 01D9E144 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe[12] USER32.dll!EnableScrollBar 7704AF53 5 Bytes JMP 01D9E094 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe[12] USER32.dll!GetScrollPos 7705337D 5 Bytes JMP 01D9E0EC C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe[12] USER32.dll!GetScrollRange 770534A5 5 Bytes JMP 01D9E118 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe[12] USER32.dll!SetScrollPos 77053602 5 Bytes JMP 01D9E170 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[980] ntdll.dll!KiUserApcDispatcher 776A5D18 5 Bytes JMP 004348F0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[980] WS2_32.dll!getaddrinfo 7619418A 5 Bytes JMP 71670022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[980] WS2_32.dll!gethostbyname 761A62D4 5 Bytes JMP 716E0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[996] ntdll.dll!KiUserApcDispatcher 776A5D18 5 Bytes JMP 004112A0 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[996] USER32.dll!InSendMessageEx + 3B1 7702E6B0 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[996] WS2_32.dll!getaddrinfo 7619418A 5 Bytes JMP 71640022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[996] WS2_32.dll!gethostbyname 761A62D4 5 Bytes JMP 71670022

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [744E7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7453A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [744EBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [744DF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [744E75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [744DE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74518395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [744EDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [744DFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [744DFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744D71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7456CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7450C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [744DD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [744D6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744D687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [744E2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs BdFileSpy.sys

Device \Driver\usbhub \Device\USBPDO-9 RapportKELL.sys
Device \Driver\usbhub \Device\00000066 RapportKELL.sys
Device \Driver\usbhub \Device\00000067 RapportKELL.sys
Device \Driver\usbhub \Device\00000068 RapportKELL.sys
Device \Driver\usbhub \Device\USBPDO-11 RapportKELL.sys
Device \Driver\usbhub \Device\00000069 RapportKELL.sys
Device \Driver\nsiproxy \Device\Nsi AfwCore.sys
Device \Driver\usbhub \Device\0000006a RapportKELL.sys
Device \Driver\usbhub \Device\0000006b RapportKELL.sys
Device \Driver\usbhub \Device\0000006c RapportKELL.sys
Device \Driver\usbhub \Device\0000006d RapportKELL.sys
Device \FileSystem\fastfat \Fat 819E3A7A

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat BdFileSpy.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0D 0xC6 0x71 0x16 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0D 0xC6 0x71 0x16 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0D 0xC6 0x71 0x16 ...

---- EOF - GMER 1.0.15 ----

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 1/22/2010 7:44 AM (GMT +3)
Oh heck, I had posted the same Avenger disable script. That new random named file showing in the Gmer scan is Avenger's, and the Gmer scan looks okay other than that. Please run Avenger again, but use the following script instead:

Begin copying here:
Drivers to delete:
.1185569378


After the reboot post that new C:\avenger.txt log please.

Tofer
New Member


Date Joined Dec 2009
Total Posts : 27
 
Posted 1/22/2010 3:31 PM (GMT +3)
haha no worries mate...

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver ".1185569378" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

till next time...

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 1/23/2010 3:29 AM (GMT +3)
Looks like it got it that time round, but I left out a second means of verifying it stayed deleted. Run and post back a new RSIT scan log please.

Tofer
New Member


Date Joined Dec 2009
Total Posts : 27
 
Posted 1/23/2010 3:29 PM (GMT +3)
Logfile of random's system information tool 1.06 (written by random/random)
Run by Kris_2 at 2010-01-23 12:27:42
Microsoft® Windows Vista™ Home Premium  Service Pack 2
System drive C: has 154 GB (67%) free of 228 GB
Total RAM: 3316 MB (56% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:49, on 23/01/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Kris_2\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Kris_2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: dlcx_device -   - C:\Windows\system32\dlcxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 4751 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-03-30 403824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-11 41760]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-01-17 4907008]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-08-11 81920]
"dlcxmon.exe"=C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe [2007-01-12 292336]
"MemoryCardManager"=C:\Program Files\Dell Photo AIO Printer 926\memcard.exe [2006-11-04 304008]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-02-11 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-02-11 133656]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-02-11 141848]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2010-01-07 429392]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2010-01-12 304464]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2005-08-11 249856]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2010-01-12 304464]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-02-11 204800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BgLiveSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BgMainSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=
"NoDrives"=
"NoDriveTypeAutoRun"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
======File associations======
.js - edit - C:\Windows\System32\Notepad.exe %1
======List of files/folders created in the last 3 months======
2010-01-22 12:26:17 ----A---- C:\avenger.txt
2010-01-22 10:54:16 ----A---- C:\Windows\system32\mshtml.dll
2010-01-22 10:54:15 ----A---- C:\Windows\system32\ieframe.dll
2010-01-22 10:54:14 ----A---- C:\Windows\system32\iertutil.dll
2010-01-22 10:54:13 ----A---- C:\Windows\system32\wininet.dll
2010-01-22 10:54:13 ----A---- C:\Windows\system32\urlmon.dll
2010-01-22 10:54:13 ----A---- C:\Windows\system32\occache.dll
2010-01-22 10:54:13 ----A---- C:\Windows\system32\msfeeds.dll
2010-01-22 10:54:12 ----A---- C:\Windows\system32\iedkcs32.dll
2010-01-22 10:54:11 ----A---- C:\Windows\system32\ieui.dll
2010-01-22 10:54:11 ----A---- C:\Windows\system32\iepeers.dll
2010-01-22 10:54:10 ----A---- C:\Windows\system32\msfeedssync.exe
2010-01-22 10:54:10 ----A---- C:\Windows\system32\msfeedsbs.dll
2010-01-22 10:54:10 ----A---- C:\Windows\system32\jsproxy.dll
2010-01-22 10:54:10 ----A---- C:\Windows\system32\ieUnatt.exe
2010-01-22 10:54:10 ----A---- C:\Windows\system32\iesysprep.dll
2010-01-22 10:54:10 ----A---- C:\Windows\system32\ie4uinit.exe
2010-01-22 10:54:09 ----A---- C:\Windows\system32\iesetup.dll
2010-01-22 10:54:09 ----A---- C:\Windows\system32\iernonce.dll
2010-01-19 14:50:18 ----D---- C:\Avenger
2010-01-18 01:46:41 ----A---- C:\Windows\system32\Regsearch1.txt
2010-01-16 14:09:42 ----D---- C:\rsit
2010-01-14 18:45:17 ----SHD---- C:\$RECYCLE.BIN
2010-01-14 18:31:09 ----A---- C:\Windows\SWXCACLS.exe
2010-01-12 23:52:44 ----A---- C:\Windows\system32\t2embed.dll
2010-01-12 23:52:44 ----A---- C:\Windows\system32\fontsub.dll
2010-01-12 23:49:03 ----A---- C:\Windows\system32\BGLsp.dll
2010-01-12 17:49:20 ----D---- C:\Program Files\BullGuard Ltd
2010-01-12 17:02:25 ----D---- C:\Users\Kris_2\AppData\Roaming\AVG8
2010-01-09 15:25:21 ----D---- C:\Windows\temp
2010-01-08 13:10:58 ----A---- C:\Windows\zip.exe
2010-01-08 13:10:58 ----A---- C:\Windows\SWSC.exe
2010-01-08 13:10:58 ----A---- C:\Windows\SWREG.exe
2010-01-08 13:10:58 ----A---- C:\Windows\sed.exe
2010-01-08 13:10:58 ----A---- C:\Windows\PEV.exe
2010-01-08 13:10:58 ----A---- C:\Windows\NIRCMD.exe
2010-01-08 13:10:58 ----A---- C:\Windows\MBR.exe
2010-01-08 13:10:58 ----A---- C:\Windows\grep.exe
2010-01-07 13:06:27 ----D---- C:\ProgramData\BullGuard
2010-01-07 13:06:26 ----D---- C:\Users\Kris_2\AppData\Roaming\BullGuard
2010-01-07 12:59:11 ----D---- C:\Users\Kris_2\AppData\Roaming\Tific
2010-01-06 10:48:39 ----D---- C:\Windows\Internet Logs
2010-01-05 15:24:38 ----D---- C:\Windows\ERDNT
2009-12-26 11:05:34 ----D---- C:\Program Files\Common Files\PC Tools
2009-12-26 10:20:35 ----D---- C:\Users\Kris_2\AppData\Roaming\Trusteer
2009-12-26 10:20:30 ----D---- C:\Program Files\Trusteer
2009-12-22 16:14:04 ----D---- C:\Program Files\Microsoft
2009-12-22 16:13:40 ----D---- C:\Program Files\Windows Live
2009-12-12 15:19:46 ----D---- C:\Program Files\CCleaner
2009-12-11 01:18:41 ----D---- C:\Users\Kris_2\AppData\Roaming\Malwarebytes
2009-12-11 01:18:34 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-11 00:53:15 ----D---- C:\Users\Kris_2\AppData\Roaming\BitTorrent
2009-12-11 00:51:44 ----D---- C:\Program Files\BitTorrent
2009-12-09 11:43:56 ----A---- C:\Windows\system32\nshhttp.dll
2009-12-09 11:43:55 ----A---- C:\Windows\system32\httpapi.dll
2009-12-09 11:24:34 ----A---- C:\Windows\system32\winhttp.dll
2009-12-09 11:23:43 ----A---- C:\Windows\system32\rastls.dll
2009-12-08 18:26:10 ----D---- C:\Users\Kris_2\AppData\Roaming\DivX
2009-12-08 18:16:40 ----D---- C:\ProgramData\Nero
2009-12-08 18:16:40 ----D---- C:\Program Files\Nero
2009-12-07 22:22:47 ----D---- C:\Users\Kris_2\AppData\Roaming\Ahead
2009-12-07 04:00:56 ----D---- C:\Program Files\Common Files\Ahead
2009-12-05 16:09:47 ----D---- C:\Program Files\Trend Micro
2009-12-04 17:41:35 ----D---- C:\Windows\pss
2009-12-04 03:02:30 ----D---- C:\dvdsanta
2009-12-03 01:38:24 ----A---- C:\Windows\NeroDigital.ini
2009-12-02 12:20:55 ----D---- C:\Program Files\AVG
2009-11-30 19:47:26 ----D---- C:\ProgramData\Malwarebytes
2009-11-25 13:39:36 ----A---- C:\Windows\system32\tzres.dll
2009-11-25 12:48:12 ----A---- C:\Windows\system32\msxml6.dll
2009-11-25 12:48:11 ----A---- C:\Windows\system32\msxml3.dll
2009-11-19 18:56:24 ----D---- C:\ProgramData\Office Genuine Advantage
2009-11-11 18:56:53 ----A---- C:\Windows\system32\WSDApi.dll
2009-11-09 20:39:42 ----A---- C:\Windows\system32\javaws.exe
2009-11-09 20:39:42 ----A---- C:\Windows\system32\javaw.exe
2009-11-09 20:39:42 ----A---- C:\Windows\system32\java.exe
2009-10-28 09:19:57 ----D---- C:\Program Files\Windows Portable Devices
2009-10-28 09:17:48 ----A---- C:\Windows\system32\UIAnimation.dll
2009-10-28 09:17:47 ----A---- C:\Windows\system32\UIRibbonRes.dll
2009-10-28 09:17:47 ----A---- C:\Windows\system32\UIRibbon.dll
2009-10-28 09:17:21 ----A---- C:\Windows\system32\WMPhoto.dll
2009-10-28 09:17:20 ----A---- C:\Windows\system32\cdd.dll
2009-10-28 09:17:19 ----A---- C:\Windows\system32\XpsRasterService.dll
2009-10-28 09:17:19 ----A---- C:\Windows\system32\XpsPrint.dll
2009-10-28 09:17:19 ----A---- C:\Windows\system32\XpsGdiConverter.dll
2009-10-28 09:17:19 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2009-10-28 09:17:19 ----A---- C:\Windows\system32\WindowsCodecs.dll
2009-10-28 09:17:19 ----A---- C:\Windows\system32\printfilterpipelinesvc.exe
2009-10-28 09:17:19 ----A---- C:\Windows\system32\printfilterpipelineprxy.dll
2009-10-28 09:17:19 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll
2009-10-28 09:17:19 ----A---- C:\Windows\system32\dxdiagn.dll
2009-10-28 09:17:19 ----A---- C:\Windows\system32\dxdiag.exe
2009-10-28 09:17:19 ----A---- C:\Windows\system32\d3d10warp.dll
2009-10-28 09:17:19 ----A---- C:\Windows\system32\d2d1.dll
2009-10-28 09:17:18 ----A---- C:\Windows\system32\xpsservices.dll
2009-10-28 09:17:18 ----A---- C:\Windows\system32\OpcServices.dll
2009-10-28 09:17:18 ----A---- C:\Windows\system32\FntCache.dll
2009-10-28 09:17:18 ----A---- C:\Windows\system32\dxgi.dll
2009-10-28 09:17:18 ----A---- C:\Windows\system32\DWrite.dll
2009-10-28 09:17:18 ----A---- C:\Windows\system32\d3d11.dll
2009-10-28 09:17:18 ----A---- C:\Windows\system32\d3d10level9.dll
2009-10-28 09:17:18 ----A---- C:\Windows\system32\d3d10core.dll
2009-10-28 09:17:18 ----A---- C:\Windows\system32\d3d10_1core.dll
2009-10-28 09:17:18 ----A---- C:\Windows\system32\d3d10_1.dll
2009-10-28 09:17:18 ----A---- C:\Windows\system32\d3d10.dll
2009-10-28 09:16:42 ----A---- C:\Windows\system32\WPDShextAutoplay.exe
2009-10-28 09:16:42 ----A---- C:\Windows\system32\wpdbusenum.dll
2009-10-28 09:16:42 ----A---- C:\Windows\system32\BthMtpContextHandler.dll
2009-10-28 09:16:37 ----A---- C:\Windows\system32\PortableDeviceConnectApi.dll
2009-10-28 09:16:35 ----A---- C:\Windows\system32\wpdshext.dll
2009-10-28 09:16:35 ----A---- C:\Windows\system32\WpdMtpUS.dll
2009-10-28 09:16:35 ----A---- C:\Windows\system32\WpdConns.dll
2009-10-28 09:16:34 ----A---- C:\Windows\system32\WPDSp.dll
2009-10-28 09:16:34 ----A---- C:\Windows\system32\WPDShServiceObj.dll
2009-10-28 09:16:34 ----A---- C:\Windows\system32\WpdMtp.dll
2009-10-28 09:16:34 ----A---- C:\Windows\system32\wpd_ci.dll
2009-10-28 09:16:34 ----A---- C:\Windows\system32\PortableDeviceWMDRM.dll
2009-10-28 09:16:34 ----A---- C:\Windows\system32\PortableDeviceTypes.dll
2009-10-28 09:16:34 ----A---- C:\Windows\system32\PortableDeviceClassExtension.dll
2009-10-28 09:16:34 ----A---- C:\Windows\system32\PortableDeviceApi.dll
2009-10-28 09:15:40 ----A---- C:\Windows\system32\oleaccrc.dll
2009-10-28 09:15:36 ----A---- C:\Windows\system32\UIAutomationCore.dll
2009-10-28 09:15:36 ----A---- C:\Windows\system32\oleacc.dll
2009-10-28 09:06:46 ----A---- C:\Windows\system32\wmp.dll
2009-10-28 09:06:44 ----A---- C:\Windows\system32\unregmp2.exe
2009-10-28 09:06:43 ----A---- C:\Windows\system32\wmploc.DLL
======List of files/folders modified in the last 3 months======
2010-01-23 12:04:50 ----D---- C:\Windows\System32
2010-01-23 12:04:50 ----D---- C:\Windows\inf
2010-01-23 12:04:50 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-01-23 12:02:57 ----D---- C:\Windows\system32\drivers
2010-01-23 11:57:39 ----D---- C:\Windows\system32\catroot2
2010-01-22 21:19:44 ----D---- C:\Windows\Prefetch
2010-01-22 16:36:49 ----D---- C:\Windows\Minidump
2010-01-22 16:36:46 ----D---- C:\Windows
2010-01-22 12:14:12 ----D---- C:\Program Files\Microsoft Silverlight
2010-01-22 11:04:24 ----D---- C:\Windows\system32\migration
2010-01-22 11:04:24 ----D---- C:\Program Files\Internet Explorer
2010-01-22 10:56:10 ----D---- C:\Windows\winsxs
2010-01-22 10:55:37 ----SHD---- C:\Windows\Installer
2010-01-22 10:55:05 ----SHD---- C:\System Volume Information
2010-01-22 10:52:27 ----D---- C:\Windows\system32\catroot
2010-01-19 14:50:18 ----RD---- C:\Program Files
2010-01-18 01:23:31 ----SD---- C:\Windows\Downloaded Program Files
2010-01-14 18:45:14 ----A---- C:\Windows\system.ini
2010-01-13 13:33:56 ----D---- C:\Windows\Debug
2010-01-12 23:55:09 ----D---- C:\Program Files\Windows Mail
2010-01-12 23:53:39 ----D---- C:\Program Files\Common Files\microsoft shared
2010-01-12 17:06:44 ----SD---- C:\Users\Kris_2\AppData\Roaming\Microsoft
2010-01-12 17:06:39 ----D---- C:\ProgramData
2010-01-09 15:13:05 ----D---- C:\Windows\AppPatch
2010-01-09 15:08:03 ----D---- C:\Program Files\Common Files
2010-01-08 00:35:16 ----RSD---- C:\Windows\assembly
2010-01-07 12:18:34 ----D---- C:\Windows\system32\Tasks
2010-01-06 13:15:14 ----D---- C:\TempDVD
2010-01-05 16:02:32 ----AD---- C:\ProgramData\TEMP
2010-01-05 13:22:36 ----D---- C:\Windows\system32\config
2010-01-05 00:17:46 ----A---- C:\Windows\system32\mrt.exe
2010-01-04 15:28:13 ----RD---- C:\Users
2009-12-31 00:30:20 ----D---- C:\Windows\Cache
2009-12-27 19:44:50 ----SD---- C:\ProgramData\Microsoft
2009-12-17 15:36:00 ----D---- C:\Windows\system32\LogFiles
2009-12-09 12:42:30 ----D---- C:\Windows\rescache
2009-12-09 12:24:58 ----D---- C:\Windows\system32\en-US
2009-12-08 18:17:16 ----D---- C:\Windows\ehome
2009-12-05 16:31:03 ----D---- C:\Program Files\Common Files\Adobe
2009-12-05 16:31:03 ----D---- C:\Program Files\Adobe
2009-12-05 16:31:02 ----D---- C:\ProgramData\Adobe
2009-12-03 22:20:10 ----D---- C:\Windows\Downloaded Installations
2009-12-02 12:33:03 ----D---- C:\Windows\system32\spool
2009-11-30 23:09:47 ----D---- C:\Windows\system32\wbem
2009-11-30 23:08:49 ----D---- C:\Windows\Tasks
2009-11-30 23:08:49 ----D---- C:\Program Files\Windows Defender
2009-11-30 23:08:48 ----D---- C:\Windows\system32\Msdtc
2009-11-30 23:08:48 ----D---- C:\Windows\system32\CodeIntegrity
2009-11-30 23:08:47 ----D---- C:\Program Files\DivX
2009-11-30 23:08:46 ----D---- C:\Windows\registration
2009-11-30 23:08:46 ----D---- C:\Program Files\Common Files\DivX Shared
2009-11-19 18:07:59 ----D---- C:\Windows\system32\zh-TW
2009-11-19 18:07:59 ----D---- C:\Windows\system32\zh-HK
2009-11-19 18:07:59 ----D---- C:\Windows\system32\tr-TR
2009-11-19 18:07:59 ----D---- C:\Windows\system32\sv-SE
2009-11-19 18:07:59 ----D---- C:\Windows\system32\pt-BR
2009-11-19 18:07:59 ----D---- C:\Windows\system32\nl-NL
2009-11-19 18:07:59 ----D---- C:\Windows\system32\nb-NO
2009-11-19 18:07:59 ----D---- C:\Windows\system32\ko-KR
2009-11-19 18:07:59 ----D---- C:\Windows\system32\it-IT
2009-11-19 18:07:59 ----D---- C:\Windows\system32\he-IL
2009-11-19 18:07:59 ----D---- C:\Windows\system32\fr-FR
2009-11-19 18:07:59 ----D---- C:\Windows\system32\fi-FI
2009-11-19 18:07:59 ----D---- C:\Windows\system32\es-ES
2009-11-19 18:07:59 ----D---- C:\Windows\system32\el-GR
2009-11-19 18:07:59 ----D---- C:\Windows\system32\de-DE
2009-11-19 18:07:59 ----D---- C:\Windows\system32\da-DK
2009-11-19 18:07:59 ----D---- C:\Windows\system32\ar-SA
2009-11-09 20:39:40 ----D---- C:\Program Files\Java
2009-11-02 20:42:06 ----N---- C:\Windows\system32\MpSigStub.exe
2009-10-28 09:19:55 ----D---- C:\Windows\system32\zh-CN
2009-10-28 09:19:55 ----D---- C:\Windows\system32\uk-UA
2009-10-28 09:19:55 ----D---- C:\Windows\system32\th-TH
2009-10-28 09:19:55 ----D---- C:\Windows\system32\sr-Latn-CS
2009-10-28 09:19:55 ----D---- C:\Windows\system32\sl-SI
2009-10-28 09:19:55 ----D---- C:\Windows\system32\sk-SK
2009-10-28 09:19:55 ----D---- C:\Windows\system32\ru-RU
2009-10-28 09:19:55 ----D---- C:\Windows\system32\ro-RO
2009-10-28 09:19:55 ----D---- C:\Windows\system32\pt-PT
2009-10-28 09:19:55 ----D---- C:\Windows\system32\pl-PL
2009-10-28 09:19:55 ----D---- C:\Windows\system32\lv-LV
2009-10-28 09:19:55 ----D---- C:\Windows\system32\lt-LT
2009-10-28 09:19:55 ----D---- C:\Windows\system32\ja-JP
2009-10-28 09:19:55 ----D---- C:\Windows\system32\hu-HU
2009-10-28 09:19:55 ----D---- C:\Windows\system32\hr-HR
2009-10-28 09:19:55 ----D---- C:\Windows\system32\et-EE
2009-10-28 09:19:55 ----D---- C:\Windows\system32\cs-CZ
2009-10-28 09:19:55 ----D---- C:\Windows\system32\bg-BG
2009-10-28 09:19:46 ----D---- C:\Program Files\Windows Media Player
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 afw;Agnitum Firewall Driver; C:\Windows\system32\DRIVERS\afw.sys [2010-01-12 29208]
R1 kl1;kl1; C:\Windows\system32\DRIVERS\kl1.sys [2009-09-01 128016]
R1 RapportKELL;RapportKELL; \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys [2009-12-15 58984]
R1 RapportPG;RapportPG; \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [2009-12-15 337000]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\Windows\system32\DRIVERS\AegisP.sys [2008-04-13 17801]
R2 BdFileSpy;BullGuard File Monitor Driver; \??\C:\Windows\system32\drivers\BdFileSpy.sys [2010-01-12 55504]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 RMCAST;RMCAST (Pgm) Protocol Driver; C:\Windows\system32\DRIVERS\RMCAST.sys [2009-04-11 113664]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-05 8192]
R3 AfwCore;Agnitum Firewall Core Driver; \??\C:\Windows\system32\Drivers\AfwCore.sys [2010-01-12 305688]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2007-04-29 228224]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-10-18 986624]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2006-10-18 258048]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 2302976]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-01-24 2054872]
R3 MBAMProtector;MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [2010-01-07 19160]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-10-18 659968]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service; C:\Windows\system32\DRIVERS\WPN111v.sys [2008-08-04 904192]
S3 AFGMp50;AFGMp50 NDIS Protocol Driver; C:\Windows\System32\Drivers\AFGMp50.sys []
S3 AFGSp50;AFGSp50 NDIS Protocol Driver; C:\Windows\System32\Drivers\AFGSp50.sys []
S3 catchme;catchme; \??\C:\456out\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 IntelDH;IntelDH Driver; C:\Windows\System32\Drivers\IntelDH.sys [2007-07-27 5504]
S3 MRV6X32P;Vista 32-bits Native WiFi Driver; C:\Windows\system32\DRIVERS\MRVW13B.sys [2007-05-03 256000]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NDISKIO;NDISKIO; \??\C:\Users\Kris_2\AppData\Local\Temp\00000e71.nmc\nse\bin\ndiskio.sys []
S3 nsak;nsak; \??\C:\Users\Kris_2\AppData\Local\Temp\00000e71.nmc\nse\bin\nsak.sys []
S3 Profos;Profos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\profos.sys [2010-01-12 14720]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
S3 Reconn;BullGuard Email Monitor; \??\C:\Program Files\BullGuard Ltd\BullGuard\Reconn.sys [2008-07-29 16984]
S3 RT73;D-Link USB Wireless LAN Card Driver; C:\Windows\system32\DRIVERS\Dr71WU.sys [2005-11-03 245504]
S3 RTL8023xp;Realtek 10/100 NIC Family NDIS x86 Driver; C:\Windows\system32\DRIVERS\Rtnicxp.sys [2006-11-02 47104]
S3 s125bus;Sony Ericsson Device 125 driver (WDM); C:\Windows\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter; C:\Windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver; C:\Windows\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM); C:\Windows\system32\DRIVERS\s125mgmt.sys [2007-04-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface; C:\Windows\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
S3 s616bus;Sony Ericsson Device 616 driver (WDM); C:\Windows\system32\DRIVERS\s616bus.sys [2007-04-03 83208]
S3 ST330;ST330; C:\Windows\system32\drivers\st330.sys [2007-08-16 30464]
S3 STBUS;STBUS; C:\Windows\system32\drivers\stbus.sys [2007-08-16 12672]
S3 stppp;Speedtouch PPP Adapter Adapter; C:\Windows\system32\DRIVERS\stppp.sys [2007-08-16 35328]
S3 Trufos;Trufos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\trufos.sys [2010-01-12 39808]
S3 TSHWMDTCP;TSHWMDTCP; \??\C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys []
S3 UMPass;Microsoft UMPass Driver; C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 7680]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2009-04-11 73216]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 W8335XP;802.11g/b Driver for Windows XP ; C:\Windows\system32\DRIVERS\Mrvw125.sys [2007-06-19 282624]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-10-01 40448]
S4 iaStor;Intel AHCI Controller; C:\Windows\system32\drivers\iastor.sys [2007-04-26 304920]
S4 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys []
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 AERTFilters;Andrea RT Filters Service; C:\Windows\system32\AERTSrv.exe [2007-12-05 77824]
R2 BgLiveSvc;BullGuard LiveUpdate; C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [2010-01-12 300368]
R2 BgMainSvc;BullGuard Main Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsFileScan;BullGuard File Scan Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsFire;BullGuard Firewall Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsMailProxy;BullGuard Email Monitoring Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 dlcx_device;dlcx_device; C:\Windows\system32\dlcxcoms.exe [2006-11-04 537480]
R2 MBAMService;MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-01-07 236368]
R2 RapportMgmtService;Rapport Management Service; C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe [2009-12-15 972008]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-05 386560]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
-----------------EOF-----------------

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 1/24/2010 1:16 AM (GMT +3)
Looks good now. Before we consider some final cleaning up steps, post back how things are running now please.

Tofer
New Member


Date Joined Dec 2009
Total Posts : 27
 
Posted 1/24/2010 4:13 AM (GMT +3)
Hello,

Things appear to be running cool. I'm not being redirected anymore, as that was one of the symptoms, but I still have more than one "iexplore.exe" in Process Explorer.

I don't understand why there is more than one. I only have one Internet Explorer window open, but in Process Explorer it says there are 2, sometimes even 3.

When I right-click on iexplore.exe/Properties/Permissions (from the Process Explorer window), "Account Unknown (S-1-5-5-0-282703)" appears in the box under "Groups or user names", but the number is always different.

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 1/25/2010 3:56 AM (GMT +3)
A problem with using programs like Process Explorer is that they look into information areas not normally seen, and so create questions where no reason for them existed earlier. Each time you open a tab in IE, another new instance of iexplore.exe is started, so seeing more than one would be "normal". For the Permissions display, and again you are viewing info you just would not normally observe, I sense the account you are referring to is the Login SID. If you check the info here, it suggests the changed numbers you see in the Permissions display are related to the RID (Relative ID) assigned to the current user's login account. Guesswork on my part, but again not something I might consider malware created.


Just to check the accounts there, click Here and download Bobbi Flekman's SWWhoAmI (swwhoami.exe) to your Desktop (it is important that you save it to your Desktop).


Then go to Start > Run and type

cmd

and click OK. At the prompt, copy/paste the following (press Enter after).
"%userprofile%\desktop\swwhoami.exe" /listusers >c:\userlook.txt & start notepad c:\userlook.txt

Once the scan completes a textbox will open - please copy/paste those contents back here (the file can be found at C:\userlook.txt).

Tofer
New Member


Date Joined Dec 2009
Total Posts : 27
 
Posted 1/25/2010 4:02 PM (GMT +3)
Hello there, thanks for all the help so far.

I copied and pasted that line into the cmd prompt box, and after hitting Enter the message 'Access Denied' appeared underneath it.

Hmm?

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 1/26/2010 2:39 AM (GMT +3)
Vista, so perhaps the command prompt needs admin-level access for this one. Not sure it will work for Vista actually, but it is not a change maker, and it does provide a nice way to check user accounts.

For the command prompt access, click on the Start button and type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the menu. Right-click on it and choose "Run as Administrator". Then try the steps again please.

Tofer
New Member


Date Joined Dec 2009
Total Posts : 27
 
Posted 1/26/2010 5:22 AM (GMT +3)
Good thinking batman.

I'm guessing this is what you're looking for.

Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator (Disabled)
| Guest (Disabled)
Yes | Kris_2
Yes | Mcx1

The thing is, I'm the Administrator on this computer (Kris_2). Why is there a separate Administrator account?

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 1/26/2010 5:54 AM (GMT +3)
That is the computer's actual Administrator account, created when the computer was first run after installation. It is the master account, available through Safe Mode on multi-user systems, and is the way to solve some tough problems when other accounts are damaged. Be very sure to enable that as soon as possible (User Accounts in Control Panel). That being disabled may be why you seem to be seeing odd account information, though most of that was just due to the changing numbers assigned at each bootup. Other user accounts have "Administrator" level privileges, and so are called "Administrator". I assume you recognize that "Mcx1" account, and no other unknown accounts are being picked up there.
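The two points Jintan raises above, that the "Account Unknown (S-1-5-5-0-282703)" entry is a logon session SID whose numbers change at every logon, and that the real Administrator account is a specific built-in account rather than any account that merely holds administrator rights, can be checked mechanically. The following is an added example in Python (my own code, not anything from this thread, from BullGuard, or from Bobbi Flekman's SWWhoAmI tool): a small SID classifier that recognises logon session SIDs by their S-1-5-5-X-Y layout and identifies the built-in Administrator by its RID of 500 instead of by its display name. The only SID taken from the thread is S-1-5-5-0-282703; every other SID value below is constructed for illustration.

```python
"""Classify Windows security identifiers (SIDs) as a responder reads them in
Process Explorer.  Added example; all SIDs except the one quoted in the
thread (S-1-5-5-0-282703) are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# Well-known relative IDs (RIDs) on a machine or domain SID (S-1-5-21-a-b-c-RID).
# RID 500 is the built-in Administrator whatever the account is currently named.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator account",
    501: "built-in Guest account",
    512: "Domain Admins group",
    513: "Domain Users group",
}

# A few complete well-known SIDs that carry no machine-specific part.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}


@dataclass
class SidInfo:
    sid: str
    kind: str                  # "well-known", "logon-session", "account", "other"
    description: str
    rid: Optional[int] = None
    changes_every_logon: bool = False


def parse_sid(sid: str) -> List[int]:
    """Validate the textual form S-1-<authority>-<sub>-... and return the
    integer components that follow the leading 'S-1'."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    try:
        return [int(p) for p in parts[2:]]
    except ValueError:
        raise ValueError(f"non-numeric SID component in {sid!r}") from None


def classify(sid: str) -> SidInfo:
    comps = parse_sid(sid)
    authority, subs = comps[0], comps[1:]
    if sid in WELL_KNOWN_SIDS:
        return SidInfo(sid, "well-known", WELL_KNOWN_SIDS[sid])
    # S-1-5-5-X-Y is a logon session SID.  Windows mints a fresh one for each
    # logon, so X-Y differ after every boot, and it cannot be resolved to an
    # account name, which is why Process Explorer labels it "Account Unknown".
    if authority == 5 and len(subs) == 3 and subs[0] == 5:
        return SidInfo(sid, "logon-session",
                       "logon session SID, regenerated at every logon",
                       changes_every_logon=True)
    # S-1-5-21-a-b-c-RID is an account or group on one specific machine/domain.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        desc = WELL_KNOWN_RIDS.get(rid)
        if desc is None:
            desc = ("ordinary user or group (RID >= 1000)" if rid >= 1000
                    else "reserved/system RID")
        return SidInfo(sid, "account", desc, rid=rid)
    return SidInfo(sid, "other", "unrecognised SID layout")


def is_builtin_administrator(sid: str) -> bool:
    """True only for RID 500 on a machine/domain SID.  Accounts such as Kris_2
    in the thread hold administrator rights but are not this account."""
    info = classify(sid)
    return info.kind == "account" and info.rid == 500


if __name__ == "__main__":
    for s in ("S-1-5-5-0-282703",              # quoted in the thread
              "S-1-5-21-1111-2222-3333-500",   # constructed machine SID, RID 500
              "S-1-5-21-1111-2222-3333-1001",  # constructed: first normal user
              "S-1-5-18"):
        info = classify(s)
        print(f"{s:32} {info.kind:14} {info.description}")
```

Running it prints one line per SID with its kind and description; the logon session SID from the thread comes out as "logon-session" and the constructed RID 500 SID as the built-in Administrator, while the constructed RID 1001 SID is an ordinary user even though such an account may be a member of the Administrators group.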

Tofer
New Member


Date Joined Dec 2009
Total Posts : 27
 
Posted 1/26/2010 5:09 PM (GMT +3)
How do I enable it? I went to User Accounts and the only account there is mine (Kris), and that says I'm the Administrator account. So if I can't find this other Administrator account, then how can I enable it?

That Mcx1 wasn't created by me; I thought it was already there. :s Do you think that's suspicious?