Asterix

Members
Posts: 7
Reputation: 0 Neutral
  1. I had to unlock all of my Norton .exe files, but it now seems to work fine. The auto-protect is working, and a quick scan did not find anything. I also did another quick scan with Malwarebytes, and it too did not find anything. I think we are good to go!

Two questions:
1) Can you recommend something other than my Norton Corporate (which I get for free) AV? I went back to Norton almost a year ago once AVG stopped being free...
2) Is there a way to "donate" to this website via PayPal for the services rendered?

Regards, Asterix
  2. CORRECTION: I MEANT TO SAY I WAS "ABLE" TO UNLOCK, ETC. SORRY.

Malwarebytes log below:

Malwarebytes' Anti-Malware 1.40
Database version: 2720
Windows 5.1.2600 Service Pack 3

31/08/2009 8:13:22 AM
mbam-log-2009-08-31 (08-13-19).txt

Scan type: Quick Scan
Objects scanned: 100536
Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSINET.oca (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSkkbi.dll (Rootkit.TDSS) -> No action taken.
  3. ComboFix log attached below. I was unable to unlock HijackThis, Malwarebytes and Spybot. I ran Malwarebytes and clicked "remove" on the threats, and the log is posted. The HijackThis log is also posted. Significant improvement right now, but I am not certain that we got them all. I was unable to unlock my Norton AV, but I cannot seem to get the auto-protect to come on. I will try after rebooting and see what happens.

ComboFix 09-08-30.04 - Djordje 31/08/2009 7:49.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1560 [GMT -4:00]
Running from: c:\documents and settings\Djordje\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Djordje\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: c:\documents and settings\All Users\jack.exe
file zipped: c:\windows\system32\drivers\bcxrvdbvtnxrquqs.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\jack.exe
c:\windows\system32\drivers\bcxrvdbvtnxrquqs.sys
.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.
2009-08-31 03:38 . 2009-08-31 03:39 -------- d-----w- c:\program files\Spybot - Search and Destroy
2009-08-31 00:47 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 00:47 . 2009-08-31 00:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 00:47 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 21:28 . 2009-08-30 21:28 -------- d-----w- c:\documents and settings\Djordje\Application Data\Malwarebytes
2009-08-30 21:28 . 2009-08-30 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-30 13:01 . 2009-08-30 23:44 -------- d-----w- c:\program files\NoAdware
2009-08-30 12:55 . 2009-08-30 12:55 -------- d-----w- C:\!KillBox
2009-08-29 12:34 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-29 12:33 . 2009-08-29 12:33 -------- d-----w- c:\program files\Panda Security
2009-08-28 19:10 . 2009-08-28 19:10 -------- d-----w- C:\spoolerlogs
2009-08-21 02:27 . 2009-08-21 02:27 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-08-21 02:27 . 2009-08-21 02:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-19 11:16 . 2009-08-19 11:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-12 11:42 . 2009-08-12 11:42 -------- d-sh--w- c:\documents and settings\Djordje\IECompatCache
2009-08-12 11:01 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-08 13:53 . 2009-08-08 13:53 -------- d-----w- c:\windows\system32\IOSUBSYS
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 10:44 . 2008-03-08 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-31 03:34 . 2008-03-08 23:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-28 19:07 . 2008-02-07 16:50 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-14 16:25 . 2008-05-08 03:35 -------- d-----w- c:\documents and settings\Djordje\Application Data\FileZilla
2009-08-12 11:21 . 2009-06-11 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-10 20:05 . 2006-09-22 11:05 128144 ----a-w- c:\documents and settings\Djordje\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 17:19 . 2007-02-16 14:05 -------- d-----w- c:\documents and settings\Djordje\Application Data\Azureus
2009-08-08 13:53 . 2007-04-09 22:42 -------- d-----w- c:\program files\Google
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 13:23 . 2009-04-01 13:58 70920 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Customer_rc.dll
2009-07-12 13:23 . 2009-04-01 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2009-07-12 03:00 . 2008-02-28 16:34 805952 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-11 16:23 . 2009-03-06 14:07 -------- d-----w- c:\program files\TransAM CC2
2009-07-11 15:55 . 2009-07-11 15:55 34 ----a-w- c:\program files\TRAN.RAT
2009-07-11 15:55 . 2009-07-11 15:55 25 ----a-w- c:\program files\TRAN.SYM
2009-07-11 13:34 . 2008-08-22 17:59 -------- d-----w- c:\program files\Seagate Software
2009-07-11 13:34 . 2009-07-11 13:34 -------- d-----w- c:\program files\ValMatic
2009-07-11 12:47 . 2008-06-13 14:54 -------- d-----w- c:\program files\TransAM
2009-07-03 17:09 . 2004-08-10 17:51 915456 ------w- c:\windows\system32\wininet.dll
2009-07-01 21:34 . 2009-07-01 21:34 99678 -c--a-r- c:\documents and settings\Djordje\Application Data\Microsoft\Installer\{E942407D-3261-476C-850B-9546BCA72499}\_1C13ED278AAF63E67C5DE6.exe
2009-07-01 21:34 . 2009-07-01 21:34 99678 -c--a-r- c:\documents and settings\Djordje\Application Data\Microsoft\Installer\{E942407D-3261-476C-850B-9546BCA72499}\_0BBC25476C38B6119E41D8.exe
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2008-05-08 00:16 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-05-03 23:08 . 2008-05-03 23:08 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-18 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"MSSQL$VALMATIC8"=2 (0x2)
"GoogleDesktopManager-022208-143751"=3 (0x3)
"FileZilla Server"=3 (0x3)
"Fax"=2 (0x2)
"DefWatch"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"CiSvc"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"MDM"=2 (0x2)
"WDBtnMgrSvc.exe"=2 (0x2)
"usnjsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"gusvc"=3 (0x3)
"RasMan"=3 (0x3)
"SwPrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\lxcgcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcgpswx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Qameleon\\QViewPlus\\QViewPlus.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [29/08/2009 8:34 AM 28544]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [28/08/2009 11:30 AM 102448]
S3 EraserUtilDrv10821;EraserUtilDrv10821; [x]
S3 P0230BBK;Creative PC-CAM 750 (Still Image);c:\windows\system32\DRIVERS\P0230bbk.sys --> c:\windows\system32\DRIVERS\P0230bbk.sys [?]
S3 P0230BVD;Creative PC-CAM 750 (Video);c:\windows\system32\DRIVERS\P0230bVd.sys --> c:\windows\system32\DRIVERS\P0230bVd.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [27/09/2006 9:33 PM 116464]
S3 SQLAgent$VALMATIC8;SQLAgent$VALMATIC8;c:\program files\Microsoft SQL Server\MSSQL$VALMATIC8\Binn\sqlagent.EXE -i VALMATIC8 --> c:\program files\Microsoft SQL Server\MSSQL$VALMATIC8\Binn\sqlagent.EXE -i VALMATIC8 [?]
S4 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [03/05/2008 7:08 PM 29744]
S4 MSSQL$VALMATIC8;MSSQL$VALMATIC8;c:\program files\Microsoft SQL Server\MSSQL$VALMATIC8\Binn\sqlservr.exe -sVALMATIC8 --> c:\program files\Microsoft SQL Server\MSSQL$VALMATIC8\Binn\sqlservr.exe -sVALMATIC8 [?]
S4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [19/02/2008 2:15 AM 106496]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10910

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2006-12-23 04:55]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page =
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Djordje\Application Data\Mozilla\Firefox\Profiles\yg7pgu13.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 08:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-08-31 8:06
ComboFix-quarantined-files.txt 2009-08-31 12:06
ComboFix2.txt 2009-08-31 00:17

Pre-Run: 15,548,551,168 bytes free
Post-Run: 15,505,580,032 bytes free

260 --- E O F --- 2009-08-26 19:51

Upload was successful
  4. HijackThis can now run; log posted below. Not sure if this means that I am clean or not. Norton AV auto-protect did not start properly once ComboFix rebooted the computer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:16 PM, on 30/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Djordje\Desktop\sad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188859060406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204642936218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6175 bytes
  5. ComboFix log posted:

ComboFix 09-08-30.01 - Djordje 30/08/2009 19:46.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1642 [GMT -4:00]
Running from: c:\documents and settings\Djordje\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
C:\vvv.exe
c:\windows\Fonts\AcadEref.ttf
c:\windows\Installer\106a98.msi
c:\windows\Installer\10b328c.msp
c:\windows\Installer\10b328f.msp
c:\windows\Installer\11dfbe.msp
c:\windows\Installer\1423b3.msp
c:\windows\Installer\1499cd.msp
c:\windows\Installer\1499d0.msp
c:\windows\Installer\17e966.msp
c:\windows\Installer\17e969.msp
c:\windows\Installer\26922a.msi
c:\windows\Installer\284f9b5.msp
c:\windows\Installer\3b0038.msp
c:\windows\Installer\3b003b.msp
c:\windows\Installer\3b003e.msp
c:\windows\Installer\3b0041.msp
c:\windows\Installer\3b0044.msp
c:\windows\Installer\3b0047.msp
c:\windows\Installer\3b004a.msp
c:\windows\Installer\3b004d.msp
c:\windows\Installer\3b0050.msp
c:\windows\Installer\7a97aa.msp
c:\windows\Installer\8c37f1.msi
c:\windows\Installer\d1379.msp
c:\windows\Installer\d137c.msp
c:\windows\Installer\ea0fcc.msp
c:\windows\run.log
c:\windows\system32\drivers\kbiwkmvtuebwkt.sys
c:\windows\system32\kbiwkmdtfnsdoq.dat
c:\windows\system32\kbiwkmfnmnaoex.dat
c:\windows\system32\kbiwkmpxmjutpq.dll
c:\windows\system32\kbiwkmqwhxvmtk.dat
c:\windows\system32\kbiwkmrnsbruem.dat
c:\windows\system32\kbiwkmrxyhorgi.dll
c:\windows\system32\kbiwkmwnstlnkl.dat
c:\windows\system32\kbiwkmxboeyanr.dat
c:\windows\system32\prunnet.exe
c:\windows\system32\s2
c:\windows\system32\sX3i19
C:\winlogon.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_kbiwkmkaomyndo
-------\Legacy_kbiwkmkaomyndo
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.
2009-08-30 21:28 . 2009-08-30 21:28 -------- d-----w- c:\documents and settings\Djordje\Application Data\Malwarebytes
2009-08-30 21:28 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 21:28 . 2009-08-30 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-30 21:28 . 2009-08-30 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 21:28 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 21:07 . 2005-02-16 15:06 218112 ----a-w- c:\documents and settings\All Users\jack.exe
2009-08-30 13:01 . 2009-08-30 23:44 -------- d-----w- c:\program files\NoAdware
2009-08-30 12:55 . 2009-08-30 12:55 -------- d-----w- C:\!KillBox
2009-08-29 12:34 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-29 12:33 . 2009-08-29 12:33 -------- d-----w- c:\program files\Panda Security
2009-08-28 19:10 . 2009-08-28 19:10 -------- d-----w- C:\spoolerlogs
2009-08-21 02:27 . 2009-08-21 02:27 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-08-21 02:27 . 2009-08-21 02:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-19 11:16 . 2009-08-19 11:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-12 11:42 . 2009-08-12 11:42 -------- d-sh--w- c:\documents and settings\Djordje\IECompatCache
2009-08-12 11:01 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-08 15:08 . 2009-08-08 15:08 70656 ----a-w- c:\windows\system32\drivers\bcxrvdbvtnxrquqs.sys
2009-08-08 13:53 . 2009-08-08 13:53 -------- d-----w- c:\windows\system32\IOSUBSYS
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 19:07 . 2008-02-07 16:50 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-14 16:25 . 2008-05-08 03:35 -------- d-----w- c:\documents and settings\Djordje\Application Data\FileZilla
2009-08-12 11:21 . 2009-06-11 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-10 20:05 . 2006-09-22 11:05 128144 ----a-w- c:\documents and settings\Djordje\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 17:19 . 2007-02-16 14:05 -------- d-----w- c:\documents and settings\Djordje\Application Data\Azureus
2009-08-08 13:53 . 2007-04-09 22:42 -------- d-----w- c:\program files\Google
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 13:23 . 2009-04-01 13:58 70920 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Customer_rc.dll
2009-07-12 13:23 . 2009-04-01 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2009-07-12 03:00 . 2008-02-28 16:34 805952 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-11 16:23 . 2009-03-06 14:07 -------- d-----w- c:\program files\TransAM CC2
2009-07-11 15:55 . 2009-07-11 15:55 34 ----a-w- c:\program files\TRAN.RAT
2009-07-11 15:55 . 2009-07-11 15:55 25 ----a-w- c:\program files\TRAN.SYM
2009-07-11 13:34 . 2008-08-22 17:59 -------- d-----w- c:\program files\Seagate Software
2009-07-11 13:34 . 2009-07-11 13:34 -------- d-----w- c:\program files\ValMatic
2009-07-11 12:47 . 2008-06-13 14:54 -------- d-----w- c:\program files\TransAM
2009-07-03 17:09 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-01 21:34 . 2009-07-01 21:34 99678 -c--a-r- c:\documents and settings\Djordje\Application Data\Microsoft\Installer\{E942407D-3261-476C-850B-9546BCA72499}\_1C13ED278AAF63E67C5DE6.exe
2009-07-01 21:34 . 2009-07-01 21:34 99678 -c--a-r- c:\documents and settings\Djordje\Application Data\Microsoft\Installer\{E942407D-3261-476C-850B-9546BCA72499}\_0BBC25476C38B6119E41D8.exe
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2008-05-08 00:16 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-05-03 23:08 . 2008-05-03 23:08 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-18 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk] HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009 HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=3 (0x3) "WLSetupSvc"=3 (0x3) "RoxWatch9"=2 (0x2) "RoxMediaDB9"=3 (0x3) "Roxio Upnp Server 9"=2 (0x2) "Roxio UPnP Renderer 9"=3 (0x3) "MSSQL$VALMATIC8"=2 (0x2) "GoogleDesktopManager-022208-143751"=3 (0x3) "FileZilla Server"=3 (0x3) "Fax"=2 (0x2) "DefWatch"=2 (0x2) "Adobe LM Service"=3 (0x3) "CiSvc"=3 (0x3) "Autodesk Licensing Service"=3 (0x3) "Ati HotKey Poller"=2 (0x2) "MDM"=2 (0x2) "WDBtnMgrSvc.exe"=2 (0x2) "usnjsvc"=3 (0x3) "IDriverT"=3 (0x3) "Pml Driver HPZ12"=3 (0x3) "gusvc"=3 (0x3) "RasMan"=3 (0x3) "SwPrv"=3 (0x3) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\WINDOWS\\system32\\lxcgcoms.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcgpswx.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\rtcshare.exe"= "c:\\Program Files\\Azureus\\Azureus.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Qameleon\\QViewPlus\\QViewPlus.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "135:TCP"= 135:TCP:TCP Port 135 "5000:TCP"= 5000:TCP:TCP Port 5000 "5001:TCP"= 5001:TCP:TCP Port 5001 "5002:TCP"= 5002:TCP:TCP Port 5002 "5003:TCP"= 5003:TCP:TCP Port 5003 "5004:TCP"= 5004:TCP:TCP Port 5004 "5005:TCP"= 5005:TCP:TCP Port 5005 "5006:TCP"= 5006:TCP:TCP Port 5006 "5007:TCP"= 5007:TCP:TCP Port 5007 "5008:TCP"= 5008:TCP:TCP Port 5008 "5009:TCP"= 5009:TCP:TCP Port 5009 "5010:TCP"= 5010:TCP:TCP Port 5010 "5011:TCP"= 5011:TCP:TCP Port 5011 "5012:TCP"= 5012:TCP:TCP Port 5012 "5013:TCP"= 5013:TCP:TCP Port 5013 "5014:TCP"= 5014:TCP:TCP Port 5014 "5015:TCP"= 5015:TCP:TCP Port 5015 "5016:TCP"= 5016:TCP:TCP Port 5016 "5017:TCP"= 5017:TCP:TCP Port 5017 "5018:TCP"= 5018:TCP:TCP Port 5018 "5019:TCP"= 
5019:TCP:TCP Port 5019 "5020:TCP"= 5020:TCP:TCP Port 5020 "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [29/08/2009 8:34 AM 28544] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [28/08/2009 11:30 AM 102448] S3 EraserUtilDrv10821;EraserUtilDrv10821; [x] S3 P0230BBK;Creative PC-CAM 750 (Still Image);c:\windows\system32\DRIVERS\P0230bbk.sys --> c:\windows\system32\DRIVERS\P0230bbk.sys [?] S3 P0230BVD;Creative PC-CAM 750 (Video);c:\windows\system32\DRIVERS\P0230bVd.sys --> c:\windows\system32\DRIVERS\P0230bVd.sys [?] S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [27/09/2006 9:33 PM 116464] S3 SQLAgent$VALMATIC8;SQLAgent$VALMATIC8;c:\program files\Microsoft SQL Server\MSSQL$VALMATIC8\Binn\sqlagent.EXE -i VALMATIC8 --> c:\program files\Microsoft SQL Server\MSSQL$VALMATIC8\Binn\sqlagent.EXE -i VALMATIC8 [?] S4 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [03/05/2008 7:08 PM 29744] S4 MSSQL$VALMATIC8;MSSQL$VALMATIC8;c:\program files\Microsoft SQL Server\MSSQL$VALMATIC8\Binn\sqlservr.exe -sVALMATIC8 --> c:\program files\Microsoft SQL Server\MSSQL$VALMATIC8\Binn\sqlservr.exe -sVALMATIC8 [?] S4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [19/02/2008 2:15 AM 106496] --- Other Services/Drivers In Memory --- *Deregistered* - EraserUtilDrv10910 [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . 
Contents of the 'Scheduled Tasks' folder 2009-08-30 c:\windows\Tasks\HP Usg Daily.job - c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2006-12-23 04:55] . . ------- Supplementary Scan ------- . uStart Page = about:blank uLocal Page = mStart Page = about:blank IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Djordje\Application Data\Mozilla\Firefox\Profiles\yg7pgu13.default\ FF - prefs.js: browser.startup.homepage - about:blank FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - 
pref("media.autoplay.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\Mozilla 
Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\Mozilla 
Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); . . ------- File Associations ------- . inifile=%SystemRoot%\System32\NOTEPAD.EXE %1" . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-30 20:04 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(728) c:\windows\system32\Ati2evxx.dll c:\windows\System32\BCMLogon.dll - - - - - - - > 'explorer.exe'(3848) c:\windows\system32\WININET.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe c:\windows\system32\WLTRYSVC.EXE c:\windows\system32\BCMWLTRY.EXE c:\progra~1\MICROS~3\rapimgr.exe c:\program files\Dell\QuickSet\NicConfigSvc.exe c:\windows\system32\searchindexer.exe c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\program files\Adobe\Reader 8.0\Reader\AcroRd32.exe . 
************************************************************************** . Completion time: 2009-08-31 20:17 - machine was rebooted ComboFix-quarantined-files.txt 2009-08-31 00:17 Pre-Run: 15,776,403,456 bytes free Post-Run: 15,577,014,272 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 345 --- E O F --- 2009-08-26 19:51
  6. Log file is located at: C:\Documents and Settings\Djordje\Desktop\Win32kDiag.txt WARNING: Could not get backup privileges! Searching 'C:\WINDOWS'... Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BCMCommon\BCMCommon Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BCMRes\BCMRes Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BusinessLayer\BusinessLayer Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Iris.DataDictionary\Iris.DataDictionary Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Iris.Mapi.MessageStore\Iris.Mapi.MessageStore Mount point destination : \Device\__max++>\^ Found mount point : 
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.BusinessSolutions.eCRM.OutlookAddIn\Microsoft.BusinessSolutions.eCRM.OutlookAddIn Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.BusinessSolutions.eCRM.OutlookAddIn.CSUtils\Microsoft.BusinessSolutions.eCRM.OutlookAddIn.CSUtils Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.eCRM.Office\Microsoft.eCRM.Office Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.eCRM.stdole\Microsoft.eCRM.stdole Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.eCRM.msforms\Microsoft.Interop.eCRM.msforms Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.eCRM.Outlook\Microsoft.Interop.eCRM.Outlook Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.eCRM.OutlookViewCtl\Microsoft.Interop.eCRM.OutlookViewCtl Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.Mapi.Impl\Microsoft.Interop.Mapi.Impl Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.Mapi.Interfaces\Microsoft.Interop.Mapi.Interfaces Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10A.tmp\ZAP10A.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F7.tmp\ZAP1F7.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F9.tmp\ZAP1F9.tmp Mount point destination : \Device\__max++>\^ Found 
mount point : C:\WINDOWS\assembly\temp\temp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\tmp\tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Config\Config Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Debug\UserMode\UserMode Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Downloaded Program Files\CONFLICT.1\CONFLICT.1 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ftpcache\ftpcache Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\chsime\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imejp\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imejp98\imejp98 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\shared\res\res Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109010090400000000000F01FEC\12.0.4518\12.0.4518 Mount point destination : \Device\__max++>\^ 
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.6425\12.0.6425 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.6425\12.0.6425 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\java\classes\classes Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\java\trustlib\trustlib Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\msapps\msinfo\msinfo Mount point 
destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\mui\mui Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\PIF\PIF Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\Download\64cc77a1a7652da2d7ace79940460770\backup\backup Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\Download\82c738ec00f0f07f8ea182bc95439593\backup\backup Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\Download\8a43415b80a3070aa22efa6c72b3f657\backup\backup Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b86b6a4fb33f1418ba334c3807fa2a23\backup\backup Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\ScanFile\ScanFile Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment 
Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1025\1025 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1028\1028 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1031\1031 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1037\1037 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1041\1041 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1042\1042 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1054\1054 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\2052\2052 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\3076\3076 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ACE\ACE Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B} Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-3605528693-2071937770-1032885014-1003\S-1-5-21-3605528693-2071937770-1032885014-1003 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application 
Data\Microsoft\Crypto\RSA\S-1-5-21-3605528693-2071937770-1032885014-1003\S-1-5-21-3605528693-2071937770-1032885014-1003
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\dumprep.exe
[1] 2004-08-04 06:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 62976 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\system32\export\export
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\fas\fas
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\hex\hex
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\sample\sample
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\s2\s2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\sX3i19\sX3i19
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\TX\TX
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\mof\good\good
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wins\wins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\xircom\xircom
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\twain_32\Creative\PD0230b\PD0230b
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Finished!
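The Win32kDiag output above shows three things a responder would want to pick out automatically: every reparse point it found resolves to `\Device\__max++>\^` instead of a normal volume path, every one of those reparse points is named after its own parent directory (`...\Temp\Temp`, `...\dhcp\dhcp`), and the in-use copies of dumprep.exe and eventlog.dll in system32 carry no vendor string, with eventlog.dll at 62976 bytes against the 55808 and 56320 of the backup copies. The Python below is an added triage script, not part of this thread and not part of Win32kDiag, that applies exactly those checks to a constructed excerpt of such a log. The rule that legitimate reparse targets begin with `\??\`, and the benign junction `C:\Junctions\Example` used for contrast, are assumptions of the example.

```python
"""Triage a Win32kDiag-style log: flag reparse points with abnormal targets or
self-named directories, and system files whose in-use copy differs from the
backup copies the tool lists beside it."""
import re
from dataclasses import dataclass

# Constructed excerpt in the style of the log above. The first junction is a
# made-up benign entry for contrast; the remaining lines mirror the thread's log.
SAMPLE_LOG = """\
Found mount point : C:\\Junctions\\Example
Mount point destination : \\??\\D:\\Shared
Found mount point : C:\\WINDOWS\\system32\\config\\systemprofile\\Local Settings\\Temp\\Temp
Mount point destination : \\Device\\__max++>\\^
Found mount point : C:\\WINDOWS\\system32\\dhcp\\dhcp
Mount point destination : \\Device\\__max++>\\^
Cannot access: C:\\WINDOWS\\system32\\dumprep.exe
[1] 2004-08-04 06:00:00 10752 C:\\WINDOWS\\$NtServicePackUninstall$\\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\\WINDOWS\\ServicePackFiles\\i386\\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\\WINDOWS\\system32\\dumprep.exe ()
Cannot access: C:\\WINDOWS\\system32\\eventlog.dll
[1] 2004-08-04 06:00:00 55808 C:\\WINDOWS\\$NtServicePackUninstall$\\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\\WINDOWS\\ServicePackFiles\\i386\\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 62976 C:\\WINDOWS\\system32\\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\\WINDOWS\\system32\\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] date time size path (vendor)"; the vendor field may be empty.
FILE_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")

# Assumption: junctions and volume mount points created by normal tooling
# target an NT object path under \??\ (drive letter or Volume{GUID}).
LEGIT_TARGET_PREFIX = "\\??\\"


@dataclass
class Finding:
    kind: str    # "mount_point" or "system_file"
    path: str
    detail: str


def parse_log(text):
    """Return (mounts, inaccessible): mounts is a list of (junction, target);
    inaccessible maps each blocked file to the (size, path, vendor) copies
    the tool listed under it."""
    mounts, inaccessible = [], {}
    pending_mount = current_file = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            pending_mount = m.group(1)
        elif m := DEST_RE.match(line):
            if pending_mount is not None:
                mounts.append((pending_mount, m.group(1)))
                pending_mount = None
        elif m := CANNOT_RE.match(line):
            current_file = m.group(1)
            inaccessible[current_file] = []
        elif (m := FILE_RE.match(line)) and current_file is not None:
            inaccessible[current_file].append((int(m.group(3)), m.group(4), m.group(5)))
    return mounts, inaccessible


def triage(text):
    """Apply the three heuristics and return a list of Finding."""
    mounts, inaccessible = parse_log(text)
    findings = []
    for path, dest in mounts:
        reasons = []
        if not dest.startswith(LEGIT_TARGET_PREFIX):
            reasons.append(f"target outside \\??\\: {dest}")
        parts = path.split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("junction name repeats its parent directory")
        if reasons:
            findings.append(Finding("mount_point", path, "; ".join(reasons)))
    for blocked, copies in inaccessible.items():
        base = blocked.rsplit("\\", 1)[-1].lower()
        live = [c for c in copies if c[1].lower() == blocked.lower()]
        backups = [c for c in copies
                   if c[1].lower() != blocked.lower() and c[1].lower().endswith("\\" + base)]
        if not live:
            continue
        size, _, vendor = live[0]
        reasons = []
        if not vendor:
            reasons.append("in-use copy has no vendor string")
        backup_sizes = sorted({b[0] for b in backups})
        if backup_sizes and size not in backup_sizes:
            reasons.append(f"size differs from backup copies ({size} vs {backup_sizes})")
        if reasons:
            findings.append(Finding("system_file", blocked, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:12} {f.path}\n             {f.detail}")
```

Run against the constructed excerpt, the benign junction produces nothing, both `\Device\__max++>\^` reparse points are flagged on two counts each, dumprep.exe is flagged only for the missing vendor string, and eventlog.dll for both the vendor string and the 62976-byte size.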
7. I have been following your site for several months and now I may actually need your expertise. My problem seems to be very popular at the moment, albeit slightly different, with the following symptoms:
- Running Windows XP Home, Norton Corporate Edition, Mozilla Firefox
- I could not close an unexpected pop-up close enough and it seems to have attacked and disabled my Norton AV
- Since then, only certain .exe files cannot be run, and new programs cannot be installed.
- I cannot run the following, without them either crashing or giving the "windows cannot access the specified....you may not have the appropriate permissions...": HijackThis, MBAM, Spybot, Norton
- Other programs such as MSOffice, etc., run fine.
- Firefox and IE often redirect to random search sites, and some links cannot open, unless you directly paste them
- I have deleted several files that started with UAC, msb.exe, b.exe, etc.
- Cannot boot into safe mode - blue screen
- The only thing I was able to do was run a couple of online scans, e.g. Kaspersky, but they did not find anything else
- The win32kdiag.exe log is posted in the following post.
What should I do, and is there a place to donate via Paypal if you help me fix this problem? Regards, Asterix