pmora
Members-
Posts
10 -
Joined
-
Last visited
Reputation
0 Neutral-
MBAM shuts down when I run it and wont run again
pmora replied to pmora's topic in Resolved Malware Removal Logs
Computer seems to be running fine to me. I don't see any signs of infection. All my exes work, and I'm not getting redirects anymore. -
MBAM shuts down when I run it and wont run again
pmora replied to pmora's topic in Resolved Malware Removal Logs
DDS (Ver_09-09-29.01) - NTFSx86 Run by morapj6 at 10:56:44.54 on Sun 10/04/2009 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.358 [GMT -4:00] AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch C:\WINDOWS\system32\svchost -k rpcss c:\Program Files\Microsoft Security Essentials\MsMpEng.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe -k NetworkService C:\WINDOWS\system32\svchost.exe -k LocalService C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\stsystra.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\System32\SCardSvr.exe C:\Program Files\Microsoft Security Essentials\msseces.exe C:\WINDOWS\system32\svchost.exe -k LocalService C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Apoint\HidFind.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Apoint\Apntex.exe c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\WebUpdateSvc4.exe C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe C:\WINDOWS\System32\alg.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe c:\program files\common files\installshield\updateservice\isuspm.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe C:\WINDOWS\system32\wscntfy.exe C:\Documents and Settings\Administrator\Desktop\dds.scr C:\WINDOWS\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uStart Page = hxxp://law.wfu.edu/ uInternet Connection Wizard,ShellNext = hxxp://law.wfu.edu/ BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [igfxtray] c:\windows\system32\igfxtray.exe mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe mRun: [igfxpers] c:\windows\system32\igfxpers.exe mRun: [Apoint] c:\program files\apoint\Apoint.exe mRun: [sigmatelSysTrayApp] stsystra.exe mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe" mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe" mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe mPolicies-system: AllowMultipleTSSessions = 1 (0x1) mPolicies-system: HideFastUserSwitching = 0 (0x0) IE: &Search - ?p=ZRfox000 IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153323251440 DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab Notify: igfxcui - igfxdev.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\jz1r33jx.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} ============= SERVICES / DRIVERS =============== R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [2006-7-18 218112] R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\AAC.SYS [2006-7-18 48140] R0 aarich;aarich;c:\windows\system32\drivers\AARICH.SYS [2006-7-18 204800] R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\MEGASAS.SYS [2006-7-18 17664] R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664] R2 SSIRuntimeService;SSIRuntimeService;c:\program files\software secure, inc\ssiruntimeservice\SSIRuntimeService.exe [2007-10-4 45056] R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2007-5-18 229856] S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?] =============== Created Last 30 ================ 2009-10-02 13:17 10,752 a------- c:\windows\system32\PSS108E8.DLL 2009-10-02 12:14 3,153,920 a------- c:\windows\system32\secsetup.sdb 2009-10-02 11:55 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2 2009-10-01 15:46 274,288 a------- c:\windows\system32\mucltui.dll 2009-10-01 15:46 215,920 a------- c:\windows\system32\muweb.dll 2009-10-01 15:46 16,736 a------- c:\windows\system32\mucltui.dll.mui 2009-10-01 14:29 55,656 a------- c:\windows\system32\drivers\avgntflt.sys 2009-10-01 11:45 195,440 -------- c:\windows\system32\MpSigStub.exe 2009-10-01 11:39 <DIR> --d----- c:\program files\Microsoft Security Essentials 2009-09-29 21:18 411,368 a------- c:\windows\system32\deploytk.dll 2009-09-29 21:18 73,728 a------- c:\windows\system32\javacpl.cpl 2009-09-29 20:43 <DIR> --d----- c:\program files\CCleaner 2009-09-29 20:29 <DIR> --d----- c:\windows\system32\appmgmt 2009-09-28 21:40 <DIR> --d----- c:\program files\ESET 2009-09-28 21:18 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-28 21:18 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-09-28 19:32 <DIR> --d----- c:\program files\Trend Micro 2009-09-28 19:09 <DIR> a-dshr-- C:\cmdcons 2009-09-28 19:08 229,888 a------- c:\windows\PEV.exe 2009-09-28 19:08 161,792 a------- c:\windows\SWREG.exe 2009-09-28 19:08 98,816 a------- c:\windows\sed.exe 2009-09-21 21:11 <DIR> --d----- c:\program files\Deep System Explorer 2009-09-21 13:46 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-09-21 10:04 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes 2009-09-21 10:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-09-19 23:30 <DIR> --dsh--- c:\documents and settings\administrator\PrivacIE 2009-09-08 19:51 153,088 -c------ c:\windows\system32\dllcache\triedit.dll ==================== Find3M ==================== 2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll 2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll 2009-07-12 13:21 233,472 a------- c:\windows\system32\wmpdxm.dll 2007-10-04 13:26 2,244,608 a------- c:\program files\SecurexamStudent.exe 2008-07-28 15:59 952 a--sh--- c:\windows\system32\KGyGaAvL.sys ============= FINISH: 10:57:59.39 =============== UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_09-09-29.01) Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume2 Install Date: 7/19/2006 10:48:51 AM System Uptime: 10/3/2009 10:58:21 AM (24 hours ago) Motherboard: Dell Inc. | | 0UF597 Processor: Genuine Intel® CPU U1300 @ 1.06GHz | Microprocessor | 1063/133mhz ==== Disk Partitions ========================= C: is FIXED (NTFS) - 56 GiB total, 42.907 GiB free. ==== Disabled Device Manager Items ============= Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: Cisco Systems VPN Adapter Device ID: ROOT\NET\0000 Manufacturer: Cisco Systems Name: Cisco Systems VPN Adapter PNP Device ID: ROOT\NET\0000 Service: CVirtA ==== System Restore Points =================== RP1: 9/28/2009 7:18:33 PM - System Checkpoint RP2: 9/28/2009 7:57:06 PM - System Checkpoint RP3: 9/29/2009 8:29:10 PM - Removed J2SE Runtime Environment 5.0 Update 7 RP4: 9/29/2009 9:17:25 PM - Installed Java 6 Update 16 RP5: 10/1/2009 11:27:15 AM - Removed Symantec AntiVirus RP6: 10/1/2009 11:44:59 AM - Software Distribution Service 3.0 RP7: 10/1/2009 1:32:26 PM - Software Distribution Service 3.0 RP8: 10/1/2009 1:54:15 PM - Software Distribution Service 3.0 RP9: 10/1/2009 2:27:44 PM - Avira AntiVir Personal - 10/1/2009 13:27 RP10: 10/1/2009 3:09:27 PM - Avira AntiVir Personal - 10/1/2009 14:09 RP11: 10/1/2009 3:14:38 PM - Installed Windows XP WgaNotify. RP12: 10/1/2009 3:17:24 PM - Software Distribution Service 3.0 RP13: 10/2/2009 11:43:44 AM - Software Distribution Service 3.0 RP14: 10/2/2009 12:14:06 PM - Installed Microsoft Fix it 50198 RP15: 10/2/2009 1:13:25 PM - Software Distribution Service 3.0 ==== Installed Programs ====================== -
MBAM shuts down when I run it and wont run again
pmora replied to pmora's topic in Resolved Malware Removal Logs
I followed your instructions and here is the combofix log. ComboFix 09-10-01.05 - morapj6 10/02/2009 11:35.4.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.558 [GMT -5:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF} . The following files were disabled during the run: c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL ((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 ))))))))))))))))))))))))))))))) . 2009-10-02 15:55 . 2009-10-02 15:55 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2 2009-10-01 19:46 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll 2009-10-01 19:46 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll 2009-10-01 18:29 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-10-01 15:45 . 2009-08-20 22:51 195440 ------w- c:\windows\system32\MpSigStub.exe 2009-10-01 15:39 . 2009-10-01 19:16 -------- d-----w- c:\program files\Microsoft Security Essentials 2009-09-30 01:25 . 2009-09-30 01:25 -------- d-----w- c:\windows\Sun 2009-09-30 01:18 . 2009-09-30 01:17 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-09-30 01:17 . 2009-09-30 01:17 -------- d-----w- c:\program files\Java 2009-09-30 00:43 . 2009-09-30 00:43 -------- d-----w- c:\program files\CCleaner 2009-09-29 01:40 . 2009-09-29 01:40 -------- d-----w- c:\program files\ESET 2009-09-29 01:18 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-29 01:18 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-09-28 23:32 . 2009-09-28 23:32 -------- d-----w- c:\program files\Trend Micro 2009-09-22 01:11 . 2009-09-22 01:11 -------- d-----w- c:\program files\Deep System Explorer 2009-09-21 17:46 . 2009-09-29 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-09-21 14:04 . 2009-09-21 14:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-09-21 14:04 . 2009-09-21 14:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-09-20 03:30 . 2009-09-20 03:30 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE 2009-09-08 23:51 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-10-02 16:08 . 2006-07-18 12:42 77592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-10-01 15:28 . 2006-07-19 16:41 -------- d-----w- c:\program files\Symantec AntiVirus 2009-09-29 22:55 . 2008-06-07 18:35 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-09-29 22:55 . 2008-06-07 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-08-25 15:06 . 2009-08-25 15:06 -------- d-----w- c:\program files\MSBuild 2009-08-25 15:06 . 2009-08-25 15:06 -------- d-----w- c:\program files\Reference Assemblies 2009-08-07 00:24 . 2004-12-05 21:52 327896 ----a-w- c:\windows\system32\wucltui.dll 2009-08-07 00:24 . 2004-12-05 21:52 209632 ----a-w- c:\windows\system32\wuweb.dll 2009-08-07 00:24 . 2006-07-19 15:34 44768 ----a-w- c:\windows\system32\wups2.dll 2009-08-07 00:24 . 2004-12-05 21:52 35552 ----a-w- c:\windows\system32\wups.dll 2009-08-07 00:24 . 2004-12-05 21:52 53472 ----a-w- c:\windows\system32\wuauclt.exe 2009-08-07 00:24 . 2004-12-05 22:41 96480 ----a-w- c:\windows\system32\cdm.dll 2009-08-07 00:23 . 2004-12-05 21:52 575704 ----a-w- c:\windows\system32\wuapi.dll 2009-08-07 00:23 . 2004-12-05 21:52 1929952 ----a-w- c:\windows\system32\wuaueng.dll 2009-08-05 09:01 . 2004-12-05 22:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-17 19:01 . 2004-12-05 22:41 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-12 17:21 . 2004-12-05 22:44 233472 ----a-w- c:\windows\system32\wmpdxm.dll 2007-10-04 17:26 . 2007-10-04 17:26 2244608 ----a-w- c:\program files\SecurexamStudent.exe 2008-07-28 19:59 . 2006-07-19 16:30 952 --sha-w- c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( SnapShot@2009-09-28_23.22.23 ))))))))))))))))))))))))))))))))))))))))) . + 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll + 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll + 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll + 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll + 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll + 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll + 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll + 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll + 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll + 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll + 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll + 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll + 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll + 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll + 2006-07-18 12:50 . 2007-04-09 18:23 46472 c:\windows\system32\spool\drivers\w32x86\mdiui.dll + 2006-07-18 12:50 . 2007-04-09 18:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll + 2009-09-30 22:51 . 2009-08-07 00:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll + 2009-09-30 22:51 . 2009-08-07 00:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll + 2004-12-05 22:43 . 2009-09-29 23:19 72306 c:\windows\system32\perfc009.dat - 2004-12-05 22:43 . 2009-09-23 19:18 72306 c:\windows\system32\perfc009.dat + 2007-03-23 00:17 . 2007-03-23 00:17 35440 c:\windows\system32\FM20ENU.DLL + 2004-12-05 21:52 . 2009-08-07 00:24 35552 c:\windows\system32\dllcache\wups.dll + 2004-12-05 21:52 . 2009-08-07 00:24 53472 c:\windows\system32\dllcache\wuauclt.exe + 2004-12-05 22:41 . 2009-08-07 00:24 96480 c:\windows\system32\dllcache\cdm.dll - 2006-07-18 12:50 . 2006-08-10 19:02 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe + 2006-07-18 12:50 . 2009-10-02 16:03 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe - 2006-07-18 12:50 . 2006-08-10 19:02 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe + 2006-07-18 12:50 . 2009-10-02 16:03 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe + 2006-07-18 12:50 . 2009-10-02 16:03 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe - 2006-07-18 12:50 . 2006-08-10 19:02 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe + 2006-07-18 12:50 . 2009-10-02 16:03 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe - 2006-07-18 12:50 . 2006-08-10 19:02 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe - 2006-07-18 12:50 . 2006-08-10 19:02 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe + 2006-07-18 12:50 . 2009-10-02 16:03 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe + 2006-07-18 12:50 . 2009-10-02 16:03 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe - 2006-07-18 12:50 . 2006-08-10 19:02 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe + 2007-03-23 00:07 . 2007-03-23 00:07 78168 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\RM.DLL + 2007-03-23 00:07 . 2007-03-23 00:07 41824 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\RECALL.DLL + 2007-04-19 18:53 . 2007-04-19 18:53 69984 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OUTLRPC.DLL + 2001-06-05 13:13 . 2001-06-05 13:13 40972 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OCRVC.DAT + 2001-10-23 05:13 . 2001-10-23 05:13 53260 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OCRHC.DAT + 2001-06-05 13:13 . 2001-06-05 13:13 65536 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\LOOKUP.DAT + 2001-06-05 13:13 . 2001-06-05 13:13 18844 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\JFONT.DAT + 2001-06-05 13:13 . 2001-06-05 13:13 34168 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\ENGIDX.DAT + 2007-03-23 00:07 . 2007-03-23 00:07 80224 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\DLGSETP.DLL + 2007-03-23 00:07 . 2007-03-23 00:07 91488 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\ADDRPARS.DLL + 2003-01-17 19:03 . 2003-01-17 19:03 59466 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\XSCAN32.DAT + 2006-07-18 12:49 . 2006-07-18 12:49 64088 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\VBIDEPIA.DLL + 2003-07-15 03:57 . 2003-07-15 03:57 59960 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\UNBIND.EXE + 2002-10-07 14:49 . 2002-10-07 14:49 81983 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TWRECS.DLL + 2003-07-15 03:53 . 2003-07-15 03:53 11848 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\SMARTTAGINSTALL.EXE + 2003-07-15 03:57 . 2003-07-15 03:57 58944 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\SEQCHK10.DLL + 2003-07-15 03:44 . 2003-07-15 03:44 66616 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\SENDTO.DLL + 2002-10-07 14:49 . 2002-10-07 14:49 81984 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\REVERSE.DLL + 2003-07-15 03:57 . 2003-07-15 03:57 40512 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\REFIEBAR.DLL + 2003-05-09 02:54 . 2003-05-09 02:54 77824 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\REFEDIT.DLL + 2003-07-15 03:40 . 2003-07-15 03:40 51256 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PUBTRAP.DLL + 2003-07-15 08:18 . 2003-07-15 08:18 93752 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PP7X32.DLL + 2003-07-15 03:43 . 2003-07-15 03:43 49208 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLWAB.DLL + 2006-07-18 12:49 . 2006-07-18 12:49 35448 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OLCTLPIA.DLL + 2003-07-15 03:56 . 2003-07-15 03:56 13888 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\NPOFFICE.DLL + 2003-07-15 03:57 . 2003-07-15 03:57 56888 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\NAME.DLL + 2006-07-18 12:49 . 2006-07-18 12:49 20080 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSTAGPIA.DLL + 2003-07-15 03:52 . 2003-07-15 03:52 41528 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSSH.DLL + 2003-06-18 22:31 . 2003-06-18 22:31 16384 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSPGIMME.DLL + 2003-07-15 03:45 . 2003-07-15 03:45 39488 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOXMLMF.DLL + 2003-07-15 03:45 . 2003-07-15 03:45 55360 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOXMLED.EXE + 2003-07-15 03:46 . 2003-07-15 03:46 42040 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOXEV.DLL + 2003-07-15 03:53 . 2003-07-15 03:53 39488 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOSVFBR.DLL + 2003-07-15 03:53 . 2003-07-15 03:53 55872 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOSVABW.DLL + 2003-07-15 03:52 . 2003-07-15 03:52 35896 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOSV.DLL + 2003-07-15 03:52 . 2003-07-15 03:52 28224 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOSTYLE.DLL + 2003-07-15 03:56 . 2003-07-15 03:56 54328 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOMSE.DLL + 2003-07-15 03:52 . 2003-07-15 03:52 55360 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOHTMED.EXE + 2003-07-15 03:44 . 2003-07-15 03:44 25144 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOEURO.DLL + 2003-07-15 03:52 . 2003-07-15 03:52 27704 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSODCW.DLL + 2003-07-15 03:52 . 2003-07-15 03:52 17464 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSMH.DLL + 2003-07-15 03:51 . 2003-07-15 03:51 87104 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSENCODE.DLL + 2003-07-15 03:56 . 2003-07-15 03:56 40504 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSE7.EXE + 2003-07-15 04:12 . 2003-07-15 04:12 47872 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSB1XTOR.DLL + 2003-07-15 03:45 . 2003-07-15 03:45 58944 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\INLAUNCH.DLL + 2003-07-15 03:41 . 2003-07-15 03:41 13368 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FINDER.EXE + 2003-07-15 03:57 . 2003-07-15 03:57 98360 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\DSSM.EXE + 2003-07-15 03:56 . 2003-07-15 03:56 14904 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\DSITF.DLL + 2003-07-15 03:53 . 2003-07-15 03:53 46144 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\BLNMGRPS.DLL + 2003-07-15 03:53 . 2003-07-15 03:53 94768 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\AW.DLL + 2003-07-15 03:57 . 2003-07-15 03:57 38968 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\AUTHZAX.DLL + 2009-10-02 15:47 . 2009-10-02 15:47 66936 c:\windows\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll + 2009-10-02 15:48 . 2009-10-02 15:48 22928 c:\windows\assembly\GAC\Microsoft.Office.Interop.SmartTag\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.SmartTag.dll + 2009-10-02 15:48 . 2009-10-02 15:48 38304 c:\windows\assembly\GAC\Microsoft.Office.Interop.OutlookViewCtl\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.OutlookViewCtl.dll + 2009-10-02 15:49 . 2009-10-02 15:49 91488 c:\windows\assembly\GAC\Microsoft.Office.Interop.InfoPath.Xml\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.InfoPath.Xml.dll + 2006-07-18 12:50 . 2009-10-02 16:03 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe - 2006-07-18 12:50 . 2006-08-10 19:02 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe + 2003-06-18 22:31 . 2003-06-18 22:31 6144 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OCRPS.DLL + 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll + 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll + 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll + 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll + 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll + 2006-06-19 20:19 . 2009-03-11 03:18 934792 c:\windows\system32\WgaTray.exe + 2006-06-19 20:20 . 2009-03-11 03:18 239496 c:\windows\system32\WgaLogon.dll + 2006-07-18 12:50 . 2007-04-09 18:24 758664 c:\windows\system32\spool\drivers\w32x86\mdigraph.dll + 2006-07-18 12:50 . 2007-04-09 18:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll - 2004-12-05 22:43 . 2009-09-23 19:18 444596 c:\windows\system32\perfh009.dat + 2004-12-05 22:43 . 2009-09-29 23:19 444596 c:\windows\system32\perfh009.dat + 2009-09-30 01:18 . 2009-09-30 01:17 149280 c:\windows\system32\javaws.exe + 2009-09-30 01:18 . 2009-09-30 01:17 145184 c:\windows\system32\javaw.exe + 2009-09-30 01:18 . 2009-09-30 01:17 145184 c:\windows\system32\java.exe - 2004-12-05 15:47 . 2009-08-25 15:24 282928 c:\windows\system32\FNTCACHE.DAT + 2004-12-05 15:47 . 2009-10-02 16:05 282928 c:\windows\system32\FNTCACHE.DAT + 2009-06-18 23:48 . 2009-06-18 23:48 142832 c:\windows\system32\drivers\MpFilter.sys + 2004-12-05 21:52 . 2009-08-07 00:24 209632 c:\windows\system32\dllcache\wuweb.dll + 2004-12-05 21:52 . 2009-08-07 00:24 327896 c:\windows\system32\dllcache\wucltui.dll + 2004-12-05 21:52 . 2009-08-07 00:23 575704 c:\windows\system32\dllcache\wuapi.dll + 2006-06-19 20:19 . 2009-03-11 03:18 934792 c:\windows\system32\dllcache\WgaTray.exe + 2006-06-19 20:20 . 2009-03-11 03:18 239496 c:\windows\system32\dllcache\wgaLogon.dll + 2009-10-01 18:27 . 2009-10-01 18:27 228352 c:\windows\Installer\9d48e8.msi + 2009-10-01 19:16 . 2009-10-01 19:16 259072 c:\windows\Installer\48ece.msi + 2009-10-01 19:16 . 2009-10-01 19:16 211968 c:\windows\Installer\48ec9.msi + 2009-10-01 19:16 . 2009-10-01 19:16 301056 c:\windows\Installer\48ec4.msi + 2009-10-02 15:55 . 2009-10-02 15:55 470528 c:\windows\Installer\46853ef.msi + 2008-06-11 19:02 . 2008-06-11 19:02 830464 c:\windows\Installer\4685203.msp + 2008-07-28 19:59 . 2008-07-28 19:59 180736 c:\windows\Installer\46851ea.msp + 2009-10-02 15:44 . 2009-10-02 15:44 195584 c:\windows\Installer\46851d6.msi + 2006-07-18 12:50 . 2009-10-02 16:03 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe - 2006-07-18 12:50 . 2006-08-10 19:02 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe + 2006-07-18 12:50 . 2009-10-02 16:03 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe - 2006-07-18 12:50 . 2006-08-10 19:02 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe - 2006-07-18 12:50 . 2006-08-10 19:02 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe + 2006-07-18 12:50 . 2009-10-02 16:03 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe - 2006-07-18 12:50 . 2006-08-10 19:02 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe + 2006-07-18 12:50 . 2009-10-02 16:03 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe - 2006-07-18 12:50 . 2006-08-10 19:02 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe + 2006-07-18 12:50 . 2009-10-02 16:03 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe + 2006-07-18 12:50 . 2009-10-02 16:03 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe - 2006-07-18 12:50 . 2006-08-10 19:02 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe + 2007-03-23 00:22 . 2007-03-23 00:22 103264 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\TRANSMGR.DLL + 2007-05-10 18:34 . 2007-05-10 18:34 562528 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PUBCONV.DLL + 2007-05-31 18:36 . 2007-05-31 18:36 612184 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PTXT9.DLL + 2007-05-31 18:35 . 2007-05-31 18:35 133976 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PRTF9.DLL + 2007-04-19 18:53 . 2007-04-19 18:53 149856 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OUTLPH.DLL + 2007-05-31 18:42 . 2007-05-31 18:42 200032 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OUTLOOK.EXE + 2007-04-19 18:53 . 2007-04-19 18:53 106336 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OUTLMIME.DLL + 2005-05-04 07:06 . 2005-05-04 07:06 199408 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MSMDUN80.DLL + 2005-05-04 07:06 . 2005-05-04 07:06 465640 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MSDMENG.DLL + 2007-04-19 18:54 . 2007-04-19 18:54 183136 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MIMEDIR.DLL + 2007-04-19 18:53 . 2007-04-19 18:53 127328 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\IMPMAIL.DLL + 2007-04-19 19:09 . 2007-04-19 19:09 167256 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\IETAG.DLL + 2007-04-19 18:53 . 2007-04-19 18:53 137568 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\ENVELOPE.DLL + 2001-06-05 13:13 . 2001-06-05 13:13 289926 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\ENGDIC.DAT + 2006-07-18 12:49 . 2006-07-18 12:49 662120 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\WORDPIA.DLL + 2002-10-07 14:51 . 2002-10-07 14:51 221252 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TWSTRUCT.DLL + 2002-10-07 14:50 . 2002-10-07 14:50 118847 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TWRECE.DLL + 2002-10-07 14:51 . 2002-10-07 14:51 102467 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TWORIENT.DLL + 2002-10-07 14:51 . 2002-10-07 14:51 147520 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TWLAY32.DLL + 2002-10-07 14:51 . 2002-10-07 14:51 180289 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TWCUTLIN.DLL + 2002-10-07 14:50 . 2002-10-07 14:50 241729 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TWCUTCHR.DLL + 2002-10-07 14:53 . 2002-10-07 14:53 106561 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\THOCRAPI.DLL + 2003-07-15 03:57 . 2003-07-15 03:57 349248 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\SELFCERT.EXE + 2003-07-21 16:46 . 2003-07-21 16:46 390712 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\RTFHTML.DLL + 2006-07-18 12:49 . 2006-07-18 12:49 211568 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PUBPIA.DLL + 2002-10-07 15:11 . 2002-10-07 15:11 167997 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PSOM.DLL + 2006-07-18 12:49 . 2006-07-18 12:49 223856 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PPTPIA.DLL + 2006-07-18 12:49 . 2006-07-18 12:49 461416 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OWC11PIA.DLL + 2006-07-18 12:49 . 2006-07-18 12:49 408176 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLPIA.DLL + 2003-07-15 03:44 . 2003-07-15 03:44 102968 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLCTL.DLL + 2003-07-15 08:14 . 2003-07-15 08:14 242240 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OISGRAPH.DLL + 2006-07-18 12:49 . 2006-07-18 12:49 223800 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OFFICE.DLL + 2003-07-15 04:00 . 2003-07-15 04:00 145984 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSWEBCAP.DLL + 2003-07-15 04:02 . 2003-07-15 04:02 637496 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSQRY32.EXE + 2003-06-19 21:05 . 2003-06-19 21:05 364648 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSPVIEW.EXE + 2003-06-19 21:05 . 2003-06-19 21:05 128104 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSPSCAN.EXE + 2003-06-18 22:31 . 2003-06-18 22:31 788480 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSPFILT.DLL + 2003-07-15 08:18 . 2003-07-15 08:18 376888 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSORUN.DLL + 2003-07-15 03:57 . 2003-07-15 03:57 120888 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOAUTH.DLL + 2003-07-15 03:57 . 2003-07-15 03:57 124480 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSB1CORE.DLL + 2003-07-15 03:46 . 2003-07-15 03:46 176696 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MIMEDIR.DLL + 2003-06-18 22:31 . 2003-06-18 22:31 252928 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MDIINK.DLL + 2006-07-18 12:49 . 2006-07-18 12:49 141928 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\GRAPHPIA.DLL + 2003-07-15 03:40 . 2003-07-15 03:40 165944 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FPLACE.DLL + 2003-07-15 03:40 . 2003-07-15 03:40 179768 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FPERSON.DLL + 2006-07-18 12:49 . 2006-07-18 12:49 371296 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FORMSPIA.DLL + 2002-10-07 14:49 . 2002-10-07 14:49 192573 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FORM.DLL + 2006-07-18 12:49 . 2006-07-18 12:49 997992 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\ACCESS.DLL + 2009-10-02 15:47 . 2009-10-02 15:47 226656 c:\windows\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL + 2009-10-02 15:47 . 2009-10-02 15:47 374152 c:\windows\assembly\GAC\Microsoft.Vbe.Interop.Forms\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.Forms.dll + 2009-10-02 15:48 . 2009-10-02 15:48 664968 c:\windows\assembly\GAC\Microsoft.Office.Interop.Word\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll + 2009-10-02 15:49 . 2009-10-02 15:49 214424 c:\windows\assembly\GAC\Microsoft.Office.Interop.Publisher\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Publisher.dll + 2009-10-02 15:49 . 2009-10-02 15:49 226712 c:\windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll + 2009-10-02 15:48 . 2009-10-02 15:48 464272 c:\windows\assembly\GAC\Microsoft.Office.Interop.Owc11\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Owc11.dll + 2009-10-02 15:48 . 2009-10-02 15:48 411024 c:\windows\assembly\GAC\Microsoft.Office.Interop.Outlook\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Outlook.dll + 2009-10-02 15:49 . 2009-10-02 15:49 103776 c:\windows\assembly\GAC\Microsoft.Office.Interop.InfoPath\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.InfoPath.dll + 2009-10-02 15:47 . 2009-10-02 15:47 144784 c:\windows\assembly\GAC\Microsoft.Office.Interop.Graph\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Graph.dll + 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll + 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll + 2006-05-17 15:23 . 2009-03-11 03:18 1482112 c:\windows\system32\LegitCheckControl.dll + 2007-06-06 15:53 . 2007-06-06 15:53 1195888 c:\windows\system32\FM20.DLL + 2004-12-05 21:52 . 2009-08-07 00:23 1929952 c:\windows\system32\dllcache\wuaueng.dll + 2008-06-11 20:05 . 2008-06-11 20:05 9994240 c:\windows\Installer\4685473.msp + 2009-08-25 19:57 . 2009-08-25 19:57 5518336 c:\windows\Installer\4685430.msp + 2008-04-01 19:33 . 2008-04-01 19:33 5479936 c:\windows\Installer\4685406.msp + 2008-01-31 15:30 . 2008-01-31 15:30 9947648 c:\windows\Installer\46853d4.msp + 2008-01-14 21:53 . 2008-01-14 21:53 5213696 c:\windows\Installer\46853b8.msp + 2008-07-08 16:27 . 2008-07-08 16:27 8436736 c:\windows\Installer\468538f.msp + 2007-11-08 16:42 . 2007-11-08 16:42 4158464 c:\windows\Installer\46851d0.msp + 2009-09-30 01:17 . 2009-09-30 01:17 1757696 c:\windows\Installer\10d268.msi + 2007-05-09 22:19 . 2007-05-09 22:19 2585936 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\VBE6.DLL + 2007-05-31 18:35 . 2007-05-31 18:35 6420320 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\POWERPNT.EXE + 2007-05-31 18:43 . 2007-05-31 18:43 7613280 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OUTLLIB.DLL + 2007-05-10 18:35 . 2007-05-10 18:35 6747480 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MSPUB.EXE + 2005-05-04 07:06 . 2005-05-04 07:06 1411816 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MSDMINE.DLL + 2003-04-30 16:52 . 2003-04-30 16:52 1581120 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\XPAGE3C.DLL + 2002-10-07 15:03 . 2002-10-07 15:03 1794113 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\XIMAGE3B.DLL + 2003-07-15 04:05 . 2003-07-15 04:05 1054264 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OMFC.DLL + 2003-07-11 07:15 . 2003-07-11 07:15 1292872 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSONSEXT.DLL + 2006-07-18 12:49 . 2006-07-18 12:49 1100392 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\EXCELPIA.DLL + 2009-10-02 15:48 . 2009-10-02 15:48 1103248 c:\windows\assembly\GAC\Microsoft.Office.Interop.Excel\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Excel.dll + 2009-10-02 15:46 . 2009-10-02 15:46 1000848 c:\windows\assembly\GAC\Microsoft.Office.Interop.Access\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Access.dll + 2008-08-13 19:49 . 2008-08-13 19:49 11816960 c:\windows\Installer\468545a.msp + 2008-07-30 13:50 . 2008-07-30 13:50 12506112 c:\windows\Installer\4685445.msp + 2008-07-08 15:09 . 2008-07-08 15:09 11887616 c:\windows\Installer\468541b.msp + 2008-06-04 18:29 . 2008-06-04 18:29 16905728 c:\windows\Installer\46853e9.msp + 2008-01-14 20:24 . 2008-01-14 20:24 10721280 c:\windows\Installer\46853a3.msp + 2007-05-31 18:37 . 2007-05-31 18:37 12310368 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\WINWORD.EXE + 2007-06-18 22:16 . 2007-06-18 22:16 12259160 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MSO.DLL + 2007-05-31 18:41 . 2007-05-31 18:41 10352472 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\EXCEL.EXE + 2007-07-27 14:03 . 2007-07-27 14:03 119977472 c:\windows\Installer\468537a.msp . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784] "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-30 149280] "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "AllowMultipleTSSessions"= 1 (0x1) "HideFastUserSwitching"= 0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [7/18/2006 7:51 AM 218112] R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\AAC.SYS [7/18/2006 7:51 AM 48140] R0 aarich;aarich;c:\windows\system32\drivers\AARICH.SYS [7/18/2006 7:51 AM 204800] R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\MEGASAS.SYS [7/18/2006 7:51 AM 17664] R2 SSIRuntimeService;SSIRuntimeService;c:\program files\Software Secure, Inc\SSIRunTimeService\SSIRuntimeService.exe [10/4/2007 12:17 PM 45056] R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [5/18/2007 11:57 AM 229856] S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?] --- Other Services/Drivers In Memory --- *Deregistered* - mchInjDrv [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57] 2009-10-02 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36] . . ------- Supplementary Scan ------- . uStart Page = hxxp://law.wfu.edu/ uInternet Connection Wizard,ShellNext = hxxp://law.wfu.edu/ IE: &Search - ?p=ZRfox000 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jz1r33jx.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHANS REMOVED - - - - Notify-NavLogon - (no file) ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-02 11:40 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv] "ImagePath"="\??\c:\windows\TEMP\mc28.tmp" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3592) c:\windows\system32\WININET.dll c:\windows\system32\webcheck.dll c:\windows\system32\IEFRAME.dll . Completion time: 2009-10-02 11:44 ComboFix-quarantined-files.txt 2009-10-02 16:44 ComboFix2.txt 2009-09-29 23:19 ComboFix3.txt 2009-09-29 01:13 ComboFix4.txt 2009-09-28 23:28 Pre-Run: 46,127,673,344 bytes free Post-Run: 46,226,202,624 bytes free 389 --- E O F --- 2009-10-02 16:03 -
MBAM shuts down when I run it and wont run again
pmora replied to pmora's topic in Resolved Malware Removal Logs
sorry about the delay. I couldn't get permissions back so I uninstalled symantec and installed Microsoft security essentials. Malwarebytes' Anti-Malware 1.41 Database version: 2869 Windows 5.1.2600 Service Pack 3 10/1/2009 12:27:34 PM mbam-log-2009-10-01 (12-27-34).txt Scan type: Quick Scan Objects scanned: 102712 Time elapsed: 12 minute(s), 1 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:28:10 PM, on 10/1/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\stsystra.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\SCardSvr.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Java\jre6\bin\jqs.exe c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\WebUpdateSvc4.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Apoint\HidFind.exe C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe C:\WINDOWS\System32\alg.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe c:\Program Files\Microsoft Security Essentials\MsMpEng.exe C:\Program Files\Microsoft Security Essentials\msseces.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://law.wfu.edu/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://law.wfu.edu/ O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe -hide O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &Search - ?p=ZRfox000 O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153323251440 O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SSIRuntimeService - Unknown owner - C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 7799 bytes -
MBAM shuts down when I run it and wont run again
pmora replied to pmora's topic in Resolved Malware Removal Logs
Computer seems to be running fine. Internet browsing doesn't seem to result in any redirects. Although I still can't open symantec, I get the "you don't have permission" thing. Anyway thanks for all the help so far. Here are my logs. JavaRa 1.15 Removal Log. Report follows after line. ------------------------------------ The JavaRa removal process was started on Tue Sep 29 19:35:11 2009 Found and removed: Software\JavaSoft\Java2D\1.5.0_07 Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} Found and removed: SOFTWARE\Classes\JavaPlugin.150_07 Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_07\ ------------------------------------ Finished reporting. -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Wednesday, September 30, 2009 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Wednesday, September 30, 2009 03:43:07 Records in database: 2935570 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: C:\ Scan statistics: Objects scanned: 49239 Threats found: 2 Infected objects found: 5 Suspicious objects found: 0 Scan duration: 01:51:15 File name / Threat / Threats count C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0000.VBN Infected: Exploit.Java.Gimsh.a 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0001.VBN Infected: Exploit.Java.Gimsh.a 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0002.VBN Infected: Exploit.Java.Gimsh.a 1 C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DFC0003.VBN Infected: Exploit.Java.Gimsh.a 1 C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1 Selected area has been scanned. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:21:43 AM, on 9/30/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\SCardSvr.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Java\jre6\bin\jqs.exe c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\WebUpdateSvc4.exe C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\stsystra.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Apoint\HidFind.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Apoint\Apntex.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Java\jre6\bin\java.exe C:\Documents and Settings\Administrator\Local Settings\temp\jkos-morapj6\binaries\ScanningProcess.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://law.wfu.edu/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://law.wfu.edu/ O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &Search - ?p=ZRfox000 O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153323251440 O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: SSIRuntimeService - Unknown owner - C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 9153 bytes -
MBAM shuts down when I run it and wont run again
pmora replied to pmora's topic in Resolved Malware Removal Logs
Spybot was still locked so I couldn't open it and disable teatimer like you said, but I uninstalled spybot and ran combofix again with the CFScript. ComboFix 09-09-28.01 - morapj6 09/29/2009 18:06.3.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.552 [GMT -5:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} . The following files were disabled during the run: c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL ((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 ))))))))))))))))))))))))))))))) . 2009-09-29 01:40 . 2009-09-29 01:40 -------- d-----w- c:\program files\ESET 2009-09-29 01:18 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-29 01:18 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-09-28 23:32 . 2009-09-28 23:32 -------- d-----w- c:\program files\Trend Micro 2009-09-22 01:11 . 2009-09-22 01:11 -------- d-----w- c:\program files\Deep System Explorer 2009-09-21 17:46 . 2009-09-29 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-09-21 14:04 . 2009-09-21 14:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-09-21 14:04 . 2009-09-21 14:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-09-20 03:30 . 2009-09-20 03:30 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE 2009-09-08 23:51 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-09-29 23:04 . 2006-07-19 16:41 -------- d-----w- c:\program files\Symantec AntiVirus 2009-09-29 22:55 . 2008-06-07 18:35 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-09-29 22:55 . 2008-06-07 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-09-21 18:17 . 2006-07-18 12:42 77592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-08-25 15:06 . 2009-08-25 15:06 -------- d-----w- c:\program files\MSBuild 2009-08-25 15:06 . 2009-08-25 15:06 -------- d-----w- c:\program files\Reference Assemblies 2009-08-05 09:01 . 2004-12-05 22:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-17 19:01 . 2004-12-05 22:41 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-12 17:21 . 2004-12-05 22:44 233472 ----a-w- c:\windows\system32\wmpdxm.dll 2009-07-03 17:09 . 2004-12-05 22:43 915456 ------w- c:\windows\system32\wininet.dll 2007-10-04 17:26 . 2007-10-04 17:26 2244608 ----a-w- c:\program files\SecurexamStudent.exe 2008-07-28 19:59 . 2006-07-19 16:30 952 --sha-w- c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( SnapShot@2009-09-28_23.22.23 ))))))))))))))))))))))))))))))))))))))))) . + 2004-12-05 22:43 . 2009-09-29 23:03 72306 c:\windows\system32\perfc009.dat - 2004-12-05 22:43 . 2009-09-23 19:18 72306 c:\windows\system32\perfc009.dat + 2004-12-05 22:43 . 2009-09-29 23:03 444596 c:\windows\system32\perfh009.dat - 2004-12-05 22:43 . 2009-09-23 19:18 444596 c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784] "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-23 85696] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "AllowMultipleTSSessions"= 1 (0x1) "HideFastUserSwitching"= 0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\mIRC\\mirc.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"= R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [7/18/2006 7:51 AM 218112] R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\AAC.SYS [7/18/2006 7:51 AM 48140] R0 aarich;aarich;c:\windows\system32\drivers\AARICH.SYS [7/18/2006 7:51 AM 204800] R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\MEGASAS.SYS [7/18/2006 7:51 AM 17664] R2 SSIRuntimeService;SSIRuntimeService;c:\program files\Software Secure, Inc\SSIRunTimeService\SSIRuntimeService.exe [10/4/2007 12:17 PM 45056] R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [5/18/2007 11:57 AM 229856] S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?] S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 6:27 PM 124608] --- Other Services/Drivers In Memory --- *Deregistered* - EraserUtilDrvI9 *Deregistered* - mchInjDrv [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57] 2009-09-29 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2009-05-28 02:18] . . ------- Supplementary Scan ------- . uStart Page = hxxp://law.wfu.edu/ uInternet Connection Wizard,ShellNext = hxxp://law.wfu.edu/ IE: &Search - ?p=ZRfox000 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jz1r33jx.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJPI150_07.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPOJI610.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-29 18:13 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv] "ImagePath"="\??\c:\windows\TEMP\mc29.tmp" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2380) c:\windows\system32\WININET.dll c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\program files\Intel\Wireless\Bin\WLKEEPER.exe c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\windows\system32\igfxsrvc.exe c:\windows\system32\scardsvr.exe c:\program files\Apoint\hidfind.exe c:\program files\Apoint\ApntEx.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Symantec AntiVirus\DefWatch.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\progra~1\PHAROS~1\Core\CTskMstr.exe c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\Symantec AntiVirus\Rtvscan.exe c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-09-29 18:19 - machine was rebooted ComboFix-quarantined-files.txt 2009-09-29 23:19 ComboFix2.txt 2009-09-29 01:13 ComboFix3.txt 2009-09-28 23:28 Pre-Run: 47,556,435,968 bytes free Post-Run: 47,527,567,360 bytes free 185 --- E O F --- 2009-09-09 13:13 HIJACK THIS Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:22:39 PM, on 9/29/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\stsystra.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\SCardSvr.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Apoint\HidFind.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\WebUpdateSvc4.exe C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe C:\WINDOWS\System32\alg.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://law.wfu.edu/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://law.wfu.edu/ O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &Search - ?p=ZRfox000 O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153323251440 O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: SSIRuntimeService - Unknown owner - C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 8860 bytes -
MBAM shuts down when I run it and wont run again
pmora replied to pmora's topic in Resolved Malware Removal Logs
COMBOFIX LOG ComboFix 09-09-28.01 - morapj6 09/28/2009 19:58.2.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.553 [GMT -5:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} . The following files were disabled during the run: c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL ((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 ))))))))))))))))))))))))))))))) . 2009-09-28 23:32 . 2009-09-28 23:32 -------- d-----w- c:\program files\Trend Micro 2009-09-22 01:11 . 2009-09-22 01:11 -------- d-----w- c:\program files\Deep System Explorer 2009-09-21 17:46 . 2009-09-23 18:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-09-21 14:04 . 2009-09-21 14:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-09-21 14:04 . 2009-09-21 14:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-09-20 03:30 . 2009-09-20 03:30 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE 2009-09-20 02:22 . 2009-09-28 23:11 0 ----a-w- c:\windows\win32k.sys 2009-09-08 23:51 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-09-29 00:55 . 2006-07-19 16:41 -------- d-----w- c:\program files\Symantec AntiVirus 2009-09-21 18:17 . 2006-07-18 12:42 77592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-08-25 15:06 . 2009-08-25 15:06 -------- d-----w- c:\program files\MSBuild 2009-08-25 15:06 . 2009-08-25 15:06 -------- d-----w- c:\program files\Reference Assemblies 2009-08-05 09:01 . 2004-12-05 22:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-17 19:01 . 2004-12-05 22:41 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-12 17:21 . 2004-12-05 22:44 233472 ----a-w- c:\windows\system32\wmpdxm.dll 2009-07-03 17:09 . 2004-12-05 22:43 915456 ------w- c:\windows\system32\wininet.dll 2007-10-04 17:26 . 2007-10-04 17:26 2244608 ----a-w- c:\program files\SecurexamStudent.exe 2008-07-28 19:59 . 2006-07-19 16:30 952 --sha-w- c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( SnapShot@2009-09-28_23.22.23 ))))))))))))))))))))))))))))))))))))))))) . + 2004-12-05 22:43 . 2009-09-28 23:28 72306 c:\windows\system32\perfc009.dat - 2004-12-05 22:43 . 2009-09-23 19:18 72306 c:\windows\system32\perfc009.dat + 2004-12-05 22:43 . 2009-09-28 23:28 444596 c:\windows\system32\perfh009.dat - 2004-12-05 22:43 . 2009-09-23 19:18 444596 c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784] "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-23 85696] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "AllowMultipleTSSessions"= 1 (0x1) "HideFastUserSwitching"= 0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\mIRC\\mirc.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"= R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [7/18/2006 7:51 AM 218112] R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\AAC.SYS [7/18/2006 7:51 AM 48140] R0 aarich;aarich;c:\windows\system32\drivers\AARICH.SYS [7/18/2006 7:51 AM 204800] R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\MEGASAS.SYS [7/18/2006 7:51 AM 17664] R2 SSIRuntimeService;SSIRuntimeService;c:\program files\Software Secure, Inc\SSIRunTimeService\SSIRuntimeService.exe [10/4/2007 12:17 PM 45056] R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [5/18/2007 11:57 AM 229856] S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?] S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 6:27 PM 124608] --- Other Services/Drivers In Memory --- *Deregistered* - EraserUtilDrvI9 *Deregistered* - mchInjDrv [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57] 2009-09-29 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2009-05-28 02:18] . . ------- Supplementary Scan ------- . uStart Page = hxxp://law.wfu.edu/ uInternet Connection Wizard,ShellNext = hxxp://law.wfu.edu/ IE: &Search - ?p=ZRfox000 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jz1r33jx.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJPI150_07.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPOJI610.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-28 20:06 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv] "ImagePath"="\??\c:\windows\TEMP\mc29.tmp" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3736) c:\windows\system32\WININET.dll c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\program files\Intel\Wireless\Bin\WLKEEPER.exe c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\windows\system32\igfxsrvc.exe c:\windows\system32\scardsvr.exe c:\program files\Apoint\hidfind.exe c:\program files\Apoint\ApntEx.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Symantec AntiVirus\DefWatch.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\progra~1\PHAROS~1\Core\CTskMstr.exe c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\Symantec AntiVirus\Rtvscan.exe c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-09-29 20:13 - machine was rebooted ComboFix-quarantined-files.txt 2009-09-29 01:13 ComboFix2.txt 2009-09-28 23:28 Pre-Run: 47,654,551,552 bytes free Post-Run: 47,617,282,048 bytes free 180 --- E O F --- 2009-09-09 13:13 MBAM LOG Malwarebytes' Anti-Malware 1.41 Database version: 2869 Windows 5.1.2600 Service Pack 3 9/28/2009 8:27:31 PM mbam-log-2009-09-28 (20-27-31).txt Scan type: Quick Scan Objects scanned: 101483 Time elapsed: 6 minute(s), 52 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully. HIJACKTHIS LOG Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:35:40 PM, on 9/28/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\SCardSvr.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\WebUpdateSvc4.exe C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\stsystra.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Apoint\HidFind.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe \?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://law.wfu.edu/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://law.wfu.edu/ O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &Search - ?p=ZRfox000 O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153323251440 O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: SSIRuntimeService - Unknown owner - C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 9293 bytes ESET LOG ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=6 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6050 # api_version=3.0.2 # EOSSerial=b9f5aa64dcb76f4f999b167f3d216a7a # end=finished # remove_checked=false # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2009-09-29 02:17:39 # local_time=2009-09-28 09:17:39 (-0600, Central Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=3585 63 50 0 0 # scanned=49230 # found=2 # cleaned=0 # scan_time=1878 C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{BDB705D4-3642-4902-B5C1-5721D3A7DDC5}\RP1\A0000010.dll a variant of Win32/Kryptik.YQ trojan 00000000000000000000000000000000 I -
MBAM shuts down when I run it and wont run again
pmora replied to pmora's topic in Resolved Malware Removal Logs
COMBO FIX LOG ComboFix 09-09-27.05 - morapj6 09/28/2009 18:11.1.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.530 [GMT -5:00] Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} . The following files were disabled during the run: c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk c:\recycler\S-1-5-21-1123561945-1364589140-839522115-500 c:\recycler\S-1-5-21-2067384465-1423527793-488439985-500 Infected copy of c:\windows\system32\eventlog.dll was found and disinfected Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll -- Previous Run -- Infected copy of c:\windows\system32\eventlog.dll was found and disinfected Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll -------- . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED} ((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 ))))))))))))))))))))))))))))))) . 2009-09-22 01:11 . 2009-09-22 01:11 -------- d-----w- c:\program files\Deep System Explorer 2009-09-21 23:32 . 2009-09-21 23:32 -------- d-----w- c:\program files\Trend Micro 2009-09-21 17:46 . 2009-09-23 18:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-09-21 14:04 . 2009-09-21 14:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-09-21 14:04 . 2009-09-21 14:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-09-20 03:30 . 2009-09-20 03:30 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE 2009-09-20 02:22 . 2009-09-28 23:11 0 ----a-w- c:\windows\win32k.sys 2009-09-08 23:51 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-09-28 22:56 . 2006-07-19 16:41 -------- d-----w- c:\program files\Symantec AntiVirus 2009-09-21 18:17 . 2006-07-18 12:42 77592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-08-25 15:06 . 2009-08-25 15:06 -------- d-----w- c:\program files\MSBuild 2009-08-25 15:06 . 2009-08-25 15:06 -------- d-----w- c:\program files\Reference Assemblies 2009-08-05 09:01 . 2004-12-05 22:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-17 19:01 . 2004-12-05 22:41 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-12 17:21 . 2004-12-05 22:44 233472 ----a-w- c:\windows\system32\wmpdxm.dll 2009-07-03 17:09 . 2004-12-05 22:43 915456 ----a-w- c:\windows\system32\wininet.dll 2007-10-04 17:26 . 2007-10-04 17:26 2244608 ----a-w- c:\program files\SecurexamStudent.exe 2008-07-28 19:59 . 2006-07-19 16:30 952 --sha-w- c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784] "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-23 85696] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "AllowMultipleTSSessions"= 1 (0x1) "HideFastUserSwitching"= 0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\mIRC\\mirc.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"= R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [7/18/2006 7:51 AM 218112] R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\AAC.SYS [7/18/2006 7:51 AM 48140] R0 aarich;aarich;c:\windows\system32\drivers\AARICH.SYS [7/18/2006 7:51 AM 204800] R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\MEGASAS.SYS [7/18/2006 7:51 AM 17664] R2 SSIRuntimeService;SSIRuntimeService;c:\program files\Software Secure, Inc\SSIRunTimeService\SSIRuntimeService.exe [10/4/2007 12:17 PM 45056] R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [5/18/2007 11:57 AM 229856] S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?] S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 6:27 PM 124608] --- Other Services/Drivers In Memory --- *Deregistered* - EraserUtilDrvI9 *Deregistered* - mchInjDrv [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57] 2009-09-28 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2009-05-28 02:18] . . ------- Supplementary Scan ------- . uStart Page = hxxp://law.wfu.edu/ uInternet Connection Wizard,ShellNext = hxxp://law.wfu.edu/ IE: &Search - ?p=ZRfox000 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jz1r33jx.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJPI150_07.dll FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPOJI610.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHANS REMOVED - - - - AddRemove-ExtegrityExam40 - c:\program files\Extegrity\Exam4\Uninstall.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-28 18:22 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv] "ImagePath"="\??\c:\windows\TEMP\mc29.tmp" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3584) c:\windows\system32\WININET.dll c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\program files\Intel\Wireless\Bin\WLKEEPER.exe c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\windows\system32\igfxsrvc.exe c:\windows\system32\scardsvr.exe c:\program files\Apoint\hidfind.exe c:\program files\Apoint\ApntEx.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Symantec AntiVirus\DefWatch.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\progra~1\PHAROS~1\Core\CTskMstr.exe c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\Symantec AntiVirus\Rtvscan.exe c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe . ************************************************************************** . Completion time: 2009-09-28 18:28 - machine was rebooted ComboFix-quarantined-files.txt 2009-09-28 23:28 Pre-Run: 47,184,154,624 bytes free Post-Run: 47,666,446,336 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 194 --- E O F --- 2009-09-09 13:13 HIJACKTHIS LOG Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:32:40 PM, on 9/28/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\stsystra.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\igfxsrvc.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\System32\SCardSvr.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Apoint\HidFind.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\WebUpdateSvc4.exe C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe C:\WINDOWS\System32\alg.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://law.wfu.edu/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://law.wfu.edu/ O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &Search - ?p=ZRfox000 O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153323251440 O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: SSIRuntimeService - Unknown owner - C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 8982 bytes -
MBAM shuts down when I run it and wont run again
pmora replied to pmora's topic in Resolved Malware Removal Logs
Sorry about the format of the previous post. I'm still having trouble. I realized I failed to say the virus disabled hjt also, and I cut off part of the win32diag log I posted. I realize you haven't asked me to do anything yet, but I noticed its a common first thing asked. I realize how busy you guys are, thanks again for your time. Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt WARNING: Could not get backup privileges! Searching 'C:\WINDOWS'... Found mount point : C:\WINDOWS\addins\addins Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20B.tmp\ZAP20B.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP289.tmp\ZAP289.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EA.tmp\ZAP2EA.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\tmp\tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Config\Config Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d1\d1 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d2\d2 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d3\d3 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d4\d4 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d5\d5 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d6\d6 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d7\d7 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d8\d8 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\chsime\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imejp\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imejp98\imejp98 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\shared\res\res Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\java\classes\classes Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\java\trustlib\trustlib Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\msapps\msinfo\msinfo Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\PIF\PIF Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel Mount point destination : \Device\__max++>\^ Cannot access: C:\WINDOWS\system32\eventlog.dll [1] 2004-08-04 00:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation) [1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation) [1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll () [2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation) Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2 Mount point destination : \Device\__max++>\^ Finished! -
I downloaded a virus yesterday that claimed to be a flash update but was actually an .exe file. Msa.exe and b.exe showed up in my process list and I killed them as well as deleting associated files, and registry entries. I found some a.exe files as well I deleted. I am getting webpage redirects now. My symatec antivirus currently will not open. Spybot won't run. mbam runs for a little bit than closes, and I cannot open it again unless I reinstall. It says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item" Rootkit repealer scans for a couple seconds than shuts down and I cannot open it again and I get the same message as MBAM. Ad aware ran in safe mode but didnt find anything meaningful. I am using windows xp and mozilla firefox. I was thinking about using ComboFix, but I don't really know what I'm doing so I wanted to ask here first thanks for your time my win32diag.txt follows Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exeLog file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txtWARNING: Could not get backup privileges!Searching 'C:\WINDOWS'...Found mount point : C:\WINDOWS\addins\addinsMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2 0B.tmp\ZAP20B.tmpMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2 89.tmp\ZAP289.tmpMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2 EA.tmp\ZAP2EA.tmpMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\assembly\tmp\tmpMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\Config\ConfigMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\Connection Wizard\Connection WizardMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\CSC\d1\d1Mount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\CSC\d2\d2Mount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\CSC\d3\d3Mount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\CSC\d4\d4Mount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\CSC\d5\d5Mount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\CSC\d6\d6Mount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\CSC\d7\d7Mount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\CSC\d8\d8Mount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\ime\chsime\applets\appletsMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\ime\CHTIME\Applets\AppletsMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\ime\imejp\applets\appletsMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\ime\imejp98\imejp98Mount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\ime\imjp8_1\applets\appletsMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\ime\imkr6_1\applets\appletsMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dictsMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\ime\shared\res\resMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231 838AD88BCDDC8E8F7C\3.2.30729\3.2.30729Mount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2 F398A9A6D1762F70F3\2.2.30729\2.2.30729Mount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\java\classes\classesMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\java\trustlib\trustlibMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind LogsMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET FilesMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\msapps\msinfo\msinfoMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLESMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFFMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCHMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint Mount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFilesMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUsM ount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFSMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEMMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\TempMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\PIF\PIFMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLogMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabsMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Re gisteredMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\Sun\Java\Deployment\DeploymentMount point destination : \Device\__max++>\^Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDelMount point destination : \Device\__max++>\^Cannot access: C:\WINDOWS\system32\eventlog.dll[1] 2004-08-04 00:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)