
Another Malwarebytes won't run topic, please help



Have a laptop with Win XP Pro, Service Pack 3. McAfee not working; Malwarebytes shuts down after 5 secs. Read on the forum, did the rename, same results. Once it runs and shuts down, you can't rename it, no permissions. McAfee is disabled. Internet Explorer not working either. Thanks for helping.


Also... HijackThis won't run. Get error 75; it says I should edit the hosts file, but when I try that, I get access denied. Ran the McAfee DOS scan from the safe mode C prompt, but that doesn't help.


screen317... Thanks for helping. Downloaded the file on my other laptop. Put it on the desktop of the infected laptop and ran Win32kDiag. Got an error: Win32kDiag has encountered a problem and needs to close.

Hi tweet3219 and welcome to Malwarebytes.

Please download Win32kDiag.exe by AD to your Desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply:

-screen317


Screen317,

Thanks for getting back to me. I downloaded a new copy and got the same error as the first time. I ran it in safe mode and it did finish. Not sure if that will help but here it is. Also, since last time we spoke I uninstalled McAfee and installed Avira. Scan picked up some stuff... but still have the problem. MBAM still shutting down after 5 seconds and no internet access. I can ping websites; Internet Explorer won't go anywhere. Here is the log from running Win32kDiag in safe mode.

Log file is located at: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\enterprisesec.config.cch

[1] 2009-08-25 00:53:58 46048 C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\enterprisesec.config.cch ()

Cannot access: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\security.config.cch

[1] 2009-08-25 00:53:58 53729 C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\security.config.cch ()

[1] 2007-09-08 13:41:33 22240 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch ()

[1] 2007-09-08 13:41:33 22240 C:\i386\security.config.cch ()

Cannot access: C:\WINDOWS\network diagnostic\Sqm\NetDiag18.sqm

[1] 2009-08-16 08:52:47 492 C:\WINDOWS\network diagnostic\Sqm\NetDiag18.sqm ()

Cannot access: C:\WINDOWS\network diagnostic\Sqm\NetDiag19.sqm

[1] 2009-08-16 08:52:53 492 C:\WINDOWS\network diagnostic\Sqm\NetDiag19.sqm ()

Cannot access: C:\WINDOWS\network diagnostic\xpnetdiag.xml

[1] 2009-08-16 08:52:51 5668 C:\WINDOWS\network diagnostic\xpnetdiag.xml ()

Cannot access: C:\WINDOWS\OFCNT.LOG

[1] 2009-08-24 18:35:49 506380 C:\WINDOWS\OFCNT.LOG ()

Cannot access: C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[1] 2009-08-24 15:57:56 2337 C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup ()

Cannot access: C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[1] 2007-11-17 10:14:44 1800 C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup ()

Cannot access: C:\WINDOWS\pss\boot.ini.backup

[1] 2009-08-24 16:18:51 211 C:\WINDOWS\pss\boot.ini.backup ()

Cannot access: C:\WINDOWS\pss\Dell Network Assistant.lnkCommon Startup

[1] 2009-08-24 15:58:13 2333 C:\WINDOWS\pss\Dell Network Assistant.lnkCommon Startup ()

Cannot access: C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[1] 2007-09-08 13:31:15 1618 C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup ()

Cannot access: C:\WINDOWS\pss\system.ini.backup

[1] 2004-08-11 18:07:24 231 C:\WINDOWS\pss\system.ini.backup ()

Cannot access: C:\WINDOWS\pss\win.ini.backup

[1] 2009-08-24 10:18:31 657 C:\WINDOWS\pss\win.ini.backup ()

Cannot access: C:\WINDOWS\system32\drivers\avgntdd.sys

[1] 2009-02-13 12:17:49 45416 C:\WINDOWS\system32\drivers\avgntdd.sys ()

Cannot access: C:\WINDOWS\system32\drivers\avgntflt.sys

[1] 2009-07-28 16:33:56 55656 C:\WINDOWS\system32\drivers\avgntflt.sys ()

Cannot access: C:\WINDOWS\system32\drivers\avgntmgr.sys

[1] 2009-02-13 12:29:11 22360 C:\WINDOWS\system32\drivers\avgntmgr.sys ()

Cannot access: C:\WINDOWS\system32\drivers\avipbb.sys

[1] 2009-03-30 10:33:07 96104 C:\WINDOWS\system32\drivers\avipbb.sys ()

Cannot access: C:\WINDOWS\system32\drivers\mbam.sys

[1] 2009-08-03 13:36:06 19096 C:\WINDOWS\system32\drivers\mbam.sys ()

Cannot access: C:\WINDOWS\system32\drivers\mbamswissarmy.sys

[1] 2009-08-03 13:36:28 38160 C:\WINDOWS\system32\drivers\mbamswissarmy.sys ()

Cannot access: C:\WINDOWS\system32\drivers\ssmdrv.sys

[1] 2009-05-11 10:12:24 28520 C:\WINDOWS\system32\drivers\ssmdrv.sys ()

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 60928 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 06:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\Restore\rstrlog.dat

[1] 2009-08-24 11:11:07 2774204 C:\WINDOWS\system32\Restore\rstrlog.dat ()

Cannot access: C:\WINDOWS\system32\wbem\Logs\FrameWork.log

[1] 2009-08-26 22:09:55 17019 C:\WINDOWS\system32\wbem\Logs\FrameWork.log ()

[1] 2004-08-11 18:12:20 260 C:\i386\FrameWork.log ()

Cannot access: C:\WINDOWS\Temp\Cookies\ann@avira[1].txt

[1] 2009-08-26 11:14:29 356 C:\WINDOWS\Temp\Cookies\ann@avira[1].txt ()

Cannot access: C:\WINDOWS\Temp\Cookies\ann@www.avira[1].txt

[1] 2009-08-26 10:43:44 72 C:\WINDOWS\Temp\Cookies\ann@www.avira[1].txt ()

Cannot access: C:\WINDOWS\Temp\Cookies\index.dat

[1] 2008-07-24 13:42:29 87643 C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat ()

[1] 2009-08-25 00:57:06 32768 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat ()

[1] 2009-08-25 00:57:06 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat ()

[1] 2007-09-15 06:05:59 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007091520070916\index.dat ()

[1] 2009-08-25 00:57:06 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat ()

[1] 2009-08-26 11:14:26 32768 C:\WINDOWS\Temp\Cookies\index.dat ()

[1] 2009-08-26 11:14:26 32768 C:\WINDOWS\Temp\History\History.IE5\index.dat ()

[1] 2009-08-26 11:14:26 65536 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat ()

[1] 2007-09-15 06:06:03 16384 C:\i386\index.dat ()

Cannot access: C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\BPMNT.DLL

[1] 2006-11-22 17:48:28 91744 C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\BPMNT.DLL ()

Cannot access: C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\debug\TSCDebug.log

[1] 2009-08-24 18:32:35 56 C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\debug\TSCDebug.log ()

Cannot access: C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\lpt$vpn.389

[1] 2009-08-23 15:16:30 26537989 C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\lpt$vpn.389 ()

Cannot access: C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\OFCSCAN.INI

[1] 2009-08-24 18:13:13 31486 C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\OFCSCAN.INI ()

Cannot access: C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\report\20090824.log

[1] 2009-08-24 18:32:35 1270 C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\report\20090824.log ()

Cannot access: C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\tmCfwApi.dll

[1] 2007-03-22 10:54:58 98304 C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\tmCfwApi.dll ()

Cannot access: C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\tmuninst.dll

[1] 2007-02-02 00:55:12 329432 C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\tmuninst.dll ()

Cannot access: C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\tmuninst.exe

[1] 2007-02-02 00:55:26 71384 C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\tmuninst.exe ()

Cannot access: C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\tmuninst.ptn

[1] 2007-04-09 14:30:46 79969 C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\tmuninst.ptn ()

Cannot access: C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\TMVAmain.ptn

[1] 2009-08-06 00:16:14 123024 C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\TMVAmain.ptn ()

Cannot access: C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\TSC.EXE

[1] 2009-03-27 17:38:14 366344 C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\TSC.EXE ()

Cannot access: C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\TSC.ini

[1] 2003-09-15 17:06:28 679 C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\TSC.ini ()

Cannot access: C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\tsc.ptn

[1] 2009-08-18 22:34:36 2008851 C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\tsc.ptn ()

Cannot access: C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\VSAPI32.DLL

[1] 2006-11-16 16:57:36 1107552 C:\WINDOWS\Temp\{1DA87147-F0FF-46AA-94A1-5792A51FA43B}\{6A8804AF-A6E7-4775-BAA3-E11E76A8EF50}\VSAPI32.DLL ()

Finished!


Screen317,

Also, here is the error I get when running HijackThis; maybe it will help.



It's because you are running Vista (which would have been nice to mention to me) and you didn't click Run as Admin.

Next, we need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

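The reason the Avenger script above replaces eventlog.dll is visible in the Win32kDiag report: the system32 copy carries the same timestamp as the Service Pack copy but a different size and no company name. The following is an added example (not the helper's tool or any Malwarebytes code) that pulls that kind of finding out of a Win32kDiag report mechanically; the sample lines are taken from the report posted earlier, and the reference-directory list and the same-mtime/different-size rule are my assumptions about how a tampered SP3 file presents.

```python
"""Cross-check the copies of a Windows system file listed in a Win32kDiag report.

Win32kDiag (the tool used in this thread) prints, for every file it could not
open, each copy of that file name it finds, as
    [n] <date> <time> <size> <path> (<company from the version resource>)
On a clean XP SP3 machine the live file in system32 should agree with the
pristine copy kept in ServicePackFiles\\i386 (same timestamp, size and company).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the eventlog.dll and mbam.sys stanzas from the report
# posted above, nothing else.
SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 60928 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
[1] 2004-08-04 06:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\drivers\mbam.sys
[1] 2009-08-03 13:36:06 19096 C:\WINDOWS\system32\drivers\mbam.sys ()
Finished!
"""

# One report line: "[n] YYYY-MM-DD HH:MM:SS size path (company)"; company may be empty.
ENTRY_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \(([^()]*)\)$")

# Where XP keeps pristine copies of system files (assumption: SP3 layout).
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\")


@dataclass
class Copy:
    mtime: str
    size: int
    path: str
    company: str

    @property
    def is_reference(self) -> bool:
        low = self.path.lower()
        return any(d in low for d in REFERENCE_DIRS)

    @property
    def is_live(self) -> bool:
        # The copy Windows actually loads: under system32, not a backup dir.
        return "\\system32\\" in self.path.lower() and not self.is_reference


@dataclass
class Finding:
    path: str        # live copy that disagrees with its reference
    reference: str   # reference copy it was compared against
    live_size: int
    ref_size: int
    mtime: str
    company: str


def parse_report(text: str) -> Dict[str, List[Copy]]:
    """Group every listed copy by file name (case-insensitive)."""
    groups: Dict[str, List[Copy]] = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # "Cannot access:" lines, banners, blanks
        mtime, size, path, company = m.groups()
        name = path.rsplit("\\", 1)[-1].lower()
        groups[name].append(Copy(mtime, int(size), path, company))
    return groups


def find_suspicious(groups: Dict[str, List[Copy]]) -> List[Finding]:
    """Flag a live copy whose mtime equals a reference copy's but whose size differs.

    That combination is what the eventlog.dll stanza above shows and is
    consistent with a file that was overwritten and then had its timestamp
    set to match the original.  A blank company name by itself is NOT
    flagged: Win32kDiag also prints "()" for files it merely could not open
    (the mbam.sys driver in the sample), so that alone gives false positives.
    """
    findings: List[Finding] = []
    for copies in groups.values():
        refs = [c for c in copies if c.is_reference]
        for live in (c for c in copies if c.is_live):
            for ref in refs:
                if live.mtime == ref.mtime and live.size != ref.size:
                    findings.append(Finding(live.path, ref.path, live.size,
                                            ref.size, live.mtime, live.company))
                    break
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_report(SAMPLE_LOG)):
        print(f"{f.path}: {f.live_size} bytes vs {f.ref_size} in {f.reference} "
              f"(same mtime {f.mtime}, company={f.company!r})")
```

Run against the full report it flags only system32\eventlog.dll, which is exactly the file the Avenger script overwrites with the ServicePackFiles copy.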

Screen

I am running XP Pro. Not sure where you got Vista from. Anyway... do you want me to run the Avenger2 knowing I have XP Pro?

Thanks,


Screen317,

Ran Avenger and ComboFix, got the log from Combo. Still waiting for the clock to change back. Here are the Avenger and Combo logs.

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Combofix log:

ComboFix 09-08-27.02 - Ann 08/27/2009 22:26.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1668 [GMT -4:00]

Running from: c:\documents and settings\Ann\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Ann\Application Data\FunWebProducts

c:\documents and settings\Ann\Application Data\FunWebProducts\Data\Ann\avatar.dat

c:\documents and settings\Ann\Application Data\FunWebProducts\Data\Ann\zbucks.dat

c:\program files\FunWebProducts

c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html

c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html

c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html

c:\program files\MyWebSearch

c:\windows\system32\404Fix.exe

c:\windows\system32\6to4v32.dll

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\certstore.dat

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\netskt.sys

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_FAD

-------\Legacy_MYWEBSEARCHSERVICE

-------\Legacy_QQ

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Service_6to4

-------\Service_MyWebSearchService

-------\Service_QQ

-------\Legacy_netskt

-------\Service_netskt

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))

.

2009-08-27 23:21 . 2009-08-27 23:21 -------- d-----w- c:\program files\test

2009-08-26 21:31 . 2009-08-26 21:31 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-08-26 21:13 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-26 21:13 . 2009-08-26 21:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-26 21:13 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-26 21:11 . 2009-08-27 22:37 -------- d-----w- c:\program files\Unlocker

2009-08-26 14:34 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-26 14:34 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-26 14:34 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-26 14:34 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-26 14:34 . 2009-08-26 14:34 -------- d-----w- c:\program files\Avira

2009-08-26 14:34 . 2009-08-26 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-25 03:12 . 2009-08-25 03:12 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

2009-08-25 03:03 . 2009-08-26 14:33 -------- d-sh--w- c:\windows\Installer

2009-08-25 02:37 . 2009-08-25 02:37 -------- d-----w- c:\program files\Trend Micro

2009-08-24 22:04 . 2009-08-24 22:04 578560 ----a-w- c:\windows\system32\dllcache\user32.dll

2009-08-24 22:03 . 2009-08-24 22:03 -------- d-----w- c:\windows\ERUNT

2009-08-24 16:10 . 2009-08-24 16:00 114525527 ----a-w- C:\sdat5719.exe

2009-08-24 15:11 . 2009-08-24 15:11 -------- d-----w- c:\documents and settings\Ann\Application Data\Malwarebytes

2009-08-24 15:11 . 2009-08-24 15:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-24 14:32 . 2009-08-24 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-15 20:49 . 2009-08-15 20:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2009-08-13 02:40 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-26 14:33 . 2007-09-08 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-08-25 04:22 . 2007-09-08 17:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-06 12:30 . 2007-09-08 17:13 77677 ----a-w- c:\windows\system32\nvModes.dat

2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-12 16:21 . 2004-08-11 22:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2004-08-11 22:00 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll

2009-06-16 14:36 . 2004-08-11 22:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2004-08-11 22:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2004-08-11 22:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2004-08-11 22:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2004-08-11 22:11 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2004-08-11 22:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2004-08-11 22:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-06-01 17:36 . 2009-06-01 17:36 721912 ----a-w- c:\documents and settings\Ann\gotomypc_428.exe

.

------- Sigcheck -------

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-25 148888]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk

backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk

backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1189890187\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/26/2009 10:34 AM 108289]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/10/2007 11:17 PM 24652]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/8/2007 1:40 PM 29744]

S4 NetLogin;Net Login;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]

.

Contents of the 'Scheduled Tasks' folder

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe

.

------- Supplementary Scan -------

.

IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm319YYUS

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-27 22:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2052)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\WLTRYSVC.EXE

c:\windows\system32\BCMWLTRY.EXE

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\aol\acs\AOLacsd.exe

c:\program files\Dell Network Assistant\hnm_svc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\pchealth\helpctr\binaries\helpsvc.exe

.

**************************************************************************

.

Completion time: 2009-08-28 22:38 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-28 02:38

Pre-Run: 133,553,426,432 bytes free

Post-Run: 133,782,417,408 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

396 --- E O F --- 2009-08-26 21:00

Thanks for getting it this far..:)

What next?


Screen317,

Got HijackThis to run by installing it in a different folder. Here is the log.

Thanks again. :)

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:50:44, on 8/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Dell Network Assistant\hnm_svc.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\MediaDirect\PCMService.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Test2\test\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070908

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm319YYUS

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 7452 bytes


Screen317, hi. Since Malwarebytes would run now, I did some scans and it found items and I selected remove items. I did several full scans in safe mode and would reboot, then shut down and go back into safe mode for more full scans until it showed clean. Here are the logs from mbam and a new HijackThis.

Hope I haven't done anything wrong by running the scans. I haven't installed anything. Waiting for your next instructions.

1st mbam scan log.

Malwarebytes' Anti-Malware 1.40

Database version: 2708

Windows 5.1.2600 Service Pack 3

8/27/2009 11:18:56 PM

mbam-log-2009-08-27 (23-18-43).txt

Scan type: Quick Scan

Objects scanned: 95167

Time elapsed: 3 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 60

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogin (Trojan.Downloader) -> No action taken.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

2nd mbam scan:

Malwarebytes' Anti-Malware 1.40

Database version: 2708

Windows 5.1.2600 Service Pack 3 (Safe Mode)

8/28/2009 10:02:03 AM

mbam-log-2009-08-28 (10-01-32).txt

Scan type: Full Scan (C:\|)

Objects scanned: 148160

Time elapsed: 20 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

3rd mbam scan:

Malwarebytes' Anti-Malware 1.40

Database version: 2708

Windows 5.1.2600 Service Pack 3 (Safe Mode)

8/28/2009 10:02:09 AM

mbam-log-2009-08-28 (10-02-09).txt

Scan type: Full Scan (C:\|)

Objects scanned: 148160

Time elapsed: 20 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

4th mbam scan:

Malwarebytes' Anti-Malware 1.40

Database version: 2708

Windows 5.1.2600 Service Pack 3 (Safe Mode)

8/28/2009 10:33:42 AM

mbam-log-2009-08-28 (10-33-42).txt

Scan type: Full Scan (C:\|)

Objects scanned: 148133

Time elapsed: 20 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

5th mbam scan:

Malwarebytes' Anti-Malware 1.40

Database version: 2708

Windows 5.1.2600 Service Pack 3 (Safe Mode)

8/28/2009 10:54:49 AM

mbam-log-2009-08-28 (10-54-49).txt

Scan type: Full Scan (C:\|)

Objects scanned: 148174

Time elapsed: 19 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:58:53 AM, on 8/28/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Dell\MediaDirect\PCMService.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Dell Network Assistant\hnm_svc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Test2\test\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070908

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 7468 bytes

And one more mbam scan. Note the rootkit it found, which it appears ComboFix had removed or quarantined.

Malwarebytes' Anti-Malware 1.40

Database version: 2708

Windows 5.1.2600 Service Pack 3

8/28/2009 7:33:00 AM

mbam-log-2009-08-28 (07-33-00).txt

Scan type: Full Scan (C:\|)

Objects scanned: 142437

Time elapsed: 38 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\system32\netskt.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.

Thanks again for getting this much progress...:)

Screen317,

Also Internet explorer is working now.

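As an added example for readers working through logs like the ones in the post above (this is not code from the original posts and not Malwarebytes' own tooling): a small Python triage helper for the mbam-log-*.txt format. It parses the detection lines, counts families and actions, flags entries that still read "No action taken" (the first log above is such a scan-time log; the 10:02:03 and 10:02:09 logs list the same four keys, first as "No action taken" and then as "Quarantined and deleted successfully", so the removal result lives in the later log), and highlights hits under persistence or browser-control keys such as Services, Run, SearchScopes and Low Rights\ElevationPolicy. That key list is the editor's heuristic, not a Malwarebytes category. The first sample input is a trimmed excerpt of the first log posted above; the second, post-removal sample is constructed for the example.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (mbam-log-*.txt).

Added example for this thread; not code from the original posts or from
Malwarebytes.  It parses detection lines of the form
    <item> (<family>) -> <action>.
and reports what a responder wants from such a log: which families were
found, which items sit in persistence or browser-control locations, and
which entries still read "No action taken" (a scan-time log; the removal
result is written to a separate, later log).
"""
import re
from collections import Counter

DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
SECTION = re.compile(r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
                     r"Registry Data Items|Folders|Files) Infected:$")

# Assumed list of registry locations worth a second look: hits here give
# malware persistence or control of the browser.  This is the editor's
# heuristic, not a Malwarebytes category.
PERSISTENCE_RE = re.compile(
    r"\\Services\\|\\CurrentVersion\\Run|\\Winlogon\\|\\Browser Helper Objects\\|"
    r"\\Low Rights\\ElevationPolicy\\|\\SearchScopes\\",
    re.IGNORECASE,
)


def parse_log(text):
    """Return one dict {section, item, family, action} per detection line."""
    section, hits = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)          # detail header such as "Registry Keys Infected:" (no count)
        if m:
            section = m.group(1)
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETECTION.match(line)
        if m:
            hits.append({"section": section, **m.groupdict()})
    return hits


def summarize(hits):
    """Counts per family and per action, plus the pending and persistence subsets."""
    return {
        "families": Counter(h["family"] for h in hits),
        "actions": Counter(h["action"] for h in hits),
        "pending": [h for h in hits if h["action"].lower() == "no action taken"],
        "persistence": [h for h in hits if PERSISTENCE_RE.search(h["item"])],
    }


def reconcile(earlier, later):
    """Items pending in the earlier log that the later log does not report as removed.

    Use it on a scan-time log and the post-removal log of the same scan."""
    removed = {h["item"] for h in later if h["action"].lower() != "no action taken"}
    return [h["item"] for h in earlier
            if h["action"].lower() == "no action taken" and h["item"] not in removed]


def report(text):
    """Human-readable summary of one log; returned as a string so it can be tested."""
    s = summarize(parse_log(text))
    out = ["Families: " + ", ".join(f"{k} x{v}" for k, v in s["families"].most_common()),
           "Actions:  " + ", ".join(f"{k} x{v}" for k, v in s["actions"].items()),
           f"Still 'No action taken': {len(s['pending'])} (check the post-removal log)"]
    out += [f"  watch: [{h['section']}] {h['item']} ({h['family']})" for h in s["persistence"]]
    return "\n".join(out)


# Excerpt of the first MBAM log posted in the thread (trimmed to a few lines).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.40
Database version: 2708
Scan type: Quick Scan
Registry Keys Infected: 60
Files Infected: 0

Registry Keys Infected:
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogin (Trojan.Downloader) -> No action taken.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> No action taken.
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\netskt.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# Constructed post-removal log (not from the thread) covering two of the items above.
SAMPLE_LOG_AFTER = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogin (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print("Still pending after removal log:")
    for item in reconcile(parse_log(SAMPLE_LOG), parse_log(SAMPLE_LOG_AFTER)):
        print("  " + item)
```

Feed it a whole mbam-log-*.txt (or several concatenated) and read the "watch" lines first: a service entry such as the NetLogin key or a SearchScopes hijack matters more for the next step than dozens of orphaned COM Interface keys from the same adware. A non-empty result from reconcile means the scan-time log and the removal log do not agree and the item should be rescanned rather than assumed gone.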

screen317,

Did you forget me?



tweet3219,

Did you forget me?
No, every additional reply you make puts you back at the bottom of my reply list. Please be patient.

Navigate to Start --> Run, and enter this command:

net start CryptSvc

Press Enter.

Restart your computer.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Run it after disabling your protection programs, and post its log.

-screen317


Screen,

Thanks. Here is the combofix log.

ComboFix 09-08-30.01 - Ann 08/30/2009 19:15.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1661 [GMT -4:00]

Running from: c:\documents and settings\Ann\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))

.

2009-08-30 17:12 . 2009-08-30 17:12 -------- d-----w- c:\documents and settings\Ann\Local Settings\Application Data\PCHealth

2009-08-28 02:50 . 2009-08-28 02:50 -------- d-----w- c:\program files\Test2

2009-08-27 23:21 . 2009-08-27 23:21 -------- d-----w- c:\program files\test

2009-08-26 21:31 . 2009-08-26 21:31 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-08-26 21:13 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-26 21:13 . 2009-08-28 03:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-26 21:13 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-26 21:11 . 2009-08-27 22:37 -------- d-----w- c:\program files\Unlocker

2009-08-26 14:34 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-26 14:34 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-26 14:34 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-26 14:34 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-26 14:34 . 2009-08-26 14:34 -------- d-----w- c:\program files\Avira

2009-08-26 14:34 . 2009-08-26 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-25 03:03 . 2009-08-30 17:12 -------- d-sh--w- c:\windows\Installer

2009-08-25 02:37 . 2009-08-25 02:37 -------- d-----w- c:\program files\Trend Micro

2009-08-24 22:04 . 2009-08-24 22:04 578560 ----a-w- c:\windows\system32\dllcache\user32.dll

2009-08-24 22:03 . 2009-08-24 22:03 -------- d-----w- c:\windows\ERUNT

2009-08-24 16:10 . 2009-08-24 16:00 114525527 ----a-w- C:\sdat5719.exe

2009-08-24 15:11 . 2009-08-24 15:11 -------- d-----w- c:\documents and settings\Ann\Application Data\Malwarebytes

2009-08-24 15:11 . 2009-08-24 15:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-24 14:32 . 2009-08-24 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-15 20:49 . 2009-08-15 20:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2009-08-13 02:40 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-30 17:12 . 2007-09-15 10:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-26 14:33 . 2007-09-08 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-08-25 04:22 . 2007-09-08 17:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-06 12:30 . 2007-09-08 17:13 77677 ----a-w- c:\windows\system32\nvModes.dat

2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-12 16:21 . 2004-08-11 22:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2004-08-11 22:00 827392 ------w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll

2009-06-16 14:36 . 2004-08-11 22:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2004-08-11 22:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2004-08-11 22:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2004-08-11 22:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2004-08-11 22:11 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2004-08-11 22:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2004-08-11 22:00 1291264 ----a-w- c:\windows\system32\quartz.dll

.

------- Sigcheck -------

[-] 2004-08-04 10:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe

[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe

[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll

[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll

[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll

[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[-] 2009-08-24 22:04 578560 !HASH: COULD NOT OPEN FILE !!!!! c:\windows\system32\dllcache\user32.dll

[-] 2004-08-04 10:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll

[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll

[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-25 148888]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk

backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk

backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1189890187\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/26/2009 10:34 AM 108289]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/10/2007 11:17 PM 24652]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/8/2007 1:40 PM 29744]

.

Contents of the 'Scheduled Tasks' folder

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

.

.

------- Supplementary Scan -------

.

IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

IE: &Search

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-30 19:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2420)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2009-08-30 19:23

ComboFix-quarantined-files.txt 2009-08-30 23:23

ComboFix2.txt 2009-08-28 02:38

Pre-Run: 133,500,370,944 bytes free

Post-Run: 133,502,500,864 bytes free

364 --- E O F --- 2009-08-26 21:00

Thanks.

tweet3219,

No, every additional reply you make puts you back at the bottom of my reply list. Please be patient.

Navigate to Start --> Run, and enter this command:

net start CryptSvc

Press Enter.

Restart your computer.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Run it after disabling your protection programs, and post its log.

-screen317


  • Staff

Hi,

Please use the ADDREPLY button to reply instead of the "Reply" button.

Next, please open Notepad. Copy and paste the following text (starting with @echo off) into the Notepad document.

Navigate to File --> Save As..., and save the file as RegExport.bat (make sure the Save As Type is set to All Files).

Save it to your Desktop.

@echo off
REM Export the registry key of each of the three services to a .reg file on the Desktop so its contents can be inspected
REGEDIT.exe /E "%userprofile%\DESKTOP\Cryptsvc.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc"
REGEDIT.exe /E "%userprofile%\DESKTOP\seclogon.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon"
REGEDIT.exe /E "%userprofile%\DESKTOP\spooler.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler"
EXIT

Now navigate to your Desktop, and double-click RegExport.bat.

A black window will open and close quickly. This is normal.

Now, open Notepad, navigate to your Desktop, and open the three .reg files that were just created. Post the contents of each.

-screen317


Here they are:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc]

"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00

"Description"="Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."

"DisplayName"="CryptSvc"

"ErrorControl"=dword:00000001

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

"ObjectName"="LocalSystem"

"Start"=dword:00000002

"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Parameters]

"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\

00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\

63,00,72,00,79,00,70,00,74,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\

00

"ServiceMain"="CryptServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Security]

"Security"=hex:00,00,0e,00,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Enum]

"0"="Root\\LEGACY_CRYPTSVC\\0000"

"Count"=dword:00000001

"NextInstance"=dword:00000001

2nd one:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]

"Description"="Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."

"DisplayName"="Secondary Logon"

"ErrorControl"=dword:00000000

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

"Objectname"="LocalSystem"

"Start"=dword:00000002

"Type"=dword:00000120

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Parameters]

"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\

00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\

73,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,\

00

"ServiceMain"="SvcEntry_Seclogon"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\

00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\

00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\

05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\

23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\

02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\

00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Enum]

"0"="Root\\LEGACY_SECLOGON\\0000"

"Count"=dword:00000001

"NextInstance"=dword:00000001

3rd one:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler]

"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00

"Description"="Loads files to memory for later printing."

"DisplayName"="Print Spooler"

"ErrorControl"=dword:00000001

"Group"="SpoolerGroup"

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,70,00,6f,00,6f,00,6c,00,73,00,76,00,2e,00,65,00,78,00,65,00,00,00

"ObjectName"="LocalSystem"

"Start"=dword:00000002

"Type"=dword:00000110

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Performance]

"Close"="PerfClose"

"Collect"="PerfCollect"

"Collect Timeout"=dword:000007d0

"Library"="winspool.drv"

"Object List"="1450"

"Open"="PerfOpen"

"Open Timeout"=dword:00000fa0

"WbemAdapFileSignature"=hex:bd,83,ab,a6,1e,8a,cc,c8,d9,ff,b8,69,f2,94,18,ce

"WbemAdapFileTime"=hex:00,29,52,e3,7a,79,c4,01

"WbemAdapFileSize"=dword:00023c00

"WbemAdapStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\

00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\

00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\

05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\

23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\

02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\

00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Enum]

"0"="Root\\LEGACY_SPOOLER\\0000"

"Count"=dword:00000001

"NextInstance"=dword:00000001

Let me know what is next.

Thanks again.

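Reading exports like the three above means decoding the hex(2) values by hand. The following is an added Python example, not part of the thread or of screen317's procedure: it parses a .reg export, decodes the REG_EXPAND_SZ (hex(2)) and REG_MULTI_SZ (hex(7)) values, and compares each service's ImagePath and ServiceDll with the values shown in the posted exports (the standard XP locations), which is the check a helper makes when looking for a hijacked service DLL. The sample input is a constructed, trimmed copy of the CryptSvc export; key paths and value names are lower-cased because the registry treats them case-insensitively.

```python
"""Decode a Windows .reg export and check service keys against expected binaries."""
import re

# Constructed sample input: a trimmed copy of the CryptSvc export posted in the
# thread, with the backslash continuation lines a real .reg file uses.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc]
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"DisplayName"="CryptSvc"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,72,00,79,00,70,00,74,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceMain"="CryptServiceMain"
'''

SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
SVCHOST = "%systemroot%\\system32\\svchost.exe -k netsvcs"

# Expected ImagePath and ServiceDll per service, as shown in the posted exports
# (the standard XP locations). Compared case-insensitively after decoding.
EXPECTED = {
    "cryptsvc": (SVCHOST, "%systemroot%\\system32\\cryptsvc.dll"),
    "seclogon": (SVCHOST, "%systemroot%\\system32\\seclogon.dll"),
    "spooler": ("%systemroot%\\system32\\spoolsv.exe", None),  # own exe, no DLL
}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<body>.*)$')
HEX_RE = re.compile(r'^hex(?:\((?P<kind>[0-9a-fA-F]+)\))?:(?P<data>.*)$')


def _join_continuations(text):
    """Yield logical lines: a trailing backslash continues the value on the next line."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        lines.append(pending + line)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def decode_value(body):
    """Decode one .reg value body: str, int, list of str (multi-sz) or bytes."""
    if body.startswith('"') and body.endswith('"'):
        return re.sub(r'\\(.)', r'\1', body[1:-1])  # unescape \\ and \"
    if body.startswith("dword:"):
        return int(body[len("dword:"):], 16)
    m = HEX_RE.match(body)
    if not m:
        raise ValueError("unsupported value syntax: " + body)
    data = bytes(int(b, 16) for b in m.group("data").split(",") if b)
    kind = m.group("kind")
    if kind in ("1", "2"):  # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE + NUL
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == "7":  # REG_MULTI_SZ: NUL-separated strings, double-NUL terminated
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data  # REG_BINARY (e.g. the Security descriptor) and anything else


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}}, names lower-cased."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name").lower()] = decode_value(m.group("body"))
    return keys


def check_service(keys, name):
    """Return a list of findings for one service; an empty list means all expected."""
    name = name.lower()
    svc = keys.get(SERVICES + name)
    if svc is None:
        return ["key missing from export"]
    want_image, want_dll = EXPECTED[name]
    findings = []
    image = svc.get("imagepath")
    if image is None:
        findings.append("ImagePath missing")
    elif str(image).lower() != want_image:
        findings.append("unexpected ImagePath: %r" % (image,))
    if svc.get("start") != 2:
        findings.append("Start is %r, expected 2 (Automatic)" % (svc.get("start"),))
    if want_dll is not None:
        dll = keys.get(SERVICES + name + "\\parameters", {}).get("servicedll")
        if dll is None:
            findings.append("ServiceDll missing")
        elif str(dll).lower() != want_dll:
            findings.append("unexpected ServiceDll: %r" % (dll,))
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("cryptsvc:", check_service(parsed, "cryptsvc") or "ok")
```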

  • Staff

Hi,

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    proquota.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop, entitled SystemLook.txt.


Here it is.

SystemLook v1.0 by jpshortstuff (29.08.09)

Log created at 21:34 on 31/08/2009 by Ann (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"

C:\i386\proquota.exe --a--- 50176 bytes [22:03 16/09/2007] [10:00 04/08/2004] 4D9D45A4370E0C2AD00C362B7118E2A4

C:\WINDOWS\$NtServicePackUninstall$\proquota.exe -----c 50176 bytes [17:26 24/07/2008] [10:00 04/08/2004] 4D9D45A4370E0C2AD00C362B7118E2A4

C:\WINDOWS\ServicePackFiles\i386\proquota.exe ------ 50176 bytes [11:10 23/07/2008] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

-=End Of File=-


Chet,

Screen317 has been helpful. I was able to run mbam and combofix after running avenger2 with the script he provided. Now I can get on the internet and run the different programs. Still finishing clean up with Screen317.

If you read the full thread you will see the section about avenger2 and the script. I recommend posting as I did and waiting on the experts to help.


This topic is now closed to further replies.