
MBAM/rootkit/HJT won't run



OK, I consider myself pretty good with computers but have never had such a problem getting rid of a virus. My friend's computer has whatever the virus is that comes up as Windows Antivirus Pro and also Advanced Virus Remover (which I currently have removed, but it has reinstalled once already while I was trying to get rid of the other).

I have downloaded your MBAM and am able to install it, but it won't run.

So I then tried the rename, but it won't allow me to rename.

So I then tried the rootkit; I was able to install it and it does open. When I select scan it appears to run, but then everything closes.

So I then tried HijackThis. I was able to install it and it also opens. I can start it and it appears to start running, but then closes.

I then did the Win32kDiag. It runs but then that window closes also. It did put this file on my desktop, so I've pasted it at the bottom.

So I don't know if I have any logs from these.

The computer will not do anything in regular mode. I am able to work pretty well in Safe Mode, but do get some spyware warnings every 5 minutes.

Also, I was able to run Norton's toolkit on bootup, once. It did find stuff, but didn't get rid of everything, and so when I went to run it again (like it said to), it locks up, so that is when I came here to try all the above suggestions.

Any help would be greatly appreciated.

Log file is located at: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\Debug\UserMode\gptext.log

[1] 2009-08-20 22:24:30 404 C:\WINDOWS\Debug\UserMode\gptext.log ()

Cannot access: C:\WINDOWS\eSellerateControl350.dll

[1] 2009-04-16 14:14:42 81920 C:\WINDOWS\eSellerateControl350.dll ()

Cannot access: C:\WINDOWS\inf\AegisP.inf

[1] 2009-08-19 18:56:24 13786 C:\WINDOWS\inf\AegisP.inf ()

Cannot access: C:\WINDOWS\inf\AegisP.PNF

[1] 2009-08-19 18:56:24 9976 C:\WINDOWS\inf\AegisP.PNF ()

Cannot access: C:\WINDOWS\inf\oem87.inf

[1] 2007-12-18 07:41:12 12164 C:\WINDOWS\inf\oem87.inf ()

Cannot access: C:\WINDOWS\inf\oem87.PNF

[1] 2009-08-19 18:56:20 17310 C:\WINDOWS\inf\oem87.PNF ()

Cannot access: C:\WINDOWS\inf\oem88.inf

[1] 2009-08-20 23:28:14 2514 C:\WINDOWS\inf\oem88.inf ()

Cannot access: C:\WINDOWS\inf\oem88.PNF

[1] 2009-08-20 23:28:50 7416 C:\WINDOWS\inf\oem88.PNF ()

Cannot access: C:\WINDOWS\inf\oem89.inf

[1] 2009-08-20 23:28:14 1300 C:\WINDOWS\inf\oem89.inf ()

Cannot access: C:\WINDOWS\inf\oem89.PNF

[1] 2009-08-20 23:28:50 5592 C:\WINDOWS\inf\oem89.PNF ()

Found mount point : C:\WINDOWS\Installer\Installer

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\msa.exe

[1] 2009-08-15 20:36:06 155648 C:\WINDOWS\msa.exe ()

Cannot access: C:\WINDOWS\msb.exe

[1] 2009-08-15 20:39:43 155648 C:\WINDOWS\msb.exe ()

Cannot access: C:\WINDOWS\msc.exe

[1] 2009-08-16 08:24:45 155648 C:\WINDOWS\msc.exe ()

Cannot access: C:\WINDOWS\msd.exe

[1] 2009-08-19 19:10:15 140288 C:\WINDOWS\msd.exe ()

Cannot access: C:\WINDOWS\network diagnostic\Sqm\NetDiag02.sqm

[1] 2009-08-20 23:54:02 816 C:\WINDOWS\network diagnostic\Sqm\NetDiag02.sqm ()

Cannot access: C:\WINDOWS\network diagnostic\xpnetdiag.xml

[1] 2009-08-20 23:53:51 23262 C:\WINDOWS\network diagnostic\xpnetdiag.xml ()

Cannot access: C:\WINDOWS\OPTIONS\CABS\blkwgu.cat

[1] 2008-02-13 21:30:30 10629 C:\WINDOWS\OPTIONS\CABS\blkwgu.cat ()

Cannot access: C:\WINDOWS\OPTIONS\CABS\BLKWGU.inf

[1] 2007-12-18 07:41:12 12164 C:\WINDOWS\OPTIONS\CABS\BLKWGU.inf ()

Cannot access: C:\WINDOWS\OPTIONS\CABS\BLKWGU.sys

[1] 2007-12-18 07:41:10 273280 C:\WINDOWS\OPTIONS\CABS\BLKWGU.sys ()

[1] 2007-12-18 07:41:10 273280 C:\WINDOWS\system\BLKWGU.sys (Belkin Corporation. )

[1] 2007-12-18 07:41:10 273280 C:\WINDOWS\system32\drivers\BLKWGU.sys (Belkin Corporation. )

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\ed49db3e3eb4e8cd7de32a9e4fb59630\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\ee626d72680ff2619246a1cf5516f892\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f29eba4fac3ab17c766d661ddeebef0f\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f7a4b3723a3aad7955ede9785b307e88\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f7a4b3723a3aad7955ede9785b307e88\sp2qfe\sp2qfe

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f7c10c2b68f88196f082e36f7313e169\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f90f6c0c452945125b5a22f96ec4c469\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\351631\351631

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2185990308-3991101986-39276087-1008\S-1-5-21-2185990308-3991101986-39276087-1008

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\AVR09.exe

[1] 2009-08-24 21:59:19 1926144 C:\WINDOWS\system32\AVR09.exe ()

Cannot access: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem88.CAT

[1] 2009-08-20 23:28:09 11146 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem88.CAT ()

Cannot access: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem89.CAT

[1] 2009-08-20 23:28:09 11146 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem89.CAT ()

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\system.sav\system.sav

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\alot\alot

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\{D190EE07-1887-4595-8F62-6253114299D2}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Money\15.0\Webcache\Webcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\BHDrvx86.CAT

[1] 2009-08-20 23:28:09 10613 C:\WINDOWS\system32\drivers\NIS\1000000.07D\BHDrvx86.CAT ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\BHDrvx86.inf

[1] 2009-08-20 23:28:14 641 C:\WINDOWS\system32\drivers\NIS\1000000.07D\BHDrvx86.inf ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\BHDrvx86.sys

[1] 2009-08-20 23:28:26 254512 C:\WINDOWS\system32\drivers\NIS\1000000.07D\BHDrvx86.sys ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\ccHPx86.cat

[1] 2009-08-20 23:28:09 10609 C:\WINDOWS\system32\drivers\NIS\1000000.07D\ccHPx86.cat ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\ccHPx86.inf

[1] 2009-08-20 23:28:14 1754 C:\WINDOWS\system32\drivers\NIS\1000000.07D\ccHPx86.inf ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\ccHPx86.sys

[1] 2009-08-20 23:28:26 362544 C:\WINDOWS\system32\drivers\NIS\1000000.07D\ccHPx86.sys ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\isolate.ini

[1] 2009-08-20 23:28:14 172 C:\WINDOWS\system32\drivers\NIS\1000000.07D\isolate.ini ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\srtsp.cat

[1] 2009-08-20 23:28:09 10617 C:\WINDOWS\system32\drivers\NIS\1000000.07D\srtsp.cat ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\srtsp.inf

[1] 2009-08-20 23:28:14 1383 C:\WINDOWS\system32\drivers\NIS\1000000.07D\srtsp.inf ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\srtsp.sys

[1] 2009-08-20 23:28:27 305712 C:\WINDOWS\system32\drivers\NIS\1000000.07D\srtsp.sys ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\srtspx.cat

[1] 2009-08-20 23:28:09 10621 C:\WINDOWS\system32\drivers\NIS\1000000.07D\srtspx.cat ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\srtspx.inf

[1] 2009-08-20 23:28:14 1389 C:\WINDOWS\system32\drivers\NIS\1000000.07D\srtspx.inf ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\srtspx.sys

[1] 2009-08-20 23:28:27 43696 C:\WINDOWS\system32\drivers\NIS\1000000.07D\srtspx.sys ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\symdns.sys

[1] 2009-08-20 23:28:27 12976 C:\WINDOWS\system32\drivers\NIS\1000000.07D\symdns.sys ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\SymEFA.cat

[1] 2009-08-20 23:28:09 10659 C:\WINDOWS\system32\drivers\NIS\1000000.07D\SymEFA.cat ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\SymEFA.inf

[1] 2009-08-20 23:28:14 3375 C:\WINDOWS\system32\drivers\NIS\1000000.07D\SymEFA.inf ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\SymEFA.sys

[1] 2009-08-20 23:28:27 309296 C:\WINDOWS\system32\drivers\NIS\1000000.07D\SymEFA.sys ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\symfw.sys

[1] 2009-08-20 23:28:27 89904 C:\WINDOWS\system32\drivers\NIS\1000000.07D\symfw.sys ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\symids.sys

[1] 2009-08-20 23:28:27 34608 C:\WINDOWS\system32\drivers\NIS\1000000.07D\symids.sys ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\symndis.sys

[1] 2009-08-20 23:28:27 37424 C:\WINDOWS\system32\drivers\NIS\1000000.07D\symndis.sys ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\symndisv.sys

[1] 2009-08-20 23:28:27 40496 C:\WINDOWS\system32\drivers\NIS\1000000.07D\symndisv.sys ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\SymNet.cat

[1] 2009-08-20 23:28:09 13089 C:\WINDOWS\system32\drivers\NIS\1000000.07D\SymNet.cat ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\SymNet.inf

[1] 2009-08-20 23:28:14 1611 C:\WINDOWS\system32\drivers\NIS\1000000.07D\SymNet.inf ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\symredrv.sys

[1] 2009-08-20 23:28:27 24752 C:\WINDOWS\system32\drivers\NIS\1000000.07D\symredrv.sys ()

Cannot access: C:\WINDOWS\system32\drivers\NIS\1000000.07D\symtdi.sys

[1] 2009-08-20 23:28:27 198192 C:\WINDOWS\system32\drivers\NIS\1000000.07D\symtdi.sys ()

Cannot access: C:\WINDOWS\system32\drivers\SymIM.sys

[1] 2009-08-20 23:28:27 35888 C:\WINDOWS\system32\drivers\SymIM.sys ()

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\dumprep.exe (Microsoft Corporation)

[1] 2004-08-09 23:00:00 10752 C:\WINDOWS\system32\dllcache\dumprep.exe (Microsoft Corporation)

[1] 2004-08-09 23:00:00 10752 C:\WINDOWS\system32\dumprep.exe ()

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-09 23:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-09 23:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-09 23:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\sysnet.dat

[1] 2009-08-24 21:59:43 36 C:\WINDOWS\system32\sysnet.dat ()

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

[1] 2009-02-06 04:41:05 227840 C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 05:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)

[1] 2004-08-09 23:00:00 218112 C:\WINDOWS\$NtUninstallKB956572$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:40 218112 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 11:39:29 227840 C:\WINDOWS\system32\dllcache\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 11:39:29 227840 C:\WINDOWS\system32\wbem\wmiprvse.exe ()

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job

[1] 2009-08-20 21:09:29 262 C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job ()

Cannot access: C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

[1] 2009-08-24 23:11:22 306 C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job ()

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\ONE1D42.tmp\ONE1D42.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\ONE3CA.tmp\ONE3CA.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\ONE74C.tmp\ONE74C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\SBCYahoo_SMB_600000\SBCYahoo_SMB_600000

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1048.tmp\slu1048.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1237.tmp\slu1237.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu12af.tmp\slu12af.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1302.tmp\slu1302.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu13ae.tmp\slu13ae.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu13b7.tmp\slu13b7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu13f7.tmp\slu13f7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu13fa.tmp\slu13fa.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1567.tmp\slu1567.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu158b.tmp\slu158b.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu166a.tmp\slu166a.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu166d.tmp\slu166d.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu16c.tmp\slu16c.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1735.tmp\slu1735.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu18a1.tmp\slu18a1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1959.tmp\slu1959.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1b91.tmp\slu1b91.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1ba9.tmp\slu1ba9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1bf.tmp\slu1bf.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1cfb.tmp\slu1cfb.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1d36.tmp\slu1d36.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1ecd.tmp\slu1ecd.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1f03.tmp\slu1f03.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1f78.tmp\slu1f78.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1fd5.tmp\slu1fd5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu2074.tmp\slu2074.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu2136.tmp\slu2136.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu21bf.tmp\slu21bf.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu23a8.tmp\slu23a8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu2470.tmp\slu2470.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu2520.tmp\slu2520.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu2afe.tmp\slu2afe.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu2c38.tmp\slu2c38.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu3170.tmp\slu3170.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu333d.tmp\slu333d.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu36cb.tmp\slu36cb.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu3864.tmp\slu3864.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu39e8.tmp\slu39e8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu3ec6.tmp\slu3ec6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu408c.tmp\slu408c.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu40f.tmp\slu40f.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu4108.tmp\slu4108.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu424f.tmp\slu424f.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu43f9.tmp\slu43f9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu4409.tmp\slu4409.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu476e.tmp\slu476e.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu4839.tmp\slu4839.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu484e.tmp\slu484e.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu4949.tmp\slu4949.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu49b1.tmp\slu49b1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu4e56.tmp\slu4e56.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu4e9d.tmp\slu4e9d.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu5254.tmp\slu5254.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu540e.tmp\slu540e.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu5771.tmp\slu5771.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu586a.tmp\slu586a.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu5973.tmp\slu5973.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu59ef.tmp\slu59ef.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu5a4a.tmp\slu5a4a.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu5bbb.tmp\slu5bbb.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu5c3e.tmp\slu5c3e.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu5c81.tmp\slu5c81.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu618f.tmp\slu618f.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu6492.tmp\slu6492.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu65c4.tmp\slu65c4.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu65e9.tmp\slu65e9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu669e.tmp\slu669e.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu671.tmp\slu671.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu70bf.tmp\slu70bf.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu7497.tmp\slu7497.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu7597.tmp\slu7597.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu75b3.tmp\slu75b3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu76c2.tmp\slu76c2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu780.tmp\slu780.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu7822.tmp\slu7822.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu7992.tmp\slu7992.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu7c94.tmp\slu7c94.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu7c96.tmp\slu7c96.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu7d3a.tmp\slu7d3a.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu7e36.tmp\slu7e36.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu7f2e.tmp\slu7f2e.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu9d.tmp\slu9d.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slue10.tmp\slue10.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\TempRec\TempSBE\TempSBE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\~nsu.tmp\~nsu.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!

Alycia

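As an added example (not part of this thread and not the Win32kDiag tool's own code), here is the triage a helper does by eye on a log like the one above, written in Python: it parses the "Found mount point" / "Mount point destination" pairs and the copies listed under each "Cannot access" entry, flags mount destinations that are not a real volume, and flags files whose in-place copy carries no vendor string while a same-named dllcache or hotfix copy does. The sample excerpt, the line regexes and the volume-name pattern are my assumptions about the format, taken from the excerpt above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the Win32kDiag format used in the post above (not the
# full log); the paths and sizes are copied from it, the selection is mine.
SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\Installer
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)
[1] 2004-08-09 23:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-09 23:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-09 23:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\drivers\SymIM.sys
[1] 2009-08-20 23:28:27 35888 C:\WINDOWS\system32\drivers\SymIM.sys ()
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[flag] date time size path (company)" -- the company field may be empty.
COPY_RE = re.compile(r"^\[(\d+)\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+) \(([^()]*)\)$")
# Assumption: a benign mount point resolves to a real volume; anything else is worth a look.
VOLUME_RE = re.compile(r"^\\Device\\HarddiskVolume\d+$|^\\\?\?\\Volume\{[0-9A-Fa-f-]+\}\\?$")


def parse_win32kdiag(text):
    """Return (mounts, blocked): mounts is a list of (reparse point, destination);
    blocked maps each 'Cannot access' path to the copies the tool listed under it."""
    mounts, blocked = [], {}
    pending_mount = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_mount, current = m.group(1), None
        elif m := DEST_RE.match(line):
            if pending_mount is not None:
                mounts.append((pending_mount, m.group(1)))
            pending_mount = None
        elif m := CANNOT_RE.match(line):
            current = m.group(1)
            blocked[current] = []
        elif (m := COPY_RE.match(line)) and current is not None:
            blocked[current].append({
                "flag": int(m.group(1)),
                "time": m.group(2),
                "size": int(m.group(3)),
                "path": m.group(4),
                "company": m.group(5).strip(),
            })
    return mounts, blocked


def suspicious_mount_destinations(mounts):
    """Group reparse points by destination and keep those that are not a volume.
    Dozens of system directories all redirected to one bogus device name, as in
    the log above, is not something a normal installation produces; a rootkit
    redirecting directory access to its own driver looks exactly like this."""
    by_dest = defaultdict(list)
    for path, dest in mounts:
        by_dest[dest].append(path)
    return {d: paths for d, paths in by_dest.items() if not VOLUME_RE.match(d)}


def likely_replaced_files(blocked):
    """Flag inaccessible files whose in-place copy carries no vendor string while a
    same-named reference copy (dllcache, hotfix backup, update download) is
    vendor-tagged: the file on disk has probably been overwritten. A file that is
    merely locked (SymIM.sys in the sample) has no such reference and is not
    flagged; 'Cannot access' on its own proves nothing."""
    findings = []
    for path, copies in blocked.items():
        name = path.rsplit("\\", 1)[-1].lower()
        same_path = [c for c in copies if c["path"].lower() == path.lower()]
        refs = [c for c in copies
                if c["path"].lower() != path.lower()
                and c["path"].rsplit("\\", 1)[-1].lower() == name
                and c["company"]]
        if not same_path or same_path[0]["company"] or not refs:
            continue
        # Vendor-tagged copies listed under another name (logevent.dll above) are
        # what the helper in the thread used as the clean replacement.
        alternatives = [c["path"] for c in copies
                        if c["company"] and c["path"].rsplit("\\", 1)[-1].lower() != name]
        findings.append({
            "path": path,
            "size": same_path[0]["size"],
            "reference_sizes": sorted({c["size"] for c in refs}),
            "alternatives": alternatives,
        })
    return findings


if __name__ == "__main__":
    mounts, blocked = parse_win32kdiag(SAMPLE_LOG)
    for dest, paths in suspicious_mount_destinations(mounts).items():
        print(f"{len(paths)} mount point(s) -> {dest}")
    for f in likely_replaced_files(blocked):
        print(f"{f['path']}: {f['size']} bytes, no vendor; vendor-tagged copies are "
              f"{f['reference_sizes']} bytes; alternatives: {f['alternatives']}")
```

On the full log above the same logic would report every `__max++>` mount point and single out eventlog.dll, which is the file the staff reply below replaces.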

  • Staff

Hi,

1. Please download The Avenger2 by SwanDog46

2. Unzip avenger.exe to your desktop.

3. Copy the text in the following codebox by selecting all of it and pressing (<Control> + C), or by right clicking and selecting "Copy".

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll

4. Now start The Avenger2 by double clicking avenger.exe on your desktop.

5. Read the prompt that appears, and press OK.

6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".

7. Press the "Execute" button.

8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.

Note: It is possible that Avenger will reboot your system TWICE.

9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.


OK, I got the confirmation prompts. I clicked yes on the first one and then a window comes up that says: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!

I did copy and paste and double checked that it matched exactly.

So what next?

And thank you very much for the help.


Here is the info from Avenger:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation

"C:\WINDOWS\SYSTEM32\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll"

completed successfully.

Completed script processing.

*******************

Finished! Terminate.


  • Staff

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    [screenshots: CF_download_FF.gif, CF_download_rename.gif]

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because in some cases malware blocks every process except those on its own whitelist, and that whitelist also has to include important system processes such as iexplore.exe, explorer.exe and winlogon.exe.


Here is the log from Combofix. HijackThis still will not run; it says it cannot find the file or that I may not have rights to it (I did try running it in Safe Mode too).

ComboFix 09-08-28.01 - HP_Administrator 08/28/2009 17:34.1.1 - NTFSx86

Running from: C:\Combo-Fix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\cleanup.exe

C:\djos.exe

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\0.EXE

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\csrss.exe

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\services.exe

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\svchost.exe

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\winlogon.exe

c:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk

c:\documents and settings\HP_Administrator\Application Data\alot

c:\documents and settings\HP_Administrator\Application Data\alot\BrowserSearch\BrowserSearch.xml

c:\documents and settings\HP_Administrator\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\Button_0\Button_0.xml

c:\documents and settings\HP_Administrator\Application Data\alot\Button_0\Button_0.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\Button_1\Button_1.xml

c:\documents and settings\HP_Administrator\Application Data\alot\Button_1\Button_1.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\Button_2\Button_2.xml

c:\documents and settings\HP_Administrator\Application Data\alot\Button_2\Button_2.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\Button_3\Button_3.xml

c:\documents and settings\HP_Administrator\Application Data\alot\Button_3\Button_3.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\Button_4\Button_4.xml

c:\documents and settings\HP_Administrator\Application Data\alot\Button_4\Button_4.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\Button_5\Button_5.xml

c:\documents and settings\HP_Administrator\Application Data\alot\Button_5\Button_5.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\Button_6\Button_6.xml

c:\documents and settings\HP_Administrator\Application Data\alot\Button_6\Button_6.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\Button_7\Button_7.xml

c:\documents and settings\HP_Administrator\Application Data\alot\Button_7\Button_7.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\Button_8\Button_8.xml

c:\documents and settings\HP_Administrator\Application Data\alot\Button_8\Button_8.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\Button_9\Button_9.xml

c:\documents and settings\HP_Administrator\Application Data\alot\Button_9\Button_9.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\configurator\configurator.xml

c:\documents and settings\HP_Administrator\Application Data\alot\configurator\configurator.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\contextMenu\contextMenu.xml

c:\documents and settings\HP_Administrator\Application Data\alot\contextMenu\contextMenu.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\ErrorSearch\ErrorSearch.xml

c:\documents and settings\HP_Administrator\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\postInstallLayout\postInstallLayout.xml

c:\documents and settings\HP_Administrator\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\products\products.xml

c:\documents and settings\HP_Administrator\Application Data\alot\products\products.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\BrowserSearch\images\favicon.ico

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_0\images\alot_logo_button.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_1\images\alot_search_button.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_2\images\default_1310_alot_mus_lyrics.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_2\images\default_1310_alot_mus_lyrics.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_3\images\default_2097_music_videos.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_3\images\default_2097_music_videos.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_4\images\default_1365_music_news.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_4\images\default_1365_music_news.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_5\images\default_1363_alot_widget_radio.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_5\images\default_1363_alot_widget_radio.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_6\images\default_1103_alot_lottery_dollar.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_6\images\default_1103_alot_lottery_dollar.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_7\images\default_1726_rhapsody.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_7\images\default_1726_rhapsody.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_8\images\default_1602_alot_mrkt_livinghealthy.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_8\images\default_1602_alot_mrkt_livinghealthy.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_9\images\default_1795_default_1795_alot_configure.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Button_9\images\default_1795_default_1795_alot_configure.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\contextMenu\images\alot_icon.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Shared\domains.dat

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Shared\images\alot_brand.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Shared\images\alot_splitter.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Shared\images\discover.png

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Shared\images\spinner.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Shared\images\widget_bottom.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Shared\images\widget_caption.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Shared\images\widget_error_close.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp

c:\documents and settings\HP_Administrator\Application Data\alot\SiteMetrics\SiteMetrics.xml

c:\documents and settings\HP_Administrator\Application Data\alot\SiteMetrics\SiteMetrics.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\TimerManager\TimerManager.xml

c:\documents and settings\HP_Administrator\Application Data\alot\TimerManager\TimerManager.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\toolbar.xml

c:\documents and settings\HP_Administrator\Application Data\alot\toolbar.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml

c:\documents and settings\HP_Administrator\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\ToolbarSearch\ToolbarSearch.xml

c:\documents and settings\HP_Administrator\Application Data\alot\ToolbarSearch\ToolbarSearch.xml.backup

c:\documents and settings\HP_Administrator\Application Data\alot\Updater\Updater.xml

c:\documents and settings\HP_Administrator\Application Data\alot\Updater\Updater.xml.backup

c:\documents and settings\HP_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk

c:\documents and settings\HP_Administrator\Desktop\Advanced Virus Remover.lnk

c:\documents and settings\HP_Administrator\protect.dll

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\ChkDisk.dll

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\ChkDisk.lnk

c:\documents and settings\LocalService\protect.dll

c:\documents and settings\NetworkService\Application Data\alot

c:\documents and settings\NetworkService\protect.dll

C:\ekxfnpkm.exe

C:\lcbckjms.exe

c:\program files\AdvancedVirusRemover

c:\program files\AdvancedVirusRemover\PAVRM.exe

c:\program files\alot

c:\program files\alot\alotUninst.exe

c:\program files\alot\bin\alot.dll

c:\program files\Common Files\Real\WeatherBug\MiniBugTransporter.dll

c:\program files\Common

c:\program files\Freeze.com Toolbar

c:\program files\TinyProxy

c:\recycler\S-1-5-21-1711605578-3068294409-739734832-1008

c:\recycler\S-1-5-21-2871628685-1081871091-549211060-1008

c:\recycler\S-1-5-21-4612077726-3912092305-448497824-4014

c:\recycler\S-1-5-21-4612077726-3912092305-448497824-4014\msimfo32.exe

c:\recycler\S-1-5-21-527237240-179605362-725345543-500

c:\windows\Downloaded Program Files\CpnMgr.dll

c:\windows\eSellerateEngine.dll

c:\windows\f49f4daa.dat

c:\windows\kb913800.exe

c:\windows\msa.exe

c:\windows\mse.exe

c:\windows\msf.exe

c:\windows\msg.exe

c:\windows\system32\autochk.dll

c:\windows\system32\config\systemprofile\Application Data\alot

c:\windows\system32\config\systemprofile\protect.dll

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk

c:\windows\system32\critical_warning.html

c:\windows\system32\drivers\1c5abfc.sys

c:\windows\system32\drivers\kbiwkmxyhdduff.sys

c:\windows\system32\hs7f3uhduhfukde.dll

c:\windows\system32\images

c:\windows\system32\images\i1.gif

c:\windows\system32\images\i2.gif

c:\windows\system32\images\i3.gif

c:\windows\system32\images\j1.gif

c:\windows\system32\images\j2.gif

c:\windows\system32\images\j3.gif

c:\windows\system32\images\jj1.gif

c:\windows\system32\images\jj2.gif

c:\windows\system32\images\jj3.gif

c:\windows\system32\images\l1.gif

c:\windows\system32\images\l2.gif

c:\windows\system32\images\l3.gif

c:\windows\system32\images\pix.gif

c:\windows\system32\images\t1.gif

c:\windows\system32\images\t2.gif

c:\windows\system32\images\up1.gif

c:\windows\system32\images\up2.gif

c:\windows\system32\images\w1.gif

c:\windows\system32\images\w11.gif

c:\windows\system32\images\w2.gif

c:\windows\system32\images\w3.gif

c:\windows\system32\images\w3.jpg

c:\windows\system32\images\wt1.gif

c:\windows\system32\images\wt2.gif

c:\windows\system32\images\wt3.gif

c:\windows\system32\kbiwkmbpjwftym.dat

c:\windows\system32\kbiwkmdfggoflq.dll

c:\windows\system32\kbiwkmnxvrievm.dll

c:\windows\system32\kbiwkmsrsdmtsd.dll

c:\windows\system32\kbiwkmwisotafv.dat

c:\windows\system32\msxml71.dll

c:\windows\system32\sonhelp.htm

c:\windows\system32\sysnet.dat

c:\windows\system32\tapi.nfo

c:\windows\system32\wbem\proquota.exe

c:\windows\system32\winhelper.dll

c:\windows\system32\wisdstr.exe

c:\windows\system32\wispex.html

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_kbiwkmqkudoqhv

-------\Legacy_kbiwkmqkudoqhv

-------\Legacy_ONESTEP_SEARCH_SERVICE

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Service_OneStep Search Service

-------\Service_1c5abfc

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))

.

2009-08-28 22:25 . 2009-08-28 22:25 3187537 -c--a-r- C:\Combo-Fix.exe

2009-08-28 22:24 . 2009-08-28 22:24 -------- dc----w- C:\spoolerlogs

2009-08-28 16:48 . 2009-08-28 16:48 574 -c--a-w- C:\cleanup.bat

2009-08-28 16:48 . 2009-08-28 16:48 135168 -c--a-w- C:\zip.exe

2009-08-25 23:36 . 2009-08-25 23:38 15 ----a-w- c:\documents and settings\Administrator\settings.dat

2009-08-25 22:33 . 2009-08-25 22:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-25 22:33 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-25 22:33 . 2009-08-25 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-25 22:33 . 2009-08-25 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-25 22:33 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-25 04:51 . 2009-08-25 07:56 137363456 --sha-w- C:\NRTPage.sys

2009-08-21 04:53 . 2009-08-21 04:53 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Symantec

2009-08-21 04:34 . 2009-08-21 04:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

2009-08-21 04:28 . 2009-08-21 04:28 35888 ----a-r- c:\windows\system32\drivers\SymIM.sys

2009-08-21 04:28 . 2009-08-21 04:28 -------- d-----w- c:\windows\system32\drivers\NIS

2009-08-21 03:40 . 2009-08-21 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings

2009-08-21 03:40 . 2009-08-25 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-21 03:20 . 2009-08-25 04:32 -------- d-----w- c:\program files\Rundll Errors Fix Wizard

2009-08-21 03:20 . 2009-05-20 19:23 44544 ----a-w- c:\windows\rv.dat

2009-08-21 03:20 . 2009-05-20 19:23 33280 ----a-w- c:\windows\rxp.dat

2009-08-21 03:20 . 2009-04-16 19:14 81920 ----a-w- c:\windows\eSellerateControl350.dll

2009-08-21 03:11 . 2009-08-21 03:11 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-08-21 02:15 . 2009-08-21 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-20 00:16 . 2009-08-20 00:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

2009-08-20 00:10 . 2009-08-21 03:04 -------- dc----w- C:\downloads

2009-08-20 00:10 . 2009-08-20 00:10 140288 ----a-w- c:\windows\msd.exe

2009-08-19 23:56 . 2009-08-19 23:56 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-08-19 23:56 . 2009-08-19 23:56 -------- d-----w- c:\windows\OPTIONS

2009-08-19 23:56 . 2007-12-18 12:41 273280 ----a-r- c:\windows\system32\drivers\BLKWGU.sys

2009-08-19 23:56 . 2007-12-18 12:41 273280 ------r- c:\windows\system\BLKWGU.sys

2009-08-19 23:55 . 2009-08-19 23:55 -------- d-----w- c:\windows\system32\Belkin Wireless G USB Adapter Software

2009-08-19 23:55 . 2009-08-19 23:55 -------- d-----w- c:\program files\Belkin

2009-08-19 23:55 . 2009-08-19 23:55 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\InstallShield

2009-08-19 23:47 . 2009-08-19 23:47 552 ----a-w- c:\windows\system32\d3d8caps.dat

2009-08-17 18:16 . 2009-08-16 13:24 155648 ----a-w- c:\windows\msc.exe

2009-08-16 01:46 . 2009-08-26 02:06 -------- d-----w- c:\windows\Installer

2009-08-16 01:44 . 2009-08-16 01:39 155648 ----a-w- c:\windows\msb.exe

2009-08-16 01:35 . 2009-08-16 01:35 705 -c--a-w- C:\cuopy.exe

2009-08-16 01:34 . 2009-08-16 01:35 705 -c--a-w- C:\sndanmiw.exe

2009-08-16 01:34 . 2009-08-16 01:34 203535 -c--a-w- C:\jybmkssu.exe

2009-08-14 18:10 . 2009-08-14 18:10 -------- d-----w- c:\program files\Off Road Arena

2009-08-14 18:09 . 2009-08-14 18:09 -------- d-----w- c:\program files\ReflexiveArcade

2009-08-14 17:51 . 2009-08-14 17:51 17 ----a-w- c:\documents and settings\HP_Administrator\Application Data\godzHell\jag2png.bat

2009-08-14 17:49 . 2009-08-14 17:51 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\godzHell

2009-08-13 14:56 . 2009-08-13 15:02 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Roblox

2009-08-13 14:56 . 2009-08-13 14:56 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\RobloxDownloads

2009-08-13 14:56 . 2009-08-13 14:56 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\RobloxVersions

2009-08-11 01:22 . 2009-08-11 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HipSoft

2009-08-11 01:21 . 2009-08-11 01:21 -------- d-----w- c:\program files\Build-a-lot

2009-08-11 01:20 . 2009-08-11 01:21 46313128 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\GameManager\GameDB\F2151T1L1\setup_gF2151T1L1_d603719427_l1_s1.exe

2009-08-11 01:20 . 2009-08-11 01:20 -------- d-----w- c:\program files\bfgclient

2009-08-11 00:37 . 2009-08-11 00:37 -------- d-----w- c:\program files\Common Files\DirectX

2009-08-11 00:37 . 2009-08-13 14:26 36734 ----a-w- c:\windows\system32\OggDSuninst.exe

2009-08-11 00:35 . 2009-08-11 00:35 -------- d-----w- c:\program files\Trymedia

2009-08-11 00:35 . 2009-08-11 00:35 -------- d-----w- c:\program files\Valusoft

2009-08-11 00:29 . 2009-08-11 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache

2009-08-11 00:29 . 2009-08-11 01:18 2383904 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe

2009-08-06 22:13 . 2009-08-06 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard

2009-08-06 22:11 . 2009-08-06 22:11 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-08-06 22:11 . 2009-08-07 15:00 -------- d-----w- c:\program files\World of Warcraft Trial

2009-08-06 20:14 . 2009-08-06 20:14 17 ----a-w- c:\documents and settings\HP_Administrator\Application Data\pkClient\jag2png.bat

2009-08-06 20:12 . 2009-08-06 20:14 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\pkClient

2009-08-06 20:10 . 2009-08-13 17:00 -------- d-----w- c:\program files\Registry Easy

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-25 23:41 . 2006-05-26 22:10 -------- d-----w- c:\program files\Trend Micro

2009-08-25 01:45 . 2006-03-10 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-25 01:45 . 2006-03-10 00:34 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-21 03:45 . 2009-01-19 21:34 256 ----a-w- c:\windows\system32\pool.bin

2009-08-19 23:55 . 2006-03-10 00:10 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-11 02:23 . 2007-10-09 15:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-07 19:53 . 2009-04-29 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-06 21:42 . 2008-07-13 18:39 34 ----a-w- c:\documents and settings\HP_Administrator\jagex_runescape_preferences.dat

2009-08-05 18:09 . 2007-01-10 02:54 962 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat

2009-07-31 14:42 . 2008-11-30 19:55 -------- d-----w- c:\program files\Microsoft Silverlight

2009-06-29 16:12 . 2004-08-10 04:00 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-10 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-10 04:00 17408 ------w- c:\windows\system32\corpol.dll

2009-06-16 14:55 . 2004-08-10 04:00 82432 ------w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2004-08-10 04:00 119808 ------w- c:\windows\system32\t2embed.dll

2009-06-03 19:24 . 2004-08-10 04:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2006-06-12 00:14 . 2006-06-12 00:14 251 ----a-w- c:\program files\wt3d.ini

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-06 68856]

"AbacastDistributedOnDemand:11"="c:\documents and settings\HP_Administrator\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2008-09-30 54776]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-10 249856]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-25 7311360]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]

"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-25 218496]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-10 53760]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58843:TCP"= 58843:TCP:Pando Media Booster

"58843:UDP"= 58843:UDP:Pando Media Booster

.

Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\Schedule Task Weekly.job

- c:\program files\Registry Easy\RE.exe [2009-08-06 21:42]

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{2fbf9890-6c46-4a4a-a910-c05bceea7fd4} - (no file)

HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll

.

------- Supplementary Scan -------

.

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

Trusted Zone: motive.com\patttbc.att

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-28 17:44

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3492)

c:\windows\system32\WININET.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\mshtml.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\arservice.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2009-08-28 17:48 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-28 22:48

Pre-Run: 163,508,428,800 bytes free

Post-Run: 163,836,723,200 bytes free

393 --- E O F --- 2009-07-31 01:29

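The ComboFix log above contains three patterns a responder would normally pull out before deciding what to clean next: core Windows process names (csrss.exe, lsass.exe, services.exe, svchost.exe, winlogon.exe) dropped into a user's Temp folder, a cluster of files in system32 and drivers that all share the random prefix "kbiwkm", and registry values that switch off Security Center monitoring and the Windows Firewall. The following script is an added example and is not part of the original thread or of ComboFix; it runs the three checks over sample lines copied from that log. The table of directories a core process image may legitimately live in, and the length and count thresholds used for prefix clustering, are this example's own assumptions.

```python
# Added example, not part of the original thread: a triage pass over the
# ComboFix "Other Deletions" and "Reg Loading Points" sections posted above.
# Sample lines are copied from that log; the allowed-directory table and the
# prefix-clustering thresholds are this example's assumptions.
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the paths ComboFix reported deleting.
SAMPLE_DELETIONS = r"""
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\csrss.exe
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\services.exe
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\svchost.exe
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\HP_Administrator\protect.dll
c:\windows\system32\drivers\kbiwkmxyhdduff.sys
c:\windows\system32\kbiwkmbpjwftym.dat
c:\windows\system32\kbiwkmdfggoflq.dll
c:\windows\system32\kbiwkmnxvrievm.dll
c:\windows\system32\kbiwkmsrsdmtsd.dll
c:\windows\system32\kbiwkmwisotafv.dat
c:\windows\system32\wbem\proquota.exe
"""

# Constructed sample: registry values from the same log.
SAMPLE_REGISTRY = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Assumed table: where a core XP process image legitimately lives. The two
# cache directories hold protected originals of the same binaries.
SYSTEM32_DIRS = {r"c:\windows\system32", r"c:\windows\system32\dllcache",
                 r"c:\windows\servicepackfiles\i386"}
CORE_IMAGE_DIRS = {name: SYSTEM32_DIRS for name in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "proquota.exe")}
CORE_IMAGE_DIRS["explorer.exe"] = {r"c:\windows"}


def _paths(text):
    # Non-empty, lower-cased path lines from a pasted log section.
    for line in text.splitlines():
        line = line.strip().lower()
        if line:
            yield line


def find_masquerading(deletions):
    """Paths that carry a core process name but sit in the wrong directory
    (here: five system names in a user's Temp folder, proquota.exe in wbem)."""
    hits = []
    for path in _paths(deletions):
        allowed = CORE_IMAGE_DIRS.get(ntpath.basename(path))
        if allowed is not None and ntpath.dirname(path) not in allowed:
            hits.append(path)
    return hits


def find_name_clusters(deletions, prefix_len=6, min_len=12, min_members=3):
    """Group long all-letter file stems by their leading characters. Several
    files sharing one meaningless prefix (kbiwkm... here) is the footprint of
    a dropper that derives its names from one seed. Thresholds are assumed."""
    groups = defaultdict(list)
    for path in _paths(deletions):
        stem = ntpath.splitext(ntpath.basename(path))[0]
        if len(stem) >= min_len and stem.isalpha():
            groups[stem[:prefix_len]].append(path)
    return {k: v for k, v in groups.items() if len(v) >= min_members}


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
SECURITY_CENTER_OFF = {"disablemonitoring", "updatesdisablenotify",
                       "antivirusdisablenotify", "firewalldisablenotify"}
FIREWALL_PROFILES = ("firewallpolicy\\standardprofile", "firewallpolicy\\domainprofile")


def _to_int(raw):
    # Parse 'dword:00000001' or '0 (0x0)' as ComboFix prints them.
    m = re.search(r"dword:([0-9a-f]+)", raw, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"-?\d+", raw)
    return int(m.group(0)) if m else None


def find_disabled_defenses(registry):
    """(key, value name, value) for Security Center or firewall settings that
    have been switched off; legitimate software rarely sets these on a home PC."""
    findings, key = [], ""
    for line in registry.splitlines():
        k = _KEY_RE.match(line.strip())
        if k:
            key = k.group(1).lower()
            continue
        v = _VALUE_RE.match(line.strip())
        if not v:
            continue
        name, value = v.group(1).lower(), _to_int(v.group(2))
        if "security center" in key and name in SECURITY_CENTER_OFF and value == 1:
            findings.append((key, name, value))
        elif key.endswith(FIREWALL_PROFILES) and name == "enablefirewall" and value == 0:
            findings.append((key, name, value))
    return findings


if __name__ == "__main__":
    print("masquerading:", find_masquerading(SAMPLE_DELETIONS))
    print("name clusters:", find_name_clusters(SAMPLE_DELETIONS))
    print("defences off:", find_disabled_defenses(SAMPLE_REGISTRY))
```

On the sample above the masquerading check returns the five Temp copies plus c:\windows\system32\wbem\proquota.exe, the cluster check returns one group of six "kbiwkm" files, and the registry check returns the three disabled-defence values. Note that the directory check is a whitelist of locations, not a signature: the same names in c:\windows\system32\dllcache are the Windows File Protection copies and must not be flagged, which is why that directory is in the allowed set.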

  • Staff

Hi,

First of all, navigate to and delete the following files:

c:\windows\msd.exe

c:\windows\msc.exe

c:\windows\msb.exe

C:\cuopy.exe

C:\sndanmiw.exe

C:\jybmkssu.exe

HijackThis will still not run, it says it cannot find the file or I may not have rights to it (I did try running in safe-mode too)
Yes, that's the malware that has set permissions on the files.

To restore this, assuming Win32kDiag is ON your desktop..

Go to start > run and copy and paste the following command in the field:

"%userprofile%\desktop\win32kdiag.exe" -f -r

This should restore permissions on locked files.

Then go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

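The reply above attributes the "cannot find the file" error to permissions the malware set on the tool, and uses Win32kDiag with -f -r to restore them. As an added check that is not part of the original thread, the same ACL can be inspected and repaired by hand with cacls, which ships with Windows XP, so you can see what was changed rather than trust a blind fix. The path is the one that appears in the HijackThis log that follows; it is assumed the tool is still installed there, and the commands are run from a Start > Run prompt or cmd.exe as an administrator.

```batch
@echo off
rem Added example, not from the original thread: inspect and repair the DACL
rem on the blocked tool with cacls (present on Windows XP). The path is an
rem assumption taken from the HijackThis log in this thread.
set TARGET=C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

rem 1. Show the current ACL. An administrator who gets "cannot find the file"
rem    or "access denied" for a file that is visibly on disk usually sees an
rem    explicit Deny entry here, or no entry at all for Administrators.
cacls "%TARGET%"

rem 2. Grant Administrators and SYSTEM full control. /E edits the existing
rem    ACL instead of replacing it, so other entries survive and no prompt
rem    is shown.
cacls "%TARGET%" /E /G Administrators:F
cacls "%TARGET%" /E /G SYSTEM:F

rem 3. If step 1 showed a Deny entry for Everyone, drop every entry for that
rem    group (/R removes allow and deny alike), then give Users read and
rem    execute back so ordinary accounts can still run the tool.
cacls "%TARGET%" /E /R Everyone
cacls "%TARGET%" /E /G Users:R

rem 4. Clear hidden/system/read-only attributes and confirm the result.
attrib -h -s -r "%TARGET%"
cacls "%TARGET%"
```

If cacls itself reports access denied even from an administrator account, the file's owner was changed as well; take ownership first through the file's Properties > Security > Advanced > Owner tab, then rerun the grants. Repeat the same inspection for any other tool that refuses to start, since the malware is unlikely to have locked only one file.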

Well there is much improvement already. Here is the HijackThis log. I'm also assuming that I should be able to install Norton now without issues.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:00:06 AM, on 8/29/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\arservice.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\AT&T\Internet Security Wizard\ISW.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\HP\KBD\KBD.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [iSW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [AbacastDistributedOnDemand:11] C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe -r:11 -x:1

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-2185990308-3991101986-39276087-1008\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')

O4 - HKUS\S-1-5-21-2185990308-3991101986-39276087-1008\..\Run: [AbacastDistributedOnDemand:11] C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe -r:11 -x:1 (User '?')

O4 - HKUS\S-1-5-21-2185990308-3991101986-39276087-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')

O4 - HKUS\S-1-5-21-2185990308-3991101986-39276087-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} -

O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 7969 bytes

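To show how a helper reads a log like the one above, here is an added example: a small Python triage script that parses HijackThis entries and flags the ones worth a second look. It is not part of HijackThis or of this thread; the heuristics (orphaned "(no file)"/"(file missing)" references, an autorun pointing at an executable in a drive root, unidentified Winsock LSPs, a DPF entry with no download URL, and a service whose path is truncated to a bare directory) are the example's own assumptions, not HijackThis' built-in logic. The sample log is constructed from lines in the post above plus one constructed O4 entry for C:\cuopy.exe, the kind of root-level dropper the staff member asked to have deleted earlier in the thread.

```python
"""Triage a HijackThis (HJT) log: parse each R/F/O entry and flag the ones a
malware-removal helper would look at first.

Added example for this thread, not HijackThis' or the forum's own code.
The review heuristics below are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Entry lines look like "O4 - HKLM\..\Run: [name] command": a section tag,
# the literal " - ", then the body.  Header and process-list lines don't match.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# A bare executable at a drive root (e.g. C:\cuopy.exe) is where the droppers
# in this thread lived; legitimate software almost never installs there.
ROOT_EXE_RE = re.compile(r'(?i)\b[a-z]:\\[^\\\s"]+\.exe\b')


@dataclass
class Entry:
    section: str
    body: str
    raw: str


@dataclass
class Finding:
    section: str
    reason: str
    raw: str


def parse_hjt(text: str) -> list[Entry]:
    """Return the R/F/O entries of an HJT log, skipping header and process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"], line.strip()))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply simple review heuristics (assumptions); findings come back in log order."""
    findings = []
    for e in entries:
        body = e.body.rstrip()
        if body.endswith("(no file)") or "(file missing)" in body:
            findings.append(Finding(e.section, "orphaned reference: target file is gone, safe to fix", e.raw))
        elif e.section == "O4" and ROOT_EXE_RE.search(body):
            findings.append(Finding(e.section, "autorun points at an executable in a drive root", e.raw))
        elif e.section == "O10":
            findings.append(Finding(e.section, "Winsock LSP that HJT could not identify; verify the DLL", e.raw))
        elif e.section == "O16" and body.endswith("-"):
            findings.append(Finding(e.section, "ActiveX (DPF) entry with no download URL", e.raw))
        elif e.section == "O23" and "Unknown owner" in body and body.endswith("\\"):
            findings.append(Finding(e.section, "service path truncated to a directory; check the real binary", e.raw))
    return findings


# Constructed sample: real lines from the log in this thread plus one invented
# "[cuopy]" autorun entry so the drive-root heuristic has something to catch.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [cuopy] C:\cuopy.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} -
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def triage_sample() -> list[Finding]:
    """Run the triage over the constructed sample log."""
    return triage(parse_hjt(SAMPLE_LOG))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.section}] {f.reason}\n    {f.raw}")
```

Everything the script does not flag (Google Toolbar, NVIDIA, Roxio, the HP entries) is the ordinary OEM and vendor clutter seen in the log above; the point of the heuristics is to pull the handful of entries that need a human decision out of a 7 KB log, not to decide for them.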

  • Staff

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

