Need help please


OLEO
Hey! I can't open mbam. Tried renaming and that won't work. What do you need from me?

Thank you so much!

Log file is located at: C:\Documents and Settings\OLEO\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB944338\KB944338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB944338\KB944338

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E8.tmp\ZAP2E8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E8.tmp\ZAP2E8.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP76C.tmp\ZAP76C.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP76C.tmp\ZAP76C.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP78D.tmp\ZAP78D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP78D.tmp\ZAP78D.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP92.tmp\ZAP92.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP92.tmp\ZAP92.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\templates\policies\policies

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\templates\policies\policies

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\98fab4ecd9d5b9c5e3d70294da82509b\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\98fab4ecd9d5b9c5e3d70294da82509b\backup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-682003330-1844823847-839522115-1003\S-1-5-21-682003330-1844823847-839522115-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-682003330-1844823847-839522115-1003\S-1-5-21-682003330-1844823847-839522115-1003

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Applications\Applications

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Applications\Applications

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\SecEdit

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\SecEdit

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\Applications\Applications

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\Applications\Applications

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\Documents & Settings\Documents & Settings

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\Documents & Settings\Documents & Settings

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT\IEAK\IEAK

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT\IEAK\IEAK

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT\RemoteInstall\RemoteInstall

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT\RemoteInstall\RemoteInstall

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff\Logoff

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff\Logoff

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\Logon

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\Logon

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\RsFx\RsFx

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\RsFx\RsFx

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Found mount point : C:\WINDOWS\Temp\TempPatchMgrDir\TempPatchMgrDir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\TempPatchMgrDir\TempPatchMgrDir

Found mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Finished!

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "aoixvyyr" found!

Start Type: 3 (Manual)

Rootkit scan completed.

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

ComboFix 09-08-28.06 - OLEO 08/29/2009 15:06.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1613 [GMT -4:00]

Running from: c:\documents and settings\OLEO\Desktop\afadsfeiw.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

c:\documents and settings\OLEO\Application Data\inst.exe

c:\windows\Installer\143b68.msi

c:\windows\Installer\4d771e6.msi

c:\windows\system32\drivers\msqpdxmxctoity.sys

c:\windows\system32\drivers\UACkombgnqype.sys

c:\windows\system32\msqpdxvoqlnvuo.dll

c:\windows\system32\UACaxskoyaebh.db

c:\windows\system32\UACdpmebwjnbm.dat

c:\windows\system32\uacinit.dll

c:\windows\system32\UACjdaubwtxtu.dll

c:\windows\system32\UAClgblwgihdw.dll

c:\windows\system32\UACnykpqbmgix.dll

c:\windows\system32\UACswmgqjqiwb.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_msqpdxserv.sys

-------\Legacy_msqpdxserv.sys

-------\Service_UACd.sys

-------\Legacy_UACd.sys

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))

.

2009-08-29 15:55 . 2009-08-29 15:55 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE

2009-08-29 15:55 . 2009-08-29 15:55 -------- d-sh--w- c:\documents and settings\administrator\IETldCache

2009-08-29 15:54 . 2009-08-29 18:01 -------- d--h--w- c:\windows\PIF

2009-08-29 13:26 . 2009-08-29 13:36 691420 ----a-w- c:\windows\system32\Client.exe

2009-08-27 15:24 . 2009-08-27 15:24 33215 ----a-w- c:\program files\Common Files\alg.exe

2009-08-17 02:44 . 2008-07-11 00:28 92184 ----a-w- c:\windows\system32\SQSRVRES.DLL

2009-08-17 02:36 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-08-10 18:26 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2009-08-10 18:26 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2009-08-10 18:26 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2009-08-10 18:25 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll

2009-08-08 23:08 . 2009-08-08 23:08 -------- d-----w- c:\program files\Common Files\Sonic Shared

2009-08-08 23:08 . 2009-08-08 23:09 -------- d-----w- c:\program files\Roxio

2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-29 18:25 . 2008-09-04 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\vulScan

2009-08-29 17:18 . 2008-05-23 22:07 -------- d-----w- c:\documents and settings\OLEO\Application Data\LimeWire

2009-08-29 16:04 . 2008-07-09 20:56 256 ----a-w- c:\windows\system32\pool.bin

2009-08-29 14:48 . 2008-05-21 16:49 384156 ----a-w- c:\windows\system32\nvModes.dat

2009-08-29 14:14 . 2008-09-13 17:36 -------- d-----w- c:\program files\Starcraft

2009-08-29 00:37 . 2008-05-22 00:37 -------- d-----w- c:\documents and settings\OLEO\Application Data\Azureus

2009-08-27 00:17 . 2008-05-23 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-22 20:25 . 2009-02-21 17:14 -------- d-----w- c:\documents and settings\OLEO\Application Data\Orbit

2009-08-17 23:16 . 2008-05-21 21:35 -------- d-----w- c:\program files\Microsoft Silverlight

2009-08-17 02:41 . 2008-05-23 19:57 -------- d-----w- c:\program files\Microsoft.NET

2009-08-17 02:39 . 2009-01-15 16:33 -------- d-----w- c:\program files\Microsoft SQL Server

2009-08-10 18:44 . 2008-06-09 13:18 -------- d-----w- c:\documents and settings\OLEO\Application Data\Apple Computer

2009-08-10 18:27 . 2008-06-02 11:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-08-08 23:55 . 2008-05-21 20:55 85456 ----a-w- c:\documents and settings\OLEO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-08 23:10 . 2009-03-28 16:32 -------- d-----w- c:\program files\Common Files\Roxio Shared

2009-08-08 23:08 . 2009-03-28 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2009-08-08 22:59 . 2008-07-09 20:53 -------- d-----w- c:\program files\Common Files\Research In Motion

2009-08-06 11:07 . 2009-03-24 02:45 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-05 09:01 . 2008-05-16 18:08 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 17:36 . 2008-12-10 01:31 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 17:36 . 2008-12-10 01:31 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-29 04:37 . 2008-05-16 18:09 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:37 . 2008-05-16 18:07 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-07-26 02:33 . 2008-07-25 17:50 256 ----a-w- c:\documents and settings\OLEO\pool.bin

2009-07-17 19:01 . 2008-05-16 18:06 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2008-05-16 18:09 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 20:48 . 2009-07-09 20:48 158112 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-07-06 20:42 . 2009-07-06 20:41 -------- d-----w- c:\program files\Microsoft LifeCam

2009-07-03 17:09 . 2008-05-16 18:09 915456 ----a-w- c:\windows\system32\wininet.dll

2009-07-03 09:25 . 2008-10-27 04:45 -------- d-----w- c:\program files\DivX

2009-07-03 09:25 . 2009-07-03 09:25 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-06-25 08:25 . 2008-05-16 18:09 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2008-05-16 18:08 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2008-05-16 18:08 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2008-05-16 18:08 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2008-05-16 18:08 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2008-05-16 18:08 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2008-05-16 18:08 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-23 14:41 . 2009-06-23 14:41 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

2009-06-12 12:31 . 2008-05-16 18:09 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2008-05-16 18:09 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2008-05-16 18:07 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2008-05-21 15:15 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2008-05-16 18:09 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-05 15:42 . 2009-06-23 14:43 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-06-05 15:42 . 2009-06-23 14:43 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-06-03 19:09 . 2008-05-16 18:08 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-06-01 12:50 . 2009-06-01 12:50 1878984 ----a-w- c:\documents and settings\OLEO\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-22 13594624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\katrack.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk

backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^OLEO^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]

path=c:\documents and settings\OLEO\Start Menu\Programs\Startup\Microsoft Office Groove.lnk

backup=c:\windows\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OLEO^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\OLEO\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OLEO^Start Menu^Programs^Startup^rncsys32.exe]

path=c:\documents and settings\OLEO\Start Menu\Programs\Startup\rncsys32.exe

backup=c:\windows\pss\rncsys32.exeStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\tools

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\tools\Bandwidth Monitor

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\tools\Bandwidth Monitor\NetMeter

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Nero BackItUp Scheduler 3"=2 (0x2)

"idsvc"=2 (0x2)

"WinVNC4"=2 (0x2)

"TVersityMediaServer"=2 (0x2)

"ose"=3 (0x3)

"NMIndexingService"=3 (0x3)

"Microsoft Office Groove Audit Service"=3 (0x3)

"odserv"=3 (0x3)

"usnjsvc"=3 (0x3)

"Intel PDS"=2 (0x2)

"Intel Targeted Multicast"=2 (0x2)

"OracleServiceORCL"=3 (0x3)

"OracleDBConsoleorcl"=3 (0x3)

"PLFlash DeviceIoControl Service"=2 (0x2)

"KeyAccess"=2 (0x2)

"OracleOraDb11g_home1TNSListener"=3 (0x3)

"OracleJobSchedulerORCL"=2 (0x2)

"LightScribeService"=2 (0x2)

"Softmon"=2 (0x2)

"CBA8"=2 (0x2)

"SR_Watchdog"=2 (0x2)

"SR_Service"=2 (0x2)

"gusvc"=2 (0x2)

"SQLWriter"=2 (0x2)

"MSSQL$SQLEXPRESS"=2 (0x2)

"MDM"=2 (0x2)

"iPod Service"=3 (0x3)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"rpcapd"=3 (0x3)

"gupdate1c99437b290d79e"=2 (0x2)

"FLEXnet Licensing Service"=3 (0x3)

"RoxWatch9"=2 (0x2)

"RoxMediaDB9"=3 (0x3)

"Roxio Upnp Server 9"=2 (0x2)

"Roxio UPnP Renderer 9"=3 (0x3)

"Viewpoint Manager Service"=2 (0x2)

"IDriverT"=3 (0x3)

"WMPNetworkSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Look@LAN\\LookAtLan.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Java\\jdk1.6.0_07\\bin\\java.exe"=

"c:\\Program Files\\Java\\jdk1.6.0_07\\jre\\bin\\java.exe"=

"c:\\WINDOWS\\keyacc32.exe"=

"c:\\WINDOWS\\system32\\cba\\pds.exe"=

"c:\\WINDOWS\\system32\\msgsys.exe"=

"c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

"c:\\Program Files\\Java\\jdk1.6.0_07\\jre\\bin\\javaw.exe"=

"c:\\Sun\\AppServer\\lib\\appserv.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\tools\\GNS3\\Dynamips\\dynamips-wxp.exe"=

"c:\\tools\\Orbit Downloader\\Orbitdownloader\\orbitdm.exe"=

"c:\\tools\\Orbit Downloader\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\tools\\hfs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\tools\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/6/2008 11:50 PM 114768]

R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [4/9/2009 1:53 PM 181120]

R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [4/9/2009 1:53 PM 51072]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/6/2008 11:50 PM 20560]

S0 enxobpmx;enxobpmx;c:\windows\system32\drivers\ssnjesaz.sys --> c:\windows\system32\drivers\ssnjesaz.sys [?]

S2 awtfm;awtfm;c:\windows\system32\drivers\gxfskns.sys --> c:\windows\system32\drivers\gxfskns.sys [?]

S2 bgjcb;bgjcb;c:\windows\system32\drivers\alutykca.sys --> c:\windows\system32\drivers\alutykca.sys [?]

S2 Parclass;Parclass;c:\windows\system32\drivers\parclass.sys [2/21/2009 1:35 PM 19824]

S3 ALSysIO;ALSysIO;\??\c:\docume~1\OLEO\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\OLEO\LOCALS~1\Temp\ALSysIO.sys [?]

S3 cpuz130;cpuz130;\??\c:\docume~1\OLEO\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\OLEO\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]

S3 PIOdriver;PIOdriver;c:\windows\system32\drivers\PIOdriver.sys [2/21/2009 1:38 PM 3712]

S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?]

S4 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [1/9/2007 11:03 AM 122880]

S4 gupdate1c99437b290d79e;Google Update Service (gupdate1c99437b290d79e);c:\program files\Google\Update\GoogleUpdate.exe [2/21/2009 11:18 AM 133104]

S4 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [8/1/2007 1:00 PM 753664]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]

S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]

S4 Softmon;LANDesk® Software Monitoring Service;c:\progra~1\LANDesk\LDClient\softmon.exe [9/4/2008 9:42 AM 266240]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/19/2008 5:37 PM 24652]

--- Other Services/Drivers In Memory ---

*Deregistered* - Ndisprot.sys

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

2009-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 15:18]

2009-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 15:18]

2009-08-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1844823847-839522115-1003Core.job

- c:\documents and settings\OLEO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:42]

2009-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1844823847-839522115-1003UA.job

- c:\documents and settings\OLEO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:42]

.

- - - - ORPHANS REMOVED - - - -

BHO-{49382bc1-b2ee-4e19-9399-3f8c4f6b2f7d} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.ca/ig?hl=en&source=iglk

uInternet Settings,ProxyOverride = *.local

IE: &Download by Orbit - c:\tools\Orbit Downloader\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\tools\Orbit Downloader\Orbitdownloader\orbitmxt.dll/204

IE: Append to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Do&wnload selected by Orbit - c:\tools\Orbit Downloader\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\tools\Orbit Downloader\Orbitdownloader\orbitmxt.dll/202

TCP: {05539B53-B65E-42B8-A41F-286D0EA3BE91} = 24.226.1.93,24.226.10.193

DPF: {AE3E8210-B33F-49C1-B4E2-860F5F4D732F} - hxxps://192.168.1.222/dsview/applets/viewerLauncher.cab

DPF: {E448F884-5E2E-4216-84DE-3DF9F387F11E} - hxxps://issxp14/zenworks/ext/NFileUpload.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-29 15:18

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1296)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\LANDesk\LDClient\LocalSch.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\windows\system32\nvsvc32.exe

c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\stacsv.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

.

**************************************************************************

.

Completion time: 2009-08-29 15:24 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-29 19:24

Pre-Run: 67,472,769,024 bytes free

Post-Run: 67,622,432,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


  • Staff

Open NOTEPAD and copy/paste the text in the quotebox below into it:

http://www.malwarebytes.org/forums/index.php?showtopic=23003&st=0entry116879
Collect::
c:\Program Files\Common Files\alg.exe
FILE::
c:\windows\pss\rncsys32.exeStartup
REGISTRY::
[-HKLM\~\startupfolder\C:^Documents and Settings^OLEO^Start Menu^Programs^Startup^rncsys32.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

Save this as "CFScript"

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

---------------

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------

In your next post, please include fresh logs from:

  1. Online scan
  2. ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.

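One check worth making before a CFScript is dragged onto ComboFix, as an added example that is not from the thread and is not ComboFix's own code: confirm that every file and registry key the script names actually occurs in the log the script was written from, so a mistyped path or key is never handed to a tool that deletes what it is told to. The code assumes the script format only as the staff reply shows it (directive headers ending in `::`, REGEDIT4-style `[-KEY]` for a key to delete); the script text is copied from the reply, and the log excerpt is a constructed subset of lines from the ComboFix log posted above. Because the portion of that log shown here contains no line for alg.exe, the `Collect::` target is reported as unmatched, which is exactly the prompt to go back to the full log and confirm the entry before running the script.

```python
"""Cross-check a ComboFix CFScript against the log it was written from.

Added example; not part of the thread and not ComboFix's own code. It assumes
only what the staff reply shows about the script format: directive headers
ending in '::' (Collect::, FILE::, REGISTRY::), each followed by the lines it
applies to, and registry keys to delete written REGEDIT4-style as '[-KEY]'.
The check answers one question before the script is run: does every target
it names occur in the posted log?
"""
import re

# Script text copied from the staff reply. The first line is the thread URL,
# not a directive, and is skipped by the parser.
CFSCRIPT = r"""
http://www.malwarebytes.org/forums/index.php?showtopic=23003&st=0entry116879
Collect::
c:\Program Files\Common Files\alg.exe
FILE::
c:\windows\pss\rncsys32.exeStartup
REGISTRY::
[-HKLM\~\startupfolder\C:^Documents and Settings^OLEO^Start Menu^Programs^Startup^rncsys32.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"""

# Constructed excerpt: lines copied from the ComboFix log posted above.
# The part of that log shown on this page has no line for alg.exe, so the
# Collect:: target is expected to come back as unmatched.
COMBOFIX_LOG = r"""
[HKLM\~\startupfolder\C:^Documents and Settings^OLEO^Start Menu^Programs^Startup^rncsys32.exe]
path=c:\documents and settings\OLEO\Start Menu\Programs\Startup\rncsys32.exe
backup=c:\windows\pss\rncsys32.exeStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\tools
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
"""

DIRECTIVE = re.compile(r"^([A-Za-z]+)::\s*$")


def normalize_target(line):
    """Lower-case a path or key and drop REGEDIT4 decoration.

    '[-KEY]' and '[KEY]' both become 'key'; surrounding quotes are removed.
    Windows paths and registry keys are case-insensitive, so comparisons
    are made on the lower-cased form.
    """
    t = line.strip()
    if t.startswith("[") and t.endswith("]"):
        t = t[1:-1]
        if t.startswith("-"):
            t = t[1:]
    return t.strip('"').lower()


def parse_cfscript(text):
    """Return [(DIRECTIVE, [normalized targets]), ...] in script order.

    Lines before the first directive (the thread URL here) are ignored.
    """
    sections = []
    targets = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if m:
            targets = []
            sections.append((m.group(1).upper(), targets))
        elif targets is not None:
            targets.append(normalize_target(line))
    return sections


def find_unmatched(script_text, log_text):
    """Targets the script names that appear nowhere in the log.

    Returns [(DIRECTIVE, target), ...]; an empty list means every file and
    key the script would act on is something the log actually reported.
    """
    log_lines = [normalize_target(l) for l in log_text.splitlines() if l.strip()]
    unmatched = []
    for directive, targets in parse_cfscript(script_text):
        for target in targets:
            if not any(target in line for line in log_lines):
                unmatched.append((directive, target))
    return unmatched


if __name__ == "__main__":
    for directive, target in find_unmatched(CFSCRIPT, COMBOFIX_LOG):
        print(f"{directive}: no log line mentions {target}")
```

Run against the full ComboFix.txt rather than an excerpt, an empty result is what you want to see before the script is used; anything reported should be traced back to the log by hand, since the script acts on exactly the strings it contains.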

KASPERSKY ONLINE SCANNER 7.0: scan report

Sunday, August 30, 2009

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Sunday, August 30, 2009 02:56:45

Records in database: 2714059

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area My Computer

C:\

D:\

M:\

X:\

Scan statistics

Objects scanned 183636

Threats found 10

Infected objects found 32

Suspicious objects found 0

Scan duration 03:04:02

File name Threat Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACkombgnqype.sys.vir Infected: Rootkit.Win32.Agent.oxr 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjdaubwtxtu.dll.vir Infected: Trojan.Win32.Tdss.anrc 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClgblwgihdw.dll.vir Infected: Packed.Win32.TDSS.y 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnykpqbmgix.dll.vir Infected: Trojan.Win32.TDSS.amwo 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACswmgqjqiwb.dll.vir Infected: Packed.Win32.TDSS.y 1

C:\System Volume Information\_restore{4CA015DD-3FF5-4D28-A21B-34E2461E3B7C}\RP0\A0000001.sys Infected: Rootkit.Win32.Agent.oxr 1

C:\System Volume Information\_restore{4CA015DD-3FF5-4D28-A21B-34E2461E3B7C}\RP0\A0000002.dll Infected: Trojan.Win32.TDSS.amwo 1

C:\System Volume Information\_restore{4CA015DD-3FF5-4D28-A21B-34E2461E3B7C}\RP0\A0000003.dll Infected: Trojan.Win32.Tdss.anrc 1

C:\System Volume Information\_restore{4CA015DD-3FF5-4D28-A21B-34E2461E3B7C}\RP0\A0000004.dll Infected: Packed.Win32.TDSS.y 1

C:\System Volume Information\_restore{4CA015DD-3FF5-4D28-A21B-34E2461E3B7C}\RP0\A0000005.dll Infected: Packed.Win32.TDSS.y 1

C:\tools\hfs.exe Infected: not-a-virus:Server-FTP.Win32.SFH.d 1

C:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:NetTool.Win32.RemoteProcessSpawn.a 1

C:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.j 1

C:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3

C:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2

C:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 3

X:\tools\hfs.exe Infected: not-a-virus:Server-FTP.Win32.SFH.d 1

X:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:NetTool.Win32.RemoteProcessSpawn.a 1

X:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.j 1

X:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3

X:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2

X:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 3

Selected area has been scanned.



whooooops

ComboFix 09-08-28.06 - OLEO 08/29/2009 15:41.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1420 [GMT -4:00]

Running from: c:\documents and settings\OLEO\Desktop\afadsfeiw.exe

Command switches used :: c:\documents and settings\OLEO\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1335 [VPS 090829-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::

"c:\windows\pss\rncsys32.exeStartup"

file zipped: c:\program files\Common Files\alg.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Common Files\alg.exe

.

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))

.

2009-08-29 15:55 . 2009-08-29 15:55 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE

2009-08-29 15:55 . 2009-08-29 15:55 -------- d-sh--w- c:\documents and settings\administrator\IETldCache

2009-08-29 15:54 . 2009-08-29 18:01 -------- d--h--w- c:\windows\PIF

2009-08-29 13:26 . 2009-08-29 13:36 691420 ----a-w- c:\windows\system32\Client.exe

2009-08-17 02:44 . 2008-07-11 00:28 92184 ----a-w- c:\windows\system32\SQSRVRES.DLL

2009-08-17 02:36 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-08-10 18:26 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2009-08-10 18:26 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2009-08-10 18:26 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2009-08-10 18:25 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll

2009-08-08 23:08 . 2009-08-08 23:08 -------- d-----w- c:\program files\Common Files\Sonic Shared

2009-08-08 23:08 . 2009-08-08 23:09 -------- d-----w- c:\program files\Roxio

2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-29 18:25 . 2008-09-04 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\vulScan

2009-08-29 17:18 . 2008-05-23 22:07 -------- d-----w- c:\documents and settings\OLEO\Application Data\LimeWire

2009-08-29 16:04 . 2008-07-09 20:56 256 ----a-w- c:\windows\system32\pool.bin

2009-08-29 14:48 . 2008-05-21 16:49 384156 ----a-w- c:\windows\system32\nvModes.dat

2009-08-29 14:14 . 2008-09-13 17:36 -------- d-----w- c:\program files\Starcraft

2009-08-29 00:37 . 2008-05-22 00:37 -------- d-----w- c:\documents and settings\OLEO\Application Data\Azureus

2009-08-27 00:17 . 2008-05-23 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-22 20:25 . 2009-02-21 17:14 -------- d-----w- c:\documents and settings\OLEO\Application Data\Orbit

2009-08-17 23:16 . 2008-05-21 21:35 -------- d-----w- c:\program files\Microsoft Silverlight

2009-08-17 02:41 . 2008-05-23 19:57 -------- d-----w- c:\program files\Microsoft.NET

2009-08-17 02:39 . 2009-01-15 16:33 -------- d-----w- c:\program files\Microsoft SQL Server

2009-08-10 18:44 . 2008-06-09 13:18 -------- d-----w- c:\documents and settings\OLEO\Application Data\Apple Computer

2009-08-10 18:27 . 2008-06-02 11:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-08-08 23:55 . 2008-05-21 20:55 85456 ----a-w- c:\documents and settings\OLEO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-08 23:10 . 2009-03-28 16:32 -------- d-----w- c:\program files\Common Files\Roxio Shared

2009-08-08 23:08 . 2009-03-28 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2009-08-08 22:59 . 2008-07-09 20:53 -------- d-----w- c:\program files\Common Files\Research In Motion

2009-08-06 11:07 . 2009-03-24 02:45 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-05 09:01 . 2008-05-16 18:08 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 17:36 . 2008-12-10 01:31 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 17:36 . 2008-12-10 01:31 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-29 04:37 . 2008-05-16 18:09 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:37 . 2008-05-16 18:07 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-07-26 02:33 . 2008-07-25 17:50 256 ----a-w- c:\documents and settings\OLEO\pool.bin

2009-07-17 19:01 . 2008-05-16 18:06 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2008-05-16 18:09 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 20:48 . 2009-07-09 20:48 158112 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-07-06 20:42 . 2009-07-06 20:41 -------- d-----w- c:\program files\Microsoft LifeCam

2009-07-03 17:09 . 2008-05-16 18:09 915456 ------w- c:\windows\system32\wininet.dll

2009-07-03 09:25 . 2008-10-27 04:45 -------- d-----w- c:\program files\DivX

2009-07-03 09:25 . 2009-07-03 09:25 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-06-25 08:25 . 2008-05-16 18:09 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2008-05-16 18:08 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2008-05-16 18:08 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2008-05-16 18:08 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2008-05-16 18:08 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2008-05-16 18:08 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2008-05-16 18:08 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-23 14:41 . 2009-06-23 14:41 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

2009-06-12 12:31 . 2008-05-16 18:09 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2008-05-16 18:09 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2008-05-16 18:07 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2008-05-21 15:15 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2008-05-16 18:09 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-05 15:42 . 2009-06-23 14:43 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-06-05 15:42 . 2009-06-23 14:43 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-06-03 19:09 . 2008-05-16 18:08 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-06-01 12:50 . 2009-06-01 12:50 1878984 ----a-w- c:\documents and settings\OLEO\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-08-29_19.18.12 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-05-16 18:08 . 2009-08-29 19:09 96708 c:\windows\system32\perfc009.dat

+ 2008-05-16 18:08 . 2009-08-29 19:21 96708 c:\windows\system32\perfc009.dat

+ 2008-05-16 18:08 . 2009-08-29 19:21 509908 c:\windows\system32\perfh009.dat

- 2008-05-16 18:08 . 2009-08-29 19:09 509908 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-22 13594624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\katrack.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk

backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^OLEO^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]

path=c:\documents and settings\OLEO\Start Menu\Programs\Startup\Microsoft Office Groove.lnk

backup=c:\windows\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OLEO^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\OLEO\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Nero BackItUp Scheduler 3"=2 (0x2)

"idsvc"=2 (0x2)

"WinVNC4"=2 (0x2)

"TVersityMediaServer"=2 (0x2)

"ose"=3 (0x3)

"NMIndexingService"=3 (0x3)

"Microsoft Office Groove Audit Service"=3 (0x3)

"odserv"=3 (0x3)

"usnjsvc"=3 (0x3)

"Intel PDS"=2 (0x2)

"Intel Targeted Multicast"=2 (0x2)

"OracleServiceORCL"=3 (0x3)

"OracleDBConsoleorcl"=3 (0x3)

"PLFlash DeviceIoControl Service"=2 (0x2)

"KeyAccess"=2 (0x2)

"OracleOraDb11g_home1TNSListener"=3 (0x3)

"OracleJobSchedulerORCL"=2 (0x2)

"LightScribeService"=2 (0x2)

"Softmon"=2 (0x2)

"CBA8"=2 (0x2)

"SR_Watchdog"=2 (0x2)

"SR_Service"=2 (0x2)

"gusvc"=2 (0x2)

"SQLWriter"=2 (0x2)

"MSSQL$SQLEXPRESS"=2 (0x2)

"MDM"=2 (0x2)

"iPod Service"=3 (0x3)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"rpcapd"=3 (0x3)

"gupdate1c99437b290d79e"=2 (0x2)

"FLEXnet Licensing Service"=3 (0x3)

"RoxWatch9"=2 (0x2)

"RoxMediaDB9"=3 (0x3)

"Roxio Upnp Server 9"=2 (0x2)

"Roxio UPnP Renderer 9"=3 (0x3)

"Viewpoint Manager Service"=2 (0x2)

"IDriverT"=3 (0x3)

"WMPNetworkSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Look@LAN\\LookAtLan.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Java\\jdk1.6.0_07\\bin\\java.exe"=

"c:\\Program Files\\Java\\jdk1.6.0_07\\jre\\bin\\java.exe"=

"c:\\WINDOWS\\keyacc32.exe"=

"c:\\WINDOWS\\system32\\cba\\pds.exe"=

"c:\\WINDOWS\\system32\\msgsys.exe"=

"c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

"c:\\Program Files\\Java\\jdk1.6.0_07\\jre\\bin\\javaw.exe"=

"c:\\Sun\\AppServer\\lib\\appserv.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\tools\\GNS3\\Dynamips\\dynamips-wxp.exe"=

"c:\\tools\\Orbit Downloader\\Orbitdownloader\\orbitdm.exe"=

"c:\\tools\\Orbit Downloader\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\tools\\hfs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\tools\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/6/2008 11:50 PM 114768]

R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [4/9/2009 1:53 PM 181120]

R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [4/9/2009 1:53 PM 51072]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/6/2008 11:50 PM 20560]

S0 enxobpmx;enxobpmx;c:\windows\system32\drivers\ssnjesaz.sys --> c:\windows\system32\drivers\ssnjesaz.sys [?]

S2 awtfm;awtfm;c:\windows\system32\drivers\gxfskns.sys --> c:\windows\system32\drivers\gxfskns.sys [?]

S2 bgjcb;bgjcb;c:\windows\system32\drivers\alutykca.sys --> c:\windows\system32\drivers\alutykca.sys [?]

S2 Parclass;Parclass;c:\windows\system32\drivers\parclass.sys [2/21/2009 1:35 PM 19824]

S3 ALSysIO;ALSysIO;\??\c:\docume~1\OLEO\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\OLEO\LOCALS~1\Temp\ALSysIO.sys [?]

S3 cpuz130;cpuz130;\??\c:\docume~1\OLEO\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\OLEO\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]

S3 PIOdriver;PIOdriver;c:\windows\system32\drivers\PIOdriver.sys [2/21/2009 1:38 PM 3712]

S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?]

S4 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [1/9/2007 11:03 AM 122880]

S4 gupdate1c99437b290d79e;Google Update Service (gupdate1c99437b290d79e);c:\program files\Google\Update\GoogleUpdate.exe [2/21/2009 11:18 AM 133104]

S4 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [8/1/2007 1:00 PM 753664]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]

S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]

S4 Softmon;LANDesk® Software Monitoring Service;c:\progra~1\LANDesk\LDClient\softmon.exe [9/4/2008 9:42 AM 266240]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/19/2008 5:37 PM 24652]

--- Other Services/Drivers In Memory ---

*Deregistered* - Ndisprot.sys

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

2009-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 15:18]

2009-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 15:18]

2009-08-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1844823847-839522115-1003Core.job

- c:\documents and settings\OLEO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:42]

2009-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1844823847-839522115-1003UA.job

- c:\documents and settings\OLEO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.ca/ig?hl=en&source=iglk

uInternet Settings,ProxyOverride = *.local

IE: &Download by Orbit - c:\tools\Orbit Downloader\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\tools\Orbit Downloader\Orbitdownloader\orbitmxt.dll/204

IE: Append to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Do&wnload selected by Orbit - c:\tools\Orbit Downloader\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\tools\Orbit Downloader\Orbitdownloader\orbitmxt.dll/202

TCP: {05539B53-B65E-42B8-A41F-286D0EA3BE91} = 24.226.1.93,24.226.10.193

DPF: {AE3E8210-B33F-49C1-B4E2-860F5F4D732F} - hxxps://192.168.1.222/dsview/applets/viewerLauncher.cab

DPF: {E448F884-5E2E-4216-84DE-3DF9F387F11E} - hxxps://issxp14/zenworks/ext/NFileUpload.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-29 15:44

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-08-29 15:46

ComboFix-quarantined-files.txt 2009-08-29 19:46

ComboFix2.txt 2009-08-29 19:24

Pre-Run: 67,624,308,736 bytes free

Post-Run: 67,606,560,768 bytes free

264

Upload was successful

THANK YOU SO MUCH FOR YOUR HELP!!!!!!


  • Staff

Of the stuff Kaspersky found,

X:\tools\hfs.exe Infected: not-a-virus:Server-FTP.Win32.SFH.d 1

X:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:NetTool.Win32.RemoteProcessSpawn.a 1

X:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.j 1

X:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3

X:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2

X:\tools\VNCScan.2008.6.25.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 3

The above are riskware that you downloaded. You get to decide whether to keep them.

C:\QooBox is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while

----------------------

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u
  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  4. http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  5. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  6. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.
    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.spywareinfoforum.com/index.php?showtopic=60955

After doing all these, your system will be optimised against future threats.

.

Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.


Hey Subs, I'm back with another question!

I have two instances of iexplore.exe running all the time and I don't use IE...

They appeared a couple days ago with the other stuff. I can run mbam and avast and they both came up clean.

Any ideas?
