Can't open Norton, Spybot, HJT, MBAM, Safe Mode

Asterix · August 30, 2009

I have been following your site for several months and now I may actually need your expertise. My problem seems to be very popular at the moment, albeit slightly different, with the following symptoms:

- Running Windows XP Home, Norton Corporate Edition, Mozilla Firefox

- I could not close an unexpected pop-up close enough and it seems to have attacked and disabled my Norton AV

- Since then, only certain .exe files cannot be run, and new programs cannot be installed.

- I cannot run the following, without them either crashing or giving the "windows cannot access the specified....you may not have the appropriate permissions...": HijackThis, MBAM, Spybot, Norton

- Other programs such as MSOffice, etc, run fine.

- Firefox and IE often redirect to random search sites, and some links cannot open, unless you directly paste them

- I have deleted several files that started with UAC, msb.exe, b.exe, etc.

- Cannot boot into safe mode - blue screen

- The only thing I was able to do was run a couple of online scans, e.g. Kaspersky, but they did not find anything else

- The win32kdiag.exe log is posted in the following post.

What should I do, and is there a place to donate via Paypal if you help me fix this problem?

Regards,

Asterix

Asterix · August 30, 2009

Log file is located at: C:\Documents and Settings\Djordje\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BCMCommon\BCMCommon

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BCMRes\BCMRes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BusinessLayer\BusinessLayer

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Iris.DataDictionary\Iris.DataDictionary

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Iris.Mapi.MessageStore\Iris.Mapi.MessageStore

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.BusinessSolutions.eCRM.OutlookAddIn\Microsoft.BusinessSolutions.eCRM.OutlookAddIn

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.BusinessSolutions.eCRM.OutlookAddIn.CSUtils\Microsoft.BusinessSolutions.eCRM.OutlookAddIn.CSUtils

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.eCRM.Office\Microsoft.eCRM.Office

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.eCRM.stdole\Microsoft.eCRM.stdole

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.eCRM.msforms\Microsoft.Interop.eCRM.msforms

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.eCRM.Outlook\Microsoft.Interop.eCRM.Outlook

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.eCRM.OutlookViewCtl\Microsoft.Interop.eCRM.OutlookViewCtl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.Mapi.Impl\Microsoft.Interop.Mapi.Impl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.Mapi.Interfaces\Microsoft.Interop.Mapi.Interfaces

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10A.tmp\ZAP10A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F7.tmp\ZAP1F7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F9.tmp\ZAP1F9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Program Files\CONFLICT.1\CONFLICT.1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109010090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\64cc77a1a7652da2d7ace79940460770\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\82c738ec00f0f07f8ea182bc95439593\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\8a43415b80a3070aa22efa6c72b3f657\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b86b6a4fb33f1418ba334c3807fa2a23\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ACE\ACE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-3605528693-2071937770-1032885014-1003\S-1-5-21-3605528693-2071937770-1032885014-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3605528693-2071937770-1032885014-1003\S-1-5-21-3605528693-2071937770-1032885014-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-04 06:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\fas\fas

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\hex\hex

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\s2\s2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\sX3i19\sX3i19

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\TX\TX

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\twain_32\Creative\PD0230b\PD0230b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!

sUBs · August 30, 2009

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

Asterix · August 31, 2009

Combofix log posted:

ComboFix 09-08-30.01 - Djordje 30/08/2009 19:46.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1642 [GMT -4:00]

Running from: c:\documents and settings\Djordje\Desktop\Combo-Fix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk

C:\vvv.exe

c:\windows\Fonts\AcadEref.ttf

c:\windows\Installer\106a98.msi

c:\windows\Installer\10b328c.msp

c:\windows\Installer\10b328f.msp

c:\windows\Installer\11dfbe.msp

c:\windows\Installer\1423b3.msp

c:\windows\Installer\1499cd.msp

c:\windows\Installer\1499d0.msp

c:\windows\Installer\17e966.msp

c:\windows\Installer\17e969.msp

c:\windows\Installer\26922a.msi

c:\windows\Installer\284f9b5.msp

c:\windows\Installer\3b0038.msp

c:\windows\Installer\3b003b.msp

c:\windows\Installer\3b003e.msp

c:\windows\Installer\3b0041.msp

c:\windows\Installer\3b0044.msp

c:\windows\Installer\3b0047.msp

c:\windows\Installer\3b004a.msp

c:\windows\Installer\3b004d.msp

c:\windows\Installer\3b0050.msp

c:\windows\Installer\7a97aa.msp

c:\windows\Installer\8c37f1.msi

c:\windows\Installer\d1379.msp

c:\windows\Installer\d137c.msp

c:\windows\Installer\ea0fcc.msp

c:\windows\run.log

c:\windows\system32\drivers\kbiwkmvtuebwkt.sys

c:\windows\system32\kbiwkmdtfnsdoq.dat

c:\windows\system32\kbiwkmfnmnaoex.dat

c:\windows\system32\kbiwkmpxmjutpq.dll

c:\windows\system32\kbiwkmqwhxvmtk.dat

c:\windows\system32\kbiwkmrnsbruem.dat

c:\windows\system32\kbiwkmrxyhorgi.dll

c:\windows\system32\kbiwkmwnstlnkl.dat

c:\windows\system32\kbiwkmxboeyanr.dat

c:\windows\system32\prunnet.exe

c:\windows\system32\s2

c:\windows\system32\sX3i19

C:\winlogon.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_kbiwkmkaomyndo

-------\Legacy_kbiwkmkaomyndo

-------\Legacy_CMDSERVICE

-------\Legacy_NETWORK_MONITOR

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))

.

2009-08-30 21:28 . 2009-08-30 21:28 -------- d-----w- c:\documents and settings\Djordje\Application Data\Malwarebytes

2009-08-30 21:28 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-30 21:28 . 2009-08-30 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-30 21:28 . 2009-08-30 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-30 21:28 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-30 21:07 . 2005-02-16 15:06 218112 ----a-w- c:\documents and settings\All Users\jack.exe

2009-08-30 13:01 . 2009-08-30 23:44 -------- d-----w- c:\program files\NoAdware

2009-08-30 12:55 . 2009-08-30 12:55 -------- d-----w- C:\!KillBox

2009-08-29 12:34 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys

2009-08-29 12:33 . 2009-08-29 12:33 -------- d-----w- c:\program files\Panda Security

2009-08-28 19:10 . 2009-08-28 19:10 -------- d-----w- C:\spoolerlogs

2009-08-21 02:27 . 2009-08-21 02:27 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2009-08-21 02:27 . 2009-08-21 02:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2009-08-19 11:16 . 2009-08-19 11:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-12 11:42 . 2009-08-12 11:42 -------- d-sh--w- c:\documents and settings\Djordje\IECompatCache

2009-08-12 11:01 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-08 15:08 . 2009-08-08 15:08 70656 ----a-w- c:\windows\system32\drivers\bcxrvdbvtnxrquqs.sys

2009-08-08 13:53 . 2009-08-08 13:53 -------- d-----w- c:\windows\system32\IOSUBSYS

2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-28 19:07 . 2008-02-07 16:50 -------- d-----w- c:\program files\Symantec AntiVirus

2009-08-14 16:25 . 2008-05-08 03:35 -------- d-----w- c:\documents and settings\Djordje\Application Data\FileZilla

2009-08-12 11:21 . 2009-06-11 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-10 20:05 . 2006-09-22 11:05 128144 ----a-w- c:\documents and settings\Djordje\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-10 17:19 . 2007-02-16 14:05 -------- d-----w- c:\documents and settings\Djordje\Application Data\Azureus

2009-08-08 13:53 . 2007-04-09 22:42 -------- d-----w- c:\program files\Google

2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-12 13:23 . 2009-04-01 13:58 70920 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\Customer_rc.dll

2009-07-12 13:23 . 2009-04-01 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge

2009-07-12 03:00 . 2008-02-28 16:34 805952 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-07-11 16:23 . 2009-03-06 14:07 -------- d-----w- c:\program files\TransAM CC2

2009-07-11 15:55 . 2009-07-11 15:55 34 ----a-w- c:\program files\TRAN.RAT

2009-07-11 15:55 . 2009-07-11 15:55 25 ----a-w- c:\program files\TRAN.SYM

2009-07-11 13:34 . 2008-08-22 17:59 -------- d-----w- c:\program files\Seagate Software

2009-07-11 13:34 . 2009-07-11 13:34 -------- d-----w- c:\program files\ValMatic

2009-07-11 12:47 . 2008-06-13 14:54 -------- d-----w- c:\program files\TransAM

2009-07-03 17:09 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll

2009-07-01 21:34 . 2009-07-01 21:34 99678 -c--a-r- c:\documents and settings\Djordje\Application Data\Microsoft\Installer\{E942407D-3261-476C-850B-9546BCA72499}\_1C13ED278AAF63E67C5DE6.exe

2009-07-01 21:34 . 2009-07-01 21:34 99678 -c--a-r- c:\documents and settings\Djordje\Application Data\Microsoft\Installer\{E942407D-3261-476C-850B-9546BCA72499}\_0BBC25476C38B6119E41D8.exe

2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2008-05-08 00:16 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll

2008-05-03 23:08 . 2008-05-03 23:08 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-18 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"RoxWatch9"=2 (0x2)

"RoxMediaDB9"=3 (0x3)

"Roxio Upnp Server 9"=2 (0x2)

"Roxio UPnP Renderer 9"=3 (0x3)

"MSSQL$VALMATIC8"=2 (0x2)

"GoogleDesktopManager-022208-143751"=3 (0x3)

"FileZilla Server"=3 (0x3)

"Fax"=2 (0x2)

"DefWatch"=2 (0x2)

"Adobe LM Service"=3 (0x3)

"CiSvc"=3 (0x3)

"Autodesk Licensing Service"=3 (0x3)

"Ati HotKey Poller"=2 (0x2)

"MDM"=2 (0x2)

"WDBtnMgrSvc.exe"=2 (0x2)

"usnjsvc"=3 (0x3)

"IDriverT"=3 (0x3)

"Pml Driver HPZ12"=3 (0x3)

"gusvc"=3 (0x3)

"RasMan"=3 (0x3)

"SwPrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\lxcgcoms.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcgpswx.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Qameleon\\QViewPlus\\QViewPlus.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:TCP Port 135

"5000:TCP"= 5000:TCP:TCP Port 5000

"5001:TCP"= 5001:TCP:TCP Port 5001

"5002:TCP"= 5002:TCP:TCP Port 5002

"5003:TCP"= 5003:TCP:TCP Port 5003

"5004:TCP"= 5004:TCP:TCP Port 5004

"5005:TCP"= 5005:TCP:TCP Port 5005

"5006:TCP"= 5006:TCP:TCP Port 5006

"5007:TCP"= 5007:TCP:TCP Port 5007

"5008:TCP"= 5008:TCP:TCP Port 5008

"5009:TCP"= 5009:TCP:TCP Port 5009

"5010:TCP"= 5010:TCP:TCP Port 5010

"5011:TCP"= 5011:TCP:TCP Port 5011

"5012:TCP"= 5012:TCP:TCP Port 5012

"5013:TCP"= 5013:TCP:TCP Port 5013

"5014:TCP"= 5014:TCP:TCP Port 5014

"5015:TCP"= 5015:TCP:TCP Port 5015

"5016:TCP"= 5016:TCP:TCP Port 5016

"5017:TCP"= 5017:TCP:TCP Port 5017

"5018:TCP"= 5018:TCP:TCP Port 5018

"5019:TCP"= 5019:TCP:TCP Port 5019

"5020:TCP"= 5020:TCP:TCP Port 5020

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [29/08/2009 8:34 AM 28544]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [28/08/2009 11:30 AM 102448]

S3 EraserUtilDrv10821;EraserUtilDrv10821; [x]

S3 P0230BBK;Creative PC-CAM 750 (Still Image);c:\windows\system32\DRIVERS\P0230bbk.sys --> c:\windows\system32\DRIVERS\P0230bbk.sys [?]

S3 P0230BVD;Creative PC-CAM 750 (Video);c:\windows\system32\DRIVERS\P0230bVd.sys --> c:\windows\system32\DRIVERS\P0230bVd.sys [?]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [27/09/2006 9:33 PM 116464]

S3 SQLAgent$VALMATIC8;SQLAgent$VALMATIC8;c:\program files\Microsoft SQL Server\MSSQL$VALMATIC8\Binn\sqlagent.EXE -i VALMATIC8 --> c:\program files\Microsoft SQL Server\MSSQL$VALMATIC8\Binn\sqlagent.EXE -i VALMATIC8 [?]

S4 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [03/05/2008 7:08 PM 29744]

S4 MSSQL$VALMATIC8;MSSQL$VALMATIC8;c:\program files\Microsoft SQL Server\MSSQL$VALMATIC8\Binn\sqlservr.exe -sVALMATIC8 --> c:\program files\Microsoft SQL Server\MSSQL$VALMATIC8\Binn\sqlservr.exe -sVALMATIC8 [?]

S4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [19/02/2008 2:15 AM 106496]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10910

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-30 c:\windows\Tasks\HP Usg Daily.job

- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2006-12-23 04:55]

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uLocal Page =

mStart Page = about:blank

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Djordje\Application Data\Mozilla\Firefox\Profiles\yg7pgu13.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll

FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

------- File Associations -------

.

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-30 20:04

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3848)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\windows\system32\WLTRYSVC.EXE

c:\windows\system32\BCMWLTRY.EXE

c:\progra~1\MICROS~3\rapimgr.exe

c:\program files\Dell\QuickSet\NicConfigSvc.exe

c:\windows\system32\searchindexer.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Adobe\Reader 8.0\Reader\AcroRd32.exe

.

**************************************************************************

.

Completion time: 2009-08-31 20:17 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-31 00:17

Pre-Run: 15,776,403,456 bytes free

Post-Run: 15,577,014,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

345 --- E O F --- 2009-08-26 19:51

Asterix · August 31, 2009

Hijack this can now run, log posted below. Not sure if this means that I am clean or not. Norton AV auto-protect did not start properly once comfofix rebooted the comp.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:23:16 PM, on 30/08/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Djordje\Desktop\sad.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188859060406

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204642936218

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 6175 bytes

sUBs · August 31, 2009

Open NOTEPAD and copy/paste the text in the quotebox below into it:

http://www.malwarebytes.org/forums/index.php?showtopic=23114&pid=117622&st=0entry117622
COLLECT::
c:\documents and settings\All Users\jack.exe
c:\windows\system32\drivers\bcxrvdbvtnxrquqs.sys

Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

---------------

- Since then, only certain .exe files cannot be run, and new programs cannot be installed.
- I cannot run the following, without them either crashing or giving the "windows cannot access the specified....you may not have the appropriate permissions...": HijackThis, MBAM, Spybot, Norton
- Firefox and IE often redirect to random search sites, and some links cannot open, unless you directly paste them
- Cannot boot into safe mode - blue screen

Does any of above still persist?

For the files/programs that complain about "windows cannot access the specified....you may not have the appropriate permissions...", you can do something similar to this ....

1) Please download this file

2) Place fr33.exe into MBAM's folder - C:\Program Files\Malwarebytes' Anti-Malware\

3) Locate and then using your mouse, drag mbam.exe into fr33.exe. That shall free mbam.exe

Asterix · August 31, 2009

Combofix log attached below. I was unable to unlock hijackthis, malwarebytes and spybot. I ran malware and clicked "remove" the threats, and the log is posted. The hijackthis log is also posted.

Significant improvement right now, but I am not certain that we got them all. I was unable to unlock my Norton AV, but I cannot seem to get the autoprotect to come on. I will try after rebooting and see what happens.

ComboFix 09-08-30.04 - Djordje 31/08/2009 7:49.2.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1560 [GMT -4:00]

Running from: c:\documents and settings\Djordje\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Djordje\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: c:\documents and settings\All Users\jack.exe

file zipped: c:\windows\system32\drivers\bcxrvdbvtnxrquqs.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\jack.exe

c:\windows\system32\drivers\bcxrvdbvtnxrquqs.sys

.

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))

.

2009-08-31 03:38 . 2009-08-31 03:39 -------- d-----w- c:\program files\Spybot - Search and Destroy

2009-08-31 00:47 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-31 00:47 . 2009-08-31 00:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-31 00:47 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys