
Malwarebytes/Hijackthis/nearly any exe won't run



Sorry I have no logs to produce as I can't run either Malwarebytes or Hijackthis.

I've got a virus or something that is affecting all my exe files. It was associated with a fake-spyware thingy (which I was able to delete eventually, but the exes still won't work properly); I believe the name was PCHelpTools or something to that effect. I was able to delete it out of the Windows folder after killing the associated process through Task Manager and msconfig. Despite the fake-spyware interface being gone, I still can't run Malwarebytes or Hijackthis, and every exe that loads on startup or that I initiate comes with three pop-up error windows. Nearly all the programs load despite this error message, save Malwarebytes and Hijackthis. I was able to run Spyware Terminator, which found a few Trojans, but this didn't eliminate the problem. I was unable to install Avira antivirus as it says rctext.dll is missing.

I've looked at the FAQs and I'm not even able to rename the exe files (I get the pop-up that says it's in use or it's write-protected). So I'm kind of stuck at this point. Msconfig no longer seems to be working either (Windows suddenly can't find it).

Any help would be much appreciated. Thanks in advance.


  • Root Admin

Download and run Win32kDiag:

  1. Download Win32kDiag from any of the following locations and save it to your Desktop.
  2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic; please do not attach the file.

Please let it run for at least an hour without bothering it regardless of what it says. Then post back the log.


Thanks for the reply. I left Win32KDiag open for more than an hour even though it said it was finished within a few minutes.

Log file is located at: C:\Documents and Settings\...\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942763\KB942763

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942840\KB942840

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944338\KB944338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB950759\KB950759

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAP132.tmp\ZAP132.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAP20E.tmp\ZAP20E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAPE06.tmp\ZAPE06.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAPE1E.tmp\ZAPE1E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\TEMP\TEMP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\TMP\TMP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{45E59679-5366-4C69-A819-A518EF0A4162}\{45E59679-5366-4C69-A819-A518EF0A4162}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{EBC77CA6-6F40-41BB-93BF-12FF4032133E}\{EBC77CA6-6F40-41BB-93BF-12FF4032133E}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{EDCE51A5-2803-4D1E-B3D2-BB9529C4A0E2}\{EDCE51A5-2803-4D1E-B3D2-BB9529C4A0E2}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ie8updates\ie8updates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\INF\IEM\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installing Adobe Acrobat Reader\Installing Adobe Acrobat Reader

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\JAVA\CLASSES\CLASSES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\helpctr\binaries\binaries

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\uploadlb\binaries\binaries

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\setup.pss\setupupd\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1c57749e6715414b7025f8d316d91db9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2eef1638babab138d28fb79f2ed0bcc0\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\39a67eb647584bf044c95c49b4bf8722\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\3a4c74ad66aac0b11d953bbcf3937ae6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4a70167257b9ec465806ced7f92b65d8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4ef3d14045039d25ac205cb37a6ae575\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4f34fed83363df83031761e8fceb73ae\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\64e2437d95199b5524dcb427cff47e97\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6d16348987bfa3ee3fd983361ac371cb\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6ebd16cfa495accd1804cd7de17cee70\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\730e45fefcdf343b61704b89c95d7cca\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a37be17708731e77e17b179ea94c45de\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a39d7c907193cb74dabeac9b04866368\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a9c8e00397fe4457a25305c397dc3358\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b386176bfcde202f7ed536e83198267a\backup\backup

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\avc.sys

[1] 2008-04-13 14:46:20 38912 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\avc.sys ()

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fa58243222bcfe35e5467668df396003\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fde4a5af73d5aee9b5faba71cbff1d6c\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\capcam\capcam

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Adobe\Flash Player\AssetCache\U7Q7NX8M\U7Q7NX8M

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch1\ch1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch2\ch2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Jasc Software Inc\Paint Shop Pro 8\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\VA6S9GZD\VA6S9GZD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\sys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-3828210982-1163802806-3144815527-1003\S-1-5-21-3828210982-1163802806-3144815527-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3828210982-1163802806-3144815527-1003\S-1-5-21-3828210982-1163802806-3144815527-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Sqm\Sqm

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Pictures\Jasc Paint Shop Photo Album Images\Jasc Paint Shop Photo Album Images

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My PSP8 Files\Workspaces\Workspaces

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-12 09:57:17 55808 C:\WINDOWS\SYSTEM32\DLLCACHE\eventlog.dll (Microsoft Corporation)

[1] 2004-08-12 09:57:17 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()

[2] 2004-08-12 09:57:17 55808 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 07:00:00 55808 C:\i386\EVENTLOG.DLL (Microsoft Corporation)

Found mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\f10WtR\f10WtR

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\INETSRV\INETSRV

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0006\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0008\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0009\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0011\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0012\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0013\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\IA64\IA64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32ALPHA\W32ALPHA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\WIN40\WIN40

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\x64\x64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\vMW02a\vMW02a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\WINS\WINS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\2wswlog\2wswlog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Amazon Digital Video\upgrade\upgrade

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\fah\fah

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\cs\cs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\da\da

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\de\de

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\el\el

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\en\en

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\en-gb\en-gb

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\es\es

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\fi\fi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\fr\fr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\HTML\HTML

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\it\it

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\ja\ja

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\ko\ko

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\nl\nl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\no\no

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\pl\pl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\pt-br\pt-br

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\ru\ru

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\sv\sv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\th\th

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\tr\tr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\zh-cn\zh-cn

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\zh-tw\zh-tw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\History\History.IE5\History.IE5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\i_setup\i_setup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\45ORI49L\45ORI49L

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6PMU80H7\6PMU80H7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7NVCITIK\7NVCITIK

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8NVQNRPL\8NVQNRPL

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\95QR03JH\95QR03JH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CXUV41Y3\CXUV41Y3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\E7MNC7Z5\E7MNC7Z5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\EBZHM45E\EBZHM45E

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\EOL7WAHC\EOL7WAHC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G89JTLMN\G89JTLMN

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IA8ASHJB\IA8ASHJB

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K37KXSBX\K37KXSBX

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\KY378V21\KY378V21

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\P04BABEM\P04BABEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\QRKZ2TO5\QRKZ2TO5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WIAR0GG5\WIAR0GG5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\WPDNSE\WPDNSE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Tm9haCBIaWxnZXJ0\Tm9haCBIaWxnZXJ0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WBEM\WBEM

Mount point destination : \Device\__max++>\^

Finished!

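As an added example (not code from this thread or from the Win32kDiag tool itself), a small Python triage script that parses the log format shown above and surfaces the two things a responder would look at first: many unrelated system directories whose mount point resolves to the same non-volume destination, and an unreadable system file whose size disagrees with the DLLCACHE and i386 reference copies. The sample log is a constructed excerpt of the lines posted above.

```python
"""Triage helper for a Win32kDiag.txt log.

Added example for this thread, not code from the forum or from Win32kDiag.
The line formats are those visible in the log posted above:
  Found mount point : <dir>
  Mount point destination : <target>
  Cannot access: <file>
  [N] <date> <time> <size> <path> (<company>)
"""
import re
from collections import Counter

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
NOACCESS_RE = re.compile(r"^Cannot access: (.+)$")
COPY_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")

# Directories where Windows keeps pristine copies of protected system files.
REFERENCE_DIRS = ("\\SYSTEM32\\DLLCACHE\\", "\\I386\\")

# Constructed excerpt of the log posted in this thread (not the full log).
SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\f10WtR\f10WtR

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2004-08-12 09:57:17 55808 C:\WINDOWS\SYSTEM32\DLLCACHE\eventlog.dll (Microsoft Corporation)

[1] 2004-08-12 09:57:17 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()

[1] 2004-08-04 07:00:00 55808 C:\i386\EVENTLOG.DLL (Microsoft Corporation)

Finished!
"""


def parse_log(text):
    """Return (mount_points, inaccessible).

    mount_points: list of (directory, destination) pairs.
    inaccessible: {unreadable_path: [(stamp, size, path, company), ...]},
                  the copies Win32kDiag listed right after the failure."""
    mount_points, inaccessible = [], {}
    pending_dir = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_dir, current = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending_dir:
            mount_points.append((pending_dir, m.group(1)))
            pending_dir = None
        elif m := NOACCESS_RE.match(line):
            current = m.group(1)
            inaccessible.setdefault(current, [])
        elif (m := COPY_RE.match(line)) and current:
            _, stamp, size, path, company = m.groups()
            inaccessible[current].append((stamp, int(size), path, company))
        else:
            current = None  # any other line ends the list of copies
    return mount_points, inaccessible


def destination_summary(mount_points):
    """Count mount points per destination.  Dozens of unrelated system
    directories all redirected to one non-volume target is the anomaly."""
    return Counter(dest for _, dest in mount_points)


def size_mismatches(inaccessible):
    """Compare each unreadable file with its DLLCACHE / i386 reference copies.
    Returns {path: (own_size, sorted_reference_sizes)} where they disagree."""
    out = {}
    for path, copies in inaccessible.items():
        own = [c for c in copies if c[2].upper() == path.upper()]
        refs = sorted({c[1] for c in copies
                       if any(d in c[2].upper() for d in REFERENCE_DIRS)})
        if own and refs and own[0][1] not in refs:
            out[path] = (own[0][1], refs)
    return out


if __name__ == "__main__":
    mps, inacc = parse_log(SAMPLE_LOG)
    for dest, n in destination_summary(mps).most_common():
        print(f"{n:4d} mount point(s) -> {dest}")
    for path, (own, refs) in size_mismatches(inacc).items():
        print(f"size mismatch: {path} is {own} bytes, reference copies {refs}")
```

Run against the full log above, the same code reports one destination shared by every mount point and eventlog.dll at 61952 bytes against two 55808-byte reference copies with an empty company field.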

  • Root Admin

Go to start > run and copy and paste the following command in the field:

"%userprofile%\desktop\win32kdiag.exe" -f -r

This should restore permissions on locked files and remove mountpoints.

Then post back the new log file.

Then try to run the following.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
     • Tools->Options->Main tab
     • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix, as shown in the two screenshots of the original post.
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

     -----------------------------------------------------------
     • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
     • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
     -----------------------------------------------------------
     • Close any open browsers.
     • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
     • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
     • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
     -----------------------------------------------------------

  7. Double-click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because it also happens in some cases that malware blocks EVERY process except those on its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...


Here's the new Win32KDiag.txt (though some files still seemed to be inaccessible despite the command prompt you provided)


Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ie8updates\ie8updates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\INF\IEM\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installing Adobe Acrobat Reader\Installing Adobe Acrobat Reader

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\JAVA\CLASSES\CLASSES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\helpctr\binaries\binaries

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\uploadlb\binaries\binaries

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\setup.pss\setupupd\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1c57749e6715414b7025f8d316d91db9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2eef1638babab138d28fb79f2ed0bcc0\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\39a67eb647584bf044c95c49b4bf8722\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\3a4c74ad66aac0b11d953bbcf3937ae6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4a70167257b9ec465806ced7f92b65d8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4ef3d14045039d25ac205cb37a6ae575\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4f34fed83363df83031761e8fceb73ae\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\64e2437d95199b5524dcb427cff47e97\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6d16348987bfa3ee3fd983361ac371cb\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6ebd16cfa495accd1804cd7de17cee70\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\730e45fefcdf343b61704b89c95d7cca\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a37be17708731e77e17b179ea94c45de\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a39d7c907193cb74dabeac9b04866368\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a9c8e00397fe4457a25305c397dc3358\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b386176bfcde202f7ed536e83198267a\backup\backup

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\avc.sys

[1] 2008-04-13 14:46:20 38912 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\avc.sys ()

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fa58243222bcfe35e5467668df396003\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fde4a5af73d5aee9b5faba71cbff1d6c\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\capcam\capcam

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Adobe\Flash Player\AssetCache\U7Q7NX8M\U7Q7NX8M

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch1\ch1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch2\ch2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Jasc Software Inc\Paint Shop Pro 8\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\VA6S9GZD\VA6S9GZD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\sys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-3828210982-1163802806-3144815527-1003\S-1-5-21-3828210982-1163802806-3144815527-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3828210982-1163802806-3144815527-1003\S-1-5-21-3828210982-1163802806-3144815527-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Sqm\Sqm

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Pictures\Jasc Paint Shop Photo Album Images\Jasc Paint Shop Photo Album Images

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My PSP8 Files\Workspaces\Workspaces

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-12 09:57:17 55808 C:\WINDOWS\SYSTEM32\DLLCACHE\eventlog.dll (Microsoft Corporation)

[1] 2004-08-12 09:57:17 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()

[2] 2004-08-12 09:57:17 55808 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 07:00:00 55808 C:\i386\EVENTLOG.DLL (Microsoft Corporation)

Found mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\f10WtR\f10WtR

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\INETSRV\INETSRV

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0006\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0008\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0009\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0011\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0012\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0013\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\IA64\IA64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32ALPHA\W32ALPHA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\WIN40\WIN40

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\x64\x64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\vMW02a\vMW02a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\WINS\WINS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\2wswlog\2wswlog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Amazon Digital Video\upgrade\upgrade

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\fah\fah

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\cs\cs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\da\da

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\de\de

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\el\el

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\en\en

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\en-gb\en-gb

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\es\es

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\fi\fi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\fr\fr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\HTML\HTML

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\it\it

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\ja\ja

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\ko\ko

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\nl\nl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\no\no

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\pl\pl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\pt-br\pt-br

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\ru\ru

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\sv\sv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\th\th

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\tr\tr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\zh-cn\zh-cn

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis110a9828\2.4.1368.5602\zh-tw\zh-tw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\History\History.IE5\History.IE5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\i_setup\i_setup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\45ORI49L\45ORI49L

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6PMU80H7\6PMU80H7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7NVCITIK\7NVCITIK

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8NVQNRPL\8NVQNRPL

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\95QR03JH\95QR03JH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CXUV41Y3\CXUV41Y3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\E7MNC7Z5\E7MNC7Z5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\EBZHM45E\EBZHM45E

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\EOL7WAHC\EOL7WAHC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G89JTLMN\G89JTLMN

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IA8ASHJB\IA8ASHJB

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K37KXSBX\K37KXSBX

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\KY378V21\KY378V21

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\P04BABEM\P04BABEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\QRKZ2TO5\QRKZ2TO5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WIAR0GG5\WIAR0GG5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\WPDNSE\WPDNSE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Tm9haCBIaWxnZXJ0\Tm9haCBIaWxnZXJ0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WBEM\WBEM

Mount point destination : \Device\__max++>\^

Finished!

ComboFix seemed to clear up many of my problems; here's the log:

ComboFix 09-09-02.02 - Noah Hilgert 09/03/2009 10:47.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2302.1995 [GMT -4:00]

Running from: c:\documents and settings\Noah Hilgert\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\-2003765935

C:\check_LSA7.txt

c:\documents and settings\Noah Hilgert\Start Menu\Programs\Mafia

c:\program files\Common Files\curity~1

c:\program files\Windows NT\progyrta.html

c:\program files\Windows Police Pro

c:\program files\Windows Police Pro\msvcm80.dll

c:\program files\Windows Police Pro\msvcp80.dll

c:\program files\Windows Police Pro\msvcr80.dll

c:\program files\Windows Police Pro\tmp\dbsinit.exe

c:\program files\Windows Police Pro\tmp\images\i1.gif

c:\program files\Windows Police Pro\tmp\images\i2.gif

c:\program files\Windows Police Pro\tmp\images\i3.gif

c:\program files\Windows Police Pro\tmp\images\j1.gif

c:\program files\Windows Police Pro\tmp\images\j2.gif

c:\program files\Windows Police Pro\tmp\images\j3.gif

c:\program files\Windows Police Pro\tmp\images\jj1.gif

c:\program files\Windows Police Pro\tmp\images\jj2.gif

c:\program files\Windows Police Pro\tmp\images\jj3.gif

c:\program files\Windows Police Pro\tmp\images\l1.gif

c:\program files\Windows Police Pro\tmp\images\l2.gif

c:\program files\Windows Police Pro\tmp\images\l3.gif

c:\program files\Windows Police Pro\tmp\images\pix.gif

c:\program files\Windows Police Pro\tmp\images\t1.gif

c:\program files\Windows Police Pro\tmp\images\t2.gif

c:\program files\Windows Police Pro\tmp\images\up1.gif

c:\program files\Windows Police Pro\tmp\images\up2.gif

c:\program files\Windows Police Pro\tmp\images\w1.gif

c:\program files\Windows Police Pro\tmp\images\w11.gif

c:\program files\Windows Police Pro\tmp\images\w2.gif

c:\program files\Windows Police Pro\tmp\images\w3.gif

c:\program files\Windows Police Pro\tmp\images\w3.jpg

c:\program files\Windows Police Pro\tmp\images\wt1.gif

c:\program files\Windows Police Pro\tmp\images\wt2.gif

c:\program files\Windows Police Pro\tmp\images\wt3.gif

c:\program files\Windows Police Pro\tmp\wispex.html

c:\program files\Windows Police Pro\windows Police Pro.exe

c:\temp\1cb

c:\temp\1cb\syscheck.log

c:\temp\fse

c:\temp\fse\tmpZTF.log

c:\temp\xOe

c:\temp\xOe\tOasF.log

c:\windows\Installer\4b943cc4.msi

c:\windows\Mafia

c:\windows\Mafia \uninstall.exe

c:\windows\ppp3.dat

c:\windows\ppp4.dat

c:\windows\system\oeminfo.ini

c:\windows\system32\aphdjqeb.ini

c:\windows\system32\bbadd.ini

c:\windows\system32\bennuar.old

c:\windows\system32\bincd32.dat

c:\windows\system32\cdeeg.ini

c:\windows\system32\cfkjpfpr.ini

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk

c:\windows\system32\ddeeg.ini

c:\windows\system32\desote.exe

c:\windows\system32\drivers\etc\lmhosts

c:\windows\system32\drivers\higjnroadmpp.sys

c:\windows\system32\drivers\hjgruierasuwgh.sys

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\Drivers\rrynxjp.sys

c:\windows\system32\drivers\SKYNETpptqouln.sys

c:\windows\system32\drivers\str.sys

c:\windows\system32\Drivers\yata.sys

c:\windows\system32\f10WtR

c:\windows\system32\FInstall.sys

c:\windows\system32\glyrkrih.ini

c:\windows\system32\hjgruimouqgqam.dat

c:\windows\system32\hjgruinqlaotxe.dat

c:\windows\system32\hjgruivquvjelw.dll

c:\windows\system32\hjgruivrkntmir.dll

c:\windows\system32\hjllm.ini

c:\windows\system32\images

c:\windows\system32\images\i1.gif

c:\windows\system32\images\i2.gif

c:\windows\system32\images\i3.gif

c:\windows\system32\images\j1.gif

c:\windows\system32\images\j2.gif

c:\windows\system32\images\j3.gif

c:\windows\system32\images\jj1.gif

c:\windows\system32\images\jj2.gif

c:\windows\system32\images\jj3.gif

c:\windows\system32\images\l1.gif

c:\windows\system32\images\l2.gif

c:\windows\system32\images\l3.gif

c:\windows\system32\images\pix.gif

c:\windows\system32\images\t1.gif

c:\windows\system32\images\t2.gif

c:\windows\system32\images\up1.gif

c:\windows\system32\images\up2.gif

c:\windows\system32\images\w1.gif

c:\windows\system32\images\w11.gif

c:\windows\system32\images\w2.gif

c:\windows\system32\images\w3.gif

c:\windows\system32\images\w3.jpg

c:\windows\system32\images\wt1.gif

c:\windows\system32\images\wt2.gif

c:\windows\system32\images\wt3.gif

c:\windows\system32\Install.txt

c:\windows\system32\kwave.sys

c:\windows\SYSTEM32\llkkj.ini

c:\windows\system32\llkkj.ini2

c:\windows\SYSTEM32\llkkj.tmp

c:\windows\SYSTEM32\lnnmp.bak2

c:\windows\SYSTEM32\lnnmp.ini

c:\windows\system32\lnnmp.ini2

c:\windows\SYSTEM32\lnnmp.tmp

c:\windows\SYSTEM32\mpqss.bak1

c:\windows\SYSTEM32\mpqss.bak2

c:\windows\SYSTEM32\mpqss.ini

c:\windows\system32\mpqss.ini2

c:\windows\SYSTEM32\mpqss.tmp

c:\windows\system32\mselaf.exe

c:\windows\system32\msenmg.exe

c:\windows\system32\msfem.exe

c:\windows\system32\msgbevo.exe

c:\windows\system32\mshttte.exe

c:\windows\system32\msjjt.exe

c:\windows\system32\mskhha.exe

c:\windows\system32\mslmvz.exe

c:\windows\system32\mslsb.exe

c:\windows\system32\msnvxpnw.exe

c:\windows\system32\mspytrz.exe

c:\windows\system32\msudjev.exe

c:\windows\system32\msxvwsnq.exe

c:\windows\system32\onhelp.htm

c:\windows\system32\pqstv.ini

c:\windows\system32\pqstv.ini2

c:\windows\SYSTEM32\pqstv.tmp

c:\windows\SYSTEM32\qqstv.ini2

c:\windows\SYSTEM32\qqstv.tmp

c:\windows\system32\SKYNETdnludwit.dat

c:\windows\system32\SKYNETesjirmtd.dat

c:\windows\system32\SKYNETwjetaivd.dll

c:\windows\system32\SKYNETxwatgdnb.dll

c:\windows\system32\sonhelp.htm

c:\windows\SYSTEM32\stvwa.ini

c:\windows\SYSTEM32\stvwa.ini2

c:\windows\SYSTEM32\stvwa.tmp

c:\windows\system32\sysnet.dat

c:\windows\system32\vMW02a

c:\windows\system32\wiawow32.sys

c:\windows\system32\wiwow64.exe

c:\windows\SYSTEM32\wybeg.ini

c:\windows\system32\wybeg.ini2

c:\windows\SYSTEM32\wybeg.tmp

c:\windows\system32\xbeeg.ini

c:\windows\system32\xbeeg.ini2

c:\windows\SYSTEM32\xbeeg.tmp

c:\windows\TEMP\mta81757.dll

C:\xcrashdump.dat

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_hjgruihhctpujn

-------\Legacy_hjgruihhctpujn

-------\Service_SKYNETbowmxvao

-------\Legacy_SKYNETbowmxvao

-------\Legacy_antippro2009_100

-------\Legacy_ltiirlvruo

-------\Legacy_OREANS32

-------\Legacy_sopidkc

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Service_antippro2009_100

-------\Service_oreans32

((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))

.

2009-08-31 21:54 . 2009-08-31 21:54 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-08-31 21:54 . 2007-07-28 20:10 483968 ----a-w- c:\windows\system32\drivers\rt61.sys

2009-08-31 21:54 . 2009-08-31 21:54 -------- d-----w- c:\program files\RALINK

2009-08-31 18:03 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-31 18:03 . 2009-08-31 18:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-31 18:03 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-31 16:58 . 2009-08-31 17:06 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-31 16:01 . 2009-08-31 16:01 -------- d-----w- c:\windows\system32\drivers\NSS

2009-08-31 16:01 . 2009-08-31 16:01 -------- d-----w- c:\program files\Norton Security Scan

2009-08-31 16:01 . 2009-08-31 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-31 16:01 . 2009-08-31 16:01 -------- d-----w- c:\program files\NortonInstaller

2009-08-31 16:01 . 2009-08-31 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-31 14:44 . 2009-08-31 14:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-31 06:53 . 2009-08-31 06:53 163840 ----a-w- c:\windows\svchasts.exe

2009-08-09 09:29 . 2009-08-09 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\18351404

2009-08-06 13:40 . 2009-08-06 13:40 -------- d-----w- c:\program files\PrivacyCenter

2009-08-06 05:25 . 2009-08-06 05:41 -------- d-----w- c:\documents and settings\Noah Hilgert\Local Settings\Application Data\Oblivion

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-03 14:38 . 2004-08-12 13:57 55808 ----a-w- c:\windows\system32\eventlog.dll

2009-09-03 14:31 . 2009-05-20 20:53 -------- d-----w- c:\documents and settings\Noah Hilgert\Application Data\BitTorrent

2009-09-03 11:30 . 2009-07-03 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator

2009-09-03 08:31 . 2009-07-10 03:00 -------- d-----w- c:\program files\WinClamAVShield

2009-09-01 15:05 . 2009-07-03 23:16 -------- d-----w- c:\documents and settings\Noah Hilgert\Application Data\Spyware Terminator

2009-09-01 15:05 . 2009-07-03 23:16 -------- d-----w- c:\program files\Spyware Terminator

2009-08-31 23:33 . 2009-07-09 00:43 -------- d-----w- c:\documents and settings\Noah Hilgert\Application Data\vlc

2009-08-31 21:15 . 2005-02-09 05:17 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-31 15:18 . 2009-07-15 00:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spyware Terminator

2009-08-31 14:33 . 2005-02-20 13:28 7017 --sha-w- c:\windows\system32\mmf.sys

2009-08-31 14:31 . 2009-07-04 21:14 0 ----a-w- c:\windows\system32\drivers\973a2c01.sys

2009-08-06 03:31 . 2005-04-24 22:08 20080 ----a-w- c:\documents and settings\Noah Hilgert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-04 10:50 . 2009-08-04 10:50 8416 ----a-w- c:\windows\system32\drivers\wanatw4.sys

2009-08-04 10:50 . 2009-08-04 10:50 8416 ----a-w- c:\windows\system32\drivers\udmxk.sys

2009-08-04 10:50 . 2009-08-04 10:50 8416 ----a-w- c:\windows\system32\drivers\oreans32.sys

2009-08-04 10:50 . 2009-08-04 10:50 8416 ----a-w- c:\windows\system32\rtadta.sys

2009-08-04 10:50 . 2005-11-21 23:24 8416 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-08-04 10:50 . 2009-08-04 10:50 23155 ----a-w- c:\windows\system32\rtadtm.dll

2009-07-26 02:06 . 2005-02-09 05:18 -------- d-----w- c:\program files\Sonic

2009-07-26 02:05 . 2005-02-09 05:18 -------- d-----w- c:\program files\Common Files\Sonic Shared

2009-07-24 20:27 . 2009-03-21 19:56 413696 ----a-w- c:\windows\system32\wrap_oal.dll

2009-07-24 20:27 . 2009-03-21 19:56 110592 ----a-w- c:\windows\system32\OpenAL32.dll

2009-07-21 15:43 . 2009-07-21 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\11602814

2009-07-20 19:06 . 2008-08-07 17:25 -------- d-----w- c:\documents and settings\Guest\Application Data\Yahoo!

2009-07-20 19:06 . 2005-08-24 22:53 -------- d-----w- c:\program files\Yahoo!

2009-07-20 00:12 . 2009-07-15 10:41 -------- d-----w- c:\documents and settings\All Users\Application Data\10557964

2009-07-17 19:12 . 2009-07-17 19:12 -------- d-----w- c:\documents and settings\Noah Hilgert\Application Data\LucasArts

2009-07-16 18:14 . 2009-07-16 18:14 -------- d-----w- c:\documents and settings\Noah Hilgert\Application Data\Malwarebytes

2009-07-16 18:14 . 2009-07-16 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-14 20:18 . 2009-07-14 20:18 82231 ----a-w- c:\windows\system32\Socks.exe

2009-07-14 04:11 . 2009-07-14 04:08 -------- d-----w- c:\program files\Common Files\3DO Shared

2009-07-14 04:08 . 2009-07-14 04:08 -------- d-----w- c:\program files\3DO

2009-07-13 03:31 . 2005-07-10 06:19 21840 -c--atw- c:\windows\system32\SIntfNT.dll

2009-07-13 03:31 . 2005-07-10 06:19 17212 -c--atw- c:\windows\system32\SIntf32.dll

2009-07-13 03:31 . 2005-07-10 06:19 12067 -c--atw- c:\windows\system32\SIntf16.dll

2009-07-10 19:59 . 2008-12-10 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-07-08 02:37 . 2008-02-19 08:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-05 02:05 . 2009-07-05 02:05 2560 ----a-w- c:\windows\Runservice.exe

2009-07-04 01:04 . 2006-03-17 00:38 28672 -c--a-w- c:\windows\system32\verclsid.exe

2009-07-03 23:16 . 2009-07-03 23:16 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys

2009-07-03 18:13 . 2009-07-03 18:13 25912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-03 17:43 . 2004-08-12 14:07 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS

2009-06-22 10:39 . 2009-06-22 10:39 93 ----a-w- c:\windows\system32\SKYNET.dat

2005-08-21 10:43 . 2005-08-21 10:43 5632 -csha-w- c:\program files\Thumbs.db

2007-10-08 19:47 . 2007-10-08 19:23 393 -csha-w- c:\windows\SYSTEM32\ayadd.tmp

2007-10-04 10:43 . 2007-10-04 08:36 1525493 -csha-w- c:\windows\SYSTEM32\cfhkj.tmp

2005-06-12 08:59 . 2005-02-20 13:28 1241 -csha-w- c:\windows\SYSTEM32\mmf(2).sys

2007-10-16 03:45 . 2007-10-16 02:46 10830 -csha-w- c:\windows\SYSTEM32\nqtss.tmp

.

------- Sigcheck -------

[7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[7] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2004-08-12 14:07 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748$\tcpip.sys

[7] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys

[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys

[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys

[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys

[-] 2009-07-03 17:43 360320 073941D59AE065910064B728DEE981EE c:\windows\SYSTEM32\DLLCACHE\TCPIP.SYS

[-] 2009-07-03 17:43 360320 073941D59AE065910064B728DEE981EE c:\windows\SYSTEM32\DRIVERS\TCPIP.SYS

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-07-03 3055616]

"PeerGuardian"="d:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-8-31 1114112]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk

backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]

backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]

backup=c:\windows\pss\GetRight - Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk

backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Noah Hilgert^Start Menu^Programs^Startup^ImpulseNow.lnk]

path=c:\documents and settings\Noah Hilgert\Start Menu\Programs\Startup\ImpulseNow.lnk

backup=c:\windows\pss\ImpulseNow.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Noah Hilgert^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Noah Hilgert\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Noah Hilgert^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]

path=c:\documents and settings\Noah Hilgert\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk

backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Noah Hilgert^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

[HKLM\~\startupfolder\c:^documents and settings^noah hilgert^start menu^programs^startup^quickshelf 2000.lnk]

path=c:\documents and settings\Noah Hilgert\Start Menu\Programs\Startup\QuickShelf 2000.lnk

backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Noah Hilgert^Start Menu^Programs^Startup^TA_Start.lnk]

backup=c:\windows\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Noah Hilgert^Start Menu^Programs^Startup^zqosys32.exe]

path=c:\documents and settings\Noah Hilgert\Start Menu\Programs\Startup\zqosys32.exe

backup=c:\windows\pss\zqosys32.exeStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hosycaly

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWAS7_0001_N91M2703

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgYmWFb

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Words

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0F-F5-55-51-ZN}

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"MpfService"=2 (0x2)

"mcupdmgr.exe"=3 (0x3)

"MCVSRte"=2 (0x2)

"McShield"=3 (0x3)

"LicCtrlService"=2 (0x2)

"SDhelper"=2 (0x2)

"IDriverT"=3 (0x3)

"WebrootSpySweeperService"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"PnkBstrB"=2 (0x2)

"PnkBstrA"=2 (0x2)

"idsvc"=3 (0x3)

"gusvc"=2 (0x2)

"ADVService"=3 (0x3)

"FAH@D:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe"=2 (0x2)

"LiveUpdate"=3 (0x3)

"dmadmin"=3 (0x3)

"aspnet_state"=3 (0x3)

"wuauserv"=2 (0x2)

"BITS"=3 (0x3)

"antippro2009_12"=2 (0x2)

"antippro2009_100"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\Noah Hilgert\\Application Data\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\Civ\\Civilization4.exe"=

"d:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=

"d:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=

"d:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=

"d:\\Program Files\\Civ\\Warlords\\Civ4Warlords.exe"=

"d:\\Program Files\\Civ\\Warlords\\Civ4Warlords_PitBoss.exe"=

"d:\\Program Files\\Civ\\Beyond the Sword\\Civ4BeyondSword.exe"=

"d:\\Program Files\\Civ\\Beyond the Sword\\Civ4BeyondSword_Pitboss.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 rtadta;RAMDAC XGPU Controller;c:\windows\SYSTEM32\rtadta.sys [8/4/2009 6:50 AM 8416]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\SYSTEM32\DRIVERS\sp_rsdrv2.sys [7/3/2009 7:16 PM 142592]

R2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [8/12/2004 10:06 AM 14336]

R2 sofatnet;sofatnet Service;c:\windows\SYSTEM32\sofatnet.exe [8/12/2004 9:56 AM 93696]

S1 973a2c01;973a2c01;c:\windows\SYSTEM32\DRIVERS\973a2c01.sys [7/4/2009 5:14 PM 0]

S1 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [?]

S2 khksf;khksf;c:\windows\system32\drivers\eshn.sys --> c:\windows\system32\drivers\eshn.sys [?]

S2 ltiirlvruo;ltiirlvruo;\??\c:\windows\system32\drivers\higjnroadmpp.sys --> c:\windows\system32\drivers\higjnroadmpp.sys [?]

S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\SYSTEM32\spupdsvc.exe [10/27/2005 5:21 PM 26144]

S2 tpmhhn;tpmhhn;c:\windows\SYSTEM32\DRIVERS\udmxk.sys [8/4/2009 6:50 AM 8416]

S3 netsdk;netsdk;c:\windows\SYSTEM32\netsdk.sys [8/12/2004 9:59 AM 2304]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\SYSTEM32\DRIVERS\xusb20.sys [10/13/2006 6:48 PM 50048]

S4 FAH@D:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe;FAH@D:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe;d:\program files\Ubisoft\Far Cry 2\bin\FAH.exe -svcstart --> d:\program files\Ubisoft\Far Cry 2\bin\FAH.exe -svcstart [?]

S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [7/4/2009 10:05 PM 2560]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVDOSERVER

*NewlyCreated* - PGFILTER

.

Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2005-03-17 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8108601397.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2009-09-02 c:\windows\Tasks\Norton Security Scan for Administrator.job

- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-08-31 16:01]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)

Notify-AtiExtEvent - (no file)

Notify-mljhhec - mljhhec.dll

Notify-rqrsroo - rqrsroo.dll

MSConfigStartUp-PRISMSVR - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://webmail.wmich.edu/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/bin/search?p={searchTerms}

uInternet Connection Wizard,ShellNext = iexplore

IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm

IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm

FF - ProfilePath - c:\documents and settings\Noah Hilgert\Application Data\Mozilla\Firefox\Profiles\yu5yy1wb.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxps://webmail.wmich.edu/

FF - plugin: c:\documents and settings\Noah Hilgert\Application Data\Mozilla\Firefox\Profiles\yu5yy1wb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\documents and settings\Noah Hilgert\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Download Manager\npfpdlm.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLC\npvlc.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-03 10:58

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\wiwow64.exe 156672 bytes executable

c:\windows\system32\wiawow32.sys 40960 bytes executable

c:\windows\system32\FInstall.sys 8 bytes

scan completed successfully

hidden files: 3

**************************************************************************

"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\FAH@D:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe]

"ServiceDll"="c:\windows\system32\EvdoServer.dll\00

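A check a responder can run over the Sigcheck section of the ComboFix log above, added here as an example and not taken from the thread or from ComboFix itself: it parses the status, hash and path of each tcpip.sys copy, flags the `[-]` copies whose MD5 matches none of the accepted copies, and shows that the dllcache copy carries the same hash as the live driver, which is why Windows File Protection could not have repaired it and a clean copy had to come from `$hf_mig$`. Reading `[-]` as "not recognised as a known-good Microsoft file" is this example's assumption; the embedded lines are an excerpt of the log above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ComboFix "Sigcheck" section in the log above.
# Assumption (not documented on the page): "[-]" marks a copy ComboFix could
# not match to a known-good Microsoft file, any other status means it could.
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------
[7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-12 14:07 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[-] 2009-07-03 17:43 360320 073941D59AE065910064B728DEE981EE c:\windows\SYSTEM32\DLLCACHE\TCPIP.SYS
[-] 2009-07-03 17:43 360320 073941D59AE065910064B728DEE981EE c:\windows\SYSTEM32\DRIVERS\TCPIP.SYS
"""

# One Sigcheck line: [status] date time size md5 path
SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})"
    r"\s+(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()  # bare file name, case-folded
        entries.append(e)
    return entries


def known_good_hashes(entries):
    """Per file name, the hashes of every copy Sigcheck accepted (status != '-')."""
    good = defaultdict(set)
    for e in entries:
        if e["status"] != "-":
            good[e["name"]].add(e["md5"])
    return good


def find_suspect_copies(entries):
    """Flagged copies whose hash matches none of the accepted copies of the same file."""
    good = known_good_hashes(entries)
    return [e for e in entries if e["status"] == "-" and e["md5"] not in good[e["name"]]]


def dllcache_compromised(entries, name="tcpip.sys"):
    """True when a flagged dllcache copy of `name` has the same hash as the live
    driver: WFP/SFC would "repair" the driver from an identical bad file."""
    live_hashes = {e["md5"] for e in entries
                   if e["name"] == name and "\\drivers\\" in e["path"].lower()}
    return any(e["name"] == name and "\\dllcache\\" in e["path"].lower()
               and e["status"] == "-" and e["md5"] in live_hashes for e in entries)


def restore_candidates(entries, name="tcpip.sys"):
    """Accepted copies of `name`, newest first. Which one is right depends on the
    machine's service pack and hotfix level; this only narrows the list."""
    good = [e for e in entries if e["name"] == name and e["status"] != "-"]
    return sorted(good, key=lambda e: (e["date"], e["time"]), reverse=True)


def report(text):
    """Human-readable summary of the findings for one Sigcheck section."""
    entries = parse_sigcheck(text)
    lines = [f"SUSPECT {e['path']} md5={e['md5']} size={e['size']}"
             for e in find_suspect_copies(entries)]
    if dllcache_compromised(entries):
        lines.append("dllcache copy of tcpip.sys equals the flagged live copy; SFC/WFP cannot fix it")
    lines += [f"candidate {c['date']} {c['md5']} {c['path']}" for c in restore_candidates(entries)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SIGCHECK_SAMPLE)))
```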

  • Root Admin

Please run the following and post back the requested logs.

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
Fcopy::
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\SYSTEM32\DRIVERS\TCPIP.SYS
Driver::
973a2c01
sofatnet
khksf
ltiirlvruo
tpmhhn
netsdk
File::
c:\windows\SYSTEM32\DRIVERS\973a2c01.sys
c:\windows\SYSTEM32\sofatnet.exe
c:\windows\system32\drivers\eshn.sys
c:\windows\system32\drivers\higjnroadmpp.sys
c:\windows\SYSTEM32\DRIVERS\udmxk.sys
c:\windows\SYSTEM32\netsdk.sys
c:\windows\system32\wiwow64.exe
c:\windows\system32\wiawow32.sys
c:\windows\system32\FInstall.sys
DDS::
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
    • When the update is complete, select the Scanner tab
    • Select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.


Here's my Malwarebytes log, but I did run it before seeing the response (I've pasted log after the current one):

Malwarebytes' Anti-Malware 1.40

Database version: 2738

Windows 5.1.2600 Service Pack 2

9/3/2009 11:04:15 PM

mbam-log-2009-09-03 (23-04-15).txt

Scan type: Quick Scan

Objects scanned: 107697

Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINDOWS\svchasts.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

Here's the log from earlier that I ran before using the ComboFix script:

Malwarebytes' Anti-Malware 1.40

Database version: 2735

Windows 5.1.2600 Service Pack 2

9/3/2009 11:41:10 AM

mbam-log-2009-09-03 (11-41-10).txt

Scan type: Quick Scan

Objects scanned: 107988

Time elapsed: 9 minute(s), 29 second(s)

Memory Processes Infected: 3

Memory Modules Infected: 1

Registry Keys Infected: 5

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 3

Files Infected: 14

Memory Processes Infected:

C:\WINDOWS\SYSTEM32\wiwow64.exe (Backdoor.Bot) -> Unloaded process successfully.

C:\WINDOWS\SYSTEM32\sofatnet.exe (Backdoor.Bot) -> Unloaded process successfully.

C:\WINDOWS\SYSTEM32\wiawow32.sys (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\SYSTEM32\EvdoServer.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\evdoserver (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\evdoserver (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netsdk (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\All Users\Application Data\10557964 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\11602814 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\18351404 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\EvdoServer.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\sofatnet.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\dvdpaly.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\netsdk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\temp\tmp0_842757816036.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\10557964\10557964 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\11602814\11602814 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\18351404\18351404.exe (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\msncav32.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\wiawow32.sys (Backdoor.Bot) -> Delete on reboot.
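An added example, not part of the thread: a small parser for the MBAM log format posted above that checks each summary count against the items actually listed, pulls out the "Delete on reboot" entries, and diffs the morning and evening scans to show which detections came back (mrxdavv.sys and kwave.sys, both still "Delete on reboot", so the removal did not stick). The embedded logs are shortened, constructed excerpts of the two logs above, with the summary counts adjusted to match the excerpt.

```python
import re

# Constructed excerpts of the two MBAM logs posted above (11:41 AM scan first,
# 11:04 PM scan second). Lists are shortened and the counts adjusted to match.
EARLIER_LOG = r"""
Malwarebytes' Anti-Malware 1.40
Database version: 2735
9/3/2009 11:41:10 AM

Scan type: Quick Scan
Memory Processes Infected: 2
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\SYSTEM32\wiwow64.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\SYSTEM32\sofatnet.exe (Backdoor.Bot) -> Unloaded process successfully.

Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\wiawow32.sys (Backdoor.Bot) -> Delete on reboot.
"""

LATER_LOG = r"""
Malwarebytes' Anti-Malware 1.40
Database version: 2738
9/3/2009 11:04:15 PM

Scan type: Quick Scan
Memory Processes Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINDOWS\svchasts.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<detection name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Split an MBAM log into its summary counts and per-section detection lists."""
    log = {"database": None, "counts": {}, "sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.startswith("Database version: "):
            log["database"] = int(line.split(": ", 1)[1])
            continue
        m = COUNT_RE.match(line)
        if m:
            log["counts"][m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            log["sections"].setdefault(section, [])
            continue
        m = ITEM_RE.match(line)
        if m and section:
            log["sections"][section].append(m.groupdict())
    return log


def verify_counts(log):
    """Summary counts that disagree with the listed items: (section, declared, listed)."""
    listed = {s: len(items) for s, items in log["sections"].items()}
    return [(s, n, listed.get(s, 0)) for s, n in log["counts"].items() if n != listed.get(s, 0)]


def pending_reboot(log):
    """Items MBAM could not remove in place; they stay on disk until the reboot completes."""
    return [(s, i["item"]) for s, items in log["sections"].items()
            for i in items if i["action"].lower().startswith("delete on reboot")]


def recurring(earlier, later):
    """Items detected in both logs. A 'Delete on reboot' entry that shows up again
    in the next scan means the removal did not stick (here the rootkit kept its files)."""
    def key(section, item):
        return (section, item["item"].lower())
    seen = {key(s, i) for s, items in earlier["sections"].items() for i in items}
    return [(s, i["item"], i["detection"]) for s, items in later["sections"].items()
            for i in items if key(s, i) in seen]


if __name__ == "__main__":
    first, second = parse_mbam_log(EARLIER_LOG), parse_mbam_log(LATER_LOG)
    print("count mismatches:", verify_counts(first), verify_counts(second))
    print("pending reboot (second scan):", pending_reboot(second))
    print("came back after reboot:", recurring(first, second))
```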


C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\msncav32.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\wiawow32.sys (Backdoor.Bot) -> Delete on reboot.

Here's the hijackthis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:12:19 PM, on 9/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

D:\Program Files\PeerGuardian2\pg2.exe

C:\Program Files\RALINK\Common\RaUI.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.wmich.edu/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130447558875

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--

End of file - 4902 bytes

Everything seems to be working fine, and thanks for your help.

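The two Malwarebytes logs in the post above are worth reading side by side: mrxdavv.sys and kwave.sys are reported as "Delete on reboot" in both the earlier and the later scan, which is the tell that the scheduled deletion never took (ComboFix is what finally removed them). As an added example, not part of this thread or of any Malwarebytes tooling, here is a small Python parser for the MBAM 1.x log format shown above that pulls out the detail entries, lists what is still pending a reboot, and reports which items recur between two scans. The sample logs are trimmed excerpts of the ones posted above; the function and constant names are my own.

```python
import re

# One Malwarebytes' Anti-Malware 1.x detection line looks like:
#   C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.
# item = path or registry key, category = MBAM family name, action = what MBAM did.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Section headers as they appear in the detail half of the log (no trailing count).
SECTION_HEADERS = (
    "Memory Processes Infected:",
    "Memory Modules Infected:",
    "Registry Keys Infected:",
    "Registry Values Infected:",
    "Registry Data Items Infected:",
    "Folders Infected:",
    "Files Infected:",
)


def parse_mbam_log(text):
    """Parse an MBAM 1.x log into a list of detections.

    Each detection is a dict with section, item, category and action.
    Summary lines ('Files Infected: 3') and '(No malicious items detected)'
    are skipped, so only the detail entries come back.
    """
    section = None
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line.rstrip(":")
            continue
        if section is None or line.startswith("("):
            continue
        match = DETECTION_RE.match(line)
        if match:
            detections.append({"section": section, **match.groupdict()})
    return detections


def pending_reboot(detections):
    """Items MBAM could not remove while running and deferred to the next boot."""
    return [d["item"] for d in detections if d["action"].startswith("Delete on reboot")]


def survivors(earlier, later):
    """Items detected by both scans: whatever the first scan did, it did not stick.

    Paths are compared case-insensitively because MBAM mixes SYSTEM32/system32.
    """
    seen = {d["item"].lower() for d in earlier}
    return [d["item"] for d in later if d["item"].lower() in seen]


def triage(earlier_text, later_text):
    """Summarise a pair of scans: what the later one found, what recurred, what is deferred."""
    earlier = parse_mbam_log(earlier_text)
    later = parse_mbam_log(later_text)
    return {
        "later_detections": len(later),
        "still_present": survivors(earlier, later),
        "pending_reboot": pending_reboot(later),
    }


# Trimmed excerpts of the two logs posted in this thread (earlier scan first).
EARLIER_LOG = r"""
Malwarebytes' Anti-Malware 1.40
Database version: 2735

Files Infected: 14

Memory Processes Infected:
C:\WINDOWS\SYSTEM32\wiwow64.exe (Backdoor.Bot) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.
"""

LATER_LOG = r"""
Files Infected: 3

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINDOWS\svchasts.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    for key, value in triage(EARLIER_LOG, LATER_LOG).items():
        print(f"{key}: {value}")
```

Anything that shows up in `still_present` after a reboot is the list to hand to a tool that can act below the running kernel (a rescue disk or, as in this thread, ComboFix), since a driver that reloads at boot will keep reinstating itself no matter how many times a user-mode scanner marks it for deletion.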

  • Root Admin

Where is the Combofix Log?

Please post back the Combofix log and run the following and post back its log as well.

Please temporarily disable your current Anti-Virus in order to run this Online AV scanner.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.


Combo Fix log:

ComboFix 09-09-03.02 - ... 09/03/2009 22:37.2.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2302.1779 [GMT -4:00]

Running from: c:\documents and settings\...\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\irc.txt

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\Install.txt

c:\windows\system32\kwave.sys

.

((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))

.

2009-09-03 15:19 . 2008-05-09 21:09 91520 ----a-w- c:\windows\system32\drivers\SysPlant.sys

2009-09-03 15:18 . 2009-09-03 15:18 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-09-03 15:18 . 2009-09-03 15:18 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-09-03 15:17 . 2009-09-03 15:18 -------- d-----w- c:\program files\Symantec

2009-09-03 15:06 . 2009-09-03 15:06 -------- d-----w- c:\program files\Trend Micro

2009-08-31 21:54 . 2009-08-31 21:54 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-08-31 21:54 . 2007-07-28 20:10 483968 ----a-w- c:\windows\system32\drivers\rt61.sys

2009-08-31 21:54 . 2009-08-31 21:54 -------- d-----w- c:\program files\RALINK

2009-08-31 18:03 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-31 18:03 . 2009-09-03 15:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-31 18:03 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-31 16:58 . 2009-09-03 15:20 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-31 16:01 . 2009-08-31 16:01 -------- d-----w- c:\windows\system32\drivers\NSS

2009-08-31 16:01 . 2009-08-31 16:01 -------- d-----w- c:\program files\Norton Security Scan

2009-08-31 16:01 . 2009-08-31 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-31 16:01 . 2009-08-31 16:01 -------- d-----w- c:\program files\NortonInstaller

2009-08-31 16:01 . 2009-08-31 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-31 14:44 . 2009-08-31 14:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-31 06:53 . 2009-08-31 06:53 163840 ----a-w- c:\windows\svchasts.exe

2009-08-06 13:40 . 2009-08-06 13:40 -------- d-----w- c:\program files\PrivacyCenter

2009-08-06 05:25 . 2009-08-06 05:41 -------- d-----w- c:\documents and settings\Noah Hilgert\Local Settings\Application Data\Oblivion

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-04 02:38 . 2009-05-20 20:53 -------- d-----w- c:\documents and settings\Noah Hilgert\Application Data\BitTorrent

2009-09-04 02:33 . 2009-07-09 00:43 -------- d-----w- c:\documents and settings\Noah Hilgert\Application Data\vlc

2009-09-03 15:23 . 2008-12-10 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-09-03 15:18 . 2009-09-03 15:18 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-09-03 15:18 . 2009-09-03 15:18 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-09-03 14:38 . 2004-08-12 13:57 55808 ------w- c:\windows\system32\eventlog.dll

2009-08-31 21:15 . 2005-02-09 05:17 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-31 14:33 . 2005-02-20 13:28 7017 --sha-w- c:\windows\system32\mmf.sys

2009-08-31 14:31 . 2009-07-04 21:14 0 ----a-w- c:\windows\system32\drivers\973a2c01.sys

2009-08-06 03:31 . 2005-04-24 22:08 20080 ----a-w- c:\documents and settings\Noah Hilgert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-04 10:50 . 2009-08-04 10:50 8416 ----a-w- c:\windows\system32\drivers\wanatw4.sys

2009-08-04 10:50 . 2009-08-04 10:50 8416 ----a-w- c:\windows\system32\drivers\udmxk.sys

2009-08-04 10:50 . 2009-08-04 10:50 8416 ----a-w- c:\windows\system32\drivers\oreans32.sys

2009-08-04 10:50 . 2009-08-04 10:50 8416 ----a-w- c:\windows\system32\rtadta.sys

2009-08-04 10:50 . 2005-11-21 23:24 8416 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-07-26 02:06 . 2005-02-09 05:18 -------- d-----w- c:\program files\Sonic

2009-07-26 02:05 . 2005-02-09 05:18 -------- d-----w- c:\program files\Common Files\Sonic Shared

2009-07-24 20:27 . 2009-03-21 19:56 413696 ----a-w- c:\windows\system32\wrap_oal.dll

2009-07-24 20:27 . 2009-03-21 19:56 110592 ----a-w- c:\windows\system32\OpenAL32.dll

2009-07-20 19:06 . 2008-08-07 17:25 -------- d-----w- c:\documents and settings\Guest\Application Data\Yahoo!

2009-07-20 19:06 . 2005-08-24 22:53 -------- d-----w- c:\program files\Yahoo!

2009-07-17 19:12 . 2009-07-17 19:12 -------- d-----w- c:\documents and settings\Noah Hilgert\Application Data\LucasArts

2009-07-16 18:14 . 2009-07-16 18:14 -------- d-----w- c:\documents and settings\Noah Hilgert\Application Data\Malwarebytes

2009-07-16 18:14 . 2009-07-16 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-14 04:11 . 2009-07-14 04:08 -------- d-----w- c:\program files\Common Files\3DO Shared

2009-07-14 04:08 . 2009-07-14 04:08 -------- d-----w- c:\program files\3DO

2009-07-13 03:31 . 2005-07-10 06:19 21840 -c--atw- c:\windows\system32\SIntfNT.dll

2009-07-13 03:31 . 2005-07-10 06:19 17212 -c--atw- c:\windows\system32\SIntf32.dll

2009-07-13 03:31 . 2005-07-10 06:19 12067 -c--atw- c:\windows\system32\SIntf16.dll

2009-07-08 02:37 . 2008-02-19 08:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-05 02:05 . 2009-07-05 02:05 2560 ----a-w- c:\windows\Runservice.exe

2009-07-04 01:04 . 2006-03-17 00:38 28672 -c--a-w- c:\windows\system32\verclsid.exe

2009-07-03 18:13 . 2009-07-03 18:13 25912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-03 17:43 . 2004-08-12 14:07 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS

2009-06-22 10:39 . 2009-06-22 10:39 93 ----a-w- c:\windows\system32\SKYNET.dat

2005-08-21 10:43 . 2005-08-21 10:43 5632 -csha-w- c:\program files\Thumbs.db

2007-10-08 19:47 . 2007-10-08 19:23 393 -csha-w- c:\windows\SYSTEM32\ayadd.tmp

2007-10-04 10:43 . 2007-10-04 08:36 1525493 -csha-w- c:\windows\SYSTEM32\cfhkj.tmp

2005-06-12 08:59 . 2005-02-20 13:28 1241 -csha-w- c:\windows\SYSTEM32\mmf(2).sys

2007-10-16 03:45 . 2007-10-16 02:46 10830 -csha-w- c:\windows\SYSTEM32\nqtss.tmp

.

------- Sigcheck -------

[7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[7] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2004-08-12 14:07 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748$\tcpip.sys

[7] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys

[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys

[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys

[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys

[-] 2009-07-03 17:43 360320 073941D59AE065910064B728DEE981EE c:\windows\SYSTEM32\DLLCACHE\TCPIP.SYS

[-] 2009-07-03 17:43 360320 073941D59AE065910064B728DEE981EE c:\windows\SYSTEM32\DRIVERS\TCPIP.SYS

.

((((((((((((((((((((((((((((( SnapShot@2009-09-03_14.58.09 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-11-07 06:19 . 2007-11-07 06:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll

- 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll

+ 2008-07-29 10:07 . 2008-07-29 10:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll

- 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll

+ 2008-07-29 10:07 . 2008-07-29 10:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll

- 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll

+ 2008-05-09 22:00 . 2008-05-09 22:00 83432 c:\windows\SYSTEM32\pds.dll

+ 2008-05-09 22:00 . 2008-05-09 22:00 91624 c:\windows\SYSTEM32\nts.dll

+ 2008-05-09 22:00 . 2008-05-09 22:00 46576 c:\windows\SYSTEM32\msgsys.dll

+ 2008-05-09 22:00 . 2008-05-09 22:00 83376 c:\windows\SYSTEM32\loc32vc0.dll

+ 2008-05-09 21:07 . 2008-05-09 21:07 48000 c:\windows\SYSTEM32\FwsVpn.dll

+ 2008-05-09 21:08 . 2008-05-09 21:08 40832 c:\windows\SYSTEM32\DRIVERS\WPSDRVnt.sys

+ 2008-05-12 04:38 . 2008-05-12 04:38 38632 c:\windows\SYSTEM32\DRIVERS\WGX.SYS

+ 2008-03-12 19:19 . 2008-03-12 19:19 49536 c:\windows\SYSTEM32\DRIVERS\Teefer2.sys

+ 2007-10-31 00:55 . 2007-10-31 00:55 27696 c:\windows\SYSTEM32\DRIVERS\symredrv.sys

+ 2007-10-31 00:55 . 2007-10-31 00:55 37936 c:\windows\SYSTEM32\DRIVERS\symndisv.sys

+ 2007-10-31 00:55 . 2007-10-31 00:55 35120 c:\windows\SYSTEM32\DRIVERS\symndis.sys

+ 2007-10-31 00:55 . 2007-10-31 00:55 39856 c:\windows\SYSTEM32\DRIVERS\symids.sys

+ 2007-10-31 00:55 . 2007-10-31 00:55 12848 c:\windows\SYSTEM32\DRIVERS\symdns.sys

+ 2008-03-21 23:14 . 2008-03-21 23:14 43696 c:\windows\SYSTEM32\DRIVERS\srtspx.sys

+ 2007-05-29 17:55 . 2008-07-30 21:42 23888 c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys

+ 2008-05-09 22:00 . 2008-05-09 22:00 34280 c:\windows\SYSTEM32\cba.dll

+ 2009-09-03 15:19 . 2009-09-03 15:19 21446 c:\windows\Installer\{2E2966EA-2169-4E42-8A8A-CC1749D80088}\ARPPRODUCTICON.exe

- 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll

- 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll

+ 2008-07-29 07:54 . 2008-07-29 07:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll

+ 2008-05-09 21:08 . 2008-05-09 21:08 357760 c:\windows\SYSTEM32\sysfer.dll

+ 2008-05-09 21:08 . 2008-05-09 21:08 107904 c:\windows\SYSTEM32\SymVPN.dll

+ 2007-10-31 00:55 . 2007-10-31 00:55 242056 c:\windows\SYSTEM32\SymRedir.dll

+ 2007-10-31 00:55 . 2007-10-31 00:55 625032 c:\windows\SYSTEM32\SymNeti.dll

+ 2007-06-19 21:08 . 2009-04-21 02:12 149768 c:\windows\SYSTEM32\DRIVERS\WpsHelper.sys

+ 2007-10-31 00:55 . 2007-10-31 00:55 191536 c:\windows\SYSTEM32\DRIVERS\symtdi.sys

+ 2007-10-31 00:55 . 2007-10-31 00:55 145968 c:\windows\SYSTEM32\DRIVERS\symfw.sys

+ 2008-03-21 23:14 . 2008-03-21 23:14 317616 c:\windows\SYSTEM32\DRIVERS\srtspl.sys

+ 2008-03-21 23:14 . 2008-03-21 23:14 279088 c:\windows\SYSTEM32\DRIVERS\srtsp.sys

+ 2008-07-29 12:05 . 2008-07-29 12:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll

+ 2008-07-29 12:05 . 2008-07-29 12:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll

- 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll

+ 2009-09-03 15:19 . 2009-09-03 15:19 13879296 c:\windows\Installer\ce1fc.msi

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PeerGuardian"="d:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-8-31 1114112]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk

backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]

backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]

backup=c:\windows\pss\GetRight - Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk

backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Noah Hilgert^Start Menu^Programs^Startup^ImpulseNow.lnk]

path=c:\documents and settings\Noah Hilgert\Start Menu\Programs\Startup\ImpulseNow.lnk

backup=c:\windows\pss\ImpulseNow.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Noah Hilgert^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Noah Hilgert\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Noah Hilgert^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]

path=c:\documents and settings\Noah Hilgert\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk

backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Noah Hilgert^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

[HKLM\~\startupfolder\c:^documents and settings^noah hilgert^start menu^programs^startup^quickshelf 2000.lnk]

path=c:\documents and settings\Noah Hilgert\Start Menu\Programs\Startup\QuickShelf 2000.lnk

backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Noah Hilgert^Start Menu^Programs^Startup^TA_Start.lnk]

backup=c:\windows\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Noah Hilgert^Start Menu^Programs^Startup^zqosys32.exe]

path=c:\documents and settings\Noah Hilgert\Start Menu\Programs\Startup\zqosys32.exe

backup=c:\windows\pss\zqosys32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"MpfService"=2 (0x2)

"mcupdmgr.exe"=3 (0x3)

"MCVSRte"=2 (0x2)

"McShield"=3 (0x3)

"LicCtrlService"=2 (0x2)

"SDhelper"=2 (0x2)

"IDriverT"=3 (0x3)

"WebrootSpySweeperService"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"PnkBstrB"=2 (0x2)

"PnkBstrA"=2 (0x2)

"idsvc"=3 (0x3)

"gusvc"=2 (0x2)

"ADVService"=3 (0x3)

"FAH@D:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe"=2 (0x2)

"LiveUpdate"=3 (0x3)

"dmadmin"=3 (0x3)

"aspnet_state"=3 (0x3)

"wuauserv"=2 (0x2)

"BITS"=3 (0x3)

"antippro2009_12"=2 (0x2)

"antippro2009_100"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\Noah Hilgert\\Application Data\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\Civ\\Civilization4.exe"=

"d:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=

"d:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=

"d:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=

"d:\\Program Files\\Civ\\Warlords\\Civ4Warlords.exe"=

"d:\\Program Files\\Civ\\Warlords\\Civ4Warlords_PitBoss.exe"=

"d:\\Program Files\\Civ\\Beyond the Sword\\Civ4BeyondSword.exe"=

"d:\\Program Files\\Civ\\Beyond the Sword\\Civ4BeyondSword_Pitboss.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 rtadta;RAMDAC XGPU Controller;c:\windows\SYSTEM32\rtadta.sys [8/4/2009 6:50 AM 8416]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/3/2009 11:24 AM 102448]

S1 973a2c01;973a2c01;c:\windows\SYSTEM32\DRIVERS\973a2c01.sys [7/4/2009 5:14 PM 0]

S1 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [?]

S2 khksf;khksf;c:\windows\system32\drivers\eshn.sys --> c:\windows\system32\drivers\eshn.sys [?]

S2 ltiirlvruo;ltiirlvruo;\??\c:\windows\system32\drivers\higjnroadmpp.sys --> c:\windows\system32\drivers\higjnroadmpp.sys [?]

S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\SYSTEM32\spupdsvc.exe [10/27/2005 5:21 PM 26144]

S2 tpmhhn;tpmhhn;c:\windows\SYSTEM32\DRIVERS\udmxk.sys [8/4/2009 6:50 AM 8416]

S3 COH_Mon;COH_Mon;c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys [5/29/2007 1:55 PM 23888]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\SYSTEM32\DRIVERS\xusb20.sys [10/13/2006 6:48 PM 50048]

S4 FAH@D:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe;FAH@D:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe;d:\program files\Ubisoft\Far Cry 2\bin\FAH.exe -svcstart --> d:\program files\Ubisoft\Far Cry 2\bin\FAH.exe -svcstart [?]

S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [7/4/2009 10:05 PM 2560]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PGFILTER

.

Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2005-03-17 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8108601397.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2009-09-02 c:\windows\Tasks\Norton Security Scan for Administrator.job

- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-08-31 16:01]

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus

.

------- Supplementary Scan -------

.

uStart Page = hxxp://webmail.wmich.edu/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/bin/search?p={searchTerms}

uInternet Connection Wizard,ShellNext = iexplore

IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm

IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm

FF - ProfilePath - c:\documents and settings\Noah Hilgert\Application Data\Mozilla\Firefox\Profiles\yu5yy1wb.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxps://webmail.wmich.edu/

FF - plugin: c:\documents and settings\Noah Hilgert\Application Data\Mozilla\Firefox\Profiles\yu5yy1wb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\documents and settings\Noah Hilgert\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Download Manager\npfpdlm.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLC\npvlc.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-03 22:47

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\FAH@D:+Program Files+Ubisoft+Far Cry 2+bin+FAH.exe]

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3828210982-1163802806-3144815527-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3828210982-1163802806-3144815527-1006\Software\securom\license information*]

"datasecu"=hex:76,ae,0c,6e,01,0c,6f,fd,0b,e5,63,cc,cf,36,5c,cc,01,4d,e0,7b,4b,

1d,cb,bc,74,18,3a,7c,0c,86,e4,a3,5a,8a,7f,16,07,fb,b6,b6,34,ee,8d,4e,e3,1a,\

"rkeysecu"=hex:65,02,5c,2f,c4,c8,a2,d6,a2,f3,14,e1,9b,fc,5b,27

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]

"1"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,04,7d,73,7b,41,5e,94,

fd

"2"=hex:f1,df,16,de,80,08,0e,2a,78,a4,28,cb,d2,56,ff,58,ba,e9,e0,76,1f,5b,ab,

75

"3"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,2b,92,4b,0d,22,14,9d,

cb,e3,f8,73,90,7d,a4,36,0d,f2,c9,99,66,1f,10,89,7d,ec,36,ce,6f,e7,65,ad,a4

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,36,d7,56,53,fe,9f,3d,f9

"2"=hex:7e,f0,d3,bf,a1,bf,44,67

"3"=hex:40,fc,94,40,bd,e3,12,43,6a,f0,46,b8,7e,bc,4b,74,a9,96,75,32,0d,19,e6,

78,fe,77,86,d4,0e,c9,66,7e,eb,98,3d,97,57,e0,ba,63,08,19,c8,6e,e3,8f,00,5b,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,8f,11,0c,96,c4,fa,d8,91,c4,88,47,3c,b6,d7,23,fc,c9,b2,b2,e7,02,fa,d0,25,\

"7"=hex:6b,96,68,24,0f,2f,9e,94,e8,ce,54,f3,3b,80,63,3a,1b,c3,e7,ed,44,3a,1d,

97,9f,f9,03,77,68,81,1b,0c,00,99,b2,a5,1c,c7,0c,37

"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,73,7e,45,c6,9f,9e,10,

63,a0,2f,06,c2,a3,e9,62,70,90,4c,ec,d6,92,e1,28,ba,e5,5d,0d,25,ef,fb,b7,21,\

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:4b,72,8f,bc,6c,3f,e4,15

"10"=hex:81,20,8f,ab,28,6a,52,9c

"11"=hex:81,20,8f,ab,28,6a,52,9c

"12"=hex:f7,a5,ea,38,ec,a8,ba,76,60,5c,f8,bc,53,a9,e2,f1,72,cb,eb,82,1e,6e,e8,

eb,a6,e3,68,75,76,88,d5,86,ff,25,eb,96,75,4a,f9,95,7b,b5,6d,16,eb,5b,6a,ab,\

"13"=hex:f5,50,b1,fd,1b,87,45,e2,07,e6,78,3e,06,fe,aa,82,4e,df,a1,b8,7f,29,3a,

71

"14"=hex:56,9f,0c,87,43,ea,8d,f7,6c,01,ea,a3,05,cf,93,b7

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:ac,48,f4,89,37,16,70,3b,e6,a4,cf,f1,6f,c2,94,37

"22"=hex:81,20,8f,ab,28,6a,52,9c

"15"=hex:99,58,26,dc,a6,c8,c2,ff,fb,da,cf,5d,bf,e3,9a,14,00,ea,7f,72,bd,03,7c,

d1,d8,15,27,0c,9b,93,85,c6,dc,8e,e0,52,fb,3a,45,e1,a2,87,c2,25,a3,ce,3e,c6,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\F347AA9A592B216D597E028785020CD4]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,0d,ef,4b,fc,af,c2,2e,ad

"2"=hex:04,29,6a,69,56,d3,ea,41,db,c1,1a,08,f4,34,4d,ff

"3"=hex:ad,7f,9d,80,a8,06,55,d0,a9,cf,82,e7,d1,0c,11,41,05,f3,95,81,74,14,af,

fe,82,50,18,1c,42,ce,f9,b9,7d,ee,24,2c,81,27,0e,26,5b,1a,80,c0,ea,8c,d4,64,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,46,88,2f,82,3b,10,0c,a3,06,e2,b9,2d,01,08,b4,c2,45,19,67,50,8b,89,d1,c8,\

"7"=hex:6b,96,68,24,0f,2f,9e,94,e8,ce,54,f3,3b,80,63,3a,1b,c3,e7,ed,44,3a,1d,

97,49,3e,e5,49,ef,df,ad,a2

"8"=hex:4e,76,82,b0,55,a5,5f,45,19,e9,e2,ff,41,37,32,8d,6a,ce,bd,6f,f7,f4,51,

2e,0f,39,e9,a0,8b,94,83,00,a5,1a,6f,96,79,63,2c,cd,66,0c,47,25,fe,2b,42,47,\

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:4b,72,8f,bc,6c,3f,e4,15

"10"=hex:81,20,8f,ab,28,6a,52,9c

"11"=hex:81,20,8f,ab,28,6a,52,9c

"12"=hex:3d,4c,f6,49,9f,27,72,48,60,d4,86,0d,b2,ae,24,e4,f0,97,0c,0f,c6,cd,22,

93,40,33,35,f3,77,f9,37,fd,16,bc,f0,81,f6,40,53,25,8e,2c,be,48,4f,92,b7,77,\

"13"=hex:cb,41,1d,db,bf,51,80,44,b9,15,9e,c6,e8,fc,2a,79,9d,b4,8d,27,0b,1e,60,

ae

"14"=hex:bd,67,9b,ef,47,fb,15,8c,ba,a8,71,3f,47,d1,f1,06

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:4d,41,c1,c1,78,a9,ed,bf,73,80,ed,ca,df,61,89,82

"22"=hex:81,20,8f,ab,28,6a,52,9c

"15"=hex:3b,da,1c,dd,a8,2e,14,8e,d6,60,cf,50,ea,9b,a2,ca,5c,96,f1,17,0d,d0,fc,

de,df,6b,13,04,1a,cb,3c,38,df,19,b8,7e,dc,9c,d6,0c,8d,04,59,3e,37,4a,07,e3,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,

d5,44,f7,88,8f,b5,4c,1b,f9,3e,da,c2,d2,eb,69,77,32,91,02,8c,84,09,5e,d2,d3

"2"=hex:f1,df,16,de,80,08,0e,2a,d1,38,b5,6f,94,ca,dc,d2,b3,e8,d2,40,6c,6f,61,

5e,d2,5e,7f,21,14,b5,b2,29

"3"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,

d5,f2,55,76,c8,bc,53,92,25,3f,d1,b6,bc,00,35,73,43,96,90,79,f6,5b,97,35,47,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\3323E31CCF524E1933A08EFC0405BBBB]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,ce,d6,da,a0,ab,80,e1,24

"2"=hex:70,52,20,b5,8f,72,73,3d

"3"=hex:18,ab,28,da,d1,d9,7c,c1,3b,ce,ae,a7,9e,99,89,f5,15,80,91,10,27,e0,c0,

32,fa,40,8e,5e,a4,2b,f5,a5,dc,a4,27,ca,26,67,e5,52,13,e2,1a,6c,b0,38,fa,2d,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,6a,83,7f,d6,71,af,86,e0,98,8d,dd,2e,7a,95,cd,1a,9e,2d,5f,ec,63,7f,c9,e5,\

"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,29,7c,70,46,35,dc,d7,79

"8"=hex:4e,76,82,b0,55,a5,5f,45,19,e9,e2,ff,41,37,32,8d,04,93,48,c8,90,e3,70,

e7,31,82,3f,28,9f,11,d4,80,41,41,ca,c1,a3,77,63,a2,3b,6f,05,06,ed,f6,d5,4d,\

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:4b,72,8f,bc,6c,3f,e4,15

"10"=hex:81,20,8f,ab,28,6a,52,9c

"11"=hex:81,20,8f,ab,28,6a,52,9c

"12"=hex:08,0e,71,dc,67,38,fa,39,70,ef,3c,36,21,97,5a,19,9f,bd,40,62,8a,f9,50,

cb,62,b1,9c,5c,e3,86,75,ce,74,53,35,1a,92,50,36,e3,7d,3e,17,e4,28,1d,be,ea,\

"13"=hex:86,f2,a4,7f,16,33,7d,65,0b,e4,9d,8e,92,48,b8,28,4e,af,41,18,b7,2b,bc,

da

"14"=hex:4e,63,05,ff,92,a2,5b,c8

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:f2,34,a8,09,73,f5,71,9d,c7,7b,7d,4d,f9,ef,2f,f7

"22"=hex:81,20,8f,ab,28,6a,52,9c

"15"=hex:6e,5f,84,50,de,0c,94,c2,04,42,b3,48,4a,de,07,8d,00,2f,b7,f1,16,c1,05,

24,ff,1e,f3,80,35,43,c6,be,1e,72,7f,a7,cc,f3,96,f0,a0,3f,aa,f7,6e,ba,3a,a0,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\58BBB2CAA762B86BF8228F8849EB5144]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,53,74,ea,24,5b,d9,02,83

"2"=hex:84,00,a2,e9,a5,84,bc,35

"3"=hex:20,09,93,fb,52,0f,45,d8,22,e6,eb,50,39,e0,50,65,94,47,f3,57,5a,80,6a,

da,ff,06,4f,51,86,43,26,e6,5a,66,7f,0d,c6,46,b0,29,71,50,ba,e3,a1,5e,5b,98,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,0b,6a,8c,ca,2a,b0,fe,b3,4b,64,48,ea,1f,44,5e,dc,e9,a1,c1,1e,2b,ba,8b,4e,\

"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,53,74,ea,24,5b,d9,02,83

"8"=hex:4e,76,82,b0,55,a5,5f,45,19,e9,e2,ff,41,37,32,8d,10,bb,8d,7b,19,2b,b0,

6d,62,1d,76,37,79,09,c6,b6,7c,76,06,41,32,1b,03,3e

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:4b,72,8f,bc,6c,3f,e4,15

"10"=hex:81,20,8f,ab,28,6a,52,9c

"11"=hex:81,20,8f,ab,28,6a,52,9c

"12"=hex:62,99,8e,9b,2d,d3,69,32,ad,79,6d,d2,9e,9a,9f,3d,09,d4,ae,43,ff,a7,56,

e3,6e,d3,d0,13,61,82,02,d1,40,82,91,fe,af,c4,e0,3b,75,62,90,eb,79,89,b5,58,\

"13"=hex:3c,52,49,fd,59,1a,0a,05,4b,a2,2a,f9,a9,0e,2b,c8,03,1b,f2,16,d7,c8,b1,

8c

"14"=hex:84,23,eb,9e,98,3e,c4,f1

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:b9,5c,46,a6,81,cd,09,f7,05,f9,68,04,4c,cd,a2,c1

"22"=hex:81,20,8f,ab,28,6a,52,9c

"15"=hex:ab,47,b6,f2,04,98,7d,f6,6e,c4,6c,ea,7c,4a,f9,eb,fc,3e,3e,ef,a3,ac,8a,

75,a8,a3,ab,59,c5,35,0e,d7,ef,c7,59,4e,74,2d,4b,82,be,be,56,64,e7,6d,b4,2b,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\A28FC91DA48F2E633FEBC5F75796F7EE]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,50,94,16,01,b2,17,1a,42

"2"=hex:36,a1,83,10,ca,9e,e0,63

"3"=hex:36,04,0c,5d,e5,22,29,a1,09,88,6c,1a,52,49,2c,ee,83,37,19,db,92,d8,bc,

c1,34,38,c5,8d,4e,54,1e,36,f0,75,a1,3a,7c,e6,f8,48,95,a7,cb,a2,e5,23,ac,39,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,7a,a8,00,2b,5a,66,a9,58,4e,b4,3d,8d,91,76,bb,96,13,03,45,50,83,49,1c,85,\

"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,fc,f4,86,ed,7d,07,89,29,2f,7f,fa,55,aa,50,20,7e,7c,e5,f7,a8,05,d7,35,13,\

"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,

f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:4b,72,8f,bc,6c,3f,e4,15

"10"=hex:81,20,8f,ab,28,6a,52,9c

"11"=hex:81,20,8f,ab,28,6a,52,9c

"12"=hex:74,ac,d0,96,92,b5,28,f1,95,59,d9,40,38,f5,d7,88,c8,da,53,fb,a8,94,71,

49,44,db,d0,13,e1,bb,79,e5,7a,d7,3d,31,27,17,6e,19,94,3c,37,48,e7,49,44,2d,\

"13"=hex:31,90,31,27,d7,2d,1f,26,26,9f,01,65,b1,40,f8,59,4d,ca,46,9f,df,63,f0,

56

"14"=hex:3b,71,c6,44,4a,52,dd,47

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:78,10,e4,c0,10,02,38,b8,e0,6e,1a,25,b4,73,d4,46

"22"=hex:81,20,8f,ab,28,6a,52,9c

"15"=hex:da,f8,24,53,d5,46,0a,00,3a,45,6c,bb,f2,0c,0e,51,4e,fe,fb,66,ab,0c,4c,

5c,4a,18,d8,5d,07,a7,bc,4b,3c,38,4c,ba,5e,d3,d2,61,53,8a,0e,c0,50,96,d1,ac,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\D580A8CFDA60E9362F91B6F863D46379]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,50,94,16,01,b2,17,1a,42

"2"=hex:9c,8f,90,02,72,6d,23,df

"3"=hex:ab,8e,f9,55,45,b1,34,a8,75,b2,69,2d,b7,17,08,7c,9d,61,5f,85,f7,2e,2d,

fb,94,ca,4d,e1,66,19,64,ce,66,22,ed,19,c0,16,d2,ce,da,2d,ed,bc,e0,19,69,36,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,f7,80,25,85,73,e5,5c,d6,d5,cb,95,d1,24,0b,0f,07,0a,14,78,8c,0b,ef,ea,57,\

"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,04,de,29,1c,d1,59,b3,b5,1c,3a,e8,07,ed,d8,08,6e,a7,52,c4,be,fd,58,1e,61,\

"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,

f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:4b,72,8f,bc,6c,3f,e4,15

"10"=hex:81,20,8f,ab,28,6a,52,9c

"11"=hex:81,20,8f,ab,28,6a,52,9c

"12"=hex:dc,1f,28,95,8b,ae,e0,58,49,65,0a,f0,39,86,cb,95,49,53,64,d4,53,eb,37,

1e,8c,98,a0,28,d2,7a,17,55,80,57,da,65,78,06,4d,5e,4a,a8,d9,90,a3,b2,5f,39,\

"13"=hex:11,35,17,4f,e6,01,b2,48,27,1a,e4,04,ee,66,42,d5,ac,3d,f1,a9,2d,bf,3d,

1c

"14"=hex:6b,51,bd,2b,8f,5b,c4,81

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:97,a0,bd,b9,ba,79,8c,7f,49,f8,cd,c6,64,0b,d5,16

"22"=hex:81,20,8f,ab,28,6a,52,9c

"15"=hex:aa,29,01,74,3b,7d,06,1a,91,d7,04,52,9e,33,73,f0,4a,1a,c7,a6,20,dc,bd,

d8,0d,39,17,a4,ab,08,91,e3,ef,a7,c1,25,6c,d3,74,1c,a2,19,50,9f,2a,d2,21,ad,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2120)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\windows\SYSTEM32\wscntfy.exe

c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

.

**************************************************************************

.

Completion time: 2009-09-04 22:54 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-04 02:53

ComboFix2.txt 2009-09-03 15:04

Pre-Run: 12,551,675,904 bytes free

Post-Run: 12,560,453,632 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5

574 --- E O F --- 2009-07-04 07:01

Eset Log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6050

# api_version=3.0.2

# EOSSerial=557570e8e1dd304980b6cedb43dd02a4

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-09-06 03:58:33

# local_time=2009-09-06 11:58:33 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# scanned=210749

# found=59

# cleaned=59

# scan_time=3722

C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\item_templ\coach\RunGdp.exe Win32/Virut.NBP virus (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\DellSupportUtil.exe Win32/Virut.NBP virus (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\DellSommelierFix.exe Win32/Virut.NBP virus (cleaned - quarantined) 00000000000000000000000000000000 C

C:\NVIDIA\Win2KXP\93.71\nvudisp.exe Win32/Virut.NBP virus (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\eventlog.dll a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Program Files\Windows Police Pro\windows Police Pro.exe.vir a variant of Win32/Adware.WindowsAntivirusPro.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Program Files\Windows Police Pro\tmp\dbsinit.exe.vir Win32/Adware.WinAntiVirus application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Program Files\Windows Police Pro\tmp\wispex.html.vir Win32/Adware.WinAntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\aphdjqeb.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bbadd.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cdeeg.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cfkjpfpr.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ddeeg.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\desote.exe.vir Win32/Adware.WindowsAntivirusPro application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\glyrkrih.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hjllm.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\llkkj.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\llkkj.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\llkkj.tmp.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lnnmp.bak2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lnnmp.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lnnmp.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lnnmp.tmp.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mpqss.bak1.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mpqss.bak2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mpqss.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mpqss.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mpqss.tmp.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mselaf.exe.vir Win32/TrojanClicker.VB.NIM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\msenmg.exe.vir Win32/TrojanClicker.VB.NIM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\msfem.exe.vir Win32/TrojanClicker.VB.NIM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\msgbevo.exe.vir Win32/TrojanClicker.VB.NIM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mshttte.exe.vir Win32/TrojanClicker.VB.NIM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\msjjt.exe.vir Win32/TrojanClicker.VB.NIM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mskhha.exe.vir Win32/TrojanClicker.VB.NIM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mslmvz.exe.vir Win32/TrojanClicker.VB.NIM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mslsb.exe.vir Win32/TrojanClicker.VB.NIM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\msnvxpnw.exe.vir Win32/TrojanClicker.VB.NIM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mspytrz.exe.vir Win32/TrojanClicker.VB.NIM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\msudjev.exe.vir Win32/TrojanClicker.VB.NIM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\msxvwsnq.exe.vir Win32/TrojanClicker.VB.NIM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pqstv.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pqstv.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pqstv.tmp.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qqstv.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qqstv.tmp.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\stvwa.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\stvwa.tmp.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wiwow64.exe.vir Win32/Adware.Coolezweb application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wybeg.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wybeg.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wybeg.tmp.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\xbeeg.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\xbeeg.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\xbeeg.tmp.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\drivers\higjnroadmpp.sys.vir Win32/Rootkit.Agent.NMM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\SYSTEM32\ayadd.tmp Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\SYSTEM32\cfhkj.tmp Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\SYSTEM32\nqtss.tmp Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Thanks!

  • Root Admin

That's not the Combofix log from where I asked you to create and run the CFScript.txt file.

Please delete your current copy of Combofix or whatever it's named. Then download a NEW fresh copy and disable your Anti-Virus and run it with the script that I provided in the post here: http://www.malwarebytes.org/forums/index.p...st&p=120234

Then post back that log please.

Thank you.

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
