malwarebytes and others won't run, trojans, viruses keep coming back


Erik35

Malwarebytes and many others won't run. Trojans and viruses keep coming back.

renaming mbam doesn't help. The mbam and HJTInstall.exe processes run, but nothing shows on the screen.

Additional symptoms:

1) I keep the computer internet cable disconnected or it starts loading viruses and goes bad really fast.

2) It shuts off Task Manager and regedit; I can't show hidden files in safe mode; there are no file options under Explorer windows.

It killed CA antivirus and won't allow Avira or preXX to install.

I got AVG installed and can run it in safe mode with internet cable disconnected.

AVG finds SHeur2.BamR, SHeur2.Bbaw, Win32/Cryptor, debug.exe, spoolsw.exe.

It says they are deleted, but they seem to get installed again. If I connect to the internet they get installed again, along with Advanced Virus Removal. I have seen these over the past couple of days:

trojan.win.agent.dcc

net-worm.win32.mytob.t

backdoor.win32.kbot.al

net-worm.win32.Dipnet.d

virus.win32.gpcode.ak

rootkit.win32.agent.pp

email-worm.win32.netsky.g

virus.win32.hala.a

chin09.win

trojan.downloader.js.multi.ca

Even with these viruses deleted, rogue iexplore.exe processes keep starting. Sometimes iexplore.exe processes start under the services/svchost process tree.

I am able to load programs through another computer and run them from a thumb drive.

I see that others have run ComboFix, RootRepeal, etc., but I saw the warnings not to unless instructed by an expert.

Here is the Win32kDiag.txt log from Win32kDiag.exe. Thanks for the help!

Log file is located at: C:\Documents and Settings\Registered User\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP161.tmp\ZAP161.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP243.tmp\ZAP243.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP260.tmp\ZAP260.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC.tmp\ZAPAC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\browserxtras\browserxtras

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CAVTemp\CAVTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Drivers\Intel\Graphics\Graphics

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\cache\javaws\javaws

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-73586283-484061587-682003330-1003\S-1-5-21-73586283-484061587-682003330-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Kinko's\FPFK\FPFK

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Discrete Storage\Q3FBLH6RIF6MYMN6VD31LVQSMD\Q3FBLH6RIF6MYMN6VD31LVQSMD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Temp\Temp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\igfxtray.exe

[1] 2004-05-06 00:52:00 155648 C:\WINDOWS\system32\igfxtray.exe ()

[1] 2004-05-06 00:52:00 155648 C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe (Intel Corporation)

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\NtmsData\Export\Export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\WMD\WMD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\WMFA\WMFA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!

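Reading a Win32kDiag log like the one above by hand is slow, so here is a small triage script written for this page (an added example; it is not code from this thread, from Malwarebytes or from the Win32kDiag tool). It parses the log format posted here and reports junctions whose destination is not the `\??\Volume{GUID}` form a legitimate volume mount point uses, how many the `-f -r` run reported as removed, and, for each "Cannot access" file, whether the in-place copy differs in size from every backup copy listed under it or has no readable version information (both visible for eventlog.dll and igfxtray.exe in the log). The sample log is constructed from entries in this thread; the `D:\mnt\data` junction and its volume GUID are made up.

```python
r"""Triage a Win32kDiag.txt log (added example; not from this thread or the tool).

Reports junctions whose destination is not a normal \??\Volume{GUID} mount,
grouped by destination, how many the -f -r run removed, and for each
"Cannot access" file whether the in-place copy differs in size from every
backup copy listed under it or has no readable version info.
"""
import re

MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")
REMOVE_RE = re.compile(r"^Removing mount point : (?P<path>.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (?P<path>.+)$")
# [1] 2008-04-13 17:11:53 61952 C:\WINDOWS\system32\eventlog.dll (Company)
ENTRY_RE = re.compile(
    r"^\[\d+\] \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\d+) "
    r"(?P<path>.+?) \((?P<company>[^)]*)\)$")
# Destination used by a legitimately mounted volume on Windows XP.
VOLUME_DEST = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]+\}\\?$")


def parse_win32kdiag(text):
    """Return (mounts, files): mounts as {path, dest, removed} dicts, files as
    {path, entries} dicts whose entries are (path, size, company) tuples."""
    mounts, files = [], []
    current = None  # the "Cannot access" file the next version entries belong to
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            mounts.append({"path": m["path"], "dest": "", "removed": False})
            current = None
        elif (m := DEST_RE.match(line)) and mounts:
            mounts[-1]["dest"] = m["dest"]
        elif m := REMOVE_RE.match(line):
            for mp in mounts:
                if mp["path"] == m["path"]:
                    mp["removed"] = True
        elif m := CANNOT_RE.match(line):
            current = {"path": m["path"], "entries": []}
            files.append(current)
        elif (m := ENTRY_RE.match(line)) and current is not None:
            current["entries"].append((m["path"], int(m["size"]), m["company"]))
    return mounts, files


def suspicious_mounts(mounts):
    """Group junction paths by destination, skipping real volume mount points."""
    groups = {}
    for mp in mounts:
        if not VOLUME_DEST.match(mp["dest"]):
            groups.setdefault(mp["dest"], []).append(mp["path"])
    return groups


def assess_file(item):
    """Compare the in-place copy with the backup copies listed under it."""
    target = item["path"].lower()
    in_place = [e for e in item["entries"] if e[0].lower() == target]
    others = [e for e in item["entries"] if e[0].lower() != target]
    if not in_place:
        return "no in-place entry listed"
    _, size, company = in_place[0]
    if others and size not in {e[1] for e in others}:
        return "size differs from every backup copy"
    if not company:
        return "version info unreadable"
    return "ok"


def triage(text):
    """Summary dict a responder can eyeball or assert on."""
    mounts, files = parse_win32kdiag(text)
    return {"mount_groups": suspicious_mounts(mounts),
            "removed": sum(mp["removed"] for mp in mounts),
            "files": {f["path"]: assess_file(f) for f in files}}


# Constructed sample modelled on the logs in this thread; the D: junction and
# its volume GUID are made up so a benign mount point is shown being skipped.
SAMPLE_LOG = r"""
WARNING: Could not get backup privileges!
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : D:\mnt\data\data
Mount point destination : \??\Volume{01234567-89ab-cdef-0123-456789abcdef}\
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
Cannot access: C:\WINDOWS\system32\igfxtray.exe
[1] 2004-05-06 00:52:00 155648 C:\WINDOWS\system32\igfxtray.exe ()
[1] 2004-05-06 00:52:00 155648 C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe (Intel Corporation)
Finished!
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the real Win32kDiag.txt by reading the file and passing its text to `triage()`; a file whose in-place size matches no backup copy is the one to compare against a known-good copy.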

  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


I tried to run ComboFix; the process would start, but nothing happened. I ended it and renamed ComboFix; it ran, but said that AVG was still running, so it needed me to disable AVG. It seems that you cannot get to the main AVG GUI in safe mode, so I restarted in normal mode. I was able to get AVG stopped, but then my desktop went blank: no icons, no task bar, completely blank. I then restarted into safe mode, but there was no Start button or icons there either. I can boot into the safe mode command line version. Is there a way to get the desktop back or run ComboFix from the command line?


I found that the windows\explorer.exe file had its permissions set so that it would not execute. I was able to change that through DOS commands. A restart brought back the task bar etc. I then double-clicked on ComboFix (renamed). It looks like it starts, because the progress bar appears, but I don't see anything else happen afterwards. I am trying to run it in safe mode with networking, but with the internet cable disconnected. Should I see a DOS window or something indicating that ComboFix is running?


  • Staff

Hold off on ComboFix for now; we'll run it differently in a minute.

Please delete your copy of Win32kDiag.

Please save this file to your Desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

-screen317


Here is the Win32kDiag.txt contents. Thanks!

Log file is located at: C:\Documents and Settings\Registered User\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP161.tmp\ZAP161.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP161.tmp\ZAP161.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP243.tmp\ZAP243.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP243.tmp\ZAP243.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP260.tmp\ZAP260.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP260.tmp\ZAP260.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC.tmp\ZAPAC.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC.tmp\ZAPAC.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\browserxtras\browserxtras

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\browserxtras\browserxtras

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Found mount point : C:\WINDOWS\CAVTemp\CAVTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CAVTemp\CAVTemp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\Drivers\Intel\Graphics\Graphics

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Drivers\Intel\Graphics\Graphics

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ErrorRep\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ErrorRep\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ErrorRep\UserDumps\UserDumps

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\cache\javaws\javaws

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\cache\javaws\javaws

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-73586283-484061587-682003330-1003\S-1-5-21-73586283-484061587-682003330-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-73586283-484061587-682003330-1003\S-1-5-21-73586283-484061587-682003330-1003

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Kinko's\FPFK\FPFK

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Kinko's\FPFK\FPFK

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Found mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Discrete Storage\Q3FBLH6RIF6MYMN6VD31LVQSMD\Q3FBLH6RIF6MYMN6VD31LVQSMD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Discrete Storage\Q3FBLH6RIF6MYMN6VD31LVQSMD\Q3FBLH6RIF6MYMN6VD31LVQSMD

Found mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Temp\Temp

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Cannot access: C:\WINDOWS\system32\igfxtray.exe

Attempting to restore permissions of : C:\WINDOWS\system32\igfxtray.exe

[1] 2004-05-06 00:52:00 155648 C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

[1] 2004-05-06 00:52:00 155648 C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe (Intel Corporation)

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\NtmsData\Export\Export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\NtmsData\Export\Export

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\WMD\WMD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WMD\WMD

Found mount point : C:\WINDOWS\Temp\WMFA\WMFA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WMFA\WMFA

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Finished!


  • Staff

Delete all copies of ComboFix and download a fresh copy.

Rename ComboFix.exe to Erik35.bat

Run it and post its log.

If no joy, please run a GMER Rootkit scan:

Download GMER's application from here:

http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

-screen317


A new ComboFix or GMER did not seem to run. I tried a driver scan from RootRepeal.exe. Here are the results. It looks like there are other scans that I can do from RootRepeal; if it will help, please let me know. Thanks.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/08 22:25

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name:

Image Path:

Address: 0x00000000 Size: -2141804192 File Visible: - Signed: -

Status: -

Name: 1394BUS.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\1394BUS.SYS

Address: 0xF7617000 Size: 57344 File Visible: - Signed: -

Status: -

Name: ACPI.sys

Image Path: ACPI.sys

Address: 0xF75A8000 Size: 187776 File Visible: - Signed: -

Status: -

Name: ACPI_HAL

Image Path: \Driver\ACPI_HAL

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Name: afd.sys

Image Path: C:\WINDOWS\System32\drivers\afd.sys

Address: 0xBA8C7000 Size: 138496 File Visible: - Signed: -

Status: -

Name: agp440.sys

Image Path: agp440.sys

Address: 0xF7667000 Size: 42368 File Visible: - Signed: -

Status: -

Name: atapi.sys

Image Path: atapi.sys

Address: 0xF749A000 Size: 96512 File Visible: - Signed: -

Status: -

Name: ATMFD.DLL

Image Path: C:\WINDOWS\System32\ATMFD.DLL

Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -

Status: -

Name: avgfwdx.sys

Image Path: C:\WINDOWS\system32\DRIVERS\avgfwdx.sys

Address: 0xF77BF000 Size: 23808 File Visible: - Signed: -

Status: -

Name: avgrkx86.sys

Image Path: avgrkx86.sys

Address: 0xF798F000 Size: 5888 File Visible: - Signed: -

Status: -

Name: avgtdix.sys

Image Path: C:\WINDOWS\System32\Drivers\avgtdix.sys

Address: 0xBA941000 Size: 101888 File Visible: - Signed: -

Status: -

Name: Beep.SYS

Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS

Address: 0xF79A7000 Size: 4224 File Visible: - Signed: -

Status: -

Name: BOOTVID.dll

Image Path: C:\WINDOWS\system32\BOOTVID.dll

Address: 0xF7897000 Size: 12288 File Visible: - Signed: -

Status: -

Name: Cdfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS

Address: 0xF74F7000 Size: 63744 File Visible: - Signed: -

Status: -

Name: Cdr4_xp.SYS

Image Path: C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS

Address: 0xF76B7000 Size: 44288 File Visible: - Signed: -

Status: -

Name: Cdralw2k.SYS

Image Path: C:\WINDOWS\System32\Drivers\Cdralw2k.SYS

Address: 0xF77AF000 Size: 24960 File Visible: - Signed: -

Status: -

Name: cdrom.sys

Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Address: 0xF76C7000 Size: 62976 File Visible: - Signed: -

Status: -

Name: cdudf_xp.SYS

Image Path: C:\WINDOWS\System32\Drivers\cdudf_xp.SYS

Address: 0xBABE0000 Size: 260224 File Visible: - Signed: -

Status: -

Name: CLASSPNP.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS

Address: 0xF7657000 Size: 53248 File Visible: - Signed: -

Status: -

Name: disk.sys

Image Path: disk.sys

Address: 0xF7647000 Size: 36352 File Visible: - Signed: -

Status: -

Name: dmio.sys

Image Path: dmio.sys

Address: 0xF74B2000 Size: 153344 File Visible: - Signed: -

Status: -

Name: dmload.sys

Image Path: dmload.sys

Address: 0xF798D000 Size: 5888 File Visible: - Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xBA79C000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF79B1000 Size: 8192 File Visible: No Signed: -

Status: -

Name: DVDVRRdr_xp.SYS

Image Path: C:\WINDOWS\System32\Drivers\DVDVRRdr_xp.SYS

Address: 0xBAB82000 Size: 146560 File Visible: - Signed: -

Status: -

Name: Dxapi.sys

Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys

Address: 0xBAA50000 Size: 12288 File Visible: - Signed: -

Status: -

Name: dxg.sys

Image Path: C:\WINDOWS\System32\drivers\dxg.sys

Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -

Status: -

Name: dxgthk.sys

Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys

Address: 0xF7A82000 Size: 4096 File Visible: - Signed: -

Status: -

Name: Fastfat.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS

Address: 0xB9EBE000 Size: 143744 File Visible: - Signed: -

Status: -

Name: fdc.sys

Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys

Address: 0xF7777000 Size: 27392 File Visible: - Signed: -

Status: -

Name: flpydisk.sys

Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys

Address: 0xF7757000 Size: 20480 File Visible: - Signed: -

Status: -

Name: fltmgr.sys

Image Path: fltmgr.sys

Address: 0xF747A000 Size: 129792 File Visible: - Signed: -

Status: -

Name: framebuf.dll

Image Path: C:\WINDOWS\System32\framebuf.dll

Address: 0xBFF50000 Size: 12288 File Visible: - Signed: -

Status: -

Name: Fs_Rec.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Address: 0xF79A3000 Size: 7936 File Visible: - Signed: -

Status: -

Name: ftdisk.sys

Image Path: ftdisk.sys

Address: 0xF74D8000 Size: 125056 File Visible: - Signed: -

Status: -

Name: hal.dll

Image Path: C:\WINDOWS\system32\hal.dll

Address: 0x806FF000 Size: 134400 File Visible: - Signed: -

Status: -

Name: HDAudBus.sys

Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

Address: 0xBAEC8000 Size: 163840 File Visible: - Signed: -

Status: -

Name: HIDCLASS.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS

Address: 0xF7507000 Size: 36864 File Visible: - Signed: -

Status: -

Name: HIDPARSE.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS

Address: 0xF77F7000 Size: 28672 File Visible: - Signed: -

Status: -

Name: hidusb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys

Address: 0xBAF90000 Size: 10368 File Visible: - Signed: -

Status: -

Name: i8042prt.sys

Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys

Address: 0xF7697000 Size: 52480 File Visible: - Signed: -

Status: -

Name: imapi.sys

Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys

Address: 0xF76A7000 Size: 42112 File Visible: - Signed: -

Status: -

Name: intelide.sys

Image Path: intelide.sys

Address: 0xF798B000 Size: 5504 File Visible: - Signed: -

Status: -

Name: ipnat.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys

Address: 0xBA91B000 Size: 152832 File Visible: - Signed: -

Status: -

Name: ipsec.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys

Address: 0xBA9B3000 Size: 75264 File Visible: - Signed: -

Status: -

Name: isapnp.sys

Image Path: isapnp.sys

Address: 0xF75F7000 Size: 37248 File Visible: - Signed: -

Status: -

Name: kbdclass.sys

Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys

Address: 0xF778F000 Size: 24576 File Visible: - Signed: -

Status: -

Name: KDCOM.DLL

Image Path: C:\WINDOWS\system32\KDCOM.DLL

Address: 0xF7987000 Size: 8192 File Visible: - Signed: -

Status: -

Name: ks.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys

Address: 0xBAE67000 Size: 143360 File Visible: - Signed: -

Status: -

Name: KSecDD.sys

Image Path: KSecDD.sys

Address: 0xF7463000 Size: 92928 File Visible: - Signed: -

Status: -

Name: mouclass.sys

Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys

Address: 0xF7787000 Size: 23040 File Visible: - Signed: -

Status: -

Name: MountMgr.sys

Image Path: MountMgr.sys

Address: 0xF7627000 Size: 42368 File Visible: - Signed: -

Status: -

Name: mrxsmb.sys

Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys

Address: 0xBA82C000 Size: 455296 File Visible: - Signed: -

Status: -

Name: Msfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS

Address: 0xF77B7000 Size: 19072 File Visible: - Signed: -

Status: -

Name: msgpc.sys

Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys

Address: 0xF7577000 Size: 35072 File Visible: - Signed: -

Status: -

Name: mssmbios.sys

Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys

Address: 0xBAFDC000 Size: 15488 File Visible: - Signed: -

Status: -

Name: Mup.sys

Image Path: Mup.sys

Address: 0xF7409000 Size: 105344 File Visible: - Signed: -

Status: -

Name: NDIS.sys

Image Path: NDIS.sys

Address: 0xF7423000 Size: 182656 File Visible: - Signed: -

Status: -

Name: ndistapi.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys

Address: 0xF7933000 Size: 10112 File Visible: - Signed: -

Status: -

Name: ndisuio.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys

Address: 0xBA468000 Size: 14592 File Visible: - Signed: -

Status: -

Name: ndiswan.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys

Address: 0xBADE3000 Size: 91520 File Visible: - Signed: -

Status: -

Name: NDProxy.SYS

Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Address: 0xF7557000 Size: 40576 File Visible: - Signed: -

Status: -

Name: netbios.sys

Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys

Address: 0xF7527000 Size: 34688 File Visible: - Signed: -

Status: -

Name: netbt.sys

Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys

Address: 0xBA8F3000 Size: 162816 File Visible: - Signed: -

Status: -

Name: Npfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS

Address: 0xBAE3A000 Size: 30848 File Visible: - Signed: -

Status: -

Name: Ntfs.sys

Image Path: Ntfs.sys

Address: 0xF7B52000 Size: 574976 File Visible: - Signed: -

Status: -

Name: ntoskrnl.exe

Image Path: C:\WINDOWS\system32\ntoskrnl.exe

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Name: Null.SYS

Image Path: C:\WINDOWS\System32\Drivers\Null.SYS

Address: 0xF7A5D000 Size: 2944 File Visible: - Signed: -

Status: -

Name: ohci1394.sys

Image Path: ohci1394.sys

Address: 0xF7607000 Size: 61696 File Visible: - Signed: -

Status: -

Name: PartMgr.sys

Image Path: PartMgr.sys

Address: 0xF770F000 Size: 19712 File Visible: - Signed: -

Status: -

Name: pci.sys

Image Path: pci.sys

Address: 0xF7597000 Size: 68224 File Visible: - Signed: -

Status: -

Name: pciide.sys

Image Path: pciide.sys

Address: 0xF7A4F000 Size: 3328 File Visible: - Signed: -

Status: -

Name: PCIIDEX.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS

Address: 0xF7707000 Size: 28672 File Visible: - Signed: -

Status: -

Name: PnpManager

Image Path: \Driver\PnpManager

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Name: psched.sys

Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys

Address: 0xBAD0A000 Size: 69120 File Visible: - Signed: -

Status: -

Name: ptilink.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys

Address: 0xF77FF000 Size: 17792 File Visible: - Signed: -

Status: -

Name: pwd_2k.SYS

Image Path: C:\WINDOWS\System32\Drivers\pwd_2k.SYS

Address: 0xBAE4A000 Size: 116480 File Visible: - Signed: -

Status: -

Name: rasacd.sys

Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys

Address: 0xBAC64000 Size: 8832 File Visible: - Signed: -

Status: -

Name: rasirda.sys

Image Path: C:\WINDOWS\System32\DRIVERS\rasirda.sys

Address: 0xF77CF000 Size: 19584 File Visible: - Signed: -

Status: -

Name: rasl2tp.sys

Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys

Address: 0xF76E7000 Size: 51328 File Visible: - Signed: -

Status: -

Name: raspppoe.sys

Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys

Address: 0xF76F7000 Size: 41472 File Visible: - Signed: -

Status: -

Name: raspptp.sys

Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys

Address: 0xF7587000 Size: 48384 File Visible: - Signed: -

Status: -

Name: raspti.sys

Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys

Address: 0xF780F000 Size: 16512 File Visible: - Signed: -

Status: -

Name: RAW

Image Path: \FileSystem\RAW

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Name: rdbss.sys

Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys

Address: 0xBA89C000 Size: 175744 File Visible: - Signed: -

Status: -

Name: RDPCDD.sys

Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Address: 0xF79AB000 Size: 4224 File Visible: - Signed: -

Status: -

Name: rdpdr.sys

Image Path: C:\WINDOWS\System32\DRIVERS\rdpdr.sys

Address: 0xBACDA000 Size: 196224 File Visible: - Signed: -

Status: -

Name: redbook.sys

Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys

Address: 0xF76D7000 Size: 57600 File Visible: - Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xBA152000 Size: 49152 File Visible: No Signed: -

Status: -

Name: Rtnicxp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys

Address: 0xBAE8A000 Size: 105088 File Visible: - Signed: -

Status: -

Name: sonypvf3.SYS

Image Path: C:\WINDOWS\System32\Drivers\sonypvf3.SYS

Address: 0xBAAD8000 Size: 619328 File Visible: - Signed: -

Status: -

Name: sonypvl3.sys

Image Path: sonypvl3.sys

Address: 0xF7717000 Size: 18048 File Visible: - Signed: -

Status: -

Name: sonypvt3.SYS

Image Path: C:\WINDOWS\System32\Drivers\sonypvt3.SYS

Address: 0xBAA70000 Size: 423392 File Visible: - Signed: -

Status: -

Name: srv.sys

Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys

Address: 0xBA18A000 Size: 333952 File Visible: - Signed: -

Status: -

Name: swenum.sys

Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys

Address: 0xF7997000 Size: 4352 File Visible: - Signed: -

Status: -

Name: tcpip.sys

Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys

Address: 0xBA95A000 Size: 361600 File Visible: - Signed: -

Status: -

Name: TDI.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS

Address: 0xF77DF000 Size: 20480 File Visible: - Signed: -

Status: -

Name: termdd.sys

Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys

Address: 0xF7567000 Size: 40704 File Visible: - Signed: -

Status: -

Name: UdfReadr_xp.SYS

Image Path: C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS

Address: 0xBAA00000 Size: 213120 File Visible: - Signed: -

Status: -

Name: update.sys

Image Path: C:\WINDOWS\System32\DRIVERS\update.sys

Address: 0xBAC7C000 Size: 384768 File Visible: - Signed: -

Status: -

Name: usbccgp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys

Address: 0xBAE02000 Size: 32128 File Visible: - Signed: -

Status: -

Name: USBD.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS

Address: 0xF799F000 Size: 8192 File Visible: - Signed: -

Status: -

Name: usbehci.sys

Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys

Address: 0xF7767000 Size: 30208 File Visible: - Signed: -

Status: -

Name: usbhub.sys

Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys

Address: 0xF7547000 Size: 59520 File Visible: - Signed: -

Status: -

Name: USBPORT.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS

Address: 0xBAEA4000 Size: 147456 File Visible: - Signed: -

Status: -

Name: usbprint.sys

Image Path: C:\WINDOWS\System32\DRIVERS\usbprint.sys

Address: 0xF77C7000 Size: 25856 File Visible: - Signed: -

Status: -

Name: USBSTOR.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS

Address: 0xF77E7000 Size: 26368 File Visible: - Signed: -

Status: -

Name: usbuhci.sys

Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys

Address: 0xF775F000 Size: 20608 File Visible: - Signed: -

Status: -

Name: vga.sys

Image Path: C:\WINDOWS\System32\drivers\vga.sys

Address: 0xF7797000 Size: 20992 File Visible: - Signed: -

Status: -

Name: VIDEOPRT.SYS

Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS

Address: 0xBAC40000 Size: 81920 File Visible: - Signed: -

Status: -

Name: VolSnap.sys

Image Path: VolSnap.sys

Address: 0xF7637000 Size: 52352 File Visible: - Signed: -

Status: -

Name: watchdog.sys

Image Path: C:\WINDOWS\System32\watchdog.sys

Address: 0xF7727000 Size: 20480 File Visible: - Signed: -

Status: -

Name: Win32k

Image Path: \Driver\Win32k

Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -

Status: -

Name: win32k.sys

Image Path: C:\WINDOWS\System32\win32k.sys

Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -

Status: -

Name: win32k.sys:1

Image Path: C:\WINDOWS\win32k.sys:1

Address: 0xF7807000 Size: 20480 File Visible: No Signed: -

Status: -

Name: win32k.sys:2

Image Path: C:\WINDOWS\win32k.sys:2

Address: 0xBAF80000 Size: 61440 File Visible: No Signed: -

Status: -

Name: WMILIB.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS

Address: 0xF7989000 Size: 8192 File Visible: - Signed: -

Status: -

Name: WMIxWDM

Image Path: \Driver\WMIxWDM

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Name: ws2ifsl.sys

Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys

Address: 0xBAFA8000 Size: 12032 File Visible: - Signed: -

Status: -

Name: WudfPf.sys

Image Path: WudfPf.sys

Address: 0xF7450000 Size: 77568 File Visible: - Signed: -

Status: -


Here is the summary report from RootRepeal, all except the files scan. When it runs the files scan it finds a size mismatch for windows\ntbtlog.txt and after a bit RootRepeal closes.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/08 22:39

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xBA79C000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF79B1000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB9FC2000 Size: 49152 File Visible: No Signed: -

Status: -

Name: win32k.sys:1

Image Path: C:\WINDOWS\win32k.sys:1

Address: 0xF7807000 Size: 20480 File Visible: No Signed: -

Status: -

Name: win32k.sys:2

Image Path: C:\WINDOWS\win32k.sys:2

Address: 0xBAF80000 Size: 61440 File Visible: No Signed: -

Status: -

Stealth Objects

-------------------

Object: Hidden Module [Name: UAClbjhispqla.dll]

Process: svchost.exe (PID: 1204) Address: 0x00a60000 Size: 65536

Object: Hidden Module [Name: UACmttpdwyllr.dll]

Process: svchost.exe (PID: 1204) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAChtqsoorobr.dll]

Process: Explorer.EXE (PID: 204) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmttpdwyllr.dll]

Process: Iexplore.exe (PID: 3076) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACmttpdwyllr.dll]

Process: Iexplore.exe (PID: 3156) Address: 0x10000000 Size: 217088

Hidden Services

-------------------

Service Name: UACd.sys

Image Path: C:\WINDOWS\system32\drivers\UACmlwoppjrwu.sys

==EOF==


  • Staff

Right-click these entries:

Stealth Objects

-------------------

Object: Hidden Module [Name: UAClbjhispqla.dll]

Process: svchost.exe (PID: 1204) Address: 0x00a60000 Size: 65536

Object: Hidden Module [Name: UACmttpdwyllr.dll]

Process: svchost.exe (PID: 1204) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAChtqsoorobr.dll]

Process: Explorer.EXE (PID: 204) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACmttpdwyllr.dll]

Process: Iexplore.exe (PID: 3076) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACmttpdwyllr.dll]

Process: Iexplore.exe (PID: 3156) Address: 0x10000000 Size: 217088

Hidden Services

-------------------

Service Name: UACd.sys

Image Path: C:\WINDOWS\system32\drivers\UACmlwoppjrwu.sys

Click Wipe File. Restart your computer and see if ComboFix will run now.

-screen317


I wiped the Stealth Objects but got an error saying invalid path, and one said "trying to read from address 0x00000000". However, after a restart and a new scan the Stealth Objects didn't show again.

I wiped the Hidden Service - UACmlwoppjrwu.sys and it said wipe successful; however, it always shows up when I scan again.

I was able to run GMER and it found a lot of stuff; however, I could not locate a Copy button in order to save it. I am in Safe Mode and the screen size is small. Not sure where the button is or if it matters now.

I deleted the hidden service with GMER and it seemed to stay gone.

ComboFix would run for a bit and then die. However, sometimes it would run but would end up with an error window that says "Some files could not be created. Please close all applications, reboot Windows and restart this installation". Restarting didn't help.

Here are the new RootRepeal report contents:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/10 17:05

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: aujasnkj.sys

Image Path: C:\DOCUME~1\REGIST~1\LOCALS~1\Temp\aujasnkj.sys

Address: 0xB9F34000 Size: 84352 File Visible: No Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xBA7AF000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF79B1000 Size: 8192 File Visible: No Signed: -

Status: -

Name: erikroto.sys

Image Path: C:\WINDOWS\system32\drivers\erikroto.sys

Address: 0xBA2E7000 Size: 49152 File Visible: No Signed: -

Status: -

Name: win32k.sys:1

Image Path: C:\WINDOWS\win32k.sys:1

Address: 0xF77F7000 Size: 20480 File Visible: No Signed: -

Status: -

Name: win32k.sys:2

Image Path: C:\WINDOWS\win32k.sys:2

Address: 0xBAF80000 Size: 61440 File Visible: No Signed: -

Status: -

==EOF==

The GMER report has more. I can try to boot up in non-safe mode to see if the copy button is there if needed.

Thanks!

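A defender-side triage helper for the RootRepeal reports posted in this thread (the one above and the two earlier summary reports), added here as an example; it is not part of the original post and is not code from RootRepeal or Malwarebytes. It parses the Drivers, Stealth Objects and Hidden Services sections, skips drivers that a RootRepeal scan normally lists as not visible on disk even on a clean machine (the crash-dump stubs dump_atapi.sys and dump_WMILIB.SYS, and the scanner's own rootrepeal.sys; that allowlist is an assumption), and reports the rest with the reason a responder would care about: an alternate data stream on a kernel image such as win32k.sys:1, a driver loaded from a temp directory, a module hidden from a process's module list, or a service hidden from the service list. The sample log is constructed from lines like those in the reports above.

```python
"""Triage helper for RootRepeal scan logs (constructed example, not RootRepeal's own code)."""
import re

# Constructed sample modelled on the report format posted in the thread.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOCUME~1\REGIST~1\LOCALS~1\Temp\aujasnkj.sys
Address: 0xB9F34000 Size: 84352 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9FC2000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7807000 Size: 20480 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UAClbjhispqla.dll]
Process: svchost.exe (PID: 1204) Address: 0x00a60000 Size: 65536

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACmlwoppjrwu.sys
==EOF==
"""

SECTION_RE = re.compile(r"^(Drivers|Stealth Objects|Hidden Services)$")
ADDR_RE = re.compile(
    r"Address:\s*(?P<address>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>-?\d+)"
    r"\s+File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)"
)
# Drivers RootRepeal normally lists as not visible on disk even on a clean machine:
# the crash-dump stubs and the scanner's own driver (assumption, not from the thread).
EXPECTED_INVISIBLE = {"dump_atapi.sys", "dump_wmilib.sys", "rootrepeal.sys"}
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_rootrepeal(text):
    """Return {section name: [record dict, ...]}; records are blank-line separated."""
    sections, current, record = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            current, record = line, {}
            sections[current] = []
            continue
        if current is None or line.startswith("---") or line == "==EOF==":
            continue
        if not line:                # blank line closes the current record
            if record:
                sections[current].append(record)
                record = {}
            continue
        m = ADDR_RE.match(line)     # "Address: ... Size: ... File Visible: ... Signed: ..."
        if m:
            record.update(m.groupdict())
            continue
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    if current and record:
        sections[current].append(record)
    return sections


def triage(text):
    """List (kind, name, location, reason) tuples that deserve a closer look."""
    findings = []
    sections = parse_rootrepeal(text)
    for drv in sections.get("Drivers", []):
        name, path = drv.get("Name", ""), drv.get("Image Path", "")
        if drv.get("visible") != "No" or name.lower() in EXPECTED_INVISIBLE:
            continue
        reasons = ["loaded driver not visible on disk"]
        if ":" in name:             # e.g. win32k.sys:1 is an alternate data stream
            reasons.append("image is an alternate data stream")
        if TEMP_RE.search(path):
            reasons.append("loaded from a temp directory")
        findings.append(("driver", name, path, "; ".join(reasons)))
    for obj in sections.get("Stealth Objects", []):
        findings.append(("hidden module", obj.get("Object", ""), obj.get("Process", ""),
                         "module hidden from the process module list"))
    for svc in sections.get("Hidden Services", []):
        findings.append(("hidden service", svc.get("Service Name", ""),
                         svc.get("Image Path", ""), "service hidden from the service list"))
    return findings


if __name__ == "__main__":
    for kind, name, where, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {name} @ {where}: {reason}")
```

Run it against a saved report with `triage(open("RootRepeal report.txt").read())`; the allowlist is deliberately small, so anything it does not recognise is surfaced for a human to judge rather than silently dropped.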

  • Staff

Hi,

Do try GMER in Normal Mode.

If no joy, please delete your copy of Win32kDiag.

Please save this file to your Desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

-screen317


GMER worked in normal mode. Here is the output!

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net

Rootkit scan 2009-09-10 21:41:37

Windows 5.1.2600 Service Pack 3

---- Kernel code sections - GMER 1.0.15 ----

? win32k.sys:1 The system cannot find the file specified. !

? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\explorer.exe[2480] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll

.text C:\WINDOWS\explorer.exe[2480] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll

.text C:\WINDOWS\explorer.exe[2480] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\explorer.exe[2480] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll

IAT C:\WINDOWS\explorer.exe[2480] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [180] 0x35670000

Library \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [588] 0x35670000

Library \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1480] 0x35670000

Library \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1520] 0x35670000

Library \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1688] 0x35670000

Library \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1932] 0x35670000

Library \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [2480] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\soseyuma.dll c:\windows\system32\gezokije.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

Reg HKLM\SOFTWARE\Classes\CLSID\{AA58136B-E4D9-7C22-F318862907B73EF7}\{7320B164-7CDE-F0FA-3D718014E02662FF}\{717B3025-5806-2EEA-4DFCCD0F4E1E26A2}

Reg HKLM\SOFTWARE\Classes\CLSID\{AA58136B-E4D9-7C22-F318862907B73EF7}\{7320B164-7CDE-F0FA-3D718014E02662FF}\{717B3025-5806-2EEA-4DFCCD0F4E1E26A2}@Q3FBLH6RIF6MYMN6VD31LVQSMD1 0x01 0x00 0x00 0x00 ...

---- EOF - GMER 1.0.15 ----


Log file is located at: C:\Documents and Settings\Registered User\Desktop\Win32kDiag.txt

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP161.tmp\ZAP161.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP243.tmp\ZAP243.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP260.tmp\ZAP260.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC.tmp\ZAPAC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\browserxtras\browserxtras

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CAVTemp\CAVTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Drivers\Intel\Graphics\Graphics

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\cache\javaws\javaws

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-73586283-484061587-682003330-1003\S-1-5-21-73586283-484061587-682003330-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Kinko's\FPFK\FPFK

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Discrete Storage\Q3FBLH6RIF6MYMN6VD31LVQSMD\Q3FBLH6RIF6MYMN6VD31LVQSMD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Temp\Temp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\igfxtray.exe

Attempting to restore permissions of : C:\WINDOWS\system32\igfxtray.exe

[1] 2004-05-06 00:52:00 155648 C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

[1] 2004-05-06 00:52:00 155648 C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe (Intel Corporation)

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\NtmsData\Export\Export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\WMD\WMD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\WMFA\WMFA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!


  • Staff

Hi,

Next, we need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Next, try running MBAM and ComboFix.

-screen317

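As an added illustration (not code from the thread, from Win32kDiag, or from the Avenger tool), the following Python script applies the two checks a helper makes when reading a Win32kDiag log like the one posted above: it lists every mount point whose destination is the hidden \Device\__max++> device, and it flags a locked system file whose size or company string does not match the backup copies Win32kDiag listed for it, naming the copies with a matching timestamp that could restore it. The sample log is a constructed excerpt in the format of the posted one; on that excerpt the flagged file is eventlog.dll and the candidate clean copies include logevent.dll, consistent with the Avenger script above.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the shape of the Win32kDiag output posted in the
# thread (a handful of its lines, not the full log).
SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\igfxtray.exe

Attempting to restore permissions of : C:\WINDOWS\system32\igfxtray.exe

[1] 2004-05-06 00:52:00 155648 C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

[1] 2004-05-06 00:52:00 155648 C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe (Intel Corporation)

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
LOCKED_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] <date> <time> <size> <path> (<company>)"; the company may be empty.
COPY_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+) \(([^()]*)\)$")

# Device name that every hidden mount point in the posted log resolved to.
ROOTKIT_DEVICE = r"\Device\__max++>"


@dataclass(frozen=True)
class FileCopy:
    stamp: str      # modification timestamp as printed by Win32kDiag
    size: int
    path: str
    company: str    # empty when the file carries no company/version resource


@dataclass(frozen=True)
class Finding:
    kind: str       # "hidden_reparse_point" or "patched_system_file"
    path: str
    detail: str


def parse_win32kdiag(text: str):
    """Return (mount_points, locked_files): mount points as (path, destination)
    pairs, locked files as {locked path: [FileCopy, ...]} holding every copy of
    that file name Win32kDiag found on disk."""
    mounts, locked, pending, current = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending = m.group(1)
        elif m := DEST_RE.match(line):
            if pending is not None:
                mounts.append((pending, m.group(1)))
                pending = None
        elif m := LOCKED_RE.match(line):
            current = m.group(1)
            locked[current] = []
        elif (m := COPY_RE.match(line)) and current is not None:
            _, stamp, size, path, company = m.groups()
            locked[current].append(FileCopy(stamp, int(size), path, company))
    return mounts, locked


def analyze(text: str) -> list:
    """Flag hidden reparse points and locked system files that differ from
    their backup copies."""
    mounts, locked = parse_win32kdiag(text)
    findings = []
    for path, dest in mounts:
        if dest.startswith(ROOTKIT_DEVICE):
            findings.append(Finding("hidden_reparse_point", path, dest))
    for path, copies in locked.items():
        live = next((c for c in copies if c.path.lower() == path.lower()), None)
        refs = [c for c in copies if c is not live]
        if live is None or not refs:
            continue  # nothing to compare the live file against
        # A legitimate file matches at least one backup copy in size and carries
        # a company string; the eventlog.dll in the thread did neither, although
        # its timestamp had been made to match the Service Pack copy.
        size_ok = any(c.size == live.size for c in refs)
        if size_ok and live.company:
            continue
        clean = [c.path for c in refs if c.company and c.stamp == live.stamp]
        detail = (f"size {live.size}, company '{live.company}'; clean copies "
                  f"with the same timestamp: {', '.join(clean) or 'none'}")
        findings.append(Finding("patched_system_file", path, detail))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:22} {f.path}  ->  {f.detail}")
```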

I'll paste the 3 logs (avenger, mbam, combofix) in separate posts: 1st avenger:

Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)

Sat Sep 12 10:06:48 2009

10:06:48: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 5.1.2600 Service Pack 3

9/12/2009 10:26:59 AM

mbam-log-2009-09-12 (10-26-27).txt

Scan type: Quick Scan

Objects scanned: 110317

Time elapsed: 8 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 14

Registry Values Infected: 15

Registry Data Items Infected: 13

Folders Infected: 6

Files Infected: 33

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\gezokije.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{a4290b36-a8c1-4658-b225-564f5a2dcab5} (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{79007602-0cdb-4405-9dbf-1257bb3226ee} (Spyware.OnlineGames) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pamivogad (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a4290b36-a8c1-4658-b225-564f5a2dcab5} (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\datajafut (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.

HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> No action taken.

HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Recover! (Trojan.Downloader) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiSpyware Service (Trojan.Dropper) -> No action taken.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

C:\Program Files\MyWay (Adware.MyWay) -> No action taken.

C:\Program Files\MyWay\myBar (Adware.MyWay) -> No action taken.

C:\Program Files\MyWay\myBar\History (Adware.MyWay) -> No action taken.

C:\Program Files\MyWay\myBar\Settings (Adware.MyWay) -> No action taken.

C:\Program Files\Protection System (Rogue.ProtectionSystem) -> No action taken.

C:\Documents and Settings\Registered User\Start Menu\Programs\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> No action taken.

Files Infected:

c:\WINDOWS\system32\gezokije.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> No action taken.

C:\Program Files\Shared\_lib.dll (Trojan.BHO) -> No action taken.

C:\WINDOWS\system32\UACmttpdwyllr.dll (Rogue.Agent) -> No action taken.

C:\WINDOWS\Temp\Installer.exe (Rogue.ProtectionSystem) -> No action taken.

C:\WINDOWS\Temp\UACcc77.tmp (Rogue.Agent) -> No action taken.

C:\WINDOWS\Temp\UACe2a3.tmp (Rogue.Agent) -> No action taken.

C:\Documents and Settings\Registered User\Local Settings\Temporary Internet Files\Content.IE5\RQ37QQ7Y\zwjkbb[1].txt (Trojan.Dropper) -> No action taken.

C:\Program Files\MyWay\myBar\History\search (Adware.MyWay) -> No action taken.

C:\Program Files\MyWay\myBar\Settings\prevcfg.htm (Adware.MyWay) -> No action taken.

C:\Program Files\Protection System\core.cga (Rogue.ProtectionSystem) -> No action taken.

C:\Documents and Settings\Registered User\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> No action taken.

C:\Documents and Settings\Registered User\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk (Rogue.PC_Antispyware2010) -> No action taken.

C:\Documents and Settings\Registered User\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> No action taken.

C:\Documents and Settings\Registered User\Favorites\Cheap Software.url (Rogue.Link) -> No action taken.

C:\WINDOWS\msa.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\msb.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\msc.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\msd.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> No action taken.

C:\Program Files\Common\helper.sig (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Administrator\Desktop\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> No action taken.

C:\Documents and Settings\Administrator\Start Menu\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> No action taken.

C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\UAChtqsoorobr.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\UACkgluquxlbt.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\UAClbjhispqla.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\UAConldkrkxip.dat (Trojan.Agent) -> No action taken.


Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 5.1.2600 Service Pack 3

9/12/2009 10:26:59 AM

mbam-log-2009-09-12 (10-26-27).txt

Scan type: Quick Scan

Objects scanned: 110317

Time elapsed: 8 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 14

Registry Values Infected: 15

Registry Data Items Infected: 13

Folders Infected: 6

Files Infected: 33

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\gezokije.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{a4290b36-a8c1-4658-b225-564f5a2dcab5} (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{79007602-0cdb-4405-9dbf-1257bb3226ee} (Spyware.OnlineGames) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pamivogad (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a4290b36-a8c1-4658-b225-564f5a2dcab5} (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\datajafut (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.

HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> No action taken.

HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Recover! (Trojan.Downloader) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiSpyware Service (Trojan.Dropper) -> No action taken.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

C:\Program Files\MyWay (Adware.MyWay) -> No action taken.

C:\Program Files\MyWay\myBar (Adware.MyWay) -> No action taken.

C:\Program Files\MyWay\myBar\History (Adware.MyWay) -> No action taken.

C:\Program Files\MyWay\myBar\Settings (Adware.MyWay) -> No action taken.

C:\Program Files\Protection System (Rogue.ProtectionSystem) -> No action taken.

C:\Documents and Settings\Registered User\Start Menu\Programs\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> No action taken.

Files Infected:

c:\WINDOWS\system32\gezokije.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> No action taken.

C:\Program Files\Shared\_lib.dll (Trojan.BHO) -> No action taken.

C:\WINDOWS\system32\UACmttpdwyllr.dll (Rogue.Agent) -> No action taken.

C:\WINDOWS\Temp\Installer.exe (Rogue.ProtectionSystem) -> No action taken.

C:\WINDOWS\Temp\UACcc77.tmp (Rogue.Agent) -> No action taken.

C:\WINDOWS\Temp\UACe2a3.tmp (Rogue.Agent) -> No action taken.

C:\Documents and Settings\Registered User\Local Settings\Temporary Internet Files\Content.IE5\RQ37QQ7Y\zwjkbb[1].txt (Trojan.Dropper) -> No action taken.

C:\Program Files\MyWay\myBar\History\search (Adware.MyWay) -> No action taken.

C:\Program Files\MyWay\myBar\Settings\prevcfg.htm (Adware.MyWay) -> No action taken.

C:\Program Files\Protection System\core.cga (Rogue.ProtectionSystem) -> No action taken.

C:\Documents and Settings\Registered User\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> No action taken.

C:\Documents and Settings\Registered User\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk (Rogue.PC_Antispyware2010) -> No action taken.

C:\Documents and Settings\Registered User\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> No action taken.

C:\Documents and Settings\Registered User\Favorites\Cheap Software.url (Rogue.Link) -> No action taken.

C:\WINDOWS\msa.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\msb.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\msc.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\msd.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> No action taken.

C:\Program Files\Common\helper.sig (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Administrator\Desktop\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> No action taken.

C:\Documents and Settings\Administrator\Start Menu\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> No action taken.

C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\UAChtqsoorobr.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\UACkgluquxlbt.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\UAClbjhispqla.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\UAConldkrkxip.dat (Trojan.Agent) -> No action taken.


ComboFix 09-09-10.01 - Registered User 09/12/2009 10:37.1.2 - NTFSx86

Running from: c:\documents and settings\Registered User\Desktop\Erik35.exe

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\11035154

c:\documents and settings\All Users\Application Data\11035154\11035154

c:\documents and settings\All Users\Application Data\11035154\11035154.exe

c:\documents and settings\All Users\Application Data\11035154\pc11035154ins

c:\documents and settings\Registered User\Cookies\bogipo.dat

c:\documents and settings\Registered User\Local Settings\Application Data\igyxufym.bat

c:\documents and settings\Registered User\Local Settings\Application Data\pyte.vbs

c:\documents and settings\Registered User\My Documents\RegistryBackup.reg

c:\program files\Common Files\dasadaro.reg

c:\program files\Common Files\pitopowoc.inf

c:\program files\Common

c:\program files\Common\_helper.sig

c:\program files\Shared\_lib.sig

c:\program files\Shared\lib.dll

c:\program files\Shared\lib.sig

c:\program files\Windows Police Pro

c:\program files\Windows Police Pro\ANTI_files.exe

c:\recycler\S-1-5-21-1715567821-706699826-839522115-1003

c:\recycler\S-1-5-21-4572696148-6095178705-452875987-2199

c:\recycler\S-1-5-21-4572696148-6095178705-452875987-2199\Desktop.ini

c:\recycler\S-1-5-21-4572696148-6095178705-452875987-2199\msimfo32.exe

c:\recycler\S-1-5-21-4759092663-0757557939-346118174-3300

c:\windows\egyqobov.bat

c:\windows\ilivitoti.vbs

c:\windows\Installer\1a9b527.msi

c:\windows\Installer\1a9b52d.msi

c:\windows\Installer\7e3c6.msi

c:\windows\ocehysiwos.bat

c:\windows\system32\garayudi.exe

c:\windows\system32\Ijl11.dll

c:\windows\system32\minix32.exe

c:\windows\system32\pojezija.dll

c:\windows\system32\radisezo.exe

c:\windows\system32\tilepilo.exe

c:\windows\system32\wicituf.bat

c:\windows\system32\wscsvc32.exe

c:\windows\system32\xafajanysa.vbs

c:\windows\xukuruji.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))

.

2009-09-12 17:12 . 2009-09-12 17:12 -------- d-----w- c:\documents and settings\Registered User\Application Data\Malwarebytes

2009-09-04 18:48 . 2009-09-04 19:00 -------- d-----w- c:\program files\WarBy2

2009-09-04 18:08 . 2009-09-04 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI

2009-09-04 17:24 . 2009-09-04 18:46 -------- d-----w- c:\program files\WarBy1

2009-09-04 17:20 . 2009-09-04 17:21 3942048 ----a-w- C:\xxxcc.exe

2009-09-04 17:15 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-04 17:14 . 2009-09-04 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-04 17:14 . 2009-09-04 17:15 -------- d-----w- c:\program files\WarBy

2009-09-04 17:14 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-04 15:38 . 2009-09-08 19:25 -------- d-----w- C:\$AVG8.VAULT$

2009-09-04 15:29 . 2009-09-04 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations

2009-09-04 15:29 . 2009-09-04 15:29 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2009-09-04 15:29 . 2009-09-04 15:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-09-04 15:29 . 2009-09-04 15:29 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-09-04 15:29 . 2009-09-04 15:29 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-09-04 15:29 . 2009-09-04 15:29 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-09-04 15:29 . 2009-09-04 15:29 -------- d-----w- c:\windows\system32\drivers\Avg

2009-09-04 15:28 . 2009-09-04 15:28 50968 ----a-w- c:\windows\system32\avgfwdx.dll

2009-09-04 15:28 . 2009-09-04 15:28 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys

2009-09-04 15:28 . 2009-09-04 15:28 -------- d-----w- c:\program files\AVG

2009-09-04 15:28 . 2009-09-08 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-04 15:24 . 2009-09-04 15:24 48768 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-04 14:16 . 2009-09-04 14:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-09-04 06:19 . 2009-09-04 06:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8

2009-09-04 05:30 . 2009-09-09 04:59 -------- d--h--w- c:\windows\PIF

2009-09-04 04:47 . 2009-09-04 04:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Scooter Software

2009-09-04 00:22 . 2009-09-04 00:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-09-03 23:14 . 2009-09-03 23:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Subversion

2009-09-03 22:59 . 2009-09-03 22:59 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-09-03 22:59 . 2009-09-03 22:59 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-09-03 22:20 . 2009-09-03 22:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-15 21:35 . 2009-08-15 21:35 -------- d-sh--w- c:\documents and settings\Registered User\IECompatCache

2009-08-15 21:32 . 2009-08-15 21:32 -------- d-sh--w- c:\documents and settings\Registered User\PrivacIE

2009-08-15 21:32 . 2009-08-15 21:32 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2009-08-15 21:31 . 2009-08-15 21:31 -------- d-sh--w- c:\documents and settings\Registered User\IETldCache

2009-08-15 21:29 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-08-15 21:29 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-08-15 21:28 . 2009-08-15 21:28 -------- d-----w- c:\windows\ie8updates

2009-08-15 21:27 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll

2009-08-15 21:25 . 2009-08-15 21:27 -------- dc-h--w- c:\windows\ie8

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-12 17:46 . 2004-10-25 22:47 -------- d-----w- c:\program files\PestPatrol

2009-09-12 17:41 . 2009-08-01 00:41 -------- d-----w- c:\program files\Shared

2009-09-03 13:41 . 2006-11-14 07:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-02 16:07 . 2006-07-08 15:31 -------- d-----w- c:\program files\lnav

2009-08-21 22:15 . 2009-05-17 15:13 -------- d-----w- c:\program files\ZipForm6

2009-08-11 22:56 . 2009-08-09 20:04 26352 ----a-w- c:\windows\system32\drivers\Vet-Filt.1

2009-08-11 22:56 . 2009-08-09 20:04 21104 ----a-w- c:\windows\system32\drivers\Vet-Rec.1

2009-08-10 02:33 . 2009-08-10 02:33 18646 ----a-w- c:\documents and settings\All Users\Application Data\ubitijec.scr

2009-08-10 02:33 . 2009-08-10 02:33 18151 ----a-w- c:\documents and settings\Registered User\Application Data\arun.exe

2009-08-10 02:33 . 2009-08-10 02:33 15287 ----a-w- c:\program files\Common Files\semymux.ban

2009-08-10 02:33 . 2009-08-10 02:33 14441 ----a-w- c:\windows\system32\timocygepy.dll

2009-08-10 02:33 . 2009-08-10 02:33 13249 ----a-w- c:\program files\Common Files\akysyz.scr

2009-08-10 02:33 . 2009-08-10 02:33 13136 ----a-w- c:\documents and settings\All Users\Application Data\pike.exe

2009-08-10 02:33 . 2009-08-10 02:33 12583 ----a-w- c:\program files\Common Files\uluhonyji.lib

2009-08-10 02:33 . 2009-08-10 02:33 12294 ----a-w- c:\program files\Common Files\yjukyqu.dl

2009-08-10 02:33 . 2009-08-10 02:33 11300 ----a-w- c:\windows\system32\huzoxut.dat

2009-08-10 02:33 . 2009-08-10 02:33 11134 ----a-w- c:\windows\system32\lokybehemy.dll

2009-08-09 19:51 . 2009-08-09 19:51 -------- d-----w- c:\program files\Common Files\Scanner

2009-08-06 17:17 . 2004-05-03 04:25 48768 ----a-w- c:\documents and settings\Registered User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-06 00:21 . 2009-08-06 00:21 -------- d-----w- c:\program files\MSBuild

2009-08-06 00:21 . 2009-08-06 00:21 -------- d-----w- c:\program files\Reference Assemblies

2009-08-05 09:01 . 2004-04-01 17:49 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 2004-04-01 17:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-02-07 01:05 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-25 08:25 . 2003-03-31 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2003-03-31 12:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2003-03-31 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2003-03-31 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 2003-03-31 12:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-24 11:18 . 2003-03-31 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-03 21:20 . 2009-06-03 21:20 49152 --sha-w- c:\windows\system32\sipaneya.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PPMemCheck"="c:\progra~1\PESTPA~1\PPMemCheck.exe" [2004-04-02 148480]

"PestPatrol Control Center"="c:\progra~1\PESTPA~1\PPControl.exe" [2004-04-02 53248]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-05-06 155648]

"CookiePatrol"="c:\progra~1\PESTPA~1\CookiePatrol.exe" [2004-04-02 69632]

"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-09-21 2807808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]

Alarm Manager.LNK - c:\palm\AlarmApp.exe [2002-8-9 274432]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-04 15:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk

backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NVSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\CamView\\CamView.exe"=

"c:\\Program Files\\CamView\\component1.exe"=

"c:\\jls45\\lib\\jre\\bin\\java.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\StubInstaller.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Chessmaster 9000\\UBI1.EXE"=

R1 sonypvd3;Sony DVD Handycam;c:\windows\system32\DRIVERS\sonypvd3.sys [2004-12-07 64964]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [x]

R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [x]

R3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys [2009-09-04 29208]

R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\Drivers\Brfilt.sys [2001-08-17 2944]

R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\DRIVERS\BrParImg.sys [2001-08-17 3168]

R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\Drivers\BrParwdm.sys [2001-08-17 39552]

R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\Drivers\BrSerWdm.sys [2001-08-17 60416]

R3 FXDRV;FXDRV;c:\program files\Foxconn\SuperUtilities\Fxdrv.sys [2004-01-06 12288]

S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2009-09-04 12552]

S0 sonypvl3;sonypvl3; [x]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-09-04 335240]

S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-09-04 108552]

S1 sonypvf3;sonypvf3; [x]

S1 sonypvt3;sonypvt3; [x]

S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys [2009-09-04 29208]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyServer = fox:9990

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: ameritrade.com

Trusted Zone: tdameritrade.com

Trusted Zone: webattend.com

Trusted Zone: webtrain.com

DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} - hxxp://www.webattend.com/components/wt0523.cab

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe

HKU-Default-Run-NvMediaCenter - c:\windows\System32\NVMCTRAY.DLL

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-12 10:46

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AA58136B-E4D9-7C22-F318862907B73EF7}\{7320B164-7CDE-F0FA-3D718014E02662FF}\{717B3025-5806-2EEA-4DFCCD0F4E1E26A2}*]

"Q3FBLH6RIF6MYMN6VD31LVQSMD1"=hex:01,00,00,00,00,00,00,00,5c,63,e8,cf,f7,e6,fd,

3a

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3296)

c:\windows\system32\WININET.dll

c:\program files\TortoiseSVN\bin\tortoisesvn.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\program files\TortoiseSVN\bin\intl3_svn.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL

c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-09-12 10:48 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-12 17:48

Pre-Run: 26,563,710,976 bytes free

Post-Run: 26,751,905,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

284 --- E O F --- 2009-09-03 13:27


The computer is much better now. I updated mbam with the latest build and ran it. It found and removed 11 more threats.

I get this window on startup:

16 bit MS-DOS Subsystem

C:\WINDOWS\system32\wbem\wmiprvse.exe -secured

C:\WINDOWS\TEMP\. A temporary file needed for initialization could not be created or could not be written to. Make sure that the directory path exists, and disk space is available. Choose 'Close' to terminate the application.

Seems like something is still trying to start the wmiprvse. Is there a way to fix this?

Do you like AVG or avira for an AV program?

Do you have a registry cleaner that you like? I think mine is probably full of unneeded stuff after six years...

I really want to thank you for saving my computer!!!


It wants to install critical updates when I shut down. I have a hunch that this is how some of the viruses got installed before because it asked to install updates on shutdown every day for a while. I tried running Windows Update through IE, but the same 16 bit MS-DOS error popup from my last post keeps re-appearing while Windows Update is running. For now I just shut down without installing updates.

Thanks Erik


  • Staff

Hi,

Seems like something is still trying to start the wmiprvse. Is there a way to fix this?
There is still malware here. Let's clean it first before addressing other issues.

Please go to VirusTotal, and upload the following file for analysis:

C:\xxxcc.exe

Post the results in your reply.

Do you recognize these folders?

c:\program files\WarBy2

c:\program files\WarBy1

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=23884
Collect::
c:\documents and settings\All Users\Application Data\ubitijec.scr
c:\documents and settings\Registered User\Application Data\arun.exe
c:\program files\Common Files\semymux.ban
c:\windows\system32\timocygepy.dll
c:\program files\Common Files\akysyz.scr
c:\documents and settings\All Users\Application Data\pike.exe
c:\program files\Common Files\uluhonyji.lib
c:\program files\Common Files\yjukyqu.dl
c:\windows\system32\huzoxut.dat
c:\windows\system32\lokybehemy.dll
KILLALL::
Driver::
sonypvf3
sonypvt3
sonypvl3

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Do you like AVG or avira for a AV program?
I use Avira but either is fine.
Do you have a registry cleaner that you like? I think mine is probably full of unneeded stuff after six years...
It is not recommended to run Registry cleaners as they may remove needed components that aren't actually orphaned. You won't see a performance boost after using one, and it is not necessary.

-screen317

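What singles out the ten files screen317 put into the Collect:: block is visible in the Find3M Report further up: every one of them carries the same timestamp pair (2009-08-10 02:33) and a meaningless name in a user-writable location, whereas the Windows DLLs updated in one batch share only the first timestamp. The script below is an added example, not code from the thread, from Malwarebytes or from ComboFix: it parses lines in the layout of that report and groups files whose two timestamps are identical, so a batch of dropped files stands out for submission. The sample lines are copied from the log above with a few benign entries and a directory mixed in; the function names, the column labels ts_a/ts_b and the minimum cluster size of three are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the ComboFix "Find3M Report" above:
# the ten files later listed under Collect::, plus benign entries and one
# directory line. Timestamps, sizes and paths are copied from the page.
SAMPLE_FIND3M = r"""
2009-09-12 17:46 . 2004-10-25 22:47 -------- d-----w- c:\program files\PestPatrol
2009-09-03 13:41 . 2006-11-14 07:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-10 02:33 . 2009-08-10 02:33 18646 ----a-w- c:\documents and settings\All Users\Application Data\ubitijec.scr
2009-08-10 02:33 . 2009-08-10 02:33 18151 ----a-w- c:\documents and settings\Registered User\Application Data\arun.exe
2009-08-10 02:33 . 2009-08-10 02:33 15287 ----a-w- c:\program files\Common Files\semymux.ban
2009-08-10 02:33 . 2009-08-10 02:33 14441 ----a-w- c:\windows\system32\timocygepy.dll
2009-08-10 02:33 . 2009-08-10 02:33 13249 ----a-w- c:\program files\Common Files\akysyz.scr
2009-08-10 02:33 . 2009-08-10 02:33 13136 ----a-w- c:\documents and settings\All Users\Application Data\pike.exe
2009-08-10 02:33 . 2009-08-10 02:33 12583 ----a-w- c:\program files\Common Files\uluhonyji.lib
2009-08-10 02:33 . 2009-08-10 02:33 12294 ----a-w- c:\program files\Common Files\yjukyqu.dl
2009-08-10 02:33 . 2009-08-10 02:33 11300 ----a-w- c:\windows\system32\huzoxut.dat
2009-08-10 02:33 . 2009-08-10 02:33 11134 ----a-w- c:\windows\system32\lokybehemy.dll
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-06-25 08:25 . 2003-03-31 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2003-03-31 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2003-03-31 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
"""

# One report line: two "YYYY-MM-DD HH:MM" stamps separated by " . ", a size
# (or "--------" for directories), an attribute string, then the path.
# ts_a/ts_b are my labels; the page does not name the two columns.
LINE_RE = re.compile(
    r"^(?P<ts_a>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts_b>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)


def parse_find3m(text):
    """Return one dict per parseable report line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["is_dir"] = e["attrs"].startswith("d")
        e["size"] = int(e["size"]) if e["size"].isdigit() else None
        entries.append(e)
    return entries


def drop_clusters(entries, min_files=3):
    """Group non-directory entries whose two timestamps are identical, keyed
    by that timestamp, and keep only groups of at least min_files paths.
    Files rewritten by an update keep an older second stamp, so they do not
    cluster; a batch dropped in one go does."""
    groups = defaultdict(list)
    for e in entries:
        if e["is_dir"] or e["ts_a"] != e["ts_b"]:
            continue
        groups[e["ts_a"]].append(e["path"])
    return {ts: paths for ts, paths in groups.items() if len(paths) >= min_files}


def build_collect_script(paths):
    """Render a CFScript 'Collect::' block in the layout staff used above
    (the leading forum URL line is left out)."""
    return "Collect::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    for ts, paths in drop_clusters(parse_find3m(SAMPLE_FIND3M)).items():
        print(f"{len(paths)} files share both timestamps {ts}:")
        print(build_collect_script(paths))
```

The 2009-06-25 batch (lsasrv.dll, secur32.dll, wdigest.dll) shares the first timestamp but not the second, so it is not reported; only the 2009-08-10 02:33 group is, and it is exactly the list staff asked to collect. Treat the output as a shortlist for analysis (VirusTotal, as suggested above), not as proof of infection.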

ComboFix 09-09-13.06 - Registered User 09/14/2009 9:29.2.2 - NTFSx86

Running from: c:\documents and settings\Registered User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Registered User\Desktop\CFScript.txt.txt

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\documents and settings\All Users\Application Data\pike.exe

file zipped: c:\documents and settings\All Users\Application Data\ubitijec.scr

file zipped: c:\documents and settings\Registered User\Application Data\arun.exe

file zipped: c:\program files\Common Files\akysyz.scr

file zipped: c:\program files\Common Files\semymux.ban

file zipped: c:\program files\Common Files\uluhonyji.lib

file zipped: c:\program files\Common Files\yjukyqu.dl

file zipped: c:\windows\system32\huzoxut.dat

file zipped: c:\windows\system32\lokybehemy.dll

file zipped: c:\windows\system32\timocygepy.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\pike.exe

c:\documents and settings\All Users\Application Data\ubitijec.scr

c:\documents and settings\Registered User\Application Data\arun.exe

c:\program files\Common Files\akysyz.scr

c:\program files\Common Files\semymux.ban

c:\program files\Common Files\uluhonyji.lib

c:\program files\Common Files\yjukyqu.dl

c:\program files\Shared

c:\windows\system32\huzoxut.dat

c:\windows\system32\lokybehemy.dll

c:\windows\system32\timocygepy.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SONYPVF3

-------\Legacy_SONYPVL3

-------\Legacy_SONYPVT3

-------\Service_sonypvf3

-------\Service_sonypvl3

-------\Service_sonypvt3

((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))

.

2009-09-12 18:33 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-12 18:07 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-12 18:07 . 2009-09-12 18:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-12 18:07 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-12 17:12 . 2009-09-12 17:12 -------- d-----w- c:\documents and settings\Registered User\Application Data\Malwarebytes

2009-09-04 18:48 . 2009-09-12 17:53 -------- d-----w- c:\program files\WarBy2

2009-09-04 18:08 . 2009-09-04 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI

2009-09-04 17:24 . 2009-09-12 17:54 -------- d-----w- c:\program files\WarBy1

2009-09-04 17:20 . 2009-09-04 17:21 3942048 ----a-w- C:\xxxcc.exe

2009-09-04 17:14 . 2009-09-04 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-04 15:29 . 2009-09-04 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations

2009-09-04 15:29 . 2009-09-04 15:29 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2009-09-04 15:29 . 2009-09-04 15:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-09-04 15:29 . 2009-09-04 15:29 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-09-04 15:29 . 2009-09-04 15:29 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-09-04 15:29 . 2009-09-04 15:29 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-09-04 15:29 . 2009-09-04 15:29 -------- d-----w- c:\windows\system32\drivers\Avg

2009-09-04 15:28 . 2009-09-04 15:28 50968 ----a-w- c:\windows\system32\avgfwdx.dll

2009-09-04 15:28 . 2009-09-04 15:28 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys

2009-09-04 15:28 . 2009-09-04 15:28 -------- d-----w- c:\program files\AVG

2009-09-04 15:28 . 2009-09-08 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-04 15:24 . 2009-09-04 15:24 48768 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-04 14:16 . 2009-09-04 14:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-09-04 06:19 . 2009-09-04 06:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8

2009-09-04 05:30 . 2009-09-09 04:59 -------- d--h--w- c:\windows\PIF

2009-09-04 04:47 . 2009-09-04 04:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Scooter Software

2009-09-04 00:22 . 2009-09-04 00:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-09-03 23:14 . 2009-09-03 23:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Subversion

2009-09-03 22:59 . 2009-09-03 22:59 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-09-03 22:59 . 2009-09-03 22:59 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-09-03 22:20 . 2009-09-03 22:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-15 21:35 . 2009-08-15 21:35 -------- d-sh--w- c:\documents and settings\Registered User\IECompatCache

2009-08-15 21:32 . 2009-08-15 21:32 -------- d-sh--w- c:\documents and settings\Registered User\PrivacIE

2009-08-15 21:32 . 2009-08-15 21:32 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2009-08-15 21:31 . 2009-08-15 21:31 -------- d-sh--w- c:\documents and settings\Registered User\IETldCache

2009-08-15 21:29 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-08-15 21:29 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-08-15 21:28 . 2009-09-14 15:58 -------- d-----w- c:\windows\ie8updates

2009-08-15 21:27 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll

2009-08-15 21:25 . 2009-08-15 21:27 -------- dc-h--w- c:\windows\ie8

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-14 16:35 . 2004-10-25 22:47 -------- d-----w- c:\program files\PestPatrol

2009-09-03 13:41 . 2006-11-14 07:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-02 16:07 . 2006-07-08 15:31 -------- d-----w- c:\program files\lnav

2009-08-21 22:15 . 2009-05-17 15:13 -------- d-----w- c:\program files\ZipForm6

2009-08-11 22:56 . 2009-08-09 20:04 26352 ----a-w- c:\windows\system32\drivers\Vet-Filt.1

2009-08-11 22:56 . 2009-08-09 20:04 21104 ----a-w- c:\windows\system32\drivers\Vet-Rec.1

2009-08-09 19:51 . 2009-08-09 19:51 -------- d-----w- c:\program files\Common Files\Scanner

2009-08-06 17:17 . 2004-05-03 04:25 48768 ----a-w- c:\documents and settings\Registered User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-06 00:21 . 2009-08-06 00:21 -------- d-----w- c:\program files\MSBuild

2009-08-06 00:21 . 2009-08-06 00:21 -------- d-----w- c:\program files\Reference Assemblies

2009-08-05 09:01 . 2004-04-01 17:49 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 2004-04-01 17:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-02-07 01:05 915456 ------w- c:\windows\system32\wininet.dll

2009-06-25 08:25 . 2003-03-31 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2003-03-31 12:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2003-03-31 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2003-03-31 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 2003-03-31 12:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-24 11:18 . 2003-03-31 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-09-12_17.46.44 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-14 16:35 . 2009-09-14 16:35 16384 c:\windows\temp\Perflib_Perfdata_238.dat

+ 2009-09-14 16:27 . 2009-09-14 16:27 5160 c:\windows\SoftwareDistribution\EventCache\{EB0C323E-DA56-412C-8DD1-84F10456EA2E}.bin

- 2003-01-13 21:57 . 2009-03-08 11:33 726528 c:\windows\system32\jscript.dll

+ 2003-01-13 21:57 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll

- 2008-05-09 10:53 . 2009-03-08 11:33 726528 c:\windows\system32\dllcache\jscript.dll

+ 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll

+ 2009-09-14 15:58 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll

+ 2009-09-14 15:58 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe

+ 2009-09-14 15:58 . 2009-03-08 11:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll

- 2004-04-01 17:12 . 2008-06-18 12:03 2458112 c:\windows\system32\wmvcore.dll

+ 2004-04-01 17:12 . 2009-05-20 11:56 2458112 c:\windows\system32\WMVCore.dll

- 2004-04-01 17:12 . 2008-06-18 12:03 2458112 c:\windows\system32\dllcache\wmvcore.dll

+ 2004-04-01 17:12 . 2009-05-20 11:56 2458112 c:\windows\system32\dllcache\WMVCore.dll

+ 2009-09-14 15:59 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PPMemCheck"="c:\progra~1\PESTPA~1\PPMemCheck.exe" [2004-04-02 148480]

"PestPatrol Control Center"="c:\progra~1\PESTPA~1\PPControl.exe" [2004-04-02 53248]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-05-06 155648]

"CookiePatrol"="c:\progra~1\PESTPA~1\CookiePatrol.exe" [2004-04-02 69632]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-09-21 2807808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]

Alarm Manager.LNK - c:\palm\AlarmApp.exe [2002-8-9 274432]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-04 15:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk

backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NVSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\CamView\\CamView.exe"=

"c:\\Program Files\\CamView\\component1.exe"=

"c:\\jls45\\lib\\jre\\bin\\java.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\StubInstaller.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Chessmaster 9000\\UBI1.EXE"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [9/4/2009 8:29 AM 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/4/2009 8:29 AM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/4/2009 8:29 AM 108552]

R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [9/4/2009 8:28 AM 29208]

S1 sonypvd3;Sony DVD Handycam;c:\windows\system32\drivers\sonypvd3.sys [5/10/2009 10:17 PM 64964]

S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]

S2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe --> c:\progra~1\AVG\AVG8\avgfws8.exe [?]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [9/4/2009 8:28 AM 29208]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [5/22/2005 1:19 PM 2944]

S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [5/22/2005 1:19 PM 3168]

S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [5/22/2005 1:19 PM 39552]

S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [5/22/2005 1:19 PM 60416]

S3 FXDRV;FXDRV;c:\program files\Foxconn\SuperUtilities\Fxdrv.sys [4/2/2005 11:30 AM 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyServer = fox:9990

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: ameritrade.com

Trusted Zone: tdameritrade.com

Trusted Zone: webattend.com

Trusted Zone: webtrain.com

DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} - hxxp://www.webattend.com/components/wt0523.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-14 09:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AA58136B-E4D9-7C22-F318862907B73EF7}\{7320B164-7CDE-F0FA-3D718014E02662FF}\{717B3025-5806-2EEA-4DFCCD0F4E1E26A2}*]

"Q3FBLH6RIF6MYMN6VD31LVQSMD1"=hex:01,00,00,00,00,00,00,00,5c,63,e8,cf,f7,e6,fd,

3a

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2592)

c:\windows\system32\WININET.dll

c:\program files\TortoiseSVN\bin\tortoisesvn.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\program files\TortoiseSVN\bin\intl3_svn.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL

c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\MsPMSPSv.exe

.

**************************************************************************

.

Completion time: 2009-09-14 9:38 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-14 16:38

ComboFix2.txt 2009-09-12 17:48

Pre-Run: 26,573,758,464 bytes free

Post-Run: 26,560,290,816 bytes free

261 --- E O F --- 2009-09-14 16:00
