
Windows Police Pro Virus


fLaze


For the past week, my pc was infected with the Windows Police Pro virus. I followed various online guides to manually remove some of the infected files. However, when I tried to run a scan with malwarebytes (after a fresh install) the scan closes after 3 secs. When I try to reopen the program I get the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Here are my logs:

Running from: C:\Documents and Settings\JJ\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\JJ\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10C.tmp\ZAP10C.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10C.tmp\ZAP10C.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP121.tmp\ZAP121.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP121.tmp\ZAP121.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP208.tmp\ZAP208.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP208.tmp\ZAP208.tmp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\fontvect\fontvect

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\fontvect\fontvect

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\50512592984F2284DAAF236CED4E1F41\8.0.6\8.0.6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\50512592984F2284DAAF236CED4E1F41\8.0.6\8.0.6

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\52CB9D6ECBD08634E8A4D7EE0866C19D\8.0.148\8.0.148

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\52CB9D6ECBD08634E8A4D7EE0866C19D\8.0.148\8.0.148

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\AC1F0757D610CA645B68DC4746E5BF25\8.0.211\8.0.211

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\AC1F0757D610CA645B68DC4746E5BF25\8.0.211\8.0.211

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\FC62732BFB866A144ABE271FF278EF50\8.0.63\8.0.63

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\FC62732BFB866A144ABE271FF278EF50\8.0.63\8.0.63

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\38a8eda614ff45eb7360274e207cd81f\sp2gdr\sp2gdr

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\38a8eda614ff45eb7360274e207cd81f\sp2gdr\sp2gdr

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\40fc5c00ee89ac515590995374843d78\sp3qfe\sp3qfe

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\40fc5c00ee89ac515590995374843d78\sp3qfe\sp3qfe

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5576ebf17c8d936aec4fdc0b3f9f566d\sp2qfe\sp2qfe

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5576ebf17c8d936aec4fdc0b3f9f566d\sp2qfe\sp2qfe

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\root\root

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\root\root

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2441737916-2716685914-562067877-1005\S-1-5-21-2441737916-2716685914-562067877-1005

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2441737916-2716685914-562067877-1005\S-1-5-21-2441737916-2716685914-562067877-1005

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2441737916-2716685914-562067877-1006\S-1-5-21-2441737916-2716685914-562067877-1006

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2441737916-2716685914-562067877-1006\S-1-5-21-2441737916-2716685914-562067877-1006

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2441737916-2716685914-562067877-500\S-1-5-21-2441737916-2716685914-562067877-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2441737916-2716685914-562067877-500\S-1-5-21-2441737916-2716685914-562067877-500

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\{4E3254D7-522A-412A-9296-3F4767B3A2CB}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\{4E3254D7-522A-412A-9296-3F4767B3A2CB}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2441737916-2716685914-562067877-500\S-1-5-21-2441737916-2716685914-562067877-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2441737916-2716685914-562067877-500\S-1-5-21-2441737916-2716685914-562067877-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2441737916-2716685914-562067877-500\S-1-5-21-2441737916-2716685914-562067877-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2441737916-2716685914-562067877-500\S-1-5-21-2441737916-2716685914-562067877-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\Data\Data

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Data\Data

Found mount point : C:\WINDOWS\system32\Defaults\Defaults

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Defaults\Defaults

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-10 07:00:00 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-10 07:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-10 07:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Finished!

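Two things in the Win32kDiag log above are worth pulling out mechanically: the run of directories under C:\WINDOWS that had been turned into mount points, every one resolving to the same \Device\__max++>\^ destination, and the eventlog.dll block, where the copy in system32 prints () where every backup copy prints (Microsoft Corporation) and is 62464 bytes against 55808 (C:\i386) and 56320 (SoftwareDistribution). The Python below is an added example written for this page, not code from the original post or from the Win32kDiag tool; the regular expressions, the Candidate class and the function names are mine, and the text it parses is a constructed excerpt in the same format as the post above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed excerpt in Win32kDiag's own format; sizes, paths and company
# strings are copied from the post above, the mount-point run is shortened.
SAMPLE_LOG = """\
Found mount point : C:\\WINDOWS\\$hf_mig$\\KB904706\\KB904706
Mount point destination : \\Device\\__max++>\\^
Removing mount point : C:\\WINDOWS\\$hf_mig$\\KB904706\\KB904706
Found mount point : C:\\WINDOWS\\system32\\1025\\1025
Mount point destination : \\Device\\__max++>\\^
Removing mount point : C:\\WINDOWS\\system32\\1025\\1025
Cannot access: C:\\WINDOWS\\system32\\eventlog.dll
Attempting to restore permissions of : C:\\WINDOWS\\system32\\eventlog.dll
[1] 2008-04-13 20:11:53 56320 C:\\WINDOWS\\SoftwareDistribution\\Download\\dd9ab5193501484cf5e6884fa1d22f9e\\eventlog.dll (Microsoft Corporation)
[1] 2004-08-10 07:00:00 62464 C:\\WINDOWS\\system32\\eventlog.dll ()
[2] 2004-08-10 07:00:00 55808 C:\\WINDOWS\\system32\\logevent.dll (Microsoft Corporation)
[1] 2004-08-10 07:00:00 55808 C:\\i386\\eventlog.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[tag] YYYY-MM-DD HH:MM:SS size path (CompanyName)"; the company may be empty.
CAND_RE = re.compile(r"^\[(\d+)\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+?) \((.*)\)$")

@dataclass
class Candidate:
    tag: int        # the bracketed number Win32kDiag prefixes each candidate with
    timestamp: str
    size: int
    path: str
    company: str    # "" when no CompanyName version resource could be read

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

def parse_win32kdiag(text: str) -> Tuple[List[Tuple[str, str]], Dict[str, List[Candidate]]]:
    """Return ([(mount point, destination)], {inaccessible file: [candidates]})."""
    mounts: List[Tuple[str, str]] = []
    inaccessible: Dict[str, List[Candidate]] = {}
    pending_mount = None
    target = None  # the "Cannot access" file whose candidate block is open
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := CANNOT_RE.match(line):
            target = m.group(1)
            inaccessible.setdefault(target, [])
            continue
        if line.startswith("Attempting to restore permissions"):
            continue
        if target and (m := CAND_RE.match(line)):
            tag, ts, size, path, company = m.groups()
            inaccessible[target].append(Candidate(int(tag), ts, int(size), path, company))
            continue
        target = None  # any other line closes the candidate block
        if m := MOUNT_RE.match(line):
            pending_mount = m.group(1)
        elif pending_mount and (m := DEST_RE.match(line)):
            mounts.append((pending_mount, m.group(1)))
            pending_mount = None
    return mounts, inaccessible

def mount_point_summary(mounts: List[Tuple[str, str]]) -> Counter:
    """Removed mount points per destination. Many system directories turned into
    reparse points that all resolve to one odd device name is the pattern;
    an XP C:\\WINDOWS tree normally contains no mount points at all."""
    return Counter(dest for _, dest in mounts)

def flag_suspicious(target: str, candidates: List[Candidate]) -> List[dict]:
    """Flag same-named copies of the inaccessible file that carry no CompanyName.
    Size is supporting evidence only (RTM and hotfixed backups differ legitimately)
    and the timestamp proves nothing: the flagged copy shows the same 2004 date
    as the i386 original."""
    name = target.rsplit("\\", 1)[-1].lower()
    same_name = [c for c in candidates if c.basename == name]
    findings = []
    for c in same_name:
        if c.company:
            continue
        backup_sizes = sorted({o.size for o in same_name if o is not c})
        findings.append({"path": c.path, "size": c.size,
                         "size_matches_backup": c.size in backup_sizes,
                         "backup_sizes": backup_sizes})
    return findings

if __name__ == "__main__":
    mounts, inaccessible = parse_win32kdiag(SAMPLE_LOG)
    for dest, n in mount_point_summary(mounts).items():
        print(f"{n} mount point(s) removed -> {dest}")
    for target, cands in inaccessible.items():
        for f in flag_suspicious(target, cands):
            print("SUSPICIOUS:", f)
```

Run against the full log it reports one destination with roughly a hundred mount points and a single finding, the system32 eventlog.dll with no publisher string and a size that matches neither backup. The missing CompanyName is the primary signal because a genuine Microsoft system DLL always carries a version resource; the size and date columns are printed so a reader can see why neither would do on its own.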

Ignore the invalid script error. I didn't copy and paste the entire code the first time.

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)

Sat Sep 19 13:01:55 2009

13:01:55: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0,


GMER 1.0.15.15087 - http://www.gmer.net

Rootkit quick scan 2009-09-19 13:19:29

Windows 5.1.2600 Service Pack 2

Running: qu6tvmum.exe; Driver: C:\DOCUME~1\JJ\LOCALS~1\Temp\pxtdypob.sys

---- System - GMER 1.0.15 ----

SSDT sphk.sys ZwEnumerateKey [0xF72C8CA2]

SSDT sphk.sys ZwEnumerateValueKey [0xF72C9030]

SSDT \SystemRoot\System32\Drivers\Beep.SYS ZwQuerySystemInformation [0xF65371A0]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 875D21F8

AttachedDevice \Driver\Tcpip \Device\Ip cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)

---- EOF - GMER 1.0.15 ----


Hmm, I can't seem to run combofix for some reason. I renamed it to explorer.exe before saving it to my desktop. After I clicked "yes" on the disclaimer prompt, the command window came up with the message:

System file is infected !! Attempting to restore

"C:\WINDOWS\system32\lpk.dll"

System file is infected !! Attempting to restore

"C:\WINDOWS\system32\imm32.dll"

Then it closed by itself and I got the message "Combofix is uninstalled". I think it was trying to create a restore point according to the guide I was following. But, a while back I disabled windows restore and I can't turn it back on.


Hello and Welcome,

Ok- do not worry about Combofix just yet. Just follow the rest of my instructions first.

Please make sure you can View Hidden Files and Folders first

1. Click Start

2. Open My Computer

3. Select the Tools menu and click Folder Options

4. Select the View Tab

5. Under the Hidden files and folders heading select Show hidden files and folders

6. Uncheck the Hide protected operating system files (recommended) option

7. Click Yes to confirm

8. Click OK

Create a new folder in your root directory C:\ and name it legitfiles

You should be able to see C:\legitfiles in Windows Explorer after it's created.

Make sure you can see it.

Navigate to the following file, and right-click it:

C:\WINDOWS\system32\dllcache\eventlog.dll

Select "Copy" from the context menu and then paste the file into the C:\legitfiles folder by right-clicking the folder in Windows Explorer and selecting "Paste"

Make sure you can view C:\legitfiles\eventlog.dll before you proceed with the rest of my instructions.

Run Avenger again as follows:

  • Double click on avenger.exe to launch Avenger.
  • Click OK.
  • Make sure that the box next to "Scan for rootkits" is checked and that the box next to "Automatically disable any rootkits found" is not checked.

Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:

Files to move:
C:\legitfiles\eventlog.dll | C:\WINDOWS\System32\eventlog.dll

Press the Execute key.

Avenger will now process the script you've pasted and when it's finished it will produce a log file. Please post back the Avenger log file (it can also be found at C:\avenger.txt)

Open a command prompt (start -> run -> type cmd, and hit Enter)

Copy and paste the following command at the command line:

cd\ && dir /a /s lpk.dll imm32.dll > findfiles.txt && notepad findfiles.txt

A log will open in Notepad called findfiles.txt

Copy/Paste the contents of that findfiles.txt in your next reply

Please post back C:\Avenger.txt and C:\findfiles.txt

See if you are able to run MBAM v. 1.41 and post the scan log if you're successful

Also, let me know if C:\Combofix.txt is present. If it is, post it.

If you receive an error when trying to open it, please let me know

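The dir /a /s command in the post above prints one "Directory of" header per hit, and the check being made with it is whether each copy of lpk.dll and imm32.dll matches the copies Windows installed itself (C:\i386, system32\dllcache, the SoftwareDistribution download folder). The Python below is an added example for this page, not code from the post or from any tool it mentions: the listing it parses is constructed in cmd.exe's US-locale dir format, with the system32 lpk.dll size altered so the mismatch branch actually runs (in the real findfiles.txt later in the thread all three copies of each file agree), and the regular expressions, REFERENCE_HINTS and function names are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed listing in `dir /a /s` format. It mirrors the post's findfiles.txt
# except that the system32 lpk.dll size is altered so the mismatch path runs.
SAMPLE_DIR = """\
 Volume in drive C has no label.

 Directory of C:\\i386

08/10/2004  07:00 AM            22,016 lpk.dll

 Directory of C:\\i386

08/10/2004  07:00 AM           110,080 imm32.dll
               2 File(s)        132,096 bytes

 Directory of C:\\WINDOWS\\system32\\dllcache

08/10/2004  07:00 AM            22,016 lpk.dll

 Directory of C:\\WINDOWS\\system32\\dllcache

08/10/2004  07:00 AM           110,080 imm32.dll
               2 File(s)        132,096 bytes

 Directory of C:\\WINDOWS\\system32

08/10/2004  07:00 AM            24,064 lpk.dll

 Directory of C:\\WINDOWS\\system32

08/10/2004  07:00 AM           110,080 imm32.dll
               2 File(s)        134,144 bytes

     Total Files Listed:
               6 File(s)        398,336 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# US-locale cmd.exe line: date, time, size (or <DIR>), name. Adjust for other locales.
FILE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}\s*[AP]M)\s+([\d,]+|<DIR>)\s+(.+?)\s*$")
# Directories whose copies Windows itself wrote; matched case-insensitively.
REFERENCE_HINTS = ("\\i386", "\\dllcache", "\\softwaredistribution\\")

@dataclass
class Entry:
    directory: str
    name: str
    size: int

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name

def is_reference(directory: str) -> bool:
    d = directory.lower()
    return any(h in d for h in REFERENCE_HINTS)

def parse_dir_listing(text: str) -> List[Entry]:
    """Walk the listing, remembering the current 'Directory of' header."""
    entries: List[Entry] = []
    current = None
    for line in text.splitlines():
        if m := DIR_RE.match(line):
            current = m.group(1)
            continue
        if current and (m := FILE_RE.match(line)):
            _date, _time, size, name = m.groups()
            if size == "<DIR>":
                continue
            entries.append(Entry(current, name, int(size.replace(",", ""))))
    return entries

def compare_copies(entries: List[Entry]) -> Dict[str, dict]:
    """Group by file name; report non-reference copies whose size matches no
    reference copy. A name with no reference copy at all is reported too,
    since then there is nothing to compare against."""
    by_name: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        by_name[e.name.lower()].append(e)
    report: Dict[str, dict] = {}
    for name, copies in by_name.items():
        ref_sizes = sorted({c.size for c in copies if is_reference(c.directory)})
        mismatches = [(c.path, c.size) for c in copies
                      if not is_reference(c.directory) and c.size not in ref_sizes]
        report[name] = {"copies": len(copies), "reference_sizes": ref_sizes,
                        "mismatches": mismatches}
    return report

if __name__ == "__main__":
    for name, r in compare_copies(parse_dir_listing(SAMPLE_DIR)).items():
        status = "MISMATCH" if r["mismatches"] else ("no reference copy" if not r["reference_sizes"] else "ok")
        print(f"{name}: {r['copies']} copies, reference sizes {r['reference_sizes']}: {status}")
        for path, size in r["mismatches"]:
            print(f"    {path} ({size} bytes)")
```

A size that matches no reference copy is only a lead. Size equality is easy to preserve when a DLL is patched in place, and a hotfixed system32 copy can legitimately differ from the i386 RTM copy, as the two Microsoft-signed eventlog.dll backups in the Win32kDiag log show (55808 against 56320 bytes). Confirm with a hash against a known-good copy or a signature/catalog check before replacing anything.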

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\legitfiles\eventlog.dll|C:\WINDOWS\System32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


Volume in drive C has no label.

Volume Serial Number is 38A3-7B40

Directory of C:\i386

08/10/2004 07:00 AM 22,016 lpk.dll

Directory of C:\i386

08/10/2004 07:00 AM 110,080 imm32.dll

2 File(s) 132,096 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 08:11 PM 22,016 lpk.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 08:11 PM 110,080 imm32.dll

2 File(s) 132,096 bytes

Directory of C:\WINDOWS\system32

08/10/2004 07:00 AM 22,016 lpk.dll

Directory of C:\WINDOWS\system32

08/10/2004 07:00 AM 110,080 imm32.dll

2 File(s) 132,096 bytes

Total Files Listed:

6 File(s) 396,288 bytes

0 Dir(s) 1,989,693,440 bytes free


I was able to do a full scan after reinstalling. Got over 90 infections :)

Malwarebytes' Anti-Malware 1.41

Database version: 2828

Windows 5.1.2600 Service Pack 2

9/20/2009 1:31:28 AM

mbam-log-2009-09-20 (01-31-28).txt

Scan type: Quick Scan

Objects scanned: 143460

Time elapsed: 21 minute(s), 16 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 5

Registry Keys Infected: 11

Registry Values Infected: 9

Registry Data Items Infected: 9

Folders Infected: 4

Files Infected: 55

Memory Processes Infected:

C:\Documents and Settings\JJ\Local Settings\Temp\svchost.exe (Trojan.Downloader) -> Unloaded process successfully.

C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe (Rogue.AntiVirusPro2010) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Downloader) -> Delete on reboot.

C:\Program Files\AntivirusPro_2010\htmlayout.dll (Rogue.AntiVirusPro) -> Delete on reboot.

C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) -> Delete on reboot.

C:\Program Files\AntivirusPro_2010\AVEngn.dll (Rogue.AntiVirusPro2010) -> Delete on reboot.

C:\Program Files\AntivirusPro_2010\pthreadVC2.dll (Rogue.AntiVirusPro2010) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{5a4c9202-7e5d-4995-8ab7-f7d9f3baa2aa} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5a4c9202-7e5d-4995-8ab7-f7d9f3baa2aa} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antiviruspro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AntipPro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus pro 2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows rescue disk (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\data (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.

C:\Program Files\AntivirusPro_2010\htmlayout.dll (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\fyblb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\xvhu.exe (Trojan.Inject) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-2441737916-2716685914-562067877-1005\Dc5.sdfdfda (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-2441737916-2716685914-562067877-1005\Dc6.knjjnjn (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-2441737916-2716685914-562067877-1005\Dc4\windows Police Pro.asdfsdad (Antivirus2009) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pologodi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wisdstr.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) -> Delete on reboot.

C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\1809484932.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\3393758174.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\cmd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\D7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\D8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\D9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\mdm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\notepad.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\spoolsv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\user.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temp\winamp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temporary Internet Files\Content.IE5\CR2YOJVK\zjjaof[1].htm (Trojan.Inject) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temporary Internet Files\Content.IE5\O53XBZ9S\ekyymmqe[1].htm (Spyware.Banker) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Local Settings\Temporary Internet Files\Content.IE5\O53XBZ9S\zwjkbb[1].txt (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\AVEngn.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\pthreadVC2.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\Uninstall.exe (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\wscui.cpl (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\onhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wispex.html (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Desktop\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\JJ\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.


OK Good job we're making progress.

The file sizes of those two DLL files Combofix said were infected are correct, so I think it was able to replace them properly.

Were you able to locate C:\Combofix.txt?

Now, reboot and update MBAM and do a quick scan again. Remove all threats found again and post another log.

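An added example, not from this thread or from any of the tools it uses, that automates the check the helper did by eye on the findfiles.txt produced by the `dir /a /s lpk.dll imm32.dll` command above: it parses the `dir` output and flags any copy of either DLL whose size differs from the copy in C:\i386. Treating the C:\i386 copy as the known-good reference, and the altered system32 imm32.dll entry in the sample, are assumptions constructed for the demonstration.

```python
"""Flag lpk.dll / imm32.dll copies whose size differs from the install-source copy."""
import re
from collections import defaultdict

# Constructed sample of findfiles.txt, the output of
#   cd\ && dir /a /s lpk.dll imm32.dll > findfiles.txt
# The C:\i386 entries copy the sizes posted in the thread (22,016 and 110,080 bytes);
# the system32 imm32.dll entry is altered here to show what a replaced file looks like.
SAMPLE_FINDFILES = r"""
 Volume in drive C has no label.
 Volume Serial Number is 38A3-7B40

 Directory of C:\i386

08/10/2004  07:00 AM            22,016 lpk.dll

 Directory of C:\i386

08/10/2004  07:00 AM           110,080 imm32.dll
               2 File(s)        132,096 bytes

 Directory of C:\WINDOWS\system32

08/10/2004  07:00 AM            22,016 lpk.dll

 Directory of C:\WINDOWS\system32

09/18/2009  03:12 PM            63,488 imm32.dll
               2 File(s)         85,504 bytes

     Total Files Listed:
               4 File(s)        217,600 bytes
               0 Dir(s)   1,989,693,440 bytes free
"""

# " Directory of <path>" introduces each group of entries in dir /s output.
DIR_HEADER = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
# A file entry: date, time (12- or 24-hour clock), size with thousands separators, name.
# Subdirectory entries show <DIR> instead of a size and therefore do not match.
FILE_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}(?: [AP]M)?)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$"
)


def parse_dir_listing(text):
    """Yield (directory, lower-cased file name, size in bytes) for each file entry."""
    current_dir = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group("dir")
            continue
        entry = FILE_LINE.match(line)
        if entry and current_dir is not None:
            size = int(entry.group("size").replace(",", ""))
            yield current_dir, entry.group("name").lower(), size


def check_against_reference(entries, reference_dir=r"C:\i386"):
    """Compare every copy of each DLL with the copy kept in the install source.

    Returns {name: [(directory, size, reference_size), ...]} listing only the
    copies whose size differs from the reference; an empty list means every
    copy agrees with it. A file with no reference copy is reported with
    reference_size None so it is not silently passed.
    """
    copies_by_name = defaultdict(list)
    for directory, name, size in entries:
        copies_by_name[name].append((directory, size))

    report = {}
    for name, copies in copies_by_name.items():
        reference = [s for d, s in copies if d.lower() == reference_dir.lower()]
        if not reference:
            report[name] = [(d, s, None) for d, s in copies]
            continue
        ref_size = reference[0]
        report[name] = [(d, s, ref_size) for d, s in copies if s != ref_size]
    return report


def main():
    entries = list(parse_dir_listing(SAMPLE_FINDFILES))
    for name, mismatches in sorted(check_against_reference(entries).items()):
        if not mismatches:
            print(f"{name}: every copy matches the C:\\i386 size")
        for directory, size, ref_size in mismatches:
            print(f"{name}: {directory} is {size} bytes, reference copy is {ref_size}")


if __name__ == "__main__":
    main()
```

A size match is only a first-pass sanity check, as the helper notes; a full comparison would also verify the digital signature or a hash against a known-good copy.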

No I couldn't find Combofix.txt

Malwarebytes' Anti-Malware 1.41

Database version: 2830

Windows 5.1.2600 Service Pack 2

9/20/2009 11:29:53 AM

mbam-log-2009-09-20 (11-29-53).txt

Scan type: Quick Scan

Objects scanned: 142965

Time elapsed: 22 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


OK looks good.

I'd still like you to run Combofix to see if anything else is lingering and if any of your system files are replaced by trojan versions.

Delete your current copy of Combofix.

Please redownload Combofix to your desktop and rename it as you download.

Disable ALL security programs.

Launch Combofix and post back the log at C:\Combofix.txt

Re-enable security programs once the log is produced.

If the log doesn't open automatically, search for it here:

C:\Combofix.txt


ComboFix 09-09-18.02 - JJ 09/20/2009 12:14.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.438 [GMT -4:00]

Running from: c:\documents and settings\JJ\Desktop\ComboFix.exe

AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Tianhua\Local Settings\Temporary Internet Files\fbk.sts

c:\documents and settings\Tianhua\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat

C:\p2hhr.bat

c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb

c:\windows\Installer\302ca4.msi

c:\windows\kb913800.exe

c:\windows\regedit.com

c:\windows\run.log

c:\windows\system32\bszip.dll

c:\windows\system32\Data

c:\windows\system32\images

c:\windows\system32\images\i1.gif

c:\windows\system32\images\i2.gif

c:\windows\system32\images\i3.gif

c:\windows\system32\images\j1.gif

c:\windows\system32\images\j2.gif

c:\windows\system32\images\j3.gif

c:\windows\system32\images\jj1.gif

c:\windows\system32\images\jj2.gif

c:\windows\system32\images\jj3.gif

c:\windows\system32\images\l1.gif

c:\windows\system32\images\l2.gif

c:\windows\system32\images\l3.gif

c:\windows\system32\images\pix.gif

c:\windows\system32\images\t1.gif

c:\windows\system32\images\t2.gif

c:\windows\system32\images\up1.gif

c:\windows\system32\images\up2.gif

c:\windows\system32\images\w1.gif

c:\windows\system32\images\w11.gif

c:\windows\system32\images\w2.gif

c:\windows\system32\images\w3.gif

c:\windows\system32\images\w3.jpg

c:\windows\system32\images\wt1.gif

c:\windows\system32\images\wt2.gif

c:\windows\system32\images\wt3.gif

c:\windows\system32\launcher.exe

c:\windows\Tasks\hkujamll.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_uacFlt

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Service_uacFlt

((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))

.

2009-09-20 05:07 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-20 05:07 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-20 05:07 . 2009-09-20 05:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-20 04:41 . 2009-09-20 04:50 -------- d-----w- C:\legitfiles

2009-09-19 18:07 . 2009-09-19 18:07 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-09-19 17:18 . 2009-09-19 17:18 -------- d-----w- C:\ARK

2009-09-17 23:50 . 2009-09-17 23:50 -------- d-----w- c:\program files\Formatta 7.0

2009-09-17 23:48 . 2009-09-17 23:48 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

2009-09-12 02:30 . 2009-09-12 02:36 -------- d-----w- c:\program files\Windows Live Safety Center

2009-09-07 14:26 . 2009-09-19 17:08 -------- d-----w- c:\documents and settings\JJ\Local Settings\Application Data\Temp

2009-09-07 14:26 . 2009-09-07 14:28 -------- d-----w- c:\documents and settings\JJ\Local Settings\Application Data\Google

2009-09-07 13:48 . 2009-09-07 14:12 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-07 13:48 . 2009-09-07 13:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-07 03:43 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-09-07 03:42 . 2009-09-07 03:42 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

2009-09-01 02:41 . 2009-09-01 02:41 -------- d-----w- c:\documents and settings\JJ\Local Settings\Application Data\PCHealth

2009-08-31 05:05 . 2009-08-31 05:05 -------- d-----w- c:\program files\MSXML 6.0

2009-08-22 22:29 . 2009-08-22 22:29 -------- d-----w- c:\windows\ServicePackFiles

2009-08-22 21:36 . 2009-08-22 21:36 -------- d-----w- c:\documents and settings\JJ\Application Data\Motive

2009-08-22 21:36 . 2009-08-22 21:36 -------- d-----w- c:\documents and settings\JJ\Local Settings\Application Data\AVG Security Toolbar

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-20 04:33 . 2006-01-11 03:45 -------- d-----w- c:\program files\Dl_cats

2009-09-19 20:01 . 2006-08-08 03:29 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys

2009-09-19 20:01 . 2005-12-29 15:38 56 --sh--r- c:\windows\system32\7C6B49F63F.sys

2009-09-17 23:42 . 2007-04-16 03:32 -------- d-----w- c:\program files\McAfee

2009-09-15 01:36 . 2006-01-12 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-07 04:55 . 2008-11-06 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-07 03:42 . 2007-04-27 23:26 -------- d-----w- c:\program files\Lavasoft

2009-09-07 03:41 . 2006-03-14 21:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-07 01:51 . 2008-11-06 20:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-09-07 01:51 . 2008-11-06 20:24 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-09-07 01:51 . 2007-04-27 23:09 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-24 05:56 . 2009-08-24 05:56 0 ----a-w- c:\documents and settings\Tianhua\ntuser.tmp

2009-08-22 21:29 . 2005-12-10 15:57 129872 -c--a-w- c:\documents and settings\JJ\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-22 04:10 . 2008-01-26 21:55 -------- d-----w- c:\documents and settings\Tianhua\Application Data\U3

2009-08-22 04:04 . 2008-11-08 04:55 -------- d-----w- c:\program files\Microsoft Silverlight

2009-08-21 03:58 . 2008-12-24 00:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-08-05 09:11 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 18:55 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 14:08 . 2005-08-16 10:19 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2005-08-16 10:18 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-25 18:36 . 2005-08-16 10:18 471552 ----a-w- c:\windows\system32\mqutil.dll

2009-06-25 18:36 . 2005-08-16 10:18 95744 ----a-w- c:\windows\system32\mqsec.dll

2009-06-25 18:36 . 2005-08-16 10:18 661504 ----a-w- c:\windows\system32\mqqm.dll

2009-06-25 18:36 . 2005-08-16 10:18 517120 ----a-w- c:\windows\system32\mqsnap.dll

2009-06-25 18:36 . 2005-08-16 10:18 48640 ----a-w- c:\windows\system32\mqupgrd.dll

2009-06-25 18:36 . 2005-08-16 10:18 186880 ----a-w- c:\windows\system32\mqtrig.dll

2009-06-25 18:36 . 2005-08-16 10:18 177152 ----a-w- c:\windows\system32\mqrt.dll

2009-06-25 18:36 . 2005-08-16 10:18 123392 ----a-w- c:\windows\system32\mqrtdep.dll

2009-06-25 18:36 . 2005-08-16 10:18 47104 ----a-w- c:\windows\system32\mqdscli.dll

2009-06-25 18:36 . 2005-08-16 10:18 225280 ----a-w- c:\windows\system32\mqoa.dll

2009-06-25 18:36 . 2005-08-16 10:18 16896 ----a-w- c:\windows\system32\mqise.dll

2009-06-25 18:36 . 2005-08-16 10:18 138240 ----a-w- c:\windows\system32\mqad.dll

2009-06-25 08:17 . 2005-08-16 10:18 59392 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:17 . 2005-08-16 10:18 56320 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:17 . 2005-08-16 10:18 168448 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:17 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:17 . 2005-08-16 10:18 729600 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:17 . 2005-08-16 10:18 301568 ----a-w- c:\windows\system32\kerberos.dll

2007-02-15 11:51 . 2007-02-15 11:51 169248 -c--a-w- c:\program files\MC

2006-01-05 04:38 . 2006-02-12 19:34 3808240 -c--a-w- c:\program files\gtk+-2.8.9-setup-1.exe

2006-05-06 16:42 . 2006-07-20 03:22 7260160 -c--a-w- c:\program files\mozilla firefox\plugins\libvlc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-04-21 94208]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-04-27 49968]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"Google Update"="c:\documents and settings\JJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-07 133104]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"Motive SmartBridge"="c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2002-05-18 327680]

"dlcjmon.exe"="c:\program files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 430080]

"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 286720]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"DLCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 73728]

"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]

"COMODO Firewall Pro"="c:\program files\Comodo\Firewall\CPF.exe" [2007-10-21 1115728]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-07 2007832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-01-30 1553920]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"application"="c:\program files\AKProg\AKProg.exe" [2009-01-11 522752]

c:\documents and settings\Tianhua\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-2-6 3581680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-5 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Perstray.lnk - c:\program files\PerSono\perstray.exe [2006-3-15 32768]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-8-3 394856]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= c:\windows\system32\onhelp.htm

FriendlyName= tets

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-07 01:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk

backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk

backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup

"AVG Control Center"=c:\program files\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

"dla"=c:\windows\system32\dla\tfswctrl.exe

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"UpdReg"=c:\windows\UpdReg.EXE

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe"

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Xfire\\Xfire.exe"=

"c:\\Program Files\\Steam\\SteamApps\\infectox\\counter-strike\\hl.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Steam\\SteamApps\\infectox\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\Program Files\\Steam\\SteamApps\\infectox\\dedicated server\\hlds.exe"=

"c:\\Program Files\\Invisible Browsing\\InvisibleBrowsing.exe"=

"c:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpSvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"51236:TCP"= 51236:TCP:BitComet 51236 TCP

"51236:UDP"= 51236:UDP:BitComet 51236 UDP

"6112:TCP"= 6112:TCP:Blizzard

"4000:TCP"= 4000:TCP:Blizzard2

"6113:TCP"= 6113:TCP:Blizzard3

"6114:TCP"= 6114:TCP:Blizzard4

"6115:TCP"= 6115:TCP:Blizzard5

"6116:TCP"= 6116:TCP:Blizzard6

"6117:TCP"= 6117:TCP:Blizzard7

"6118:TCP"= 6118:TCP:Blizzard8

"6119:TCP"= 6119:TCP:Blizzard9

"16900:UDP"= 16900:UDP:CrashOnlineRecv

"16910:UDP"= 16910:UDP:CrashOnlineSend

"25:TCP"= 25:TCP:sc

"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager

"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/6/2009 11:43 PM 64160]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/6/2008 4:24 PM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/6/2008 4:24 PM 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/6/2008 4:23 PM 297752]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/23/2008 5:23 PM 92296]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/9/2009 11:04 AM 24652]

S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/6/2008 4:23 PM 908056]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]

S3 cpuz130;cpuz130;\??\c:\docume~1\Tianhua\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Tianhua\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [11/15/2008 1:53 PM 33752]

S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/1/2008 3:13 AM 34064]

S3 PCD5SRVC{FBEA8B78-1B22F121-05040000};PCD5SRVC{FBEA8B78-1B22F121-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms [12/5/2007 3:47 PM 20640]

S3 tapgamerail;GameRail Adapter;c:\windows\system32\drivers\tapgamerail.sys [6/23/2007 5:00 PM 26368]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2441737916-2716685914-562067877-1005Core.job

- c:\documents and settings\JJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-07 14:26]

2009-09-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2441737916-2716685914-562067877-1005UA.job

- c:\documents and settings\JJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-07 14:26]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = 127.0.0.1

IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Tianhua\Start Menu\Programs\IMVU\Run IMVU.lnk

Trusted Zone: turbotax.com

Trusted Zone: musicmatch.com\online

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\JJ\Application Data\Mozilla\Firefox\Profiles\ksluehzk.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

FF - plugin: c:\documents and settings\JJ\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npoctoshape.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-20 12:30

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

c:\docume~1\JJ\LOCALS~1\Temp\GUR2.tmp 0 bytes

c:\docume~1\JJ\LOCALS~1\Temp\lucene-ede5717dd3ebcaad15c9a07963bbb1f1-write.lock 0 bytes

scan completed successfully

hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PCD5SRVC{FBEA8B78-1B22F121-05040000}]

"ImagePath"="\??\c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2441737916-2716685914-562067877-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{765102BD-2A0B-43B4-1712-400C9E6AB5D3}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oalaadiffcmiemljnfmomjjcebjngi"=hex:64,61,6c,6f,61,6a,66,69,00,90

"oahjhlckcijamdbljagljdmkhojmac"=hex:69,61,66,6f,6d,66,61,6c,65,6b,63,68,6a,6c,

61,66,63,6d,00,00

"nanjoanhcfemdlefcdljfjieopno"=hex:6a,61,6b,6f,6a,6a,69,61,70,67,68,6f,62,70,

68,63,70,69,6e,6b,00,fd

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2fb03f69-b62a-4c63-bff6-423047d82f72}]

@Denied: (Full) (Everyone)

"Model"=dword:00000018

"Therad"=dword:00000018

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{37ed398b-d851-4f85-a38c-161088f26757}]

@Denied: (Full) (Everyone)

"Model"=dword:0000006e

"Therad"=dword:0000001e

"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,

38,95,44,a8,a5,91,e0,f3,36,42,6b,0e,19,9b,7e,c0,c3,5d,71,69,0b,ea,46,83,b4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):87,20,2c,b7,e7,a6,bd,92,66,b6,40,4b,27,ff,01,62,2f,e5,d9,9f,93,

7a,70,90,7e,05,21,9c,d9,50,0e,84,56,2a,29,64,f1,aa,12,46,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):04,98,4f,55,32,d3,04,4f,a2,7c,24,9e,b5,3f,ca,68,a3,3b,4e,1b,02,

e8,32,95,0e,37,1b,a5,a3,98,fb,2b,08,f9,53,49,4f,e0,c7,b0,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\


Remove Viewpoint Manager from Add/Remove Programs. It is adware-related foistware that is bundled with AOL and some other programs or preinstalled. Same goes for Bonjour, which comes bundled with iTunes and has no clear purpose.

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"= <===

These P2P programs put your computer at high risk of installing threats along with downloads. They are installed on your system with full firewall access rights:

c:\\Program Files\\eMule\\emule.exe

c:\\Program Files\\LimeWire\\LimeWire.exe

c:\\Program Files\\uTorrent\\uTorrent.exe

c:\program files\BitComet\BitComet.exe

I would advise you to remove them.

You have remnants of McAfee AV in your log:

2009-09-17 23:42 . 2007-04-16 03:32 -------- d-----w- c:\program files\McAfee <===

2009-09-15 01:36 . 2006-01-12 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee <===

You should use the McAfee Removal Tool:

http://service.mcafee.com/FAQDocument.aspx?id=TS100507

Your AVG8 is outdated - do you want to keep it? If not, uninstall it and download, install and run this highly rated antivirus called Antivir by Avira:

http://www.free-av.com/en/trialpay_downloa..._antivirus.html

Update it, and then run a complete system scan.

You have/had a keylogger installed on your system.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"application"="c:\program files\AKProg\AKProg.exe" [2009-01-11 522752] <===

I have entered it into your CFScript for removal. If you installed it and want to keep it, then do NOT run Combofix with the CFScript below and I will adjust it so the keylogger is excluded from removal.

Let me know please, only if you want to keep it.

We have items to clean up that we will manually specify for deletion by using a Combofix script.

Note: The script was created specifically for this user ONLY. Running this same script on a system that it is not intended for, could put your computer at serious risk.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

Save this to your desktop as CFScript.txt by selecting File -> Save as.


Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

KillAll::

Driver::

Viewpoint Manager Service

Bonjour Service

File::

c:\windows\system32\onhelp.htm

c:\docume~1\JJ\LOCALS~1\Temp\GUR2.tmp

c:\docume~1\JJ\LOCALS~1\Temp\lucene-ede5717dd3ebcaad15c9a07963bbb1f1-write.lock

Folder::

c:\program files\AKProg\

Registry::

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

"Source"=-

"FriendlyName"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"application"=-

RegNull::

[HKEY_USERS\S-1-5-21-2441737916-2716685914-562067877-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{765102BD-2A0B-43B4-1712-400C9E6AB5D3}*]

RegLockDel::

[HKEY_USERS\S-1-5-21-2441737916-2716685914-562067877-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{765102BD-2A0B-43B4-1712-400C9E6AB5D3}]

RegLock::

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2fb03f69-b62a-4c63-bff6-423047d82f72}]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{37ed398b-d851-4f85-a38c-161088f26757}]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\

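The reply above reaches its conclusions by reading the log by hand: firewall exceptions granted to P2P clients, Security Center monitoring switched off, the Windows Firewall disabled, an autostart under policies\Explorer\Run, and registry keys whose ACL denies Everyone. As an added example (not part of either post and not a ComboFix component), the Python script below applies those same checks mechanically to a ComboFix-style registry dump. The embedded log is a constructed excerpt condensed from the thread's own log; the list of P2P client names, the severity labels and the 1024 privileged-port cutoff are my own assumptions, chosen to illustrate the triage rather than taken from the page.

```python
"""Triage a ComboFix-style log for weakened host defences and suspicious
persistence. Added example; not the forum helper's script nor part of ComboFix."""
import re
from dataclasses import dataclass

# Constructed sample: a condensed excerpt of the registry sections seen in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51236:TCP"= 51236:TCP:BitComet 51236 TCP
"25:TCP"= 25:TCP:sc
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"application"="c:\program files\AKProg\AKProg.exe" [2009-01-11 522752]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2fb03f69-b62a-4c63-bff6-423047d82f72}]
@Denied: (Full) (Everyone)
"Model"=dword:00000018
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")          # [HKLM\...] header line
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')  # "name"= data

# Assumed list of P2P client names worth flagging when they hold firewall exceptions.
P2P_MARKERS = ("emule", "limewire", "utorrent", "bitcomet", "bittorrent", "kazaa", "ares")


@dataclass
class Finding:
    severity: str  # assumed scale: high / medium / low
    key: str       # registry key the line was found under
    detail: str


def parse_sections(text):
    """Group non-blank lines under the most recent [registry key] header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Run the checks the helper performed by hand and return the findings."""
    findings = []
    for key, lines in parse_sections(text).items():
        lkey = key.lower()
        for line in lines:
            m = VALUE_RE.match(line)
            name, data = (m.group(1), m.group(2).strip()) if m else (None, line)
            if "security center\\monitoring" in lkey and name == "DisableMonitoring" and data == "dword:00000001":
                findings.append(Finding("high", key, "Security Center monitoring disabled"))
            elif lkey.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and data.startswith("0"):
                findings.append(Finding("high", key, "Windows Firewall disabled for the standard profile"))
            elif "authorizedapplications" in lkey and name and any(p in name.lower() for p in P2P_MARKERS):
                findings.append(Finding("medium", key, f"P2P client authorised through the firewall: {name}"))
            elif "globallyopenports" in lkey and name:
                if "Disabled" in data:
                    continue  # rule present but switched off; nothing is listening through it
                port = int(name.split(":")[0])
                if port < 1024:  # assumed cutoff: inbound holes on privileged ports deserve a look
                    findings.append(Finding("medium", key, f"privileged port open inbound: {data}"))
                elif any(p in data.lower() for p in P2P_MARKERS):
                    findings.append(Finding("low", key, f"P2P listener open inbound: {data}"))
            elif "policies\\explorer\\run" in lkey and name:
                findings.append(Finding("high", key, f"policy-based autostart, a common persistence spot: {data}"))
            elif line.startswith("@Denied: (Full) (Everyone)"):
                findings.append(Finding("medium", key, "key ACL denies Everyone: self-protecting registry key"))
    return findings


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.detail}\n         at {f.key}")
```

Run against the real log, the same checks would also catch the McAfeeFirewall monitoring entry and the second BitComet (UDP) rule; the sample keeps one of each to stay short. The 25/TCP rule labelled "sc" is the kind of entry a helper should ask the user about, since an inbound SMTP exception on a home PC has no obvious legitimate owner.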
