
I can't run Malwarebytes at all. I can open it up and start a scan, but it closes after 3 seconds. Then when I try to open it again, nothing happens. I even tried renaming the startup files of MBAM and the install files when I reinstalled, but it still didn't work. My PC now can't access the internet; it always shows page load errors. I am on my other computer at the moment, so if there are any files I need to download, I can. Also, when I click My Computer there's this icon called Safety Center; it's also on my desktop. And if I don't boot my PC up in safe mode, "Safety Center" pops up. How do I remove this virus? Help is greatly appreciated. Thanks.


Thank you so much for the response, I really appreciate it. In the post I said my internet wasn't working; that was NOT related to the virus, if that makes a difference. I was just panicking; it's working now.

Running from: C:\Documents and Settings\frank\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\frank\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP15.tmp\ZAP15.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP17B.tmp\ZAP17B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25D.tmp\ZAP25D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP283.tmp\ZAP283.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A8.tmp\ZAP2A8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC8.tmp\ZAPC8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCD.tmp\ZAPCD.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CDIIWall3res\CDIIWall3res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ehome\de\de

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ehome\fr\fr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ehome\ja\ja

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ehome\ko\ko

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ehome\zh-chs\zh-chs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ie8updates\ie8updates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\microsoft.net\framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\microsoft.net\framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\DataColl\DataColl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pix_office_wall\pix_office_wall

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\Registration

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_A2.gif

[1] 2009-09-20 11:17:23 16917 C:\WINDOWS\TEMP\WMP54Gv4_A2.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I1.gif

[1] 2009-09-20 11:16:40 10791 C:\WINDOWS\TEMP\WMP54Gv4_I1.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I2.gif

[1] 2009-09-20 11:16:52 21024 C:\WINDOWS\TEMP\WMP54Gv4_I2.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S1.gif

[1] 2009-09-20 11:16:40 2139 C:\WINDOWS\TEMP\WMP54Gv4_S1.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

[1] 2009-09-20 11:16:43 4897 C:\WINDOWS\TEMP\WMP54Gv4_S2.gif ()

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Finished!
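Two kinds of entry in the log above are what the later fix acts on: mount points whose destination is a raw \Device\ path rather than the usual \??\ form, and a system file Win32kDiag could not open (eventlog.dll) whose size and empty company string differ from the ServicePackFiles copy. As an added example that is not part of this thread or of Win32kDiag, the following Python script parses a constructed sample in the same log format and flags both; the sample lines, the \??\ prefix rule and the function names are assumptions of this example.

```python
import re
from collections import OrderedDict

# Constructed sample in the Win32kDiag output format seen in this thread: two
# mount points with the rootkit's raw device target, one ordinary volume
# mount point, and two "Cannot access" groups. Not the thread's full log.
SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\mnt\data
Mount point destination : \??\Volume{2b1c5d2e-0000-0000-0000-100000000000}\
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_A2.gif
[1] 2009-09-20 11:17:23 16917 C:\WINDOWS\TEMP\WMP54Gv4_A2.gif ()
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] date time size path (company)"; the path may contain spaces and an
# empty "()" means the file carried no company/version resource.
FILE_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")


def parse_log(text):
    """Return (mount_points, groups): a list of (path, destination) pairs and
    a mapping from each inaccessible path to the file records listed under it."""
    mount_points, groups = [], OrderedDict()
    pending_mount = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            pending_mount = m.group(1)
        elif (m := DEST_RE.match(line)) and pending_mount is not None:
            mount_points.append((pending_mount, m.group(1)))
            pending_mount = None
        elif m := CANNOT_RE.match(line):
            current = m.group(1)
            groups[current] = []
        elif (m := FILE_RE.match(line)) and current is not None:
            groups[current].append({"size": int(m.group(3)),
                                    "path": m.group(4),
                                    "company": m.group(5)})
    return mount_points, groups


def suspicious_mount_points(mount_points):
    # Legitimate junctions and volume mount points resolve through the \??\
    # object-manager prefix (\??\C:\... or \??\Volume{GUID}\). A target placed
    # directly under \Device\, as in this thread's log, is how the rootkit hid
    # its storage, so any destination without that prefix is flagged.
    return [(p, d) for p, d in mount_points if not d.startswith("\\??\\")]


def check_inaccessible(groups):
    """Compare each file Win32kDiag could not open with the other copies of the
    same file name it listed (service-pack caches). A live copy whose size
    differs or whose company string is empty is 'modified'; a file with no
    reference copy is 'no_reference'."""
    results = []
    for target, records in groups.items():
        name = target.rsplit("\\", 1)[-1].lower()
        live = [r for r in records if r["path"].lower() == target.lower()]
        refs = [r for r in records if r["company"]
                and r["path"].lower() != target.lower()
                and r["path"].rsplit("\\", 1)[-1].lower() == name]
        if not live:
            results.append({"path": target, "verdict": "no_live_record"})
        elif not refs:
            results.append({"path": target, "verdict": "no_reference",
                            "live_size": live[0]["size"]})
        else:
            # Prefer the ServicePackFiles copy, the one restored later in the thread.
            ref = next((r for r in refs if "servicepackfiles" in r["path"].lower()),
                       refs[-1])
            modified = live[0]["size"] != ref["size"] or not live[0]["company"]
            results.append({"path": target, "live_size": live[0]["size"],
                            "verdict": "modified" if modified else "matches_reference",
                            "ref_size": ref["size"], "ref_path": ref["path"]})
    return results


if __name__ == "__main__":
    mps, grps = parse_log(SAMPLE_LOG)
    for finding in suspicious_mount_points(mps) + check_inaccessible(grps):
        print(finding)
```

Run against a real Win32kDiag.txt the same way; the .gif entries come out as "no_reference" because the tool lists no second copy to compare them with.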


Hi, bojadada :)

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Once finished, attempt to run Malwarebytes.



Running from: C:\Documents and Settings\frank\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\frank\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_A2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_A2.gif

[1] 2009-09-20 11:17:23 16917 C:\WINDOWS\TEMP\WMP54Gv4_A2.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I1.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_I1.gif

[1] 2009-09-20 11:16:40 10791 C:\WINDOWS\TEMP\WMP54Gv4_I1.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_I2.gif

[1] 2009-09-20 11:16:52 21024 C:\WINDOWS\TEMP\WMP54Gv4_I2.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S1.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_S1.gif

[1] 2009-09-20 11:16:40 2139 C:\WINDOWS\TEMP\WMP54Gv4_S1.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

[1] 2009-09-20 11:16:43 4897 C:\WINDOWS\TEMP\WMP54Gv4_S2.gif ()

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Finished!

Malwarebytes still closed 3 seconds into the scan. Also, whenever it closes, it is never able to run again; I have to reinstall it.


Hi, bojadada :)

Please follow these steps:

Step 1

Open a command prompt. (Start->Run, type CMD and click OK) At the prompt copy and paste the following commands and press Enter after each line:

Copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\

Exit

Step 2

Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here in your next reply.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Step 3

1. Please download The Avenger by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

Files to delete:
C:\WINDOWS\TEMP\WMP54Gv4_A2.gif
C:\WINDOWS\TEMP\WMP54Gv4_I1.gif
C:\WINDOWS\TEMP\WMP54Gv4_I2.gif
C:\WINDOWS\TEMP\WMP54Gv4_S1.gif
C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

Folders to delete:
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

Step 4

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 5

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix.
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt".

**Note: Do not mouse-click combo-fix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.


Running from: C:\Documents and Settings\frank\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\frank\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_A2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_A2.gif

[1] 2009-09-20 11:17:23 16917 C:\WINDOWS\TEMP\WMP54Gv4_A2.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I1.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_I1.gif

[1] 2009-09-20 11:16:40 10791 C:\WINDOWS\TEMP\WMP54Gv4_I1.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_I2.gif

[1] 2009-09-20 11:16:52 21024 C:\WINDOWS\TEMP\WMP54Gv4_I2.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S1.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_S1.gif

[1] 2009-09-20 11:16:40 2139 C:\WINDOWS\TEMP\WMP54Gv4_S1.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

[1] 2009-09-20 11:16:43 4897 C:\WINDOWS\TEMP\WMP54Gv4_S2.gif ()

Finished!



Ok, the first step I did wrong, so here's the new log. Avenger still does the script error thing, by the way.

Running from: C:\Documents and Settings\frank\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\frank\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_A2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_A2.gif

[1] 2009-09-20 11:17:23 16917 C:\WINDOWS\TEMP\WMP54Gv4_A2.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I1.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_I1.gif

[1] 2009-09-20 11:16:40 10791 C:\WINDOWS\TEMP\WMP54Gv4_I1.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_I2.gif

[1] 2009-09-20 11:16:52 21024 C:\WINDOWS\TEMP\WMP54Gv4_I2.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S1.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_S1.gif

[1] 2009-09-20 11:16:40 2139 C:\WINDOWS\TEMP\WMP54Gv4_S1.gif ()

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

[1] 2009-09-20 11:16:43 4897 C:\WINDOWS\TEMP\WMP54Gv4_S2.gif ()

Finished!


Make sure you do Step 1. The file must be copied to the root directory.

I changed the way the Avenger script is shown in the topic. Open Notepad. Select Format. Remove the checkmark from Word Wrap if present. Start copying the script from the word Begin, including the word, then all the way down.

Try the fix once again. Keep me posted.



Ok, here's the avenger.txt thing:

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)

Sun Sep 20 22:57:10 2009

22:57:10: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)

Sun Sep 20 22:57:20 2009

22:57:20: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)

Sun Sep 20 22:57:24 2009

22:57:24: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)

Sun Sep 20 22:57:57 2009

22:57:57: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)

Sun Sep 20 22:58:38 2009

22:58:38: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)

Sun Sep 20 23:02:16 2009

23:02:16: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)

Sun Sep 20 23:07:15 2009

23:07:15: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)

Sun Sep 20 23:07:17 2009

23:07:17: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)

Mon Sep 21 00:00:38 2009

00:00:38: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "aafmdgml" found!

Start Type: 3 (Manual)

Rootkit scan completed.

Error: could not open file "C:\WINDOWS\TEMP\WMP54Gv4_A2.gif"

Deletion of file "C:\WINDOWS\TEMP\WMP54Gv4_A2.gif" failed!

Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)

Error: could not open file "C:\WINDOWS\TEMP\WMP54Gv4_I1.gif"

Deletion of file "C:\WINDOWS\TEMP\WMP54Gv4_I1.gif" failed!

Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)

Error: could not open file "C:\WINDOWS\TEMP\WMP54Gv4_I2.gif"

Deletion of file "C:\WINDOWS\TEMP\WMP54Gv4_I2.gif" failed!

Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)

Error: could not open file "C:\WINDOWS\TEMP\WMP54Gv4_S1.gif"

Deletion of file "C:\WINDOWS\TEMP\WMP54Gv4_S1.gif" failed!

Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)

Error: could not open file "C:\WINDOWS\TEMP\WMP54Gv4_S2.gif"

Deletion of file "C:\WINDOWS\TEMP\WMP54Gv4_S2.gif" failed!

Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)

Error: folder "C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2" not found!

Deletion of folder "C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: folder "C:\WINDOWS\WinSxS\InstallTemp\InstallTemp" not found!

Deletion of folder "C:\WINDOWS\WinSxS\InstallTemp\InstallTemp" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.


Download RootRepeal from one of the following locations and save it to your desktop:

Link 1
Link 2
Link 3

  • Double click the RootRepeal desktop icon to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the Save Report button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the add-attachment icon to insert the attachment into your post


GAH. Whenever I try to start RootRepeal it says "could not read the boot sector, try adjusting disk access level in the options dialog". Then I click OK, then it says the same thing like 5 more times, then starts. Then when I start the scan, it only runs for a few seconds, then closes. Then when I try to start it again, it says Windows cannot find access to the specified device thing. What do I do?


Hi, bojadada :)

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


GMER 1.0.15.15087 - http://www.gmer.net

Rootkit quick scan 2009-09-21 16:02:36

Windows 5.1.2600 Service Pack 3

Running: dmhzymf1.exe; Driver: C:\DOCUME~1\frank\LOCALS~1\Temp\pxtdapod.sys

---- System - GMER 1.0.15 ----

SSDT spaa.sys ZwEnumerateKey [0xF7385CA2]

SSDT spaa.sys ZwEnumerateValueKey [0xF7386030]

Code 8A49E4F0 ZwFlushInstructionCache

Code 8A49EF4E ZwSaveKey

Code 8A49EF16 ZwSaveKeyEx

Code 8A5EE306 IofCallDriver

Code 8A4FBC96 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A67A1F8

Device \FileSystem\Fastfat \Fat 8A3EE1F8

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gasfkyfrqqbwql.sys (*** hidden *** ) [sYSTEM] gasfkyvbuyxeoo <-- ROOTKIT !!!

Service C:\WINDOWS\system32\GameMon.des (*** hidden *** ) [MANUAL] npggsvc <-- ROOTKIT !!!

Service system32\drivers\TDSSserv.sys (*** hidden *** ) [sYSTEM] TDSSserv <-- ROOTKIT !!!

Service system32\drivers\UACjmtdxjlmktkuflmij.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

If i need to do the other steps, tell me, I don't want to end up doing anything wrong.
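Reading a GMER log like the one above by hand means picking the SSDT hooks, inline "Code" patches and hidden services out of the noise. The parser below is an added example for this thread, not code from GMER or from the forum; it runs over a constructed excerpt that follows the same line layout as the log posted above. The allowlist of known-benign hidden services is an assumption for illustration: it holds only npggsvc, which the ComboFix log later in this thread lists as the nProtect GameGuard service, while the gasfky* and TDSSserv entries are left flagged.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in the layout of the GMER 1.0.15 log posted above (not the full log).
SAMPLE_GMER_LOG = r"""GMER 1.0.15.15087 - http://www.gmer.net
Rootkit quick scan 2009-09-21 16:02:36
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT spaa.sys ZwEnumerateKey [0xF7385CA2]
SSDT spaa.sys ZwEnumerateValueKey [0xF7386030]
Code 8A49E4F0 ZwFlushInstructionCache
Code 8A5EE306 IofCallDriver

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A67A1F8

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gasfkyfrqqbwql.sys (*** hidden *** ) [SYSTEM] gasfkyvbuyxeoo <-- ROOTKIT !!!
Service C:\WINDOWS\system32\GameMon.des (*** hidden *** ) [MANUAL] npggsvc <-- ROOTKIT !!!
Service system32\drivers\TDSSserv.sys (*** hidden *** ) [SYSTEM] TDSSserv <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

# Assumed allowlist for illustration: npggsvc is the nProtect GameGuard anti-cheat
# service (it hides itself by design); a real allowlist is maintained from vendor data.
KNOWN_BENIGN_HIDDEN_SERVICES = {"npggsvc"}

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<symbol>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
CODE_RE = re.compile(r"^Code\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<symbol>\w+)")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+"
    r"\[(?P<start>\w+)\]\s+(?P<name>\S+)(?P<flag>\s+<-- ROOTKIT !!!)?\s*$"
)


@dataclass
class Hook:
    kind: str      # "SSDT" (service table entry redirected) or "Code" (inline patch)
    symbol: str    # kernel export that was hooked
    address: int   # where the hook points / where the patch lives
    module: str    # module GMER attributes the hook to ("" for inline patches)


@dataclass
class HiddenService:
    name: str
    image_path: str
    start_type: str
    flagged: bool  # True when GMER appended "<-- ROOTKIT !!!"


def parse_gmer_log(text: str) -> Dict[str, list]:
    """Pull SSDT hooks, inline code hooks and hidden services out of a GMER text log."""
    ssdt: List[Hook] = []
    inline: List[Hook] = []
    services: List[HiddenService] = []
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            ssdt.append(Hook("SSDT", m["symbol"], int(m["addr"], 16), m["module"]))
        elif m := CODE_RE.match(line):
            inline.append(Hook("Code", m["symbol"], int(m["addr"], 16), ""))
        elif m := SERVICE_RE.match(line):
            services.append(HiddenService(m["name"], m["path"], m["start"].upper(),
                                          m["flag"] is not None))
    return {"ssdt_hooks": ssdt, "inline_hooks": inline, "hidden_services": services}


def suspicious_services(findings: Dict[str, list]) -> List[str]:
    """Names of hidden services that GMER flagged and that are not on the benign allowlist."""
    return [s.name for s in findings["hidden_services"]
            if s.flagged and s.name.lower() not in KNOWN_BENIGN_HIDDEN_SERVICES]


def summarize(findings: Dict[str, list]) -> List[str]:
    """Human-readable triage lines, in the order an analyst would read them."""
    out = [f"{len(findings['ssdt_hooks'])} SSDT hook(s), "
           f"{len(findings['inline_hooks'])} inline code hook(s), "
           f"{len(findings['hidden_services'])} hidden service(s)"]
    for h in findings["ssdt_hooks"]:
        out.append(f"SSDT {h.symbol} -> {h.module} @ 0x{h.address:08X}")
    for name in suspicious_services(findings):
        svc = next(s for s in findings["hidden_services"] if s.name == name)
        out.append(f"HIDDEN SERVICE {svc.name} ({svc.start_type}) image {svc.image_path}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_gmer_log(SAMPLE_GMER_LOG)):
        print(line)
```

The service entries are the strong signal here: a service that the registry hides from normal enumeration is either a rootkit or software that deliberately behaves like one, which is why the allowlist matters. SSDT hooks attributed to a named module are not a verdict by themselves; the module still has to be identified before deciding whether the hook is hostile.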


By "the scan your system prompt" you mean this, right? "GMER has found a system modification which might have been caused by ROOTKIT activity. Do you want to fully scan your system?" And if I press No, do I do all those steps afterward or just the log?

Yes. Do not allow it to scan. Click on No, then select the rootkit tab, save and post the report.


Hi, bojadada :)

I am going to try to kill the rootkits.

If you haven't downloaded Combofix, please do (see Post #8). Make sure it is saved on the desktop.

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, open the folder and click on RunMe.bat. The MS-DOS window will be displayed for a few seconds and the computer will restart. Upon restart, click on Combo-Fix and follow its instructions in Post #8.


ComboFix 09-09-20.04 - frank 09/21/2009 21:47.2.1 - NTFSx86 NETWORK

Running from: c:\documents and settings\frank\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\frank\Start Menu\Programs\Download programs.url

c:\documents and settings\frank\Start Menu\Programs\Games.url

c:\documents and settings\frank\Start Menu\Programs\Translator.url

c:\documents and settings\frank\Start Menu\Programs\Videos.url

C:\LOG1.tmp

C:\LOG1C.tmp

C:\LOG2.tmp

C:\LOG3.tmp

C:\LOG4.tmp

C:\LOG5.tmp

C:\LOG55.tmp

C:\LOGE.tmp

c:\program files\SafetyCenter

c:\program files\SafetyCenter\main.ico

c:\program files\SafetyCenter\new.exe

c:\program files\SafetyCenter\protector.exe

c:\program files\SafetyCenter\sound.wav

c:\program files\SafetyCenter\start.exe

c:\program files\SafetyCenter\uninstall.exe

c:\program files\Search Settings

c:\program files\Search Settings\kb125\res\ErrorPageTemplate.css

c:\program files\Search Settings\kb125\res\help.gif

c:\program files\Search Settings\kb125\res\pixel.gif

c:\program files\Search Settings\kb125\res\tab_icon.png

c:\program files\Search Settings\kb125\res\tabdata.js

c:\program files\Search Settings\kb125\res\tablib.js

c:\program files\Search Settings\kb125\res\tabwelcome_en.html

c:\program files\Search Settings\kb125\res\Thumbs.db

c:\program files\Search Settings\kb125\res\toolbar_background.gif

c:\program files\Search Settings\kb125\res\vista_directions.png

c:\program files\Search Settings\kb125\res\xp_directions.png

c:\program files\Search Settings\kb125\res\yahoo_search.gif

c:\program files\Search Settings\SearchSettings.exe

c:\program files\WinPCap

c:\program files\WinPCap\daemon_mgm.exe

c:\program files\WinPCap\INSTALL.LOG

c:\program files\WinPCap\NetMonInstaller.exe

c:\program files\WinPCap\npf_mgm.exe

c:\program files\WinPCap\rpcapd.exe

c:\program files\WinPCap\Uninstall.exe

c:\windows\Install.txt

c:\windows\Installer\a8a66.msi

c:\windows\Installer\WMEncoder.msi

c:\windows\msa.exe

c:\windows\system32\certcl.dll

c:\windows\system32\drivers\gasfkyfrqqbwql.sys

c:\windows\system32\drivers\npf.sys

c:\windows\system32\drivers\UACd.sys

c:\windows\system32\gasfkyalqppeyx.dat

c:\windows\system32\gasfkyaxxtprum.dat

c:\windows\system32\gasfkycbviitre.dat

c:\windows\system32\gasfkyjxrnmcxn.dll

c:\windows\system32\gasfkylothujof.dll

c:\windows\system32\gasfkylpspypes.dll

c:\windows\system32\gasfkymivkbpfq.dat

c:\windows\system32\gasfkynshwiosv.dll

c:\windows\system32\gasfkywhkwkbxd.dll

c:\windows\system32\Install.txt

c:\windows\system32\minix32.exe

c:\windows\system32\net.net

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\UACbhxuhlbqlsaynbiiv.db

c:\windows\system32\UACqpqjbndeulhliyyue.dat

c:\windows\system32\uactmp.db

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

c:\windows\thesetting.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_gasfkyvbuyxeoo

-------\Legacy_gasfkyvbuyxeoo

-------\Legacy_6TO4

-------\Legacy_BFGSE244

-------\Legacy_NETCARD

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Service_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))

.

2009-09-21 20:42 . 2009-09-21 20:42 288768 ----a-w- C:\dmhzymf1.exe

2009-09-21 11:59 . 2009-09-21 11:59 34816 ----a-w- c:\windows\system32\drivers\rootrepeal_2.sys

2009-09-21 04:06 . 2008-04-14 00:11 56320 ----a-w- C:\eventlog.dll

2009-09-20 20:31 . 2009-09-20 20:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-20 15:44 . 2009-09-21 05:14 -------- d-----w- c:\program files\imabunny

2009-09-20 11:44 . 2009-09-20 11:44 2198 ----a-w- C:\Z3gR5.bat

2009-09-20 02:55 . 2009-09-22 01:59 0 ----a-r- c:\windows\win32k.sys

2009-09-20 02:54 . 2009-09-20 02:54 -------- d-----w- C:\spoolerlogs

2009-09-15 13:55 . 2009-09-15 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-13 13:55 . 2009-09-13 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2009-09-13 13:55 . 2009-09-13 13:55 -------- d-----w- c:\program files\McAfee Security Scan

2009-09-10 02:08 . 2004-03-29 21:23 90112 ----a-w- c:\windows\unvise32.exe

2009-09-09 22:57 . 2007-02-20 21:04 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe

2009-09-09 22:56 . 2007-02-20 21:04 2463976 ----a-w- c:\windows\system32\NPSWF32.dll

2009-09-09 22:25 . 2009-09-09 22:25 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-09-09 02:23 . 2009-09-09 02:45 -------- d-----w- c:\documents and settings\frank\Local Settings\Application Data\Cyberlink

2009-09-09 02:22 . 2009-09-09 02:22 -------- d-----w- c:\documents and settings\frank\Application Data\CyberLink

2009-09-09 02:20 . 2009-09-09 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink

2009-09-09 02:20 . 2009-09-09 02:20 -------- d-----w- c:\program files\Common Files\CyberLink

2009-09-09 02:19 . 2009-09-09 02:20 -------- d-----w- c:\program files\CyberLink

2009-09-09 02:18 . 2009-09-09 02:16 29480 ----a-w- c:\windows\system32\msxml3a.dll

2009-09-09 00:43 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-08 19:45 . 2009-09-08 19:45 -------- d-----w- c:\program files\Bonjour

2009-09-06 13:08 . 2009-09-06 13:08 -------- d-----w- c:\program files\WinSCP

2009-08-29 02:00 . 2009-08-29 02:00 27640 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-26 23:03 . 2009-08-26 23:03 -------- d-----w- c:\documents and settings\frank\Local Settings\Application Data\vdownloader

2009-08-26 23:02 . 2009-08-26 23:02 -------- d-----w- c:\program files\VDOWNLOADER

2009-08-26 02:03 . 2009-08-26 02:11 -------- d-----w- c:\program files\Project64 1.6

2009-08-26 01:31 . 2009-08-26 01:31 -------- d-----w- c:\documents and settings\frank\Application Data\Webcammax

2009-08-26 01:31 . 2009-08-07 06:42 1053056 ----a-w- c:\windows\system32\drivers\CAMTHWDM.sys

2009-08-26 01:02 . 2009-08-26 01:02 -------- d-----w- c:\program files\Windows Media Components

2009-08-25 23:18 . 2009-08-26 01:43 -------- d-----w- c:\documents and settings\frank\Local Settings\Application Data\Procaster

2009-08-25 23:18 . 2009-08-25 23:18 -------- d-----w- c:\program files\Livestream Procaster

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-22 01:56 . 2007-11-10 21:06 -------- d-----w- c:\documents and settings\frank\Application Data\DMCache

2009-09-21 11:57 . 2009-01-04 05:54 -------- d-----w- c:\documents and settings\frank\Application Data\IDM

2009-09-20 16:13 . 2008-04-11 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-09-20 00:48 . 2009-06-11 18:53 -------- d-----w- c:\documents and settings\frank\Application Data\uTorrent

2009-09-19 18:40 . 2008-10-30 03:05 -------- d-----w- c:\documents and settings\frank\Application Data\LimeWire

2009-09-19 04:23 . 2007-12-30 05:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-14 11:55 . 2008-07-09 08:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-09-14 11:52 . 2009-08-03 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\14377504

2009-09-10 01:06 . 2008-02-04 01:11 -------- d-----w- c:\program files\Common Files\Adobe

2009-09-09 23:14 . 2007-10-21 14:26 27640 ----a-w- c:\documents and settings\frank\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-09 11:45 . 2008-06-10 19:09 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-09 02:20 . 2002-05-13 05:29 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-09 02:16 . 2006-09-29 00:53 505128 ----a-w- c:\windows\system32\msvcp71.dll

2009-09-08 00:28 . 2008-08-21 03:35 -------- d-----w- c:\documents and settings\frank\Application Data\ATI MMC

2009-09-06 01:34 . 2008-12-30 03:25 -------- d-----w- c:\program files\TightVNC

2009-08-23 23:37 . 2009-08-15 18:53 -------- d-----w- c:\program files\AskBarDis

2009-08-20 01:21 . 2008-08-24 16:38 -------- d-----w- c:\documents and settings\frank\Application Data\Publish Providers

2009-08-18 23:18 . 2008-08-11 22:29 -------- d-----w- c:\program files\Paint.NET

2009-08-18 20:56 . 2009-01-04 05:54 -------- d-----w- c:\program files\Internet Download Manager

2009-08-15 19:03 . 2009-07-16 17:53 -------- d-----w- c:\program files\LimeWire

2009-08-15 18:58 . 2008-12-29 17:44 -------- d-----w- c:\documents and settings\frank\Application Data\FrostWire

2009-08-12 06:58 . 2009-08-12 06:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

2009-08-09 22:21 . 2009-02-23 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame

2009-08-09 22:15 . 2009-08-09 22:15 -------- d-----w- c:\program files\NHN USA

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-05 05:13 . 2009-08-05 05:13 -------- d-----w- c:\program files\vReveal

2009-08-05 05:11 . 2009-08-04 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\MotionDSP

2009-08-04 08:19 . 2007-11-01 02:49 3928 ----a-w- c:\windows\system32\d3d9caps.dat

2009-07-30 06:39 . 2009-07-28 19:57 -------- d-----w- c:\documents and settings\frank\Application Data\DVD Flick

2009-07-28 20:51 . 2008-02-10 06:23 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2009-07-28 20:49 . 2009-06-04 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2009-07-28 20:46 . 2007-12-15 20:11 -------- d-----w- c:\program files\Yahoo!

2009-07-28 20:46 . 2009-07-26 02:40 -------- d-----w- c:\program files\Winamp

2009-07-28 20:35 . 2009-06-23 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Tencent

2009-07-28 20:12 . 2008-02-24 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro

2009-07-28 20:10 . 2009-07-15 05:00 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-07-28 19:55 . 2009-07-28 19:55 -------- d-----w- c:\program files\DVD Flick

2009-07-26 02:02 . 2009-07-09 20:50 -------- d-----w- c:\program files\MagicISO

2009-07-26 01:30 . 2009-07-26 01:06 -------- d-----w- c:\program files\Mp3 File Editor

2009-07-26 01:30 . 2009-07-26 00:54 -------- d-----w- c:\program files\Coding Workshop Ringtone Converter

2009-07-26 00:49 . 2009-07-26 00:43 -------- d-----w- c:\documents and settings\frank\Application Data\Ringtone

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-12 17:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-11 05:52 . 2009-07-11 05:52 164 ----a-w- c:\windows\install.dat

2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2008-11-10 02:42 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-27 03:21 . 2009-06-27 03:21 34 ----a-w- c:\documents and settings\frank\jagex_runescape_preferences.dat

2009-02-14 02:08 . 2009-02-14 02:08 36868 ----a-w- c:\program files\uninst-Particular.exe

2008-09-22 23:13 . 2008-09-22 23:13 3676 ----a-w- c:\program files\libb.txt

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2008-09-09 03:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-11 68856]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-28 288048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-05-25 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-05-25 126976]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"Livestream Procaster"="c:\program files\Livestream Procaster\Procaster.exe" [2009-08-10 6169888]

"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-04-28 87336]

"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]

"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-05-08 75048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"GrpConv"="grpconv -o" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]

backup=c:\windows\pss\Belkin Wireless USB Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IEEE 802.11g Wireless LAN Utility.lnk]

backup=c:\windows\pss\IEEE 802.11g Wireless LAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTrackerPro.lnk]

backup=c:\windows\pss\VersionTrackerPro.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZDWLan Utility.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ZDWLan Utility.lnk

backup=c:\windows\pss\ZDWLan Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^frank^Start Menu^Programs^Startup^find.lnk]

path=c:\documents and settings\frank\Start Menu\Programs\Startup\find.lnk

backup=c:\windows\pss\find.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^frank^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^frank^Start Menu^Programs^Startup^Xfire.lnk]

backup=c:\windows\pss\Xfire.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bbbq

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ecsu

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Router

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xInsIDE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Viewpoint Manager Service"=2 (0x2)

"PnkBstrA"=2 (0x2)

"NVSvc"=2 (0x2)

"gusvc"=2 (0x2)

"AresChatServer"=3 (0x3)

"usnjsvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\ijji\\ENGLISH\\u_gunz.exe"=

"c:\\ijji\\ENGLISH\\Gunz\\GunzLauncher.exe"=

"c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\java.exe"=

"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/09/08 21:20];c:\program files\CyberLink\PowerDVD9\000.fcl [2009-05-08 02:05 87536]

R2 BT848;Conexant's BtPCI WDM Video Capture;c:\windows\system32\DRIVERS\BT848.sys [2008-08-21 371349]

R3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2005-06-09 20608]

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2741114]

R3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\Drivers\pixmcvc.sys [2002-09-28 32000]

R3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\Drivers\pixmcva.sys [2002-10-03 28057]

R3 PsSdk30;PsSdk30;c:\windows\system32\Drivers\PsSdk30.drv [x]

R3 PsSdk41;PsSdk41;c:\windows\system32\Drivers\pssdk41.sys [2009-02-01 36928]

R3 rootrepeal_2;rootrepeal_2;c:\windows\system32\drivers\rootrepeal_2.sys [2009-09-21 34816]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2008-02-16 333328]

R3 TNET1130;802.11 WLAN;c:\windows\system32\DRIVERS\tnet1130.sys [2004-03-11 385536]

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\DRIVERS\libusb0.sys [2007-03-20 28672]

.

Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-21 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-11 21:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

Trusted Zone: download.com

FF - ProfilePath - c:\documents and settings\frank\Application Data\Mozilla\Firefox\Profiles\5ba8cl8l.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Ask

FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=101676&l=null

FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=

FF - component: c:\documents and settings\frank\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

pref(dom.disable_open_during_load, true);.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

BHO-{839B7FCC-AF60-4F24-8810-68AC63C00D87} - c:\windows\TEMP\~775.dll

BHO-{E761C7F0-372D-4745-9EBA-EDE8706464E1} - c:\windows\system32\certcl.dll

WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)

HKLM-Run-net - c:\windows\system32\net.net

HKLM-RunOnce-SafetyCenter - c:\program files\SafetyCenter\start.exe

HKLM-RunOnce-<NO NAME> - (no file)

HKU-Default-Run-inixs - c:\windows\system32\minix32.exe

AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe

AddRemove-ijji.com - c:\ijji\ENGLISH\ijjiUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-21 22:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]

"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk30.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-838170752-682003330-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-842925246-838170752-682003330-1002\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:bd,22,4d,bd,de,21,14,00,04,a2,c5,eb,39,42,b6,c4,c9,c8,7d,14,c0,d6,56,

d6,fc,9a,99,a8,76,fb,ee,ec,9d,1c,3c,24,ad,16,fc,93,6a,57,4e,db,bb,c8,38,ca,\

"??"=hex:cb,9b,6f,95,ed,7a,47,f1,74,59,8d,b9,89,10,c6,32

[HKEY_USERS\S-1-5-21-842925246-838170752-682003330-1002\Software\SecuROM\License information*]

"datasecu"=hex:7b,d3,e8,15,e1,c2,83,ed,1a,9d,92,5d,84,d9,8e,c7,f5,88,fc,a1,d3,

d0,b0,dc,6e,14,9b,1b,2b,73,b8,c2,ce,38,9b,cb,9b,72,94,43,16,39,f0,c1,b3,ad,\

"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):ac,00,bf,82,d3,6b,fc,67,f4,10,6e,b8,8c,89,1e,a7,34,74,c8,72,4e,

2b,99,02,7c,6b,f6,35,87,b9,cb,cb,80,4d,b7,b2,0d,2f,87,ac,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):15,b9,51,9f,c7,79,22,f8,c9,49,ba,b4,0f,d0,8f,1c,af,b9,df,fc,c9,

88,5a,d5,48,b0,37,89,85,96,31,e6,05,c1,25,42,b1,d7,6e,fc,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{aa6279fb-5e09-4952-bc56-80b38e207d0e}]

@Denied: (Full) (Everyone)

"Model"=dword:000000c7

"Therad"=dword:0000001e

"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,

38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{d2b6a2da-c665-4ae0-8b22-85d608beefb0}]

@Denied: (Full) (Everyone)

"Model"=dword:00000046

"Therad"=dword:00000016

"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,98,07,ff,fc,5d,

df,1c,2f,3b,8a,0a,32,11,89,01,b5,6d,9f,a7,15,73,5b,47,26,c9,1f,29,12,41,42,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(508)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

.

**************************************************************************

.

Completion time: 2009-09-22 22:19 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-22 03:19

ComboFix2.txt 2008-02-20 05:53

Pre-Run: 2,937,659,392 bytes free

Post-Run: 2,933,198,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /NOGUIBOOT

424 --- E O F --- 2009-09-09 08:04


Hi, bojadada :)

Success!

If your current copy fails to run, please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please run the F-Secure Online Scanner

Note: You must use Internet Explorer for this scan!

  • Accept the License Agreement.
  • Once the ActiveX installs click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.

