
Can only start in Safe Mode NEED HELP PLEASE


shakymom


Seriously infected! MWB and HJT will not start and my virus software is affected. I was able to stop UAC.exe, then Windows Police Pro took over. I disabled the internet connection, and the virus software automatically blocked a buffer overflow in C:\windows\system32\services.exe, then blocked and removed the FakeAlert-DZ trojan windows\system32\bezuyiza.exe and the same thing with zdekare.exe. Then I got a message that services.exe terminated unexpectedly and the system was being shut down and restarted by NT Authority/System, status code 1073741819. Now the system will only start in Safe Mode. If I try to access System Restore, the message says it has been turned off by group policy? Please help. Thanks!


Okay, good, that explains a lot.

1. Please download The Avenger2 by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.


Found instructions by Advanced Setup on how to kill Total Security. :D

Downloaded Process Explorer and killed 12498237.exe process :D

Total Security Disappeared from Systray and popups stopped. :D

After several attempts ComboFix ran and completed. Logs attached.

HJT still will not run "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." :(

Reinstalled Malwarebytes and ran quickscan. Logs attached.

Ever so appreciative of your help! Love this forum (=

ComboFix.txt

mbam_log_2009_09_30__20_49_42_.txt


Download the attached file CFScript.txt to your Desktop

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note: Please do not use this script on another computer; you may damage the system. The script is made especially for this user's computer only!!!!

=============================================

  • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
  • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
  • Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

==============================================

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

    KasReport.png

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

CFScript.txt


Ran ComboFix as instructed with CFScript.

To run ComboFix I couldn't disable the McAfee virus software. I noticed it was not scanning: it was scheduled to run daily but has not scanned since 9/18, and I could not start a scan. I got an error message, so I uninstalled McAfee. It was free through my ISP, but I liked AVG better.

ComboFix 09-10-01.05 - Drew 10/02/2009 14:02.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.198 [GMT -5:00]

Running from: c:\documents and settings\Drew\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Drew\Desktop\CFScript.txt

.

((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))

.

2009-09-25 17:11 . 2009-09-25 17:11 -------- d-----w- c:\program files\Trend Micro

2009-09-25 17:03 . 2009-09-25 17:03 0 ----a-w- c:\documents and settings\Drew\settings.dat

2009-09-22 22:37 . 2009-09-22 22:37 -------- d-sh--w- c:\documents and settings\Drew\IECompatCache

2009-09-18 13:43 . 2009-09-18 13:43 -------- d-sh--w- c:\documents and settings\Drew\PrivacIE

2009-09-17 17:48 . 2009-09-17 17:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-09-17 14:10 . 2009-09-17 14:10 -------- d-sh--w- c:\documents and settings\Drew\IETldCache

2009-09-17 14:03 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-09-17 14:02 . 2009-09-17 14:03 -------- d-----w- c:\windows\ie8updates

2009-09-17 14:01 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-09-17 14:01 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-09-17 13:58 . 2009-09-17 14:01 -------- dc-h--w- c:\windows\ie8

2009-09-10 14:38 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-02 18:59 . 2009-01-21 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-10-02 13:05 . 2009-01-22 17:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-10-01 18:19 . 2008-01-27 22:39 -------- d-----w- c:\documents and settings\Drew\Application Data\U3

2009-10-01 01:40 . 2009-06-05 14:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-01 01:09 . 2009-07-01 01:08 50688 --sha-w- c:\windows\system32\zugowuva.dll

2009-09-11 15:37 . 2006-10-16 13:22 -------- d-----w- c:\program files\Java

2009-09-10 19:54 . 2009-06-05 14:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 19:53 . 2009-06-05 14:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-04 13:02 . 2006-10-16 13:33 126096 ----a-w- c:\documents and settings\Drew\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-25 15:06 . 2008-01-06 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-25 10:23 . 2009-02-02 17:01 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-08 18:44 . 2009-01-21 14:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-07-08 18:44 . 2009-01-21 14:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-07-08 18:44 . 2009-01-21 14:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-07-08 18:44 . 2009-01-21 14:51 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-07-08 18:43 . 2009-01-21 14:51 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-10-01_01.28.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-10-02 19:08 . 2009-10-02 19:08 16384 c:\windows\temp\Perflib_Perfdata_650.dat

+ 2006-10-16 13:16 . 2009-10-02 17:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2006-10-16 13:16 . 2009-09-28 00:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-10-01 01:35 . 2009-10-02 17:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2006-10-16 13:16 . 2009-09-28 00:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]

"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2004-08-04 77891]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-07-13 49152]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-08-16 90112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-16 745472]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-12-11 221247]

Belkin Wireless Utility.lnk - c:\program files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [2005-8-18 1388544]

Scanner File Utility.lnk - c:\program files\Kyocera\FileUtility\NsCatCom.exe [2008-1-28 327680]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Kyocera\\FileUtility\\NsCatCom.exe"=

R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [1/28/2008 1:49 PM 463872]

R3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [4/21/2004 5:51 PM 16384]

S0 seua;seua;c:\windows\system32\drivers\nnskip.sys --> c:\windows\system32\drivers\nnskip.sys [?]

S2 usbdriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

USBDriver

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://att.yahoo.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: turbotax.com

.

- - - - ORPHANS REMOVED - - - -

BHO-{d51f78a4-b4df-406f-9d1e-24c82809d43c} - tugokubu.dll

SafeBoot-mcmscsvc

SafeBoot-MCODS

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-02 14:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,af,f7,ae,f1,e2,0e,4c,a5,e7,1e,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,af,f7,ae,f1,e2,0e,4c,a5,e7,1e,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2596)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\progra~1\Yahoo!\browser\ycommon.exe

c:\windows\system32\usrshuta.exe

c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe

c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-10-02 14:11 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-02 19:11

ComboFix2.txt 2009-10-01 01:33

Pre-Run: 63,608,459,264 bytes free

Post-Run: 63,586,062,336 bytes free

163 --- E O F --- 2009-09-17 22:01

Still cannot get HJT to run. I have tried uninstalling and downloading a fresh copy. I still get the error message "Windows cannot access the specified device, path, or file..."

Also ran win32kdiag

Running from: C:\Documents and Settings\Drew\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Drew\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13F.tmp\ZAP13F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13F.tmp\ZAP13F.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP329.tmp\ZAP329.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP329.tmp\ZAP329.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP406.tmp\ZAP406.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP406.tmp\ZAP406.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP43D.tmp\ZAP43D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP43D.tmp\ZAP43D.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\CAVTemp\CAVTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CAVTemp\CAVTemp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Finished!

Off to run Kaspersky.....


Download regsrch.zip to your Desktop.

1. Unzip the contents of RegSrch.zip to a convenient location.

2. Double-click on RegSrch.vbs.

3. If you have an anti-virus installed it might prompt you about a running script.

4. Please ignore this warning and allow the script to run.

5. In the "Enter search string (case insensitive) and click OK..." box, paste this string:

USBDriver

6. Click "OK" to search the registry for that string.

7. Wait for a few minutes while it completes the search.

8. Click "OK" to open the results in WordPad.

9. Copy and paste the entire results into your next post.


Here is the Kaspersky log:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Friday, October 2, 2009

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Friday, October 02, 2009 13:17:25

Records in database: 2889641

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

Scan statistics:

Objects scanned: 59405

Threats found: 12

Infected objects found: 30

Suspicious objects found: 0

Scan duration: 01:51:54

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\ddqud.exe.vir Infected: Trojan.Win32.Sasfis.iop 1

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\12793124\12793124.exe.vir Infected: Packed.Win32.Krap.x 1

C:\Qoobox\Quarantine\C\Documents and Settings\Drew\Application Data\lizkavd.exe.vir Infected: Trojan.Win32.FraudPack.udx 1

C:\Qoobox\Quarantine\C\Documents and Settings\Drew\Application Data\seres.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fri 1

C:\Qoobox\Quarantine\C\Documents and Settings\Drew\Application Data\svcst.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fri 1

C:\Qoobox\Quarantine\C\hxlqib.exe.vir Infected: Backdoor.Win32.Bredavi.jk 1

C:\Qoobox\Quarantine\C\pkusq.exe.vir Infected: Trojan.Win32.Scar.ygu 1

C:\Qoobox\Quarantine\C\Program Files\Protection System\uninstall.exe.vir Infected: Packed.Win32.TDSS.y 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\desot.exe.vir Infected: Trojan.Win32.FraudPack.ulp 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\difajowu.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\54d82e49.sys.vir Infected: Backdoor.Win32.NewRest.gh 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_54d82e49_.sys.zip Infected: Backdoor.Win32.NewRest.gh 2

C:\Qoobox\Quarantine\C\WINDOWS\system32\fimijole.exe.vir Infected: Packed.Win32.Krap.x 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\gafilumu.exe.vir Infected: Packed.Win32.Krap.x 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\hefihiru.dll.tmp.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\jobavito.dll.tmp.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\kavumefe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\kenahozi.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.wsnf 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\lewadiye.dll.tmp.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\raferafo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\tadebava.exe.vir Infected: Packed.Win32.Krap.x 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbprpuwjnde.dll.vir Infected: Packed.Win32.TDSS.y 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbqbiouojwu.dll.vir Infected: Packed.Win32.TDSS.y 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACltmwmpjcrt.dll.vir Infected: Packed.Win32.TDSS.y 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\venaluwe.exe.vir Infected: Packed.Win32.Krap.x 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\wscsvc32.exe.vir Infected: Packed.Win32.TDSS.y 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\yizodonu.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1

C:\Qoobox\Quarantine\C\yhjj.exe.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1

C:\WINDOWS\system32\zugowuva.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1

Selected area has been scanned.

Next performing RegSrch.vbs


Go to Start ---> Run ---> type regedit and press Enter.

Navigate to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

Right-click on the key.

Choose Export.

Save it as export.txt to your desktop.

Make sure "Save as type" is .reg.

In your next reply, please post the contents of the export. If it's too large, just attach it. Thanks


Here it is:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver]

"Type"=dword:00000020

"Start"=dword:00000002

"ErrorControl"=dword:00000000

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

"DisplayName"="USBDriver"

"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver\parameters]

"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\

00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,00,67,00,\

70,00,77,00,78,00,69,00,6c,00,76,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver\security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\

00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\

00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\

05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\

20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\

00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\

00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver\Enum]

"0"="Root\\legacy_usbdriver\\0000"

"Count"=dword:00000001

"NextInstance"=dword:00000001

Thanks

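The export above is the whole story of this infection in registry form, but the two values that matter (ImagePath and ServiceDll) are stored as hex(2), i.e. UTF-16LE bytes, so they are unreadable as posted. The script below is an added example, not code from this thread or from any of the tools it uses: it decodes a .reg export and runs the checks a responder would apply to an unfamiliar service key. The REG_EXPORT string is the usbdriver export posted above, embedded with regedit's two-space continuation indent so the script runs offline; the "8 random lowercase letters" pattern is taken from the file names in the quarantine list earlier in the thread. The same logic explains the later ComboFix lines "S2 usbdriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs" and "Svchost - NetSvcs / USBDriver": the service is a DLL loaded into a shared svchost process, not a driver.

```python
"""Decode a regedit .reg export of a service key and flag svchost-hosted
services shaped like the usbdriver key posted above.  Added example, not
code from this thread; REG_EXPORT is the posted export, embedded inline."""
import re

# Constructed input: the export posted above, with regedit's two-space continuation indent.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="USBDriver"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver\parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,00,67,00,\
  70,00,77,00,78,00,69,00,6c,00,76,00,2e,00,64,00,6c,00,6c,00,00,00
"""

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Eight random lowercase letters: the naming pattern of the files quarantined earlier in this thread.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _join_continuations(text):
    """Rejoin lines that regedit split with a trailing backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            out.append(buf + line)
            buf = ""
    return out


def decode_value(raw):
    """Turn one regedit value literal into str / int / bytes / list."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        return raw
    kind = int(m.group(1)) if m.group(1) else 3          # bare "hex:" is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind in (1, 2):                                    # REG_SZ / REG_EXPAND_SZ are UTF-16LE
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == 7:                                         # REG_MULTI_SZ: NUL-separated strings
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: decoded value}}."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if current is not None and m:
            keys[current][m.group(1) or "@"] = decode_value(m.group(2))
    return keys


def analyse_service(keys, name):
    """Checks a responder would run on an unfamiliar service key (key names matched case-insensitively)."""
    lower = {k.lower(): v for k, v in keys.items()}
    svc = lower.get(f"{SERVICES_ROOT}\\{name}".lower(), {})
    params = lower.get(f"{SERVICES_ROOT}\\{name}\\parameters".lower(), {})
    image = str(svc.get("ImagePath", ""))
    host = re.search(r"svchost\.exe\s+-k\s+(\S+)", image, re.I)
    dll = str(params.get("ServiceDll", ""))
    dll_name = dll.rsplit("\\", 1)[-1].lower()
    display = str(svc.get("DisplayName", ""))
    hosted = bool(host and dll)
    random_name = RANDOM_NAME.match(dll_name) is not None
    # Type 0x20 is SERVICE_WIN32_SHARE_PROCESS; a real driver would be 0x1 or 0x2.
    fake_driver = svc.get("Type") == 0x20 and "driver" in display.lower()
    findings = []
    if hosted:
        findings.append(f"hosted by svchost group '{host.group(1)}', code lives in {dll}")
    if random_name:
        findings.append(f"ServiceDll '{dll_name}' has the 8-random-letter name pattern")
    if fake_driver:
        findings.append(f"'{display}' claims to be a driver but Type=0x20 is a user-mode shared-process service")
    if svc.get("Start") == 2 and str(svc.get("ObjectName", "")).lower() == "localsystem":
        findings.append("auto-start as LocalSystem")
    return {"service": name, "group": host.group(1) if host else None, "service_dll": dll,
            "findings": findings, "suspicious": hosted and (random_name or fake_driver)}


if __name__ == "__main__":
    result = analyse_service(parse_reg(REG_EXPORT), "usbdriver")
    for finding in result["findings"]:
        print("-", finding)
    print("suspicious:", result["suspicious"])
```

Because the DLL is loaded by a legitimate, signed svchost.exe, process-list tools show nothing unusual; the ServiceDll under the parameters subkey and the service's membership of the netsvcs group are where the persistence actually lives, which is why the helper asks for the key export and then the DLL itself.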

Open notepad and copy/paste the text in the codebox below into it:

@echo off
REM Add each file listed in the parentheses to Files_for_submission.zip
REM (the zip command, e.g. Info-ZIP's zip.exe, must be on the PATH).
for %%g in (
"C:\WINDOWS\system32\tgpwxilv.dll"
) do zip Files_for_submission %%g
REM Delete this batch file once the archive has been built.
del %0

Save this as grab.bat

Choose to "Save type as - All Files"

Save it on your desktop.

It should look like this: [image: bat_icon.gif]

Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop.

Please upload that file here --> http://www.bleepingcomputer.com/submit-mal....php?channel=70


Note: You may need to unhide hidden files and folders.

Configure Windows XP to show hidden files:

Click Start. Open My Computer.

Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".

Uncheck the "Hide protected operating system files (recommended)" option.

Uncheck the "Hide file extensions for known file types" option.

Click Yes to confirm. Click OK.

If the file isn't on your desktop, please search for it.

C:\WINDOWS\system32\tgpwxilv.dll


Download the attached file CFScript.txt to your Desktop

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note:Please do not use this script on another computer, you may damage the system. The script is made especially for this user's computer only!!!!

I'm going to ask a couple of other experts because something else looks suspicious.

CFScript.txt


Here is ComboFix log

Windows Security now recognizes that my Automatic Updates is turned on :D

ComboFix 09-10-01.05 - Drew 10/03/2009 15:49.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.225 [GMT -5:00]

Running from: c:\documents and settings\Drew\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Drew\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))

.

2009-10-02 22:26 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-10-02 22:26 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-10-02 22:26 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-10-02 22:26 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-10-02 22:26 . 2009-10-02 22:26 -------- d-----w- c:\program files\Avira

2009-10-02 22:26 . 2009-10-02 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\documents and settings\Drew\Application Data\AVG8

2009-09-25 17:11 . 2009-09-25 17:11 -------- d-----w- c:\program files\Trend Micro

2009-09-25 17:03 . 2009-09-25 17:03 0 ----a-w- c:\documents and settings\Drew\settings.dat

2009-09-22 22:37 . 2009-09-22 22:37 -------- d-sh--w- c:\documents and settings\Drew\IECompatCache

2009-09-18 13:43 . 2009-09-18 13:43 -------- d-sh--w- c:\documents and settings\Drew\PrivacIE

2009-09-17 17:48 . 2009-09-17 17:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-09-17 14:10 . 2009-09-17 14:10 -------- d-sh--w- c:\documents and settings\Drew\IETldCache

2009-09-17 14:03 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-09-17 14:02 . 2009-09-17 14:03 -------- d-----w- c:\windows\ie8updates

2009-09-17 14:01 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-09-17 14:01 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-09-17 13:58 . 2009-09-17 14:01 -------- dc-h--w- c:\windows\ie8

2009-09-10 14:38 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-02 18:59 . 2009-01-21 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-10-02 13:05 . 2009-01-22 17:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-10-01 18:19 . 2008-01-27 22:39 -------- d-----w- c:\documents and settings\Drew\Application Data\U3

2009-10-01 01:40 . 2009-06-05 14:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-01 01:09 . 2009-07-01 01:08 50688 --sha-w- c:\windows\system32\zugowuva.dll

2009-09-11 15:37 . 2006-10-16 13:22 -------- d-----w- c:\program files\Java

2009-09-10 19:54 . 2009-06-05 14:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 19:53 . 2009-06-05 14:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-04 13:02 . 2006-10-16 13:33 126096 ----a-w- c:\documents and settings\Drew\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-25 15:06 . 2008-01-06 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-25 10:23 . 2009-02-02 17:01 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-08 18:44 . 2009-01-21 14:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-07-08 18:44 . 2009-01-21 14:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-07-08 18:44 . 2009-01-21 14:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-07-08 18:44 . 2009-01-21 14:51 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-07-08 18:43 . 2009-01-21 14:51 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-10-01_01.28.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll

+ 2009-10-02 22:26 . 2009-05-11 15:12 28520 c:\windows\system32\drivers\ssmdrv.sys

+ 2006-10-16 13:16 . 2009-10-02 17:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2006-10-16 13:16 . 2009-09-28 00:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll

+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll

+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll

+ 2009-10-02 22:23 . 2009-10-02 22:23 228352 c:\windows\Installer\a50784.msi

+ 2009-10-03 17:00 . 2009-10-03 17:00 195584 c:\windows\Installer\3612da.msi

+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]

"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2004-08-04 77891]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-07-13 49152]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-08-16 90112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-16 745472]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-12-11 221247]

Belkin Wireless Utility.lnk - c:\program files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [2005-8-18 1388544]

Scanner File Utility.lnk - c:\program files\Kyocera\FileUtility\NsCatCom.exe [2008-1-28 327680]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Kyocera\\FileUtility\\NsCatCom.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/2/2009 5:26 PM 108289]

R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [1/28/2008 1:49 PM 463872]

R3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [4/21/2004 5:51 PM 16384]

S0 seua;seua;c:\windows\system32\drivers\nnskip.sys --> c:\windows\system32\drivers\nnskip.sys [?]

S2 usbdriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

USBDriver

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://att.yahoo.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: turbotax.com

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-03 15:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,af,f7,ae,f1,e2,0e,4c,a5,e7,1e,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,af,f7,ae,f1,e2,0e,4c,a5,e7,1e,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4036)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-10-03 15:55

ComboFix-quarantined-files.txt 2009-10-03 20:55

ComboFix2.txt 2009-10-02 19:11

ComboFix3.txt 2009-10-01 01:33

Pre-Run: 63,346,073,600 bytes free

Post-Run: 63,399,084,032 bytes free

177 --- E O F --- 2009-10-03 17:00
