
HijackThis and MBAM won't run


brisheden

Please help! I am trying to help clean up a friend's computer that has been infected with PC-Antispyware 2010, among other things probably.

XP Home SP3

Installed Malwarebytes and successfully updated

Malwarebytes runs for 5 to 14 seconds and shuts down with no error information.

Installed HijackThis successfully.

HijackThis ran for 5 seconds and shut down with no error information.

Trend Micro's HouseCall will do the same: start to run, then shut down with no error info.

"Your computer is Infected! (Windows has detected spyware infection!)" popup from the notification area.

Trying to run HijackThis from the Trend Micro folder results in the message:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

Please suggest next step.

Here is my Win32kDiag log.

Running from: C:\Documents and Settings\Dave Thompson\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Dave Thompson\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP119.tmp\ZAP119.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP119.tmp\ZAP119.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D2.tmp\ZAP1D2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D2.tmp\ZAP1D2.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B5.tmp\ZAP2B5.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B5.tmp\ZAP2B5.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2D2.tmp\ZAP2D2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2D2.tmp\ZAP2D2.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E8.tmp\ZAP2E8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E8.tmp\ZAP2E8.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP36B.tmp\ZAP36B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP36B.tmp\ZAP36B.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP38F.tmp\ZAP38F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP38F.tmp\ZAP38F.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP431.tmp\ZAP431.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP431.tmp\ZAP431.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB1.tmp\ZAPB1.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB1.tmp\ZAPB1.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\biolsp patch\biolsp patch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\biolsp patch\biolsp patch

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Preboot Manager\Preboot Manager

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Preboot Manager\Preboot Manager

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\tsp patch\tsp patch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\tsp patch\tsp patch

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\upekmsi\upekmsi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\upekmsi\upekmsi

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Wave Infrastructure\Wave Infrastructure

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Wave Infrastructure\Wave Infrastructure

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\4301AEBD288588A40833184CFEC0AF92\4.0.0\4.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\4301AEBD288588A40833184CFEC0AF92\4.0.0\4.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA33010000ABE7000000000030\8.0.0\8.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA33010000ABE7000000000030\8.0.0\8.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Cannot access: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.4328.426734

Attempting to restore permissions of : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.4328.426734

[1] 2008-04-10 17:14:30 780 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.4328.426734 ()

Cannot access: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.4328.426734

Attempting to restore permissions of : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.4328.426734

[1] 2008-04-10 17:14:30 748 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.4328.426734 ()

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SHELLNEW\SHELLNEW

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SHELLNEW\SHELLNEW

Found mount point : C:\WINDOWS\SHELLNEW(2)\SHELLNEW(2)

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SHELLNEW(2)\SHELLNEW(2)

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixas\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixas\files\files

Found mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixdts\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixdts\files\files

Found mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixns\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixns\files\files

Found mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixrs\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixrs\files\files

Found mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixsql\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixsql\files\files

Found mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixtools\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixtools\files\files

Found mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixas\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixas\files\files

Found mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixdts\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixdts\files\files

Found mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixns\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixns\files\files

Found mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixrs\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixrs\files\files

Found mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixsql\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixsql\files\files

Found mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixtools\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixtools\files\files

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Adobe PDF\Settings\Settings

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Adobe PDF\Settings\Settings

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ACE\ACE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ACE\ACE

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield\ISEngine12.0\ISEngine12.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield\ISEngine12.0\ISEngine12.0

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CLR Security Config\v2.0.50727.190\v2.0.50727.190

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CLR Security Config\v2.0.50727.190\v2.0.50727.190

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-4275519505-3747650102-3319402763-500\S-1-5-21-4275519505-3747650102-3319402763-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-4275519505-3747650102-3319402763-500\S-1-5-21-4275519505-3747650102-3319402763-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-4275519505-3747650102-3319402763-500\S-1-5-21-4275519505-3747650102-3319402763-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-4275519505-3747650102-3319402763-500\S-1-5-21-4275519505-3747650102-3319402763-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\7947bfcf1554\7947bfcf1554

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\7947bfcf1554\7947bfcf1554

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-4275519505-3747650102-3319402763-500\S-1-5-21-4275519505-3747650102-3319402763-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-4275519505-3747650102-3319402763-500\S-1-5-21-4275519505-3747650102-3319402763-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\12.0\12.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\12.0\12.0

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft Help\Microsoft Help

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft Help\Microsoft Help

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\PowerDVD DX\IEPG\IEPG

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\PowerDVD DX\IEPG\IEPG

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Sqm\Sqm

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Sqm\Sqm

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 06:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw


Finished!

Thanks for any help you can offer.

Brian ;)

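As an added triage example (not code from this thread or from the Win32kDiag tool): a small Python parser for the log format posted above. It groups every mount point by the destination it resolved to, so the operator can see at a glance that all of them point at the same non-filesystem `\Device\...` path, and it flags any mount point the tool found but never reported as removed, plus the backup-privilege warning. The sample log is constructed in the same format; its paths are made up.

```python
"""Win32kDiag log triage helper (added example, not part of the thread)."""
import re
from collections import defaultdict

FOUND = re.compile(r"^Found mount point : (.+)$")
DEST = re.compile(r"^Mount point destination : (.+)$")
REMOVED = re.compile(r"^Removing mount point : (.+)$")
WARNING = re.compile(r"^WARNING: (.+)$")

# Constructed sample in the format Win32kDiag writes; paths are invented.
# The last mount point deliberately has no "Removing" line.
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\user\desktop\win32kdiag.exe
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\system32\Test\Test
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\Test\Test
Found mount point : C:\WINDOWS\Temp\MCE00004\MCE00004
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\MCE00004\MCE00004
Found mount point : D:\mounted\volume
Mount point destination : \??\Volume{example-guid}
Removing mount point : D:\mounted\volume
Found mount point : C:\WINDOWS\Temp\MCE00005\MCE00005
Mount point destination : \Device\__max++>\^
Finished!
"""


def parse_win32kdiag(log_text):
    """Return (by_destination, not_removed, warnings).

    by_destination maps each destination to the mount points that resolved
    to it; not_removed lists mount points reported as found but never as
    removed; warnings collects the tool's WARNING lines.
    """
    by_destination = defaultdict(list)
    found = []
    removed = set()
    warnings = []
    pending = None  # path from the last "Found" line, awaiting its destination
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := FOUND.match(line):
            pending = m.group(1)
            found.append(pending)
        elif m := DEST.match(line):
            if pending is not None:
                by_destination[m.group(1)].append(pending)
                pending = None
        elif m := REMOVED.match(line):
            removed.add(m.group(1))
        elif m := WARNING.match(line):
            warnings.append(m.group(1))
    not_removed = [p for p in found if p not in removed]
    return dict(by_destination), not_removed, warnings


def dominant_destination(log_text):
    """Destination that the most mount points resolve to, or None if none.

    In the posted log every mount point resolves to the same \\Device\\ path;
    a single destination shared by dozens of system directories is the
    pattern worth looking at first.
    """
    by_dest, _, _ = parse_win32kdiag(log_text)
    if not by_dest:
        return None
    return max(by_dest, key=lambda d: len(by_dest[d]))


def summarize(log_text):
    """Short triage summary: destinations by count, then what needs attention."""
    by_dest, not_removed, warnings = parse_win32kdiag(log_text)
    report = []
    for dest, paths in sorted(by_dest.items(), key=lambda kv: -len(kv[1])):
        report.append(f"{len(paths):4d} mount point(s) -> {dest}")
    if not_removed:
        report.append("not reported as removed: " + ", ".join(not_removed))
    if warnings:
        report.append("warnings: " + "; ".join(warnings))
    return report


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```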

Please help!

My computer is infected and I can't get MBAM to run. It will install and begin to scan. After 5 or so seconds it will close and re-permission the install directory so you can't run it again.

Similar will happen when I try to run HijackThis.

I get the same response when I try HouseCall.

Computer is XP SP3

I am hoping to not have to reformat this system.

If someone could help me I would be so frickin eternally grateful I might become a Himalayan monk.

Thanks,

Brian


  • Root Admin

hmmm well I closed your post here: http://www.malwarebytes.org/forums/index.p...st&p=135252

Okay, please run the following.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:


  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe and follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...


Trying to get ComboFix to run now. So far I'm not having much luck. I can start it, but within 15 seconds after clicking yes to the license agreement it tells me that it "has detected the presence of rootkit activity and needs to reboot the machine."

When it reboots I get a blue command prompt screen that says " ' GREP' is not recognized as an internal or external command, operable program or batch file. The Process cannot access the file because it is being used by another process."

"Please wait.

ComboFix is preparing to run." but then it closes and nothing else seems to happen.

I'll update when I make it further.

Thanks for your help!


  • Root Admin

Please run this again.

Go to start > run and copy and paste the following command in the field:

"%userprofile%\desktop\win32kdiag.exe" -f -r

This should restore permissions on locked files and remove mountpoints.

Try renaming MBAM.EXE to Explorer.exe and launching it.


I finally got Combo-Fix to run. Awesome!

Here are the contents of the .txt file.

Thanks,

Brian

ComboFix 09-10-11.03 - Dave Thompson 10/13/2009 11:01.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.487 [GMT -5:00]

Running from: c:\documents and settings\Dave Thompson\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.


Infected copy of c:\windows\system32\lpk.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\lpk.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NWCWORKSTATION

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Service_NWCWorkstation

-------\Service_sysrest.sys

((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))

.

2009-10-13 16:05 . 2008-04-14 00:11 22016 ----a-w- c:\windows\system32\lpk.dll

2009-10-13 14:52 . 2009-10-13 15:55 -------- d-----w- C:\Combo-Fix15020C

2009-10-12 16:34 . 2009-10-13 13:46 -------- d-----w- C:\ComboFix

2009-10-12 16:26 . 2009-10-12 16:34 -------- d-----w- C:\Combo-Fix4318C

2009-10-12 16:02 . 2009-10-12 16:05 -------- d-----w- C:\Combo-Fix31922C

2009-10-12 15:55 . 2009-10-12 15:59 -------- d-----w- C:\Combo-Fix

2009-09-29 15:59 . 2009-09-29 15:59 -------- d-----w- c:\program files\Trend Micro

2009-09-29 15:44 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-09-29 15:35 . 2009-10-12 16:09 -------- d-----w- c:\documents and settings\Dave Thompson\Local Settings\Application Data\Temp

2009-09-29 14:44 . 2009-10-13 15:44 -------- d-----w- C:\Malwarebytes' Anti-Malware

2009-09-29 13:30 . 2009-09-29 13:30 16614 ----a-w- c:\windows\vigiv.com

2009-09-29 13:30 . 2009-09-29 13:30 13926 ----a-w- c:\windows\byjapybaxa.dat

2009-09-29 13:08 . 2009-10-13 16:01 -------- d--h--w- c:\windows\PIF

2009-09-28 21:21 . 2009-09-28 21:21 -------- d-----w- c:\documents and settings\Dave Thompson\Application Data\Sunbelt Software

2009-09-28 21:21 . 2009-09-28 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt Software

2009-09-28 20:50 . 2009-09-28 20:50 -------- d-----w- c:\documents and settings\Dave Thompson\Application Data\Malwarebytes

2009-09-28 20:50 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-28 20:50 . 2009-09-28 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-28 20:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-13 13:34 . 2009-07-13 13:33 52736 --sha-w- c:\windows\system32\viradeni.dll

2009-10-13 13:33 . 2009-07-13 13:33 39424 --sha-w- c:\windows\system32\ninukoso.dll

2009-10-12 16:26 . 2009-07-12 16:25 52736 --sha-w- c:\windows\system32\mizifaru.dll

2009-10-12 16:25 . 2009-07-12 16:25 39424 --sha-w- c:\windows\system32\difajowu.dll

2009-10-12 15:25 . 2007-11-05 20:23 -------- d-----w- c:\documents and settings\Dave Thompson\Application Data\Wave Systems Corp

2009-09-30 13:14 . 2009-06-30 13:14 1082916 --sha-w- c:\windows\system32\yisaniyu.exe

2009-09-30 13:14 . 2009-06-30 13:14 39424 --sha-w- c:\windows\system32\devawije.dll

2009-09-29 13:00 . 2009-09-29 13:00 17693 ----a-w- c:\documents and settings\All Users\Application Data\hofifotuvi.dat

2009-09-29 12:54 . 2009-06-29 12:54 1082404 --sha-w- c:\windows\system32\momejigo.exe

2009-09-29 12:54 . 2009-06-29 12:54 39424 --sha-w- c:\windows\system32\nanasuzo.dll

2009-09-28 20:43 . 2009-06-28 19:58 52736 --sha-w- c:\windows\system32\kakijigu.dll

2009-09-28 19:59 . 2009-09-04 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\11444534

2009-09-28 19:59 . 2009-06-28 19:58 1081892 --sha-w- c:\windows\system32\zapohugu.exe

2009-09-28 19:58 . 2009-06-28 19:58 1081380 --sha-w- c:\windows\system32\togemobo.exe

2009-09-28 19:58 . 2009-06-28 19:58 52736 --sha-w- c:\windows\system32\zojetiru.exe

2009-09-28 19:58 . 2009-06-28 19:58 38912 --sha-w- c:\windows\system32\loyayono.dll

2009-09-04 17:02 . 2009-06-04 17:02 49664 --sha-w- c:\windows\system32\nusayuta.dll

2009-09-04 17:02 . 2009-06-04 17:02 831524 --sha-w- c:\windows\system32\rilihoki.exe

2009-09-04 17:02 . 2009-06-04 17:02 89088 --sha-w- c:\windows\system32\sekanawo.dll

2009-09-04 17:02 . 2009-06-04 17:02 24490 --sha-w- c:\windows\system32\yavafike.exe

2009-09-04 17:02 . 2009-06-04 17:02 37888 --sha-w- c:\windows\system32\kokemabo.dll

2009-09-03 18:25 . 2009-09-03 18:25 18801 ----a-w- c:\windows\hubyluny.pif

2009-09-03 18:25 . 2009-09-03 18:25 18248 ----a-w- c:\documents and settings\Dave Thompson\Application Data\hebaryk.com

2009-09-03 18:25 . 2009-09-03 18:25 17863 ----a-w- c:\windows\system32\livexoz.scr

2009-09-03 18:25 . 2009-09-03 18:25 15884 ----a-w- c:\windows\system32\yhozygubo.exe

2009-09-03 18:25 . 2009-09-03 18:25 14596 ----a-w- c:\program files\Common Files\nepohiqu.com

2009-09-03 18:25 . 2009-09-03 18:25 13736 ----a-w- c:\windows\xyho.sys

2009-09-03 18:25 . 2009-09-03 18:25 11391 ----a-w- c:\windows\amuh.bin

2009-09-03 18:25 . 2009-09-03 18:25 11105 ----a-w- c:\program files\Common Files\afamef._dl

2009-09-03 18:25 . 2009-09-03 18:25 10463 ----a-w- c:\windows\system32\ujica.sys

2009-09-03 18:21 . 2009-09-03 18:21 19537 ----a-w- c:\documents and settings\All Users\Application Data\itum.dll

2009-09-03 18:21 . 2009-09-03 18:21 19057 ----a-w- c:\windows\olew.pif

2009-09-03 18:21 . 2009-09-03 18:21 17678 ----a-w- c:\windows\system32\osygojoge.dat

2009-09-03 18:21 . 2009-09-03 18:21 16732 ----a-w- c:\windows\system32\ojybicex.dat

2009-09-03 18:21 . 2009-09-03 18:21 15560 ----a-w- c:\windows\jocyj.sys

2009-09-03 18:21 . 2009-09-03 18:21 14471 ----a-w- c:\windows\system32\xyzykikici.dll

2009-09-03 18:21 . 2009-09-03 18:21 10675 ----a-w- c:\documents and settings\Dave Thompson\Application Data\imat.com

2009-09-03 18:21 . 2009-09-03 18:21 10016 ----a-w- c:\windows\ojytote.sys

2009-09-03 18:21 . 2009-09-03 18:21 17976 ----a-w- c:\windows\lokaham.pif

2009-09-03 18:21 . 2009-09-03 18:21 16371 ----a-w- c:\windows\iqyhu.bin

2009-09-03 18:21 . 2009-09-03 18:21 15933 ----a-w- c:\program files\Common Files\ynoc.exe

2009-09-03 18:21 . 2009-09-03 18:21 14731 ----a-w- c:\windows\magy.bin

2009-09-03 18:10 . 2009-06-03 18:10 88576 --sha-w- c:\windows\system32\witeyaza.dll

2009-09-03 18:10 . 2009-06-03 18:10 37376 --sha-w- c:\windows\system32\notewufe.dll

2009-09-03 18:04 . 2008-08-24 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-03 17:13 . 2009-09-03 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt

2009-09-03 17:01 . 2009-09-03 17:01 -------- d-----w- c:\program files\Sunbelt Software

2009-09-03 15:02 . 2007-11-05 20:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Wave Systems Corp

2009-09-02 21:35 . 2008-10-08 01:34 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-09-02 21:31 . 2007-10-31 11:40 -------- d-----w- c:\program files\Google

2009-09-02 19:55 . 2009-09-02 19:55 18432 ----a-w- c:\windows\system32\atohekycul.dat

2009-09-02 19:55 . 2009-09-02 19:55 16150 ----a-w- c:\windows\visexe.dat

2009-09-02 19:55 . 2009-09-02 19:55 10919 ----a-w- c:\program files\Common Files\haniv.db

2009-09-02 16:56 . 2009-09-02 16:56 10985 ----a-w- c:\documents and settings\Dave Thompson\Local Settings\Application Data\ivap.dat

2009-09-02 16:44 . 2009-06-02 16:44 89088 --sha-w- c:\windows\system32\wigudozi(2).dll

2009-08-31 20:32 . 2007-11-13 23:17 -------- d-----w- c:\program files\WINForms Desktop

2009-08-17 16:44 . 2007-10-31 11:31 71288 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-15 18:07 . 2009-08-15 18:07 -------- d-----w- c:\program files\MSBuild

2009-08-15 18:07 . 2009-08-15 18:07 -------- d-----w- c:\program files\Reference Assemblies

2009-08-05 09:01 . 2004-08-11 23:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-06-03 18:10 . 2009-06-03 18:10 49664 --sha-w- c:\windows\system32\lojonuda.dll

2009-07-13 13:34 . 2009-07-13 13:34 52736 --sha-w- c:\windows\system32\tajopava.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23262418-c920-44f7-b16d-fb1a4ec77d78}]

2009-07-13 13:34 52736 --sha-w- c:\windows\system32\tajopava.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Google Update"="c:\documents and settings\Dave Thompson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-29 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]

"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]

"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]

"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]

"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-05 77824]

"NapsterShell"="c:\program files\Napster\napster.exe" [2008-09-09 323216]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Billminder.lnk - c:\program files\QUICKENW\BILLMIND.EXE [2008-3-31 36864]

Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-7 28672]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-31 50688]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-8-28 67128]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-7-17 692224]

Quicken Startup.lnk - c:\program files\QUICKENW\QWDLLS.EXE [2008-3-31 36864]

Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\Dave Thompson\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

"c:\\WINDOWS\\system32\\dwwin.exe"=

"c:\\Program Files\\Roxio\\Drag-to-Disc\\DrgToDsc.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [10/31/2007 5:55 AM 3456]

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [1/11/2008 8:50 PM 30312]

R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 6:00 PM 5120]

R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [11/25/2005 8:43 PM 31896]

R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [7/23/2008 8:51 PM 2944]

S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [7/23/2008 8:52 PM 3168]

S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [7/23/2008 8:51 PM 39552]

S3 BrSerWdm;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [7/23/2008 8:51 PM 61440]

S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/25/2008 12:31 AM 29263712]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4275519505-3747650102-3319402763-1008Core.job

- c:\documents and settings\Dave Thompson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-29 15:34]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4275519505-3747650102-3319402763-1008UA.job

- c:\documents and settings\Dave Thompson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-29 15:34]

2009-10-13 c:\windows\Tasks\User_Feed_Synchronization-{A989AFAF-ED0A-4339-BAAB-321D7D1D3EC9}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

LSP: c:\windows\system32\biolsp.dll

TCP: {36556B31-ED10-4D52-A9F2-FEAE84094AB9} = 66.76.2.130

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-sysrest32.exe - c:\windows\system32\sysrest32.exe

HKLM-Run-11444534 - c:\documents and settings\All Users\Application Data\11444534\11444534.exe

HKLM-Run-holezeyom - c:\windows\system32\japadesu.dll

HKLM-Run-59702932 - c:\documents and settings\All Users\Application Data\59702932\59702932.exe

HKLM-Run-waduhikara - fokipize.dll

SharedTaskScheduler-{aacd349c-9133-4d3b-b336-dab54421eaba} - c:\windows\system32\wigudozi.dll

SharedTaskScheduler-{88867305-41d2-4d12-aa76-6030dedf7b3a} - c:\windows\system32\japadesu.dll

SharedTaskScheduler-{36509b5b-230e-4074-988e-b8614be84af9} - c:\windows\system32\japadesu.dll

SharedTaskScheduler-{754acabc-7099-4185-8fef-3e00e3a01fda} - c:\windows\system32\japadesu.dll

SharedTaskScheduler-{b562fa65-bcde-4f06-bf6d-77d2d9316c9f} - c:\windows\system32\japadesu.dll

SharedTaskScheduler-{40a592c8-a66a-4521-8e08-f911a20442e7} - c:\windows\system32\japadesu.dll

SharedTaskScheduler-{30d474a2-159f-4690-a860-4b1d95fc3f93} - c:\windows\system32\japadesu.dll

SharedTaskScheduler-{6bb09d6e-6dfb-4cba-84f8-3bf9aaf6a26f} - c:\windows\system32\japadesu.dll

SharedTaskScheduler-{7a559482-6fe1-4631-9ea6-3facb8e501a4} - c:\windows\system32\japadesu.dll

SharedTaskScheduler-{6cf63a21-ac0c-42ae-b1ea-4f00457d5431} - c:\windows\system32\japadesu.dll

SSODL-wolizuzej-{aacd349c-9133-4d3b-b336-dab54421eaba} - c:\windows\system32\wigudozi.dll

SSODL-vovidetiz-{88867305-41d2-4d12-aa76-6030dedf7b3a} - c:\windows\system32\japadesu.dll

SSODL-ziparipad-{36509b5b-230e-4074-988e-b8614be84af9} - c:\windows\system32\japadesu.dll

SSODL-tanikohir-{754acabc-7099-4185-8fef-3e00e3a01fda} - c:\windows\system32\japadesu.dll

SSODL-nufapuvel-{b562fa65-bcde-4f06-bf6d-77d2d9316c9f} - c:\windows\system32\japadesu.dll

SSODL-liforolot-{40a592c8-a66a-4521-8e08-f911a20442e7} - c:\windows\system32\japadesu.dll

SSODL-dewotewop-{30d474a2-159f-4690-a860-4b1d95fc3f93} - c:\windows\system32\japadesu.dll

SSODL-newujihez-{6bb09d6e-6dfb-4cba-84f8-3bf9aaf6a26f} - c:\windows\system32\japadesu.dll

SSODL-zuyopeniz-{7a559482-6fe1-4631-9ea6-3facb8e501a4} - c:\windows\system32\japadesu.dll

SSODL-zifobubot-{6cf63a21-ac0c-42ae-b1ea-4f00457d5431} - c:\windows\system32\japadesu.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-13 11:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,2a,7b,bb,5a,e6,cb,4d,8d,43,96,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,2a,7b,bb,5a,e6,cb,4d,8d,43,96,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1036)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(3396)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\windows\system32\CDRTC.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\BCMWLTRY.EXE

c:\windows\system32\ati2evxx.exe

c:\windows\system32\BRSVC01A.EXE

c:\windows\system32\BRSS01A.EXE

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\windows\system32\BrmfBAgS.exe

c:\program files\Dell\QuickSet\NicConfigSvc.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe

c:\windows\system32\searchindexer.exe

c:\windows\system32\msdtc.exe

c:\windows\system32\wscntfy.exe

c:\program files\ATI Technologies\ATI.ACE\CLI.exe

c:\program files\Apoint\ApMsgFwd.exe

c:\program files\Apoint\hidfind.exe

c:\program files\Apoint\ApntEx.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe

c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe

c:\windows\system32\searchprotocolhost.exe

c:\program files\ATI Technologies\ATI.ACE\CLI.exe

c:\windows\system32\searchfilterhost.exe

.

**************************************************************************

.

Completion time: 2009-10-13 11:57 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-13 16:57

Pre-Run: 102,196,404,224 bytes free

Post-Run: 102,273,601,536 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

432 --- E O F --- 2009-09-02 02:41

Here are the contents of the Hijack This report.

Brian

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:03:29 PM, on 10/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\WINDOWS\system32\BrmfBAgS.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

C:\Program Files\Wave Systems Corp\SecureUpgrade.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Apoint\ApMsgFwd.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Napster\napster.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Documents and Settings\Dave Thompson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\QUICKENW\QWDLLS.EXE

C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Dave Thompson\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2071031

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: (no name) - {23262418-c920-44f7-b16d-fb1a4ec77d78} - tajopava.dll (file missing)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

O4 - HKLM\..\Run: [secureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dave Thompson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE

O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{36556B31-ED10-4D52-A9F2-FEAE84094AB9}: NameServer = 66.76.2.130

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O20 - AppInit_DLLs: rivesogo.dll

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\system32\BrmfBAgS.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 12609 bytes


  • Root Admin

Please run the following now.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.


Here is the MBAM log.

Malwarebytes' Anti-Malware 1.41

Database version: 2955

Windows 5.1.2600 Service Pack 3

10/13/2009 4:51:14 PM

mbam-log-2009-10-13 (16-51-14).txt

Scan type: Quick Scan

Objects scanned: 111542

Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 1

Files Infected: 18

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\tajopava.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\11444534 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\tajopava.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\kakijigu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\notewufe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rilihoki.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\viradeni.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wigudozi(2).dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nusayuta.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sekanawo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ninukoso.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yavafike.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zapohugu.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zojetiru.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\witeyaza.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lojonuda.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\togemobo.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\11444534\11444534 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\11444534\pc11444534ins (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dave Thompson\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.


Hijack This log.

Brian

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:55:27 PM, on 10/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\WINDOWS\system32\BrmfBAgS.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

C:\Program Files\Apoint\ApMsgFwd.exe

C:\Program Files\Wave Systems Corp\SecureUpgrade.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\KADxMain.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Napster\napster.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Documents and Settings\Dave Thompson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\QUICKENW\QWDLLS.EXE

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Documents and Settings\Dave Thompson\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2071031

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: (no name) - {23262418-c920-44f7-b16d-fb1a4ec77d78} - tajopava.dll (file missing)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

O4 - HKLM\..\Run: [secureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dave Thompson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE

O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{36556B31-ED10-4D52-A9F2-FEAE84094AB9}: NameServer = 66.76.2.130

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O20 - AppInit_DLLs: rivesogo.dll

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\system32\BrmfBAgS.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 12859 bytes


  • Root Admin

STEP 01

With all other applications closed (Taskbar empty), open HijackThis again and run "Do a system scan only", then place a check mark on the following items.

  • O2 - BHO: (no name) - {23262418-c920-44f7-b16d-fb1a4ec77d78} - tajopava.dll (file missing)
  • O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
  • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
  • O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
  • O20 - AppInit_DLLs: rivesogo.dll

Then Quit All Browsers, including the one you're reading this in now.

Then click on Fix checked and then quit HJT.

STEP 02

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.

Then look for the following Java folders and if found delete them.

C:\Program Files\Java
C:\Program Files\Common Files\Java
C:\Windows\Sun
C:\Documents and Settings\All Users\Application Data\Java
C:\Documents and Settings\All Users\Application Data\Sun\Java
C:\Documents and Settings\username\Application Data\Java
C:\Documents and Settings\username\Application Data\Sun\Java

STEP 03

Download and install CCleaner:

  • CCleaner
  • Double-click on the downloaded file "ccsetup223_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

RESTART THE COMPUTER NOW

STEP 04

Please delete your current copy of Combofix and download a NEW fresh copy and run it and post back that log.

Additional links to download the tool:

ComboFix.exe

ComboFix.exe

ComboFix.exe

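As an added example (not code from HijackThis, Malwarebytes or this forum), here is a small Python triage script for the HijackThis log format posted above. It parses the "Oxx - ..." lines and flags the entry types the Root Admin picked out in STEP 01: a BHO whose DLL is missing, any AppInit_DLLs entry, and Run entries that name a bare file with no path (where the log alone cannot tell which file actually runs). The sample lines are a constructed subset of the log above; the severity labels and regexes are the example's own.

```python
"""Triage helper for HijackThis v2.0.x logs.

Added example for this thread; it is not code from HijackThis, Malwarebytes
or the forum. It parses the "Oxx - ..." lines and flags the entry types the
Root Admin singled out above: a BHO whose DLL is missing, any AppInit_DLLs
entry, and Run entries that name a bare file with no path (the log alone
then cannot tell which file actually runs).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the posted log, in its exact line format.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {23262418-c920-44f7-b16d-fb1a4ec77d78} - tajopava.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: rivesogo.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O4", "O20", ...
    body: str     # everything after "Oxx - "


@dataclass(frozen=True)
class Finding:
    severity: str  # "fix" (the kind of entry the admin had removed) or "review"
    reason: str
    line: str


LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: *(?P<dlls>.*)$")


def parse_hjt(text: str) -> list[Entry]:
    """Split a log into (section, body) entries; non-entry lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def executable_of(command: str) -> str:
    """Return the program part of a Run command, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def has_path(program: str) -> bool:
    """A bare name (no drive letter or backslash) is resolved via the search path."""
    return "\\" in program or ":" in program


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the three checks and return findings in log order."""
    findings = []
    for e in entries:
        line = f"{e.section} - {e.body}"
        if e.section == "O2":
            m = BHO_RE.match(e.body)
            if m and m.group("path").endswith("(file missing)"):
                findings.append(Finding("fix", "BHO registered but its DLL is gone (orphaned hook)", line))
        elif e.section == "O4":
            m = RUN_RE.match(e.body)
            if m and not has_path(executable_of(m.group("cmd"))):
                findings.append(Finding("review", "Run entry names a bare file; confirm which copy on the search path it resolves to", line))
        elif e.section == "O20":
            m = APPINIT_RE.match(e.body)
            if m and m.group("dlls").strip():
                findings.append(Finding("fix", f"AppInit_DLLs loads {m.group('dlls').strip()} into every process that loads user32.dll", line))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the sample it reports the missing-file BHO and the AppInit_DLLs entry as "fix" and the bare KHALMNPR.EXE Run entry as "review" only, matching which of those lines the admin actually had fixed.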

JavaRa log

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Wed Oct 14 08:00:37 2009

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: Software\JavaSoft\Java2D\1.5.0_07

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

------------------------------------

Finished reporting.

Brian


At this point it doesn't seem like ComboFix will scan. I deleted the one I had and downloaded it from one of the original links you provided for me. I renamed it combo-fix like before. After double clicking to run it, it starts and says it's scanning, however it has been sitting at that spot for over an hour now.

:)

Brian


  • Root Admin

Okay, see if you can run this then for now.

Please temporarily disable your current Anti-Virus in order to run this Online AV scanner.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.


Eset Log

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6050

# api_version=3.0.2

# EOSSerial=5e136a2b9883984c98f36cefd2db6bd3

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-10-15 01:42:34

# local_time=2009-10-15 08:42:34 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# scanned=76536

# found=18

# cleaned=0

# scan_time=1705

C:\Qoobox\Quarantine\C\blyuwrjl.exe.vir a variant of Win32/Kryptik.AOD trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\fyblb.exe.vir a variant of Win32/Kryptik.AJT trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\osps.exe.vir Win32/Oficla.R trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\xvhu.exe.vir Win32/Oficla.I trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\59702932\59702932.exe.vir a variant of Win32/Kryptik.AEA trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe.vir Win32/Adware.AntiSpyware2010 application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Program Files\PC_Antispyware2010\Uninstall.exe.vir Win32/TrojanDownloader.FakeAlert.AGO trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Program Files\PC_Antispyware2010\wscui.cpl.vir Win32/Adware.XPSecurityCenter application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\braviax.exe.vir a variant of Win32/Kryptik.AIQ trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir Win32/Agent.PYI trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\japadesu.dll.vir a variant of Win32/Kryptik.AOD trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\rarivove.exe.vir a variant of Win32/Kryptik.AEA trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir Win32/TrojanDownloader.FakeAlert.AGO trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir Win32/Adware.XPSecurityCenter application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir a variant of Win32/Kryptik.AGZ trojan 00000000000000000000000000000000 I

C:\WINDOWS\system32\kokemabo.dll a variant of Win32/Kryptik.AJK trojan 00000000000000000000000000000000 I

C:\WINDOWS\system32\loyayono.dll a variant of Win32/Kryptik.AOD trojan 00000000000000000000000000000000 I

thanks,

Brian


  • Root Admin

Please download Avenger 2.0 from here

Open and copy the program file avenger.exe to your Desktop then double click to start it.

Copy and paste the following text from the code box below into the main window of Avenger.

Drivers to delete:
kokemabo
loyayono

Files to delete:
C:\WINDOWS\system32\kokemabo.dll
C:\WINDOWS\system32\loyayono.dll

  • Do not check any other boxes, uncheck Scan for Rootkits if it's checked
  • Close all other running applications
  • After pasting the text into the main window, click on Execute

Once Avenger is done run MBAM, go to the UPDATE tab and update the program again and do a Quick Scan.

Fix anything found and reboot the computer. Then run a new HJT log and post back all logs.


Avenger log

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\kokemabo" not found!

Deletion of driver "kokemabo" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\loyayono" not found!

Deletion of driver "loyayono" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

File "C:\WINDOWS\system32\kokemabo.dll" deleted successfully.

File "C:\WINDOWS\system32\loyayono.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Thanks

Brian


MBAM report

Malwarebytes' Anti-Malware 1.41

Database version: 2971

Windows 5.1.2600 Service Pack 3

10/16/2009 8:13:40 AM

mbam-log-2009-10-16 (08-13-40).txt

Scan type: Quick Scan

Objects scanned: 112006

Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

thanks

brian


Hijack log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:41:33 AM, on 10/16/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\WINDOWS\system32\BrmfBAgS.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

C:\Program Files\Wave Systems Corp\SecureUpgrade.exe

C:\Program Files\Apoint\ApMsgFwd.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\WINDOWS\system32\KADxMain.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Napster\napster.exe

C:\Documents and Settings\Dave Thompson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\QUICKENW\QWDLLS.EXE

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Dave Thompson\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2071031

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

O4 - HKLM\..\Run: [secureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dave Thompson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE

O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{36556B31-ED10-4D52-A9F2-FEAE84094AB9}: NameServer = 208.180.42.68

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\system32\BrmfBAgS.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 12371 bytes

Thanks Again

Brian

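The HijackThis log above is reviewed by eye in this thread. As an added example (my own code, not a tool from the forum or from Trend Micro), the script below does the first mechanical pass a helper would do on such a log: it parses the O4 autorun, O17 NameServer and O23 service lines and lists the ones worth a manual look. The sample input is a handful of lines copied from the log above; the regular expressions and the function names (`triage_hjt`, `Finding`) are mine and are based only on the line shapes visible in that log.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: a handful of lines copied from the HijackThis log
# posted in this thread. Only the O4, O17 and O23 line shapes are parsed.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{36556B31-ED10-4D52-A9F2-FEAE84094AB9}: NameServer = 208.180.42.68
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# Line shapes as they appear in HijackThis 2.0 logs (assumed from the log above).
RUN_RE = re.compile(r"^O4 - (?P<hive>[^\[]+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why a human should look at this line
    detail: str    # the relevant fragment of the log line


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the log entries that warrant a manual look.

    Nothing here is verdict-grade; each finding is a prompt to confirm the
    file on disk (vendor, signature, location) before calling it benign.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            # A bare file name is resolved through the search path at logon,
            # so the log alone does not tell you which file actually runs.
            if not ABS_PATH_RE.match(cmd):
                findings.append(Finding("O4", "autorun without absolute path", cmd))
            continue
        m = DNS_RE.match(line)
        if m:
            findings.append(Finding("O17", "custom DNS server; confirm it belongs to the ISP or router", m.group("servers")))
            continue
        m = SVC_RE.match(line)
        if m and m.group("owner").lower() == "unknown owner":
            findings.append(Finding("O23", "service with no vendor information", m.group("path")))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section}: {f.reason}: {f.detail}")
```

On the sample it flags the two bare-name Run entries (stsystra.exe and KHALMNPR.EXE), the O17 NameServer line and the WLTRYSVC.EXE service with "Unknown owner"; all four are legitimate Dell, SigmaTel, Logitech and ISP items on this machine, which is exactly why the output is a worklist and not a verdict.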

  • Root Admin

Great, all looks good now.

I'll close your post soon so that others don't post into it, and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".

  • If the shortcut is missing you can also click on START > RUN, type in %SystemRoot%\system32\restore\rstrui.exe and click OK.

  • Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next".

  • Give the new Restore Point a name, then click "Create".

  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

  • Then use Disk Cleanup to remove all but the most recently created Restore Point.

  • Go to Start > Run and type: Cleanmgr.exe

  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.

  • Click the "More Options" tab, then click the "Clean up" button under System Restore.

  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"

  • Click Yes, then click Ok.

  • Click Yes again when prompted with "Are you sure you want to perform these actions?"

  • Disk Cleanup will remove the files and close automatically.

  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available, remove them also.

  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.


Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here

Find the tutorial on how to use Spyware Blaster here

Install WinPatrol

Download it from here

You can find information about how WinPatrol works here

Install FireTrust SiteHound

You can find information and download it from here

Install hpHosts

Download it from here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

hpHosts Support Forum
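The paragraph above describes how a block-list hosts file works: every listed name is pointed at 127.0.0.1 so the connection goes nowhere. As an added example (my own code, not hpHosts' or the forum's), the script below parses a file in that format and separates genuine blocking entries (loopback or 0.0.0.0) from entries that send a name to some other address, which is the one kind of line a defender wants to review in a hosts file. The sample hosts content and the `.test` host names are constructed for this example; `parse_hosts` and `audit_hosts` are names I chose.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample in the hosts-file format that hpHosts and similar block
# lists use. The host names are made up for this example (.test is reserved).
SAMPLE_HOSTS = """\
# constructed example hosts file
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test
127.0.0.1       malware.example-bad.test   # blocked by the list
0.0.0.0         telemetry.example-ads.test
192.0.2.10      update.example-av.test
"""

# Addresses that make an entry a "block" rule: the client talks to itself
# (or to an unroutable address) and nothing answers.
BLOCK_SINKS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Parse hosts-file text into (ip, hostname) pairs, ignoring comments."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]       # one IP, one or more names per line
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Split entries into block-list sinks and everything else.

    An entry pointing at 127.0.0.1, 0.0.0.0 or ::1 is a blocking entry. Any
    other address redirects the name to a real host and deserves a second
    look, because a hosts file can send traffic anywhere, not only to loopback.
    """
    report: Dict[str, List[str]] = {"blocked": [], "redirected": [], "invalid": []}
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report["invalid"].append(f"{ip} {name}")
            continue
        if name == "localhost":
            continue  # the standard entry, not a block rule
        if addr in BLOCK_SINKS:
            report["blocked"].append(name)
        else:
            report["redirected"].append(f"{name} -> {ip}")
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} names blocked")
    for entry in result["redirected"]:
        print("review:", entry)
```

Run against the live file (`%SystemRoot%\system32\drivers\etc\hosts` on XP) after installing a list, the "redirected" bucket should be empty; anything in it was not put there by a block list.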

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HJT Post Instructions found here before posting.

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

