Infected! Help!


HI!

My PC is seriously infected. I have downloaded Malwarebytes and tried the renaming trick to get it to run successfully, but it stalls after a couple of seconds and won't re-run. I have been through the Self Help Articles and run RootRepeal to try and identify the likely CLB driver, but can't see anything obvious. The report listing of the .sys files is attached below.

(I am running windows in Safe Mode and logged in as administrator.)

Any help greatly appreciated!

================================================
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/06 12:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name | Image Path | Address | Size | File Visible | Signed | Status
ACPI.sys | ACPI.sys | 0xF7438000 | 187776 | - | - | -
ACPI_HAL | \Driver\ACPI_HAL | 0x804D7000 | 2252800 | - | - | -
atapi.sys | atapi.sys | 0xF73B4000 | 95360 | - | - | -
Beep.SYS | C:\WINDOWS\System32\Drivers\Beep.SYS | 0xF79AD000 | 4224 | - | - | -
BOOTVID.dll | C:\WINDOWS\system32\BOOTVID.dll | 0xF7897000 | 12288 | - | - | -
Cdfs.SYS | C:\WINDOWS\System32\Drivers\Cdfs.SYS | 0xF7567000 | 63744 | - | - | -
cdrom.sys | C:\WINDOWS\system32\DRIVERS\cdrom.sys | 0xF7517000 | 49536 | - | - | -
CLASSPNP.SYS | C:\WINDOWS\system32\drivers\CLASSPNP.SYS | 0xF74A7000 | 53248 | - | - | -
disk.sys | disk.sys | 0xF74C7000 | 36352 | - | - | -
DLACDBHM.SYS | C:\WINDOWS\System32\Drivers\DLACDBHM.SYS | 0xF798F000 | 5568 | - | - | -
DLARTL_N.SYS | C:\WINDOWS\System32\Drivers\DLARTL_N.SYS | 0xF777F000 | 22624 | - | - | -
dmio.sys | dmio.sys | 0xF73E2000 | 153344 | - | - | -
dmload.sys | dmload.sys | 0xF798B000 | 5888 | - | - | -
DRVMCDB.SYS | DRVMCDB.SYS | 0xF7338000 | 87104 | - | - | -
dump_nvata.sys | C:\WINDOWS\System32\Drivers\dump_nvata.sys | 0xF7078000 | 106496 | No | - | -
dump_WMILIB.SYS | C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS | 0xF79B3000 | 8192 | No | - | -
Dxapi.sys | C:\WINDOWS\System32\drivers\Dxapi.sys | 0xF7208000 | 12288 | - | - | -
dxg.sys | C:\WINDOWS\System32\drivers\dxg.sys | 0xBF000000 | 73728 | - | - | -
dxgthk.sys | C:\WINDOWS\System32\drivers\dxgthk.sys | 0xF7A70000 | 4096 | - | - | -
Fastfat.SYS | C:\WINDOWS\System32\Drivers\Fastfat.SYS | 0xF69FD000 | 143360 | - | - | -
fltMgr.sys | fltMgr.sys | 0xF7360000 | 128896 | - | - | -
framebuf.dll | C:\WINDOWS\System32\framebuf.dll | 0xBFF50000 | 12288 | - | - | -
Fs_Rec.SYS | C:\WINDOWS\System32\Drivers\Fs_Rec.SYS | 0xF79A9000 | 7936 | - | - | -
ftdisk.sys | ftdisk.sys | 0xF7408000 | 125056 | - | - | -
hal.dll | C:\WINDOWS\system32\hal.dll | 0x806FD000 | 134272 | - | - | -
HDAudBus.sys | C:\WINDOWS\system32\DRIVERS\HDAudBus.sys | 0xF7198000 | 155648 | - | - | -
HIDCLASS.SYS | C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS | 0xF75B7000 | 36864 | - | - | -
HIDPARSE.SYS | C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS | 0xF780F000 | 28672 | - | - | -
hidusb.sys | C:\WINDOWS\system32\DRIVERS\hidusb.sys | 0xF797F000 | 9600 | - | - | -
i2omgmt.SYS | C:\WINDOWS\System32\Drivers\i2omgmt.SYS | 0xF79A5000 | 8192 | - | - | -
imapi.sys | C:\WINDOWS\system32\DRIVERS\imapi.sys | 0xF7507000 | 41856 | - | - | -
isapnp.sys | isapnp.sys | 0xF7487000 | 35840 | - | - | -
kbdclass.sys | C:\WINDOWS\system32\DRIVERS\kbdclass.sys | 0xF788F000 | 24576 | - | - | -
kbdhid.sys | C:\WINDOWS\system32\DRIVERS\kbdhid.sys | 0xF7983000 | 14848 | - | - | -
KDCOM.DLL | C:\WINDOWS\system32\KDCOM.DLL | 0xF7987000 | 8192 | - | - | -
ks.sys | C:\WINDOWS\system32\DRIVERS\ks.sys | 0xF71BE000 | 143360 | - | - | -
KSecDD.sys | KSecDD.sys | 0xF7321000 | 92032 | - | - | -
mouclass.sys | C:\WINDOWS\system32\DRIVERS\mouclass.sys | 0xF772F000 | 23040 | - | - | -
mouhid.sys | C:\WINDOWS\system32\DRIVERS\mouhid.sys | 0xF7224000 | 12160 | - | - | -
MountMgr.sys | MountMgr.sys | 0xF7497000 | 42240 | - | - | -
Msfs.SYS | C:\WINDOWS\System32\Drivers\Msfs.SYS | 0xF779F000 | 19072 | - | - | -
mssmbios.sys | C:\WINDOWS\system32\DRIVERS\mssmbios.sys | 0xF7947000 | 15488 | - | - | -
Mup.sys | Mup.sys | 0xF724C000 | 107904 | - | - | -
NDIS.sys | NDIS.sys | 0xF7267000 | 182912 | - | - | -
Npfs.SYS | C:\WINDOWS\System32\Drivers\Npfs.SYS | 0xF77AF000 | 30848 | - | - | -
Ntfs.sys | Ntfs.sys | 0xF7294000 | 574464 | - | - | -
ntoskrnl.exe | C:\WINDOWS\system32\ntoskrnl.exe | 0x804D7000 | 2252800 | - | - | -
Null.SYS | C:\WINDOWS\System32\Drivers\Null.SYS | 0xF7B13000 | 2944 | - | - | -
nvata.sys | nvata.sys | 0xF7380000 | 105472 | - | - | -
PartMgr.sys | PartMgr.sys | 0xF770F000 | 18688 | - | - | -
pci.sys | pci.sys | 0xF7427000 | 68224 | - | - | -
pciide.sys | pciide.sys | 0xF7A4F000 | 3328 | - | - | -
PCIIDEX.SYS | C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS | 0xF7707000 | 28672 | - | - | -
PnpManager | \Driver\PnpManager | 0x804D7000 | 2252800 | - | - | -
PxHelp20.sys | PxHelp20.sys | 0xF74D7000 | 35680 | - | - | -
RAW | \FileSystem\RAW | 0x804D7000 | 2252800 | - | - | -
rdpdr.sys | C:\WINDOWS\system32\DRIVERS\rdpdr.sys | 0xF7167000 | 196864 | - | - | -
redbook.sys | C:\WINDOWS\system32\DRIVERS\redbook.sys | 0xF7527000 | 57472 | - | - | -
rootrepeal.sys | C:\WINDOWS\system32\drivers\rootrepeal.sys | 0xF75C7000 | 49152 | No | - | -
sr.sys | sr.sys | 0xF734E000 | 73472 | - | - | -
swenum.sys | C:\WINDOWS\system32\DRIVERS\swenum.sys | 0xF7997000 | 4352 | - | - | -
termdd.sys | C:\WINDOWS\system32\DRIVERS\termdd.sys | 0xF7537000 | 40704 | - | - | -
update.sys | C:\WINDOWS\system32\DRIVERS\update.sys | 0xF7133000 | 209408 | - | - | -
USBD.SYS | C:\WINDOWS\system32\DRIVERS\USBD.SYS | 0xF799D000 | 8192 | - | - | -
usbehci.sys | C:\WINDOWS\system32\DRIVERS\usbehci.sys | 0xF7807000 | 27264 | - | - | -
usbhub.sys | C:\WINDOWS\system32\DRIVERS\usbhub.sys | 0xF7547000 | 57600 | - | - | -
usbohci.sys | C:\WINDOWS\system32\DRIVERS\usbohci.sys | 0xF77DF000 | 17024 | - | - | -
USBPORT.SYS | C:\WINDOWS\system32\DRIVERS\USBPORT.SYS | 0xF71E1000 | 143360 | - | - | -
USBSTOR.SYS | C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS | 0xF77F7000 | 26496 | - | - | -
vga.sys | C:\WINDOWS\System32\drivers\vga.sys | 0xF7787000 | 20992 | - | - | -
VIDEOPRT.SYS | C:\WINDOWS\System32\drivers\VIDEOPRT.SYS | 0xF70B2000 | 81920 | - | - | -
VolSnap.sys | VolSnap.sys | 0xF74B7000 | 52352 | - | - | -
watchdog.sys | C:\WINDOWS\System32\watchdog.sys | 0xF776F000 | 20480 | - | - | -
Win32k | \Driver\Win32k | 0xBF800000 | 1847296 | - | - | -
win32k.sys | C:\WINDOWS\System32\win32k.sys | 0xBF800000 | 1847296 | - | - | -
win32k.sys:1 | C:\WINDOWS\win32k.sys:1 | 0xF7757000 | 20480 | No | - | -
win32k.sys:2 | C:\WINDOWS\win32k.sys:2 | 0xF6C20000 | 61440 | No | - | -
WMILIB.SYS | C:\WINDOWS\system32\DRIVERS\WMILIB.SYS | 0xF7989000 | 8192 | - | - | -
WMIxWDM | \Driver\WMIxWDM | 0x804D7000 | 2252800 | - | - | -


  • Root Admin

Hello and Welcome to Malwarebytes. Please try the following and see if it works or not.

Restore Access to Programs

  • Please download the following tool: Inherit.exe, and save it directly to your desktop, not to a folder on the desktop; the commands are tailored for the desktop location.
  • Click on START -> RUN, then copy and paste the following text (including the quote " marks) into the Run box and click OK:
  • "%userprofile%\desktop\Inherit.exe" "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
  • You can also drag and drop any files onto Inherit.exe if you want.
  • Repeat for any other files for which you get an "access denied" message.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


  • Root Admin

Post reopened at user request.

You can also try running the following.

Download and run Win32kDiag:

  1. Download Win32kDiag from any of the following locations and save it to your Desktop.
  2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic; please do not attach the file.

Please let it run for at least an hour without bothering it, regardless of what it says.

If it finds and reports a lot of items, then run the following.

Go to Start > Run and copy and paste the following command in the field:

"%userprofile%\desktop\win32kdiag.exe" -f -r

This should restore permissions on locked files and remove mount points.

Then try to run the following.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

  1. If you are using Firefox, make sure that your download settings are as follows:
     • Tools -> Options -> Main tab
     • Set to "Always ask me where to Save the files".
  2. During the download, rename ComboFix to Combo-Fix.
  3. It is important you rename ComboFix during the download, but not after.
  4. Please do not rename ComboFix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double-click on Combo-Fix.exe and follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after the BIOS, just before the Windows logo appears. A list of options will appear; select "Safe Mode."

If this doesn't work either, try the same method as above, but name Combofix.exe to iexplore.exe instead, or winlogon.exe.

This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...

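Win32kDiag -f -r reports every reparse point it removes and every file whose permissions it resets, and the RootRepeal listing earlier in the thread shows what is loaded in the kernel. The Python below is an added example, not code from either tool or from this thread: it parses both log formats (as they appear in the posts above and below) and flags what a responder would look at first: loaded drivers with no visible file or an image in an NTFS alternate data stream, mount points whose target is not a volume, and system-file copies with blank version info or a size unlike their siblings. The sample logs are constructed in the tools' formats; the volume GUID in them is a placeholder, and the "benign reparse target" rule is an assumption.

```python
"""Triage helpers for RootRepeal and Win32kDiag logs (added example, not code
from either tool or from this thread; samples are constructed, GUID is a placeholder)."""
import ntpath
import re
from collections import defaultdict
ADDR_RE = re.compile(r"Address: (\S+) Size: (\d+) File Visible: (\S+)")
MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
LOCKED_RE = re.compile(r"^Cannot access: (.+)$")
COPY_RE = re.compile(r"^\[\d+\] \S+ \S+ (\d+) (.+?) \((.*)\)$")

def parse_rootrepeal(text):
    """RootRepeal lists each driver as Name / Image Path / Address / Status lines."""
    drivers, cur = [], {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Name: "):
            cur = {"name": line[6:]}
        elif line.startswith("Image Path: "):
            cur["path"] = line[12:]
        elif m := ADDR_RE.match(line):
            cur.update(addr=m.group(1), size=int(m.group(2)), visible=m.group(3))
            drivers.append(cur)
    return drivers

def suspicious_drivers(drivers):
    # Loaded code with no visible file, or an image inside an NTFS alternate data
    # stream (a ':' after the drive letter), needs a look.  Expected benign hits:
    # the dump_* crash-dump drivers and the scanner's own rootrepeal.sys.
    out = []
    for d in drivers:
        ads = ":" in d["path"][2:]
        if d["visible"].lower() == "no" or ads:
            out.append((d["name"], d["path"], ads))
    return out

def parse_win32kdiag(text):
    """Collect removed mount points, ACL-stripped files and system-file copies."""
    mounts, locked, copies, pending = [], [], defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        if m := MOUNT_RE.match(line):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)) and pending:
            mounts.append((pending, m.group(1)))
            pending = None
        elif m := LOCKED_RE.match(line):
            locked.append(m.group(1))
        elif m := COPY_RE.match(line):
            size, path, company = int(m.group(1)), m.group(2), m.group(3)
            copies[ntpath.basename(path).lower()].append((path, size, company))
    # No backup privilege means not every ACL could be reset, whatever "Finished!" says.
    return {"mounts": mounts, "locked": locked, "copies": dict(copies),
            "no_backup_priv": "Could not get backup privileges" in text}

def suspicious_mounts(report):
    # Assumption: a benign reparse target names a volume (a \??\ link or a
    # \Device\Harddisk... path).  A leaf folder that repeats its parent's name is
    # the planting pattern seen in this thread, so it is flagged as well.
    out = []
    for path, dest in report["mounts"]:
        parent, leaf = ntpath.split(path)
        same_name = ntpath.basename(parent).lower() == leaf.lower()
        benign = dest.startswith("\\??\\") or dest.startswith("\\Device\\Harddisk")
        if same_name or not benign:
            out.append((path, dest))
    return out

def suspicious_copies(report):
    """Flag a copy with blank version info or a size unlike its siblings."""
    out = []
    for entries in report["copies"].values():
        sizes = [s for _, s, _ in entries]
        majority = max(set(sizes), key=sizes.count)
        for path, size, company in entries:
            if not company or (len(entries) > 1 and size != majority):
                out.append((path, size, company))
    return out

ROOTREPEAL_SAMPLE = r"""
Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2252800 File Visible: - Signed: -
Status: -
Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7757000 Size: 20480 File Visible: No Signed: -
Status: -
"""

WIN32KDIAG_SAMPLE = r"""
WARNING: Could not get backup privileges!
Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768
Mount point destination : \Device\__max++>\^
Found mount point : C:\Data\Volume1
Mount point destination : \??\Volume{PLACEHOLDER-GUID}
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()
[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)
"""
```

Run it as `suspicious_drivers(parse_rootrepeal(open("RootRepeal.txt").read()))` and `suspicious_mounts(parse_win32kdiag(open("Win32kDiag.txt").read()))` against the real logs; a mount point flagged only by the same-name rule still deserves a manual look at the target.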

Hi,

Thank you for your reply and assistance.

I managed to run Win32kDiag.exe and this is the log file output:

Running from: C:\Documents and Settings\Mark Downie\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\Mark Downie\Desktop\Win32kDiag.txt

Removing all found mount points.
Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Every mount point below was reported with the destination \Device\__max++>\^ and removed (the log prints "Found mount point", "Mount point destination" and "Removing mount point" for each one):

C:\WINDOWS\$hf_mig$\KB931768\KB931768
C:\WINDOWS\$hf_mig$\KB931784\KB931784
C:\WINDOWS\$hf_mig$\KB932168\KB932168
C:\WINDOWS\$hf_mig$\KB933566\KB933566
C:\WINDOWS\A5W_DATA\A5W_DATA
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP362.tmp\ZAP362.tmp
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4F2.tmp\ZAP4F2.tmp
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5DE.tmp\ZAP5DE.tmp
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP610.tmp\ZAP610.tmp
C:\WINDOWS\assembly\temp\temp
C:\WINDOWS\assembly\tmp\tmp
C:\WINDOWS\Config\Config
C:\WINDOWS\Connection Wizard\Connection Wizard
C:\WINDOWS\ftpcache\ftpcache
C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz
C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib
C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave
C:\WINDOWS\ime\chsime\applets\applets
C:\WINDOWS\ime\CHTIME\Applets\Applets
C:\WINDOWS\ime\imejp\applets\applets
C:\WINDOWS\ime\imejp98\imejp98
C:\WINDOWS\ime\imjp8_1\applets\applets
C:\WINDOWS\ime\imkr6_1\applets\applets
C:\WINDOWS\ime\imkr6_1\dicts\dicts
C:\WINDOWS\ime\shared\res\res
C:\WINDOWS\java\classes\classes
C:\WINDOWS\java\trustlib\trustlib
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
C:\WINDOWS\msapps\msinfo\msinfo
C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe
Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Mount points (continued, same destination, all removed):

C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
C:\WINDOWS\pchealth\helpctr\Config\News\News
C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
C:\WINDOWS\pchealth\helpctr\Temp\Temp
C:\WINDOWS\Registration\CRMLog\CRMLog
C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
C:\WINDOWS\SoftwareDistribution\Download\aa23f1c18895fd721870de4beeed4ad5\backup\backup
C:\WINDOWS\SoftwareDistribution\Download\c1835c8cb0bb13f938a8a983ca5edea4\backup\backup
C:\WINDOWS\SoftwareDistribution\Download\e50981864c541bdea07741b88d379a52\backup\backup
C:\WINDOWS\Sun\Java\Deployment\Deployment
C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\dumprep.exe
Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-04 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Mount points (continued, same destination, all removed):

C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM
C:\WINDOWS\Temp\naiE\naiE
C:\WINDOWS\Temp\RarSFX0\RarSFX0
C:\WINDOWS\Temp\RarSFX1\RarSFX1
C:\WINDOWS\Temp\RarSFX10\RarSFX10
C:\WINDOWS\Temp\RarSFX11\RarSFX11
C:\WINDOWS\Temp\RarSFX12\RarSFX12
C:\WINDOWS\Temp\RarSFX13\RarSFX13
C:\WINDOWS\Temp\RarSFX14\RarSFX14
C:\WINDOWS\Temp\RarSFX15\RarSFX15
C:\WINDOWS\Temp\RarSFX16\RarSFX16
C:\WINDOWS\Temp\RarSFX17\RarSFX17
C:\WINDOWS\Temp\RarSFX18\RarSFX18
C:\WINDOWS\Temp\RarSFX19\RarSFX19
C:\WINDOWS\Temp\RarSFX2\RarSFX2
C:\WINDOWS\Temp\RarSFX20\RarSFX20
C:\WINDOWS\Temp\RarSFX21\RarSFX21
C:\WINDOWS\Temp\RarSFX22\RarSFX22
C:\WINDOWS\Temp\RarSFX23\RarSFX23
C:\WINDOWS\Temp\RarSFX24\RarSFX24
C:\WINDOWS\Temp\RarSFX25\RarSFX25
C:\WINDOWS\Temp\RarSFX26\RarSFX26
C:\WINDOWS\Temp\RarSFX27\RarSFX27
C:\WINDOWS\Temp\RarSFX28\RarSFX28
C:\WINDOWS\Temp\RarSFX29\RarSFX29
C:\WINDOWS\Temp\RarSFX3\RarSFX3
C:\WINDOWS\Temp\RarSFX4\RarSFX4
C:\WINDOWS\Temp\RarSFX5\RarSFX5
C:\WINDOWS\Temp\RarSFX6\RarSFX6
C:\WINDOWS\Temp\RarSFX7\RarSFX7
C:\WINDOWS\Temp\RarSFX8\RarSFX8
C:\WINDOWS\Temp\RarSFX9\RarSFX9
C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Finished!

------------------------------------------------------------------------------------

I then ran Combo-Fix, which worked OK, though when it tried on completion to reboot Windows it failed with an 'access denied' Windows message, and when I tried to reboot with Windows Task Manager the machine hung. I rebooted manually (power off/power on) and re-ran Combo-Fix in Safe Mode. The resulting log file is as follows:

ComboFix 09-10-18.04 - MarkDownie 19/10/2009 11:28.2.2 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.662 [GMT 1:00]

Running from: c:\documents and settings\Mark Downie\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Mark Downie\Desktop\Combo-Fix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents

c:\windows\Installer\59231e.msi

c:\windows\system32\ndisapi.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NDISRD

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))

.

2009-10-19 10:27 . 2009-10-19 10:27 -------- d-----w- C:\32788R22FWJFW

2009-10-19 08:15 . 2009-10-19 08:15 -------- d-----w- C:\quarantine

2009-10-19 07:59 . 2009-10-19 10:23 -------- d-----w- C:\Combo-Fix

2009-10-15 15:14 . 2004-08-03 23:56 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2009-10-15 15:12 . 2001-08-17 21:36 53760 ----a-w- c:\windows\system32\dllcache\wiamsmud.dll

2009-10-15 15:11 . 2001-08-17 12:28 687999 ----a-w- c:\windows\system32\dllcache\usrwdxjs.sys

2009-10-15 15:10 . 2001-08-17 21:36 50176 ----a-w- c:\windows\system32\dllcache\umaxp60.dll

2009-10-15 15:09 . 2001-08-17 13:01 241664 ----a-w- c:\windows\system32\dllcache\tosdvd02.sys

2009-10-15 15:08 . 2001-08-17 21:36 53760 ----a-w- c:\windows\system32\dllcache\sw_wheel.dll

2009-10-15 15:07 . 2001-08-17 12:53 9600 ----a-w- c:\windows\system32\dllcache\sonymc.sys

2009-10-15 15:06 . 2001-08-17 13:56 157696 ----a-w- c:\windows\system32\dllcache\sisv256.dll

2009-10-15 15:05 . 2001-08-17 12:52 11648 ----a-w- c:\windows\system32\dllcache\scsiprnt.sys

2009-10-15 15:04 . 2004-08-03 21:29 166912 ----a-w- c:\windows\system32\dllcache\s3gnbm.sys

2009-10-15 15:03 . 2004-08-03 22:00 6016 ----a-w- c:\windows\system32\dllcache\qic157.sys

2009-10-15 15:02 . 2004-08-04 04:00 70144 ----a-w- c:\windows\system32\dllcache\pintlphr.exe

2009-10-15 15:02 . 2004-08-04 04:00 53760 ----a-w- c:\windows\system32\dllcache\pintlcsd.dll

2009-10-15 15:02 . 2004-08-04 04:00 175104 ----a-w- c:\windows\system32\dllcache\pintlcsa.dll

2009-10-15 15:02 . 2001-08-17 21:36 121344 ----a-w- c:\windows\system32\dllcache\phvfwext.dll

2009-10-15 15:02 . 2001-08-17 13:07 19840 ----a-w- c:\windows\system32\dllcache\philtune.sys

2009-10-15 15:02 . 2001-08-17 13:04 92416 ----a-w- c:\windows\system32\dllcache\phildec.sys

2009-10-15 15:02 . 2001-08-17 13:04 173696 ----a-w- c:\windows\system32\dllcache\philcam2.sys

2009-10-15 15:02 . 2001-08-17 13:04 75776 ----a-w- c:\windows\system32\dllcache\philcam1.sys

2009-10-15 15:02 . 2001-08-17 21:36 16384 ----a-w- c:\windows\system32\dllcache\philcam1.dll

2009-10-15 15:00 . 2001-08-17 12:28 54186 ----a-w- c:\windows\system32\dllcache\otcsercb.sys

2009-10-15 14:59 . 2004-08-03 22:10 10880 ----a-w- c:\windows\system32\dllcache\ndisip.sys

2009-10-15 14:58 . 2001-08-17 13:02 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys

2009-10-15 14:57 . 2001-08-17 12:28 797500 ----a-w- c:\windows\system32\dllcache\ltsmt.sys

2009-10-15 14:56 . 2004-08-04 04:00 6144 ----a-w- c:\windows\system32\dllcache\kbd106n.dll

2009-10-15 14:55 . 2001-08-17 21:36 91136 ----a-w- c:\windows\system32\dllcache\icam4com.dll

2009-10-15 14:54 . 2001-08-17 12:28 289887 ----a-w- c:\windows\system32\dllcache\hsf_fall.sys

2009-10-15 14:53 . 2004-08-03 21:59 28288 ----a-w- c:\windows\system32\dllcache\grserial.sys

2009-10-15 14:52 . 2001-08-17 12:52 7040 ----a-w- c:\windows\system32\dllcache\exabyte2.sys

2009-10-15 14:51 . 2001-08-17 11:11 455199 ----a-w- c:\windows\system32\dllcache\el985n51.sys

2009-10-15 14:50 . 2001-08-17 11:17 90525 ----a-w- c:\windows\system32\dllcache\digifep5.sys

2009-10-15 14:49 . 2001-08-17 11:11 39936 ----a-w- c:\windows\system32\dllcache\cnxt1803.sys

2009-10-15 14:48 . 2001-08-17 21:36 5120 ----a-w- c:\windows\system32\dllcache\brscnrsm.dll

2009-10-15 14:47 . 2004-08-03 21:29 56623 ----a-w- c:\windows\system32\dllcache\ati1btxx.sys

2009-10-15 14:45 . 2009-10-15 14:45 -------- d-----w- c:\documents and settings\Mark Downie\Application Data\Malwarebytes

2009-10-15 14:45 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-15 14:45 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-15 14:45 . 2009-10-15 14:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-15 14:37 . 2004-08-04 04:00 46592 ----a-w- c:\windows\system32\dllcache\coadmin.dll

2009-10-15 14:37 . 2003-03-24 15:52 188480 ----a-w- c:\windows\system32\dllcache\cfgwiz.exe

2009-10-15 14:37 . 2003-03-24 15:52 16439 ----a-w- c:\windows\system32\dllcache\author.exe

2009-10-15 14:37 . 2003-03-24 15:52 20540 ----a-w- c:\windows\system32\dllcache\author.dll

2009-10-15 14:37 . 2004-08-04 04:00 290816 ----a-w- c:\windows\system32\dllcache\adsiis51.dll

2009-10-15 14:37 . 2004-08-04 04:00 43520 ----a-w- c:\windows\system32\dllcache\admwprox.dll

2009-10-15 14:37 . 2003-03-24 15:52 16439 ----a-w- c:\windows\system32\dllcache\admin.exe

2009-10-15 14:37 . 2003-03-24 15:52 20540 ----a-w- c:\windows\system32\dllcache\admin.dll

2009-10-15 13:48 . 2009-10-15 14:09 -------- d--h--w- c:\documents and settings\Mark Downie.AITECHPC11\Application Data\Gtek

2009-10-15 13:48 . 2009-10-15 14:09 -------- d-----w- c:\documents and settings\Mark Downie.AITECHPC11\Local Settings\Application Data\ApplicationHistory

2009-10-15 13:48 . 2007-04-21 17:29 74648 ----a-w- c:\documents and settings\Mark Downie.AITECHPC11\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-15 13:19 . 2009-10-15 14:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)

2009-10-06 09:47 . 2009-10-06 09:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-09-23 11:16 . 2009-10-15 14:09 -------- d-----w- c:\program files\RandomNamel

2009-09-23 11:05 . 2009-10-15 14:09 -------- d-----w- c:\program files\ERUNT

2009-09-22 13:33 . 2009-10-15 14:09 -------- d-----w- c:\program files\Windows Live Safety Center

2009-09-22 13:07 . 2009-09-22 13:07 -------- d-----w- c:\windows\system32\wbem\Repository

2009-09-22 10:54 . 2009-09-22 11:13 -------- d-----w- C:\$AVG8.VAULT$

2009-09-22 10:50 . 2009-09-22 10:51 -------- d-----w- c:\windows\system32\drivers\Avg(2)

2009-09-22 10:50 . 2009-10-15 14:09 -------- d-----w- c:\program files\AVG(2)

2009-09-22 10:50 . 2009-10-15 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8(2)

2009-09-22 08:37 . 2009-10-15 14:09 -------- d-----w- c:\documents and settings\Mark Downie\.housecall6.6

2009-09-22 07:49 . 2009-09-22 07:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-21 10:39 . 2009-09-21 10:39 -------- d-----w- c:\program files\NOS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-19 10:22 . 2009-09-17 12:18 0 ----a-r- c:\windows\win32k.sys

2009-10-15 14:10 . 2009-10-15 14:10 -------- d-----w- c:\program files\Alex Feinman

2009-10-15 14:10 . 2008-04-23 14:55 -------- d-----w- c:\program files\Opera

2009-09-29 10:46 . 2007-04-21 17:29 104672 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-22 07:04 . 2007-04-21 17:22 -------- d-----w- c:\program files\Google

2009-09-21 11:25 . 2008-09-29 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2009-09-21 11:21 . 2008-09-29 09:01 -------- d-----w- c:\program files\FolderMatch

2009-09-21 10:39 . 2009-07-14 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-09-17 20:16 . 2009-09-17 20:16 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-17 08:28 . 2007-05-09 10:06 -------- d-----w- c:\program files\Common Files\Real

2009-09-17 08:27 . 2009-09-17 08:27 -------- d-----w- c:\program files\Common Files\xing shared

2009-09-17 08:27 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2009-09-17 08:27 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\msvcr71.dll

2009-09-17 08:27 . 2007-05-09 10:06 -------- d-----w- c:\program files\Real

2009-09-15 13:38 . 2007-05-02 08:46 -------- d-----w- c:\documents and settings\Mark Downie\Application Data\AdobeUM

2009-09-09 08:46 . 2007-04-21 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-07 12:58 . 2007-05-08 09:06 -------- d-----w- c:\program files\Paint Shop Pro 6

2008-12-12 08:42 . 2007-10-18 06:35 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2008-07-11 06:25 . 2007-05-02 14:43 168 --sh--r- c:\windows\system32\5C51F65B36.sys

2008-07-11 06:27 . 2007-05-02 14:43 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]

"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 53248]

"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-01 303104]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2005-08-26 212992]

"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 1117184]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 110592]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-09-21 135224]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-17 198160]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"DisablePersonalDirChange"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [02/05/2007 10:19 58048]

R1 waclient;Portwise Access Client Driver;c:\windows\system32\drivers\waclient.sys [23/12/2008 09:40 89088]

R2 Google MediaServer;Google MediaServer;c:\program files\Google\Google Media Server\GoogleMediaServer.exe [12/12/2008 10:07 622080]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [21/04/2007 18:22 29744]

S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [29/08/2007 07:22 83208]

S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [29/08/2007 07:22 15112]

S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [29/08/2007 07:22 108680]

S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [29/08/2007 07:22 100488]

S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [29/08/2007 07:22 98568]

.

Contents of the 'Scheduled Tasks' folder

2009-09-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-10-16 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (AITECHPC10-Mark Downie).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2007-04-21 17:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {3195CF7C-E9E2-49B2-8B61-14F285298E1C} - hxxps://dickinson-pw.garbuiodickinson.eu/wa/AccessClientLoader.cab

FF - ProfilePath - c:\documents and settings\Mark Downie\Application Data\Mozilla\Firefox\Profiles\t7t8wzsj.default\

FF - plugin: c:\program files\Opera\program\plugins\np_gp.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

- - - - ORPHANS REMOVED - - - -

AddRemove-ERUNT_is1 - c:\program files\ERUNT\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-19 11:39

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(512)

c:\windows\system32\EntApi.dll

- - - - - - - > 'explorer.exe'(2948)

c:\windows\system32\EntApi.dll

c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Maxtor\Sync\SyncServices.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\program files\McAfee.com\Agent\Mcdetect.exe

c:\program files\Network Associates\VirusScan\Mcshield.exe

c:\program files\Network Associates\VirusScan\VsTskMgr.exe

c:\progra~1\McAfee.com\Agent\McTskshd.exe

c:\progra~1\McAfee.com\PERSON~1\MpfService.exe

c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe

c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\system32\searchindexer.exe

c:\windows\system32\searchprotocolhost.exe

c:\windows\system32\wscntfy.exe

c:\combo-fix28464c\CF21136.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\searchfilterhost.exe

.

**************************************************************************

.

Completion time: 2009-10-19 11:43 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-19 10:43

Pre-Run: 36,123,303,936 bytes free

Post-Run: 35,023,564,800 bytes free

- - End Of File - - 75CAFAFF73ED6C86E43F5903774EDF67

Many thanks for your help and support so far!! Let's hope we can beat this thing!!

Mark
