

Infected with Win32K.stream


This topic is locked
22 replies to this topic

#1 Bowmajo

Bowmajo

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 17 August 2009 - 02:20 PM

Hello, my machine is currently infected with Win32K.Stream as reported by Stopzilla; it originally also had a Vundo.f, but that seems to be gone now. Anyway, if I try to run Malwarebytes, HijackThis or anything that could help identify or remove the infection, the program will start to run, then stop with no errors, until I try to run it again and then I get "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access them", so I'm at a loss.

I've read all the posts I could find, but nothing is helping. Stopzilla says it is removing the files, but after a reboot they are back.

DDS (Ver_09-07-30.01) - NTFSx86
Run by 020812 at 13:52:03.20 on 2009-08-17
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2631 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
svchost.exe
C:\Program Files\IP VPN Remote Services\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\eCopy\Desktop 9.0\Bin\eDP2eD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AccessManager\Client\sygman.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\020812\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.mykonicaminolta.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = dankaint:80
uInternet Settings,ProxyOverride = *dankaind.com;*americas.danka.com;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QPMEnroll] c:\windows\system32\QPMEnroll.exe
mRun: [AccessManager] c:\program files\accessmanager\client\AccessMgr.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Norton Ghost 9.0] c:\program files\symantec\norton ghost\agent\GhostTray.exe
mRun: [lxdcamon] "c:\program files\lexmark 1300 series\lxdcamon.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [eCopy Scan Inbox Monitor] "c:\program files\ecopy\desktop 9.0\bin\InboxMonitor.exe" -run
mRun: [eDP2eD] "c:\program files\ecopy\desktop 9.0\bin\eDP2eD.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [CISCO] c:\program files\ip vpn remote services\setupfiles\delayinst.exe delay c:\program files\ip vpn remote services\setupfiles\setup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\ip vpn remote services\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
LSP: bmnet.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229554574583
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229554562852
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {b5859259-c40b-4b2a-af9d-3bf0f634b1d5} - hxxp://vision21dprd.americas.danka.com:8012/jinitiator/oajinit.exe
DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D3DFD3FF-7858-47E8-BB20-ACFF66DECF48} - hxxp://192.168.0.60/jpgviewlrx.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\020812\applic~1\mozilla\firefox\profiles\nse542az.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\020812\application data\mozilla\firefox\profiles\nse542az.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\020812\application data\mozilla\firefox\profiles\nse542az.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox3.dll
FF - component: c:\documents and settings\020812\application data\mozilla\firefox\profiles\nse542az.default\extensions\{db348de1-a97d-4171-ab0c-ff50eae57ff4}\components\FFAlert.dll
FF - component: c:\program files\paypal\paypal plug-in\components\PayPalPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-7-29 138780]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-5-12 61328]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2009-8-17 3968]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-7-29 46779]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 74480]
R2 AMBroker;Access Manager Configuration Service;c:\program files\accessmanager\client\AMBroker.exe [2004-8-5 77824]
R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-11-10 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-2-22 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-3-2 49152]
R2 Sygman;SSA Integration Manager;c:\program files\accessmanager\client\sygman.exe [2004-8-5 126976]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-12-1 6016]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-10-15 589592]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-11-5 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-11-5 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-11-5 170408]
R3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [2008-1-31 27392]
R3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [2008-1-31 41728]
R3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [2008-1-31 39808]
R3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [2008-1-31 5888]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys --> c:\windows\system32\drivers\nielprt.sys [?]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdcserv.exe [2007-5-25 99248]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2008-11-20 113152]
S3 CMAP_S3C;C-Map S3C Chart Plotter USB Driver (cmap_cp.sys);c:\windows\system32\drivers\cmap_cp.sys [2005-6-27 18736]
S3 DAPlugin;Visual Insight DA Plugin;c:\program files\accessmanager\client\DAPlugin.exe [2004-8-5 81920]
S3 IMNPF;Packet Filter;c:\windows\system32\drivers\imnpf.sys [2008-8-5 33456]
S3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-2-11 34136]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\bin\ONRSD.EXE [2000-10-19 411244]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-12-18 189792]
S3 WnsDrvr;WnsDrvr;c:\windows\system32\drivers\wnsdrvr.sys [2008-11-2 25952]
S3 YNBUFQECN;YNBUFQECN;c:\docume~1\020812\locals~1\temp\YNBUFQECN.exe [2009-8-17 588672]
S4 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
S4 sp_spi_da;Visual Insight Dial Analysis;c:\program files\accessmanager\smoc\spi_da.exe [2003-4-17 81920]

=============== Created Last 30 ================

2009-08-17 13:47 688 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-08-17 13:45 840 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-17 10:51 3,968 a------- c:\windows\system32\drivers\AvgArCln.sys
2009-08-17 10:40 13,213,696 a------- c:\windows\system32\HPOKCBPNF
2009-08-17 10:39 7,668 a------- c:\windows\system32\drivers\RKREVEAL150.SYS
2009-08-17 01:04 <DIR> --d----- C:\VundoFix Backups
2009-08-16 16:33 <DIR> --d----- c:\program files\STOPzilla!
2009-08-16 16:01 <DIR> --d----- c:\program files\Trend Micro
2009-08-16 16:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-16 01:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-08-16 01:26 <DIR> --d----- c:\program files\common files\iS3
2009-08-16 01:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-08-16 00:50 4 a------- c:\windows\system32\bincd32.dat
2009-08-16 00:42 64 a------- c:\windows\ppp4.dat
2009-08-16 00:42 36 a------- c:\windows\system32\sysnet.dat
2009-08-16 00:42 9 a------- c:\windows\system32\bennuar.old
2009-08-16 00:42 2 a------- c:\windows\ppp3.dat
2009-08-16 00:42 390,144 a------- c:\windows\system32\desot.exe
2009-08-16 00:42 89 a------- c:\windows\system32\sonhelp.htm
2009-08-16 00:41 24,576 a------- c:\windows\system32\tapi.nfo
2009-08-16 00:40 15,000 a------- c:\windows\system32\hs7f3uhduhfukde.dll
2009-08-16 00:40 2 a--sh--- C:\6458628
2009-07-23 19:13 <DIR> --d----- c:\docume~1\020812\applic~1\LimeWire
2009-07-23 18:58 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-23 18:58 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-23 18:57 <DIR> --d----- c:\program files\LimeWire
2009-07-21 23:25 <DIR> --d----- c:\program files\Roxio
2009-07-21 23:25 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-07-20 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-07-20 14:56 311,296 a----r-- c:\windows\system32\SZBase5.dll
2009-07-20 14:56 540,672 a----r-- c:\windows\system32\SZComp5.dll

==================== Find3M ====================

2009-08-16 15:56 170,900 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-09 15:52 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-07-09 15:52 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-07-09 15:51 385,024 a----r-- c:\windows\system32\IS3UI5.dll
2009-07-09 15:51 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-07-09 15:51 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-07-09 15:50 225,280 a----r-- c:\windows\system32\IS3Win325.dll
2009-07-09 15:50 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-07-09 15:50 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-07-09 15:47 724,992 a----r-- c:\windows\system32\IS3Base5.dll
2009-07-09 11:33 44,328 a------- c:\docume~1\020812\applic~1\GDIPFONTCACHEV1.DAT
2008-11-02 19:51 12 a------- c:\documents and settings\020812\bitpim.dat

============= FINISH: 13:52:46.35 ===============


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:32 AM

Posted 17 August 2009 - 06:08 PM

Hi, Bowmajo :thumbup2:

Welcome.

Please open a command prompt window (Start -> Run, type CMD and click OK). Copy and paste the following commands at the command prompt and press Enter after each line:


DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\ntelogon.dll >Log.txt
Net Start >>Log.txt & START notepad Log.txt


Copy the resulting report on your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Bowmajo


Posted 17 August 2009 - 07:28 PM

Thanks, JSntgRvr, for your help with this; hopefully it will be an easy fix :thumbup2:



Volume in drive C has no label.
Volume Serial Number is 0062-8D04

Directory of C:\WINDOWS\$NtServicePackUninstall$

2005-03-08 10:46 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

2005-03-08 10:44 AM 407,040 netlogon.dll
2 File(s) 587,264 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

2008-04-13 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

2008-04-13 07:12 PM 407,040 netlogon.dll
2 File(s) 588,288 bytes

Directory of C:\WINDOWS\system32

2008-04-13 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

2008-04-13 07:12 PM 407,040 netlogon.dll
2 File(s) 588,288 bytes

Total Files Listed:
6 File(s) 1,763,840 bytes
0 Dir(s) 100,183,490,560 bytes free
These Windows services are started:

Access Manager Configuration Service
Application Layer Gateway Service
Automatic Updates
Bluetooth Support Service
Cisco Systems, Inc. VPN Service
COM+ Event System
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Error Reporting Service
Event Log
Help and Support
HID Input Service
Intel® PROSet/Wireless Event Log
Intel® PROSet/Wireless Registry Service
Intel® PROSet/Wireless Service
Intel® PROSet/Wireless SSO Service
IPSEC Services
Java Quick Starter
lxcz_device
Machine Debug Manager
McAfee Framework Service
McAfee McShield
McAfee Task Manager
Net Logon
Network Connections
Network Location Awareness (NLA)
NICCONFIGSVC
Norton Ghost
Plug and Play
Pml Driver HPZ12
Print Spooler
Protected Storage
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator
Remote Registry
Secondary Logon
Security Accounts Manager
Server
Shell Hardware Detection
SigmaTel Audio Service
Smart Card
SSA Integration Manager
SSDP Discovery Service
STOPzilla Service
System Event Notification
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Terminal Services
Themes
WebClient
Windows Audio
Windows Driver Foundation - User-mode Driver Framework
Windows Firewall/Internet Connection Sharing (ICS)
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Time
Workstation
Yahoo! Updater

The command completed successfully.

#4 JSntgRvr


Posted 17 August 2009 - 11:28 PM

Hi, Bowmajo :thumbup2:

Those results seem legit. Let's locate the win32k.sys. Run the following command as you did the previous one.

DIR /a/s %windir%\win32k.sys >Log.txt & START notepad Log.txt

Post the resulting report.



#5 Bowmajo


Posted 18 August 2009 - 12:05 AM

Here are the results from the last command:

Volume in drive C has no label.
Volume Serial Number is 0062-8D04

Directory of C:\WINDOWS\$hf_mig$\KB890859\SP2QFE

2005-03-01 08:11 PM 1,836,160 win32k.sys
1 File(s) 1,836,160 bytes

Directory of C:\WINDOWS\$hf_mig$\KB925902\SP2QFE

2007-03-08 08:49 AM 1,843,968 win32k.sys
1 File(s) 1,843,968 bytes

Directory of C:\WINDOWS\$hf_mig$\KB941693\SP2QFE

2008-03-19 04:40 AM 1,845,888 win32k.sys
1 File(s) 1,845,888 bytes

Directory of C:\WINDOWS\$hf_mig$\KB954211\SP3QFE

2008-09-15 07:25 AM 1,846,912 win32k.sys
1 File(s) 1,846,912 bytes

Directory of C:\WINDOWS\$hf_mig$\KB958690\SP3QFE

2009-02-09 06:08 AM 1,847,552 win32k.sys
1 File(s) 1,847,552 bytes

Directory of C:\WINDOWS\$hf_mig$\KB968537\SP3QFE

2009-04-17 05:50 AM 1,847,808 win32k.sys
1 File(s) 1,847,808 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

2008-03-19 04:47 AM 1,845,248 win32k.sys
1 File(s) 1,845,248 bytes

Directory of C:\WINDOWS\$NtUninstallKB890859$

2005-03-08 10:48 AM 1,835,904 win32k.sys
1 File(s) 1,835,904 bytes

Directory of C:\WINDOWS\$NtUninstallKB925902$

2005-03-01 08:06 PM 1,836,288 win32k.sys
1 File(s) 1,836,288 bytes

Directory of C:\WINDOWS\$NtUninstallKB941693$

2007-03-08 08:47 AM 1,843,584 win32k.sys
1 File(s) 1,843,584 bytes

Directory of C:\WINDOWS\$NtUninstallKB954211$

2008-04-13 02:30 PM 1,845,632 win32k.sys
1 File(s) 1,845,632 bytes

Directory of C:\WINDOWS\$NtUninstallKB958690$

2008-09-15 07:12 AM 1,846,400 win32k.sys
1 File(s) 1,846,400 bytes

Directory of C:\WINDOWS\$NtUninstallKB968537$

2009-02-09 06:13 AM 1,846,784 win32k.sys
1 File(s) 1,846,784 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

2008-04-13 02:30 PM 1,845,632 win32k.sys
1 File(s) 1,845,632 bytes

Directory of C:\WINDOWS\system32

2009-04-17 07:26 AM 1,847,168 win32k.sys
1 File(s) 1,847,168 bytes

Directory of C:\WINDOWS\system32\dllcache

2009-04-17 07:26 AM 1,847,168 win32k.sys
1 File(s) 1,847,168 bytes

Total Files Listed:
16 File(s) 29,508,096 bytes
0 Dir(s) 100,309,159,936 bytes free
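Added example, not from this thread or from BleepingComputer: a small Python parser for the `DIR /a/s` reports exchanged above. It compares the live win32k.sys in system32 with the Windows File Protection copy in system32\dllcache (a mismatch in size or timestamp is the thing worth a closer look) and diffs two reports, as when the same command is re-run after installing an update. The listings embedded below are constructed to follow the posted format; the "tampered" variant uses invented values purely to exercise the mismatch path.

```python
import re

# Regexes for the two line kinds that matter in "DIR /a/s" output: the
# "Directory of ..." header and a dated file line (date, time, size, name).
# The date pattern is permissive so locale formats such as 04/17/2009 also parse.
DIR_RE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
FILE_RE = re.compile(
    r"^(?P<date>\d{2,4}[-/.]\d{2}[-/.]\d{2,4})\s+(?P<time>\d{1,2}:\d{2}\s*(?:AM|PM)?)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$"
)

# Constructed sample: a subset of the directories from the report posted above,
# laid out the way DIR prints them (not a verbatim copy of the post).
DIR_LOG_BEFORE = """\
 Volume in drive C has no label.
 Volume Serial Number is 0062-8D04

 Directory of C:\\WINDOWS\\$hf_mig$\\KB968537\\SP3QFE

2009-04-17  05:50 AM         1,847,808 win32k.sys
               1 File(s)      1,847,808 bytes

 Directory of C:\\WINDOWS\\ServicePackFiles\\i386

2008-04-13  02:30 PM         1,845,632 win32k.sys
               1 File(s)      1,845,632 bytes

 Directory of C:\\WINDOWS\\system32

2009-04-17  07:26 AM         1,847,168 win32k.sys
               1 File(s)      1,847,168 bytes

 Directory of C:\\WINDOWS\\system32\\dllcache

2009-04-17  07:26 AM         1,847,168 win32k.sys
               1 File(s)      1,847,168 bytes

     Total Files Listed:
               4 File(s)      7,386,240 bytes
               0 Dir(s)  100,309,159,936 bytes free
"""

# Constructed "after" sample: identical except that the live copy in system32
# no longer matches the dllcache copy (invented size and timestamp, demo only).
DIR_LOG_TAMPERED = DIR_LOG_BEFORE.replace(
    "2009-04-17  07:26 AM         1,847,168 win32k.sys\n"
    "               1 File(s)      1,847,168 bytes\n\n"
    " Directory of C:\\WINDOWS\\system32\\dllcache",
    "2009-08-16  12:42 AM         1,851,264 win32k.sys\n"
    "               1 File(s)      1,851,264 bytes\n\n"
    " Directory of C:\\WINDOWS\\system32\\dllcache",
)
assert DIR_LOG_TAMPERED != DIR_LOG_BEFORE  # guard: the substitution above must hit


def parse_dir_listing(text):
    """Return (directory, file name, size in bytes, timestamp) tuples from DIR /a/s output."""
    entries, current = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group("dir")
            continue
        m = FILE_RE.match(line)
        if m and current is not None:  # "1 File(s)" summary lines carry no date, so skip
            size = int(m.group("size").replace(",", ""))
            entries.append((current, m.group("name"), size,
                            f"{m.group('date')} {m.group('time')}"))
    return entries


def check_protected_copy(entries, name, windir="C:\\WINDOWS"):
    """Compare the live copy of a protected file in system32 with the WFP copy in dllcache.

    Windows File Protection keeps a reference copy under system32\\dllcache; a live copy
    whose size or timestamp differs from it deserves a closer look. The remaining copies
    (hotfix, uninstall and service-pack folders) are returned for context only: the
    $hf_mig$ copy is the QFE build, so it normally differs from the live GDR build.
    """
    live_dir = f"{windir}\\system32".lower()
    cache_dir = f"{windir}\\system32\\dllcache".lower()
    copies = {d.lower(): (s, t) for d, n, s, t in entries if n.lower() == name.lower()}
    live, cache = copies.get(live_dir), copies.get(cache_dir)
    return {
        "name": name,
        "live": live,
        "cache": cache,
        "matches_cache": live is not None and live == cache,
        "other_copies": {d: v for d, v in copies.items() if d not in (live_dir, cache_dir)},
    }


def diff_listings(before, after):
    """Return (dir, name, before, after) for entries whose size or timestamp changed
    between two runs of the same DIR command; None marks a copy missing from one run."""
    b = {(d.lower(), n.lower()): (s, t) for d, n, s, t in before}
    a = {(d.lower(), n.lower()): (s, t) for d, n, s, t in after}
    return [(d, n, b.get((d, n)), a.get((d, n)))
            for d, n in sorted(set(b) | set(a)) if b.get((d, n)) != a.get((d, n))]


if __name__ == "__main__":
    for label, log in (("before", DIR_LOG_BEFORE), ("tampered", DIR_LOG_TAMPERED)):
        report = check_protected_copy(parse_dir_listing(log), "win32k.sys")
        print(label, "live:", report["live"], "cache:", report["cache"],
              "OK" if report["matches_cache"] else "MISMATCH")
    for change in diff_listings(parse_dir_listing(DIR_LOG_BEFORE),
                                parse_dir_listing(DIR_LOG_TAMPERED)):
        print("changed:", change)
```

A matching dllcache copy is not proof of a clean file (both could be replaced), but a mismatch is a cheap, reliable reason to pull the file for hash comparison or to reinstall the update, as the helper does next in this thread.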

#6 JSntgRvr


Posted 18 August 2009 - 02:00 AM

Hi, Bowmajo :thumbup2:

Download the following Security Update. It should replace the win32k.sys:

Security Update for Windows XP (KB968537)

Once done, run the following command once more and post the report.

DIR /a/s %windir%\win32k.sys >Log.txt & START notepad Log.txt



#7 Bowmajo


Posted 18 August 2009 - 06:52 AM

Ran the security patch as you requested:

Volume in drive C has no label.
Volume Serial Number is 0062-8D04

Directory of C:\WINDOWS\$hf_mig$\KB890859\SP2QFE

2005-03-01 08:11 PM 1,836,160 win32k.sys
1 File(s) 1,836,160 bytes

Directory of C:\WINDOWS\$hf_mig$\KB925902\SP2QFE

2007-03-08 08:49 AM 1,843,968 win32k.sys
1 File(s) 1,843,968 bytes

Directory of C:\WINDOWS\$hf_mig$\KB941693\SP2QFE

2008-03-19 04:40 AM 1,845,888 win32k.sys
1 File(s) 1,845,888 bytes

Directory of C:\WINDOWS\$hf_mig$\KB954211\SP3QFE

2008-09-15 07:25 AM 1,846,912 win32k.sys
1 File(s) 1,846,912 bytes

Directory of C:\WINDOWS\$hf_mig$\KB958690\SP3QFE

2009-02-09 06:08 AM 1,847,552 win32k.sys
1 File(s) 1,847,552 bytes

Directory of C:\WINDOWS\$hf_mig$\KB968537\SP3QFE

2009-04-17 05:50 AM 1,847,808 win32k.sys
1 File(s) 1,847,808 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

2008-03-19 04:47 AM 1,845,248 win32k.sys
1 File(s) 1,845,248 bytes

Directory of C:\WINDOWS\$NtUninstallKB890859$

2005-03-08 10:48 AM 1,835,904 win32k.sys
1 File(s) 1,835,904 bytes

Directory of C:\WINDOWS\$NtUninstallKB925902$

2005-03-01 08:06 PM 1,836,288 win32k.sys
1 File(s) 1,836,288 bytes

Directory of C:\WINDOWS\$NtUninstallKB941693$

2007-03-08 08:47 AM 1,843,584 win32k.sys
1 File(s) 1,843,584 bytes

Directory of C:\WINDOWS\$NtUninstallKB954211$

2008-04-13 02:30 PM 1,845,632 win32k.sys
1 File(s) 1,845,632 bytes

Directory of C:\WINDOWS\$NtUninstallKB958690$

2008-09-15 07:12 AM 1,846,400 win32k.sys
1 File(s) 1,846,400 bytes

Directory of C:\WINDOWS\$NtUninstallKB968537$

2009-02-09 06:13 AM 1,846,784 win32k.sys
1 File(s) 1,846,784 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

2008-04-13 02:30 PM 1,845,632 win32k.sys
1 File(s) 1,845,632 bytes

Directory of C:\WINDOWS\system32

2009-04-17 07:26 AM 1,847,168 win32k.sys
1 File(s) 1,847,168 bytes

Directory of C:\WINDOWS\system32\dllcache

2009-04-17 07:26 AM 1,847,168 win32k.sys
1 File(s) 1,847,168 bytes

Total Files Listed:
16 File(s) 29,508,096 bytes
0 Dir(s) 100,097,224,704 bytes free

#8 JSntgRvr


Posted 18 August 2009 - 09:33 AM

Hi, Bowmajo :thumbup2:

Welcome.

Please read and follow all these instructions very carefully.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
#9 Bowmajo (Topic Starter)

Posted 18 August 2009 - 10:20 AM

Hi JSntgRvr

I followed your last instructions and Combo Fix will run. It starts and I get the Combo Fix progress bar on the screen, and it shows in the task bar, but after the progress indicator is at full it disappears, and it also disappears from the task bar. Also no anti-virus or anti-spyware will run: McAfee, Malwarebytes etc.

#10 JSntgRvr (Malware Response Team)

Posted 18 August 2009 - 12:48 PM

Hi, Bowmajo :thumbup2:

We will need to do this manually.

Set Explorer to view Hidden Files and Folders:
  • Right-click your Start button and go to "Explore".
  • Select Tools from the menu
  • Select Folder Options
  • Select the View tab
  • Click on Show all Files and Folders
  • Remove the checkmark from Hide extensions for known file types
  • Remove the checkmark from Hide protected operating System files
  • Select Apply to All Folders | Yes | Apply | OK.
Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Go to Start -> Search -> All files and folders. Select More advanced options and put a check mark on all check boxes, except for Search tape backup. Under look in, browse down to "Browse". Select My Computer -> C: ->Windows and click Ok. The file name will be win32k.sys, click on Search.

Once Search has completed, right click on the win32k.sys located in the C:\WINDOWS\system32\dllcache folder and select Rename. Rename the file to win32k.sys.vir

Do the same with the file in the C:\WINDOWS\system32 folder. Once done, open a command prompt (Start -> Run, type CMD and click OK). Do not close the Search window, as you may be able to confirm if the file is replaced. Run the following commands (Copy and Paste) and press Enter after each command.

Copy /y C:\WINDOWS\$hf_mig$\KB968537\SP3QFE\win32k.sys C:\WINDOWS\system32\dllcache
Copy /y C:\WINDOWS\$hf_mig$\KB968537\SP3QFE\win32k.sys C:\WINDOWS\system32
Exit


You will be able to confirm if the files re-appear in the folders.

Once done, restart the computer and attempt Combo-fix.

#11 Bowmajo (Topic Starter)

Posted 18 August 2009 - 03:45 PM

Ok I followed your instructions but Combo Fix does not run correctly :thumbup2:

#12 JSntgRvr (Malware Response Team)

Posted 18 August 2009 - 04:33 PM

Very Odd.

Download RootRepeal from one of the following locations and save it to your desktop:
  • Link 1
  • Link 2
  • Link 3
  • Double click the RootRepeal icon to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, click the Save Report button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the attachment's insert button to insert the attachment into your post

#13 Bowmajo (Topic Starter)

Posted 18 August 2009 - 05:54 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/18 17:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA822A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5F0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBA470000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xA834A000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\modemlog_curitel pc card (udp).txt
Status: Size mismatch (API: 7842, Raw: 7642)

Path: C:\WINDOWS\system32\eventlog.dll
Status: Locked to the Windows API!

Path: c:\windows\temp\wfv2.tmp
Status: Allocation size mismatch (API: 50069504, Raw: 45875200)

Path: c:\documents and settings\020812\local settings\temp\~dfbf5a.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\020812\local settings\temp\~dfd01e.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

==EOF==
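The two `win32k.sys:1` and `win32k.sys:2` driver entries above use NTFS `file:stream` syntax, so they are alternate data streams attached to C:\WINDOWS\win32k.sys rather than files of their own, which is consistent with the "Win32K.stream" name Stopzilla reported. As an added example (mine, not code from the thread or from RootRepeal), here is a small Python triage over a constructed excerpt in the same report format: it flags drivers whose image path is a stream, loaded drivers with no visible file (excluding `dump_*.sys`, the memory-only crash-dump copies of the storage stack), and hidden files whose API size and raw NTFS size disagree.

```python
import re
# Constructed excerpt in the RootRepeal report format posted above (not the full log).
SAMPLE_REPORT = r"""Drivers
-------------------
Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBA470000 Size: 20480 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\modemlog_curitel pc card (udp).txt
Status: Size mismatch (API: 7842, Raw: 7642)
"""

# A colon inside the file name itself (drive letter already stripped) is NTFS "file:stream" syntax.
ADS_RE = re.compile(r"^[^:]+:[^\\]+$")
SIZE_RE = re.compile(r"size mismatch \(API: (\d+), Raw: (\d+)\)", re.I)

def parse_records(report):
    """Split the report into (section, {field: value}) records; blank lines separate records."""
    section, records = None, []
    for block in re.split(r"\n\s*\n", report):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if len(lines) >= 2 and set(lines[1]) == {"-"}:      # "Drivers" / "Hidden/Locked Files" header
            section, lines = lines[0], lines[2:]
        fields = dict(l.split(": ", 1) for l in lines if ": " in l)
        fields.update(re.findall(r"(File Visible): (\w+)", " ".join(lines)))  # packed onto the Address line
        if fields:
            records.append((section, fields))
    return records

def triage(report):
    """Return (path, reason) pairs a responder should look at first."""
    findings = []
    for section, f in parse_records(report):
        if section == "Drivers":
            path = f.get("Image Path", "")
            base = path.rsplit("\\", 1)[-1]
            if ADS_RE.match(base):
                findings.append((path, "kernel driver loaded from an alternate data stream"))
            elif f.get("File Visible") == "No" and not base.lower().startswith("dump_"):
                # dump_*.sys are in-memory crash-dump copies of the storage drivers and have no file on disk.
                findings.append((path, "loaded driver has no visible file on disk"))
        elif section == "Hidden/Locked Files":
            m = SIZE_RE.search(f.get("Status", ""))
            if m and m.group(1) != m.group(2):
                findings.append((f["Path"], f"API size {m.group(1)} differs from raw NTFS size {m.group(2)}"))
    return findings
```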

#14 JSntgRvr (Malware Response Team)

Posted 18 August 2009 - 06:21 PM

Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will run a diagnostic and produce a report on the desktop. Post that report in your next reply.

#15 Bowmajo (Topic Starter)

Posted 18 August 2009 - 07:08 PM

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\bthservsdp.dat
[1] 2009-08-18 18:04:05 12 C:\WINDOWS\bthservsdp.dat ()

Cannot access: C:\WINDOWS\Prefetch\layout.ini
[1] 2009-08-18 15:12:01 222224 C:\WINDOWS\Prefetch\layout.ini ()

Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2005-03-08 10:37:25 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 60928 C:\WINDOWS\system32\eventlog.dll ()

Cannot access: C:\WINDOWS\system32\MRT.exe
[1] 2009-07-29 17:49:16 24281536 C:\WINDOWS\system32\MRT.exe ()

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe
[1] 2009-02-06 05:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)
[1] 2005-03-08 10:51:05 218112 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:40 218112 C:\WINDOWS\$NtUninstallKB956572$\wmiprvse.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:40 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\system32\dllcache\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\system32\wbem\wmiprvse.exe ()

Cannot access: C:\WINDOWS\Thumbs.db
[1] 2009-08-17 17:42:30 7168 C:\WINDOWS\Thumbs.db ()

Finished!

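Win32kDiag lists, under each file it could not open, every copy of that file it found elsewhere on the system with timestamp, size and version-info company. As an added example (my own heuristic, not Win32kDiag's logic or anything posted in the thread), here is a Python triage over a constructed excerpt in the same format: for each inaccessible file it compares the live copy's size against backup copies carrying the identical timestamp. In the excerpt, eventlog.dll in system32 is 60928 bytes while the ServicePackFiles copy with the same timestamp is 56320, so it is flagged together with the backup that could replace it; wmiprvse.exe matches its dllcache twin and is not flagged.

```python
import re
from collections import defaultdict

# Constructed excerpt in the Win32kDiag report format posted above (two files, not the full log).
SAMPLE_DIAG = r"""Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2005-03-08 10:37:25 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 60928 C:\WINDOWS\system32\eventlog.dll ()

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe
[1] 2009-02-06 05:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:40 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\system32\dllcache\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\system32\wbem\wmiprvse.exe ()
"""

# "[n] <date> <time> <size> <path> (<company>)"; the path may contain spaces, the company may be empty.
ENTRY_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")

def parse_win32kdiag(text):
    """Map each 'Cannot access' file to the copies Win32kDiag listed under it."""
    copies, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if line.startswith("Cannot access: "):
            current = line[len("Cannot access: "):]
        elif current and m:
            stamp, size, path, company = m.groups()
            copies[current].append({"stamp": stamp, "size": int(size),
                                    "path": path, "company": company})
    return dict(copies)

def suspicious_files(text):
    """Flag a live file whose size differs from every backup copy carrying the same timestamp.

    A patched system file normally matches the backup written alongside it (dllcache, ServicePackFiles,
    $hf_mig$); a changed size with the timestamp preserved is the pattern of a file modified in place.
    Returns (live path, live size, [(backup path, backup size), ...]) for each such file.
    """
    findings = []
    for target, entries in parse_win32kdiag(text).items():
        live = [e for e in entries if e["path"].lower() == target.lower()]
        peers = [e for e in entries if e["path"].lower() != target.lower()
                 and live and e["stamp"] == live[0]["stamp"]]
        if live and peers and all(p["size"] != live[0]["size"] for p in peers):
            findings.append((target, live[0]["size"], [(p["path"], p["size"]) for p in peers]))
    return findings
```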


