
Infected - Antivirus Pro & Protection System


  • This topic is locked
8 replies to this topic

#1 lexibelle

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:08 AM

Posted 19 August 2009 - 08:06 PM

My husband's computer is once again infected. We know it's definitely got the fake 'virus' programs Protection System and Antivirus Pro, but there may be more. I have tried using the removal guides for both of the above; however, we can't get Malwarebytes to run. After a lot of praying, we were able to run the DDS program; however, I've only been able to run the Rootkit Reveal in Safe Mode, so I'm not sure if the results will be valid.

Any help will be appreciated if it will keep my husband from throwing his laptop out the window.

Here are the logs:

-----------------------------------

DDS (Ver_09-07-30.01) - NTFSx86
Run by Ray at 20:44:07.39 on Wed 08/19/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.593 [GMT -4:00]

AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
svchost.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscsvc32.exe
C:\Documents and Settings\Ray\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJman000&ptb=5MmatqBAqXbxfF6Q48IpcQ
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
mWinlogon: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: c:\windows\system32\hs7f3uhduhfukde.dll: {bd56a320-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\hs7f3uhduhfukde.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: EditLevel = 0 (0x0)
dPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\hs7f3uhduhfukde.dll: {bd56a320-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\hs7f3uhduhfukde.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-16 64160]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2009-7-11 90112]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-1-25 200576]
S2 antippro2009_100;AntipyProex;c:\windows\svchast.exe [2009-8-19 163840]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2009-4-30 69692]
S3 netskt;netskt;c:\windows\system32\netskt.sys [2009-4-30 2304]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2009-08-19 13:52 41,631 a------- c:\windows\system32\certstore.dat
2009-08-19 09:55 1,382 a------- c:\windows\system32\onhelp.htm
2009-08-19 09:42 163,840 a------- c:\windows\svchast.exe
2009-08-19 09:42 64 a------- c:\windows\ppp4.dat
2009-08-19 09:42 36 a------- c:\windows\system32\sysnet.dat
2009-08-19 09:42 9 a------- c:\windows\system32\bennuar.old
2009-08-19 09:42 1 a------- c:\windows\ppp3.dat
2009-08-19 09:42 492,032 a------- c:\windows\system32\dddesot.dll
2009-08-19 09:42 390,144 a------- c:\windows\system32\desot.exe
2009-08-19 09:42 86 a------- c:\windows\system32\sonhelp.htm
2009-08-19 09:41 <DIR> --d----- c:\program files\Windows Antivirus Pro
2009-08-19 09:12 <DIR> --d----- c:\program files\Protection System
2009-08-18 23:57 <DIR> --d----- c:\docume~1\ray\applic~1\AVG8
2009-08-18 23:24 31,232 a------- c:\windows\system32\wingenocx.dll
2009-08-18 23:12 208,697 a------- C:\yfoxxyaw.exe
2009-08-18 23:12 2 a------- C:\-460461292
2009-08-18 22:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RegCure
2009-08-16 22:06 <DIR> --d----- c:\program files\common files\xing shared
2009-08-16 22:06 <DIR> --d----- c:\program files\common files\Real
2009-08-16 19:47 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-14 23:35 <DIR> --d----- c:\program files\Boilsoft Video Joiner
2009-08-08 18:22 <DIR> --d----- c:\program files\Xvid
2009-08-08 15:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MumboJumbo
2009-08-07 16:12 <DIR> --d----- c:\program files\DVD Decrypter
2009-08-07 13:46 <DIR> --d----- c:\program files\DVD Shrink
2009-08-07 13:43 <DIR> --d----- c:\program files\SlySoft
2009-08-06 17:03 <DIR> --d-h--- c:\program files\Zero G Registry
2009-08-06 17:02 <DIR> --d-h--- c:\documents and settings\ray\InstallAnywhere
2009-07-24 15:25 3,247 a------- c:\windows\system32\wbem\Outlook_01ca0c94816ad1f8.mof

==================== Find3M ====================

2009-08-19 20:44 98,508 a------- c:\windows\system32\drivers\963b11d5.sys
2009-08-19 20:35 6,525 a------- c:\windows\system32\uacinit.dll
2009-08-19 20:35 74,240 a------- c:\windows\system32\uacbbr.dll
2009-08-18 23:13 208,388 a------- c:\windows\system32\msxml71.dll
2009-08-18 23:13 684,544 a------- c:\windows\system32\wscsvc32.exe
2009-08-18 23:13 257,536 a------- c:\windows\system32\resdll.dll
2009-08-18 23:13 909,312 a------- c:\windows\system32\uacav.dll
2009-08-18 23:13 49,664 a------- c:\windows\system32\drivers\UACejgjujcokj.sys
2009-08-18 23:13 23,552 a------- c:\windows\system32\UACoglrbogowj.dll
2009-08-18 23:13 705 a------- C:\fpgx.exe
2009-08-18 23:13 705 a------- C:\ljna.exe
2009-08-18 23:13 15,000 a------- c:\windows\system32\hs7f3uhduhfukde.dll
2009-08-16 22:06 499,712 a------- c:\windows\system32\msvcp71.dll
2009-08-16 22:06 348,160 a------- c:\windows\system32\msvcr71.dll
2009-08-08 12:10 216,064 a------- c:\windows\PEV.exe
2009-08-02 14:49 62,009 a------- c:\windows\system32\wpfb_ati2dvag.dll
2009-07-06 21:08 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-07-06 16:09 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-07-06 16:09 47,360 a------- c:\docume~1\ray\applic~1\pcouffin.sys
2009-07-03 10:49 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-03 10:49 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-07 16:24 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-06-07 16:16 819,200 a------- c:\windows\system32\xvidcore.dll

============= FINISH: 20:45:26.01 ===============

-------------------------------------------------------------------------------------------------------

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/19 20:20
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF7542000 Size: 53248 File Visible: - Signed: -
Status: -

Name: 963b11d5.sys
Image Path: C:\WINDOWS\System32\drivers\963b11d5.sys
Address: 0xF68A6000 Size: 52736 File Visible: No Signed: -
Status: -

Name: a8sew6bh.SYS
Image Path: C:\WINDOWS\System32\Drivers\a8sew6bh.SYS
Address: 0xF5B06000 Size: 229376 File Visible: - Signed: -
Status: -

Name: ABP480N5.SYS
Image Path: ABP480N5.SYS
Address: 0xF77FA000 Size: 23552 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF72EA000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2057728 File Visible: - Signed: -
Status: -

Name: ACPIEC.sys
Image Path: ACPIEC.sys
Address: 0xF794E000 Size: 11648 File Visible: - Signed: -
Status: -

Name: adpu160m.sys
Image Path: adpu160m.sys
Address: 0xF7233000 Size: 101888 File Visible: - Signed: -
Status: -

Name: AegisP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0xEE708000 Size: 15968 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF0B80000 Size: 138368 File Visible: - Signed: -
Status: -

Name: agp440.sys
Image Path: agp440.sys
Address: 0xF7682000 Size: 42368 File Visible: - Signed: -
Status: -

Name: agpCPQ.sys
Image Path: agpCPQ.sys
Address: 0xF7692000 Size: 44928 File Visible: - Signed: -
Status: -

Name: aha154x.sys
Image Path: aha154x.sys
Address: 0xF7956000 Size: 12800 File Visible: - Signed: -
Status: -

Name: aic78u2.sys
Image Path: aic78u2.sys
Address: 0xF75B2000 Size: 55168 File Visible: - Signed: -
Status: -

Name: aic78xx.sys
Image Path: aic78xx.sys
Address: 0xF7582000 Size: 56960 File Visible: - Signed: -
Status: -

Name: aliide.sys
Image Path: aliide.sys
Address: 0xF7A36000 Size: 5248 File Visible: - Signed: -
Status: -

Name: alim1541.sys
Image Path: alim1541.sys
Address: 0xF7662000 Size: 42752 File Visible: - Signed: -
Status: -

Name: amdagp.sys
Image Path: amdagp.sys
Address: 0xF7672000 Size: 43008 File Visible: - Signed: -
Status: -

Name: AmdK8.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Address: 0xF6896000 Size: 57344 File Visible: - Signed: -
Status: -

Name: amsint.sys
Image Path: amsint.sys
Address: 0xF7962000 Size: 12032 File Visible: - Signed: -
Status: -

Name: AnyDVD.sys
Image Path: C:\WINDOWS\System32\Drivers\AnyDVD.sys
Address: 0xF5F20000 Size: 96256 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xF68B6000 Size: 60800 File Visible: - Signed: -
Status: -

Name: asc.sys
Image Path: asc.sys
Address: 0xF77CA000 Size: 26496 File Visible: - Signed: -
Status: -

Name: asc3350p.sys
Image Path: asc3350p.sys
Address: 0xF7802000 Size: 22400 File Visible: - Signed: -
Status: -

Name: asc3550.sys
Image Path: asc3550.sys
Address: 0xF7966000 Size: 14848 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF724C000 Size: 98304 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000 Size: 0 File Visible: - Signed: -
Status: -

Name: ati2cqag.dll
Image Path: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBF078000 Size: 626688 File Visible: - Signed: -
Status: -

Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF025000 Size: 339968 File Visible: - Signed: -
Status: -

Name: ati2mtag.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xF6490000 Size: 3891200 File Visible: - Signed: -
Status: -

Name: ati3duag.dll
Image Path: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBF1E0000 Size: 3821568 File Visible: - Signed: -
Status: -

Name: atikvmag.dll
Image Path: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBF111000 Size: 540672 File Visible: - Signed: -
Status: -

Name: atiok3x2.dll
Image Path: C:\WINDOWS\System32\atiok3x2.dll
Address: 0xBF195000 Size: 307200 File Visible: - Signed: -
Status: -

Name: ativvaxx.dll
Image Path: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBF9C3000 Size: 2674688 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7B48000 Size: 3072 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF794A000 Size: 16384 File Visible: - Signed: -
Status: -

Name: bcmwl5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
Address: 0xF5E6C000 Size: 371712 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7A80000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7942000 Size: 12288 File Visible: - Signed: -
Status: -

Name: camc6aud.sys
Image Path: C:\WINDOWS\system32\drivers\camc6aud.sys
Address: 0xF7782000 Size: 38016 File Visible: - Signed: -
Status: -

Name: camc6hal.sys
Image Path: C:\WINDOWS\system32\drivers\camc6hal.sys
Address: 0xF5D3D000 Size: 350080 File Visible: - Signed: -
Status: -

Name: cbidf2k.sys
Image Path: cbidf2k.sys
Address: 0xF796E000 Size: 13952 File Visible: - Signed: -
Status: -

Name: cd20xrnt.sys
Image Path: cd20xrnt.sys
Address: 0xF7A42000 Size: 7680 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xEE12D000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF7742000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7612000 Size: 53248 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xF7A22000 Size: 14080 File Visible: - Signed: -
Status: -

Name: cmdide.sys
Image Path: cmdide.sys
Address: 0xF7A3E000 Size: 6656 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF7946000 Size: 9344 File Visible: - Signed: -
Status: -

Name: cpqarray.sys
Image Path: cpqarray.sys
Address: 0xF7952000 Size: 14976 File Visible: - Signed: -
Status: -

Name: dac2w2k.sys
Image Path: dac2w2k.sys
Address: 0xF7207000 Size: 179584 File Visible: - Signed: -
Status: -

Name: dac960nt.sys
Image Path: dac960nt.sys
Address: 0xF795E000 Size: 14720 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7602000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF7264000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF7A40000 Size: 5888 File Visible: - Signed: -
Status: -

Name: dpti2o.sys
Image Path: dpti2o.sys
Address: 0xF780A000 Size: 20192 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF7792000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF0A74000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A9E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF4DA5000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7C3B000 Size: 4096 File Visible: - Signed: -
Status: -

Name: ElbyCDIO.sys
Image Path: C:\WINDOWS\System32\Drivers\ElbyCDIO.sys
Address: 0xF7932000 Size: 17280 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xED917000 Size: 143360 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF68D6000 Size: 34944 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xF71E7000 Size: 128896 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7A7E000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF728A000 Size: 125056 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806CE000 Size: 131968 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF7902000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hpn.sys
Image Path: hpn.sys
Address: 0xF781A000 Size: 25952 File Visible: - Signed: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xF5B3E000 Size: 703616 File Visible: - Signed: -
Status: -

Name: HSF_DPV.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
Address: 0xF5BEA000 Size: 1038208 File Visible: - Signed: -
Status: -

Name: HSFHWATI.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
Address: 0xF5CE8000 Size: 200576 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xEE25F000 Size: 262784 File Visible: - Signed: -
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xF7A7C000 Size: 8192 File Visible: - Signed: -
Status: -

Name: i2omp.sys
Image Path: i2omp.sys
Address: 0xF77DA000 Size: 18560 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF7762000 Size: 52736 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF7732000 Size: 41856 File Visible: - Signed: -
Status: -

Name: ini910u.sys
Image Path: ini910u.sys
Address: 0xF796A000 Size: 16000 File Visible: - Signed: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF7A38000 Size: 5504 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xF0A9D000 Size: 134912 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xF0C22000 Size: 74752 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF7552000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF78EA000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7A32000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xED781000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF5EFD000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF71D0000 Size: 92032 File Visible: - Signed: -
Status: -

Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xF7622000 Size: 57472 File Visible: - Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xEE2B4000 Size: 11840 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7A84000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF78FA000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF78F2000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7562000 Size: 42240 File Visible: - Signed: -
Status: -

Name: mraid35x.sys
Image Path: mraid35x.sys
Address: 0xF77D2000 Size: 17280 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xEE3B8000 Size: 179584 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xF0ABE000 Size: 453632 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF7912000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF7093000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF6B04000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF70C3000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF7103000 Size: 182912 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF6FB2000 Size: 9600 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xEE704000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF5AEF000 Size: 91776 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF7063000 Size: 38016 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF76B2000 Size: 34560 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xF0BA2000 Size: 162816 File Visible: - Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xF7772000 Size: 61824 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF791A000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7130000 Size: 574464 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2057728 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7C18000 Size: 2944 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF7532000 Size: 61056 File Visible: - Signed: -
Status: -

Name: OPRGHDLR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Address: 0xF7AFB000 Size: 4096 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF77BA000 Size: 18688 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF72D9000 Size: 68224 File Visible: - Signed: -
Status: -

Name: PCI_PNP3808
Image Path: \Driver\PCI_PNP3808
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7AFA000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF77B2000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pcmcia.sys
Image Path: pcmcia.sys
Address: 0xF72A9000 Size: 119936 File Visible: - Signed: -
Status: -

Name: pcouffin.sys
Image Path: C:\WINDOWS\System32\Drivers\pcouffin.sys
Address: 0xF7083000 Size: 47360 File Visible: - Signed: -
Status: -

Name: PdiPorts.sys
Image Path: C:\WINDOWS\System32\Drivers\PdiPorts.sys
Address: 0xF6B10000 Size: 10368 File Visible: - Signed: -
Status: -

Name: perc2.sys
Image Path: perc2.sys
Address: 0xF7812000 Size: 27296 File Visible: - Signed: -
Status: -

Name: perc2hib.sys
Image Path: perc2hib.sys
Address: 0xF7A44000 Size: 5504 File Visible: - Signed: -
Status: -

Name: pivot.sys
Image Path: C:\WINDOWS\System32\drivers\pivot.sys
Address: 0xF7722000 Size: 40960 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2057728 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF5D19000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF5ADE000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF601A000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF7632000 Size: 35712 File Visible: - Signed: -
Status: -

Name: ql1080.sys
Image Path: ql1080.sys
Address: 0xF75D2000 Size: 40320 File Visible: - Signed: -
Status: -

Name: ql10wnt.sys
Image Path: ql10wnt.sys
Address: 0xF7592000 Size: 33152 File Visible: - Signed: -
Status: -

Name: ql12160.sys
Image Path: ql12160.sys
Address: 0xF75F2000 Size: 45312 File Visible: - Signed: -
Status: -

Name: ql1240.sys
Image Path: ql1240.sys
Address: 0xF75A2000 Size: 40448 File Visible: - Signed: -
Status: -

Name: ql1280.sys
Image Path: ql1280.sys
Address: 0xF75E2000 Size: 49024 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF6FF7000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF77A2000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF70B3000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF70A3000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF6012000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2057728 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xF0B55000 Size: 174592 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7A86000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xF4DCD000 Size: 196864 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF7752000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED721000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xF7318000 Size: 98304 File Visible: - Signed: -
Status: -

Name: sdbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Address: 0xF5D93000 Size: 67584 File Visible: - Signed: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Address: 0xEE19D000 Size: 40960 File Visible: - Signed: -
Status: -

Name: sfdrv01.sys
Image Path: sfdrv01.sys
Address: 0xF70DE000 Size: 73728 File Visible: - Signed: -
Status: -

Name: sfhlp02.sys
Image Path: sfhlp02.sys
Address: 0xF7822000 Size: 32768 File Visible: - Signed: -
Status: -

Name: sfsync04.sys
Image Path: sfsync04.sys
Address: 0xF72C7000 Size: 73728 File Visible: - Signed: -
Status: -

Name: sfvfs02.sys
Image Path: sfvfs02.sys
Address: 0xF70F0000 Size: 77824 File Visible: - Signed: -
Status: -

Name: sisagp.sys
Image Path: sisagp.sys
Address: 0xF7642000 Size: 41088 File Visible: - Signed: -
Status: -

Name: sparrow.sys
Image Path: sparrow.sys
Address: 0xF77C2000 Size: 19072 File Visible: - Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spxa.sys
Image Path: spxa.sys
Address: 0xF7330000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xEE1E5000 Size: 333184 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7A76000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sym_hi.sys
Image Path: sym_hi.sys
Address: 0xF77EA000 Size: 28384 File Visible: - Signed: -
Status: -

Name: sym_u3.sys
Image Path: sym_u3.sys
Address: 0xF77F2000 Size: 30688 File Visible: - Signed: -
Status: -

Name: symc810.sys
Image Path: symc810.sys
Address: 0xF795A000 Size: 16256 File Visible: - Signed: -
Status: -

Name: symc8xx.sys
Image Path: symc8xx.sys
Address: 0xF77E2000 Size: 32640 File Visible: - Signed: -
Status: -

Name: SynTP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Address: 0xF5EC7000 Size: 220032 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xEE15D000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF0BCA000 Size: 360320 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF6022000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF7073000 Size: 40704 File Visible: - Signed: -
Status: -

Name: tifm21.sys
Image Path: C:\WINDOWS\system32\drivers\tifm21.sys
Address: 0xF5DA4000 Size: 162432 File Visible: - Signed: -
Status: -

Name: toside.sys
Image Path: toside.sys
Address: 0xF7A3A000 Size: 4992 File Visible: - Signed: -
Status: -

Name: Udfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Udfs.SYS
Address: 0xF0A8C000 Size: 66176 File Visible: - Signed: -
Status: -

Name: ultra.sys
Image Path: ultra.sys
Address: 0xF75C2000 Size: 36736 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF4D71000 Size: 209408 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7A6E000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF78E2000 Size: 26624 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF7033000 Size: 57600 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xF78DA000 Size: 17024 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF5F38000 Size: 143360 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xF4E1E000 Size: 26496 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF790A000 Size: 20992 File Visible: - Signed: -
Status: -

Name: viaagp.sys
Image Path: viaagp.sys
Address: 0xF7652000 Size: 42240 File Visible: - Signed: -
Status: -

Name: viaide.sys
Image Path: viaide.sys
Address: 0xF7A3C000 Size: 5376 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF5FAE000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7572000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF68C6000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF782A000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xEDCD0000 Size: 82944 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF4E16000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF4CA9000 Size: 61440 File Visible: No Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS
Address: 0xF7A34000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2057728 File Visible: - Signed: -
Status: -

Name: wpfb_ati2dvag.dll
Image Path: C:\WINDOWS\System32\wpfb_ati2dvag.dll
Address: 0xBF012000 Size: 77824 File Visible: - Signed: -
Status: -

Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xF71BD000 Size: 77568 File Visible: - Signed: -
Status: -

Name: yk51x86.sys
Image Path: C:\WINDOWS\system32\DRIVERS\yk51x86.sys
Address: 0xF5F5B000 Size: 230912 File Visible: - Signed: -
Status: -


#2 JSntgRvr (Malware Response Team, Master Surgeon General, Puerto Rico)

Posted 19 August 2009 - 09:46 PM

Hi, lexibelle :thumbup2:

Welcome.

Please download the Win32kDiag.exe tool from any of the following locations and save it to your desktop:

http://rootrepeal.psikotick.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootr.../Win32kDiag.exe
http://ad13.geekstogo.com/Win32kDiag.exe

Once downloaded, double-click on the program and let it finish. When it states "Finished! Press any key to exit...", you can press any key on your keyboard to close the program. On your desktop there should now be a file called Win32kDiag.txt. Post its contents in a reply.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 lexibelle (Topic Starter)

Posted 20 August 2009 - 07:40 AM

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B8.tmp\ZAP1B8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D1.tmp\ZAP1D1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E4.tmp\ZAP1E4.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2004-08-10 15:00:00 743936 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe ()

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\helpsvc.exe (Microsoft Corporation)

[1] 2004-08-10 15:00:00 743936 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SMINST\APPS\DTA\DTA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\root\root

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1682703293-1251011013-3375665933-1006\S-1-5-21-1682703293-1251011013-3375665933-1006

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-220523388-492894223-725345543-500\S-1-5-21-220523388-492894223-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{2ADDCD01-393C-4D9E-9BC0-3F671C87BBBA}\{2ADDCD01-393C-4D9E-9BC0-3F671C87BBBA}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dllcache\cache\cache

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\drivers\963b11d5.sys

[1] 2009-08-20 08:35:16 98508 C:\WINDOWS\system32\drivers\963b11d5.sys ()



Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\dumprep.exe (Microsoft Corporation)

[1] 2004-08-10 15:00:00 10752 C:\WINDOWS\system32\dllcache\dumprep.exe (Microsoft Corporation)

[1] 2004-08-10 15:00:00 10752 C:\WINDOWS\system32\dumprep.exe ()



Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\eventlog.dll (Microsoft Corporation)

[1] 2004-08-10 15:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-10 15:00:00 60928 C:\WINDOWS\system32\eventlog.dll ()



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\temp\43f319b4-ae8d-4b3d-876b-2c8c6cff22d4.tmp

[1] 2009-07-23 12:49:07 0 C:\WINDOWS\temp\43f319b4-ae8d-4b3d-876b-2c8c6cff22d4.tmp ()



Cannot access: C:\WINDOWS\temp\9e893461-fbba-4cd8-a170-f14d4e01f65e.tmp

[1] 2009-07-23 15:24:16 0 C:\WINDOWS\temp\9e893461-fbba-4cd8-a170-f14d4e01f65e.tmp ()



Cannot access: C:\WINDOWS\temp\a8a7448d-82a3-46cc-8a7e-4e474be4daab.tmp

[1] 2009-07-23 15:24:16 0 C:\WINDOWS\temp\a8a7448d-82a3-46cc-8a7e-4e474be4daab.tmp ()



Cannot access: C:\WINDOWS\temp\aa73cc16-e55e-4324-b3d3-7b1833026346.tmp

[1] 2009-07-23 15:23:57 0 C:\WINDOWS\temp\aa73cc16-e55e-4324-b3d3-7b1833026346.tmp ()



Cannot access: C:\WINDOWS\temp\9823ab8c-b05e-4a60-aac7-f39b50973adb.tmp

[1] 2009-07-23 12:48:57 0 C:\WINDOWS\temp\9823ab8c-b05e-4a60-aac7-f39b50973adb.tmp ()



Cannot access: C:\WINDOWS\temp\990ff225-e6cc-4c21-968d-d5e5ee521c94.tmp

[1] 2009-07-23 12:49:09 0 C:\WINDOWS\temp\990ff225-e6cc-4c21-968d-d5e5ee521c94.tmp ()



Cannot access: C:\WINDOWS\temp\af2834db-f13f-47f7-8cde-22591e417433.tmp

[1] 2009-07-22 23:58:19 0 C:\WINDOWS\temp\af2834db-f13f-47f7-8cde-22591e417433.tmp ()



Cannot access: C:\WINDOWS\temp\7553d5ae-f6d6-4c6c-a6ca-977013d11388.tmp

[1] 2009-07-22 23:58:04 0 C:\WINDOWS\temp\7553d5ae-f6d6-4c6c-a6ca-977013d11388.tmp ()



Cannot access: C:\WINDOWS\temp\aea8c924-0dd7-49e4-81a1-0a60db5fa551.tmp

[1] 2009-07-22 23:58:12 0 C:\WINDOWS\temp\aea8c924-0dd7-49e4-81a1-0a60db5fa551.tmp ()



Cannot access: C:\WINDOWS\temp\b149a612-76c7-4a8d-918b-021b82a2f3df.tmp

[1] 2009-07-22 23:57:57 0 C:\WINDOWS\temp\b149a612-76c7-4a8d-918b-021b82a2f3df.tmp ()



Cannot access: C:\WINDOWS\temp\b18ad0be-29f8-4853-b0ce-c80e103d0dc5.tmp

[1] 2009-07-22 23:58:15 0 C:\WINDOWS\temp\b18ad0be-29f8-4853-b0ce-c80e103d0dc5.tmp ()



Cannot access: C:\WINDOWS\temp\bdcd1504-53c6-4d97-b875-d22f2ab2a07a.tmp

[1] 2009-07-22 23:58:14 0 C:\WINDOWS\temp\bdcd1504-53c6-4d97-b875-d22f2ab2a07a.tmp ()



Cannot access: C:\WINDOWS\temp\c34be5b4-e235-459a-8c62-cef2bb77efb2.tmp

[1] 2009-07-22 23:58:15 0 C:\WINDOWS\temp\c34be5b4-e235-459a-8c62-cef2bb77efb2.tmp ()



Cannot access: C:\WINDOWS\temp\cff023f7-a0e7-4903-9775-3d31e0deae13.tmp

[1] 2009-07-22 23:58:04 0 C:\WINDOWS\temp\cff023f7-a0e7-4903-9775-3d31e0deae13.tmp ()



Cannot access: C:\WINDOWS\temp\7ada6b99-9e51-454e-985c-d8fa08edc0b5.tmp

[1] 2009-07-22 23:57:29 0 C:\WINDOWS\temp\7ada6b99-9e51-454e-985c-d8fa08edc0b5.tmp ()



Cannot access: C:\WINDOWS\temp\8d532182-6f28-4073-88df-c834e9912dcb.tmp

[1] 2009-07-24 17:34:41 0 C:\WINDOWS\temp\8d532182-6f28-4073-88df-c834e9912dcb.tmp ()



Cannot access: C:\WINDOWS\temp\90d69268-b399-422a-ba5e-a6a31c8f10b0.tmp

[1] 2009-08-03 15:33:49 0 C:\WINDOWS\temp\90d69268-b399-422a-ba5e-a6a31c8f10b0.tmp ()



Cannot access: C:\WINDOWS\temp\918af2f3-b5ca-4b1d-b885-321a08fcda41.tmp

[1] 2009-08-07 17:23:16 0 C:\WINDOWS\temp\918af2f3-b5ca-4b1d-b885-321a08fcda41.tmp ()



Cannot access: C:\WINDOWS\temp\922cc08e-75fd-4131-ba62-cbdcb7301816.tmp

[1] 2009-08-03 22:22:33 0 C:\WINDOWS\temp\922cc08e-75fd-4131-ba62-cbdcb7301816.tmp ()



Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

#4 JSntgRvr (Malware Response Team, Master Surgeon General, Puerto Rico)

Posted 20 August 2009 - 11:02 AM

Hi, lexibelle :thumbup2:

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to move:
C:\WINDOWS\system32\dllcache\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
C:\WINDOWS\system32\dllcache\dumprep.exe | C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dllcache\helpsvc.exe | C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Files to delete:
C:\WINDOWS\system32\drivers\963b11d5.sys
C:\WINDOWS\temp\43f319b4-ae8d-4b3d-876b-2c8c6cff22d4.tmp
C:\WINDOWS\temp\922cc08e-75fd-4131-ba62-cbdcb7301816.tmp
C:\WINDOWS\temp\918af2f3-b5ca-4b1d-b885-321a08fcda41.tmp
C:\WINDOWS\temp\90d69268-b399-422a-ba5e-a6a31c8f10b0.tmp
C:\WINDOWS\temp\8d532182-6f28-4073-88df-c834e9912dcb.tmp
C:\WINDOWS\temp\7ada6b99-9e51-454e-985c-d8fa08edc0b5.tmp
C:\WINDOWS\temp\cff023f7-a0e7-4903-9775-3d31e0deae13.tmp
C:\WINDOWS\temp\c34be5b4-e235-459a-8c62-cef2bb77efb2.tmp
C:\WINDOWS\temp\bdcd1504-53c6-4d97-b875-d22f2ab2a07a.tmp
C:\WINDOWS\temp\b18ad0be-29f8-4853-b0ce-c80e103d0dc5.tmp
C:\WINDOWS\temp\b149a612-76c7-4a8d-918b-021b82a2f3df.tmp
C:\WINDOWS\temp\aea8c924-0dd7-49e4-81a1-0a60db5fa551.tmp
C:\WINDOWS\temp\7553d5ae-f6d6-4c6c-a6ca-977013d11388.tmp
C:\WINDOWS\temp\af2834db-f13f-47f7-8cde-22591e417433.tmp
C:\WINDOWS\temp\990ff225-e6cc-4c21-968d-d5e5ee521c94.tmp
C:\WINDOWS\temp\9823ab8c-b05e-4a60-aac7-f39b50973adb.tmp
C:\WINDOWS\temp\aa73cc16-e55e-4324-b3d3-7b1833026346.tmp
C:\WINDOWS\temp\a8a7448d-82a3-46cc-8a7e-4e474be4daab.tmp
C:\WINDOWS\temp\9e893461-fbba-4cd8-a170-f14d4e01f65e.tmp

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Please read and follow all these instructions very carefully.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====================================================================


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

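The Win32kDiag report in #3 and the Avenger script in #4 are the same data in two forms. Every mount point the tool found is a directory junction named after its own parent (C:\WINDOWS\addins\addins, C:\WINDOWS\Config\Config, and so on), and every one of them resolves to the single destination \Device\__max++>\^. Each file the tool could not open is followed by the copies of that file it could locate, with the size and the company name from the file's version information (empty parentheses where there is none). The script above replaces the three locked system files with their dllcache copies and deletes the driver and the empty .tmp files, none of which has a clean copy. Two of the three locked files also differ in size from dllcache: eventlog.dll is 60928 bytes in system32 against 55808 in dllcache, so it has been altered rather than merely locked. The Python below is an added example and not anything from this thread, from Win32kDiag or from Avenger: it parses the report format, groups junctions by destination, lists blocked files whose size differs from their dllcache copy, and emits an Avenger script under the same move-or-delete rule. The sample input is a constructed excerpt of the report above.

```python
"""Parse a Win32kDiag report and build the Avenger script a helper would write
from it. Added example for this thread; not part of Win32kDiag or Avenger.
The Avenger directives ("Files to move:" with 'source | destination' lines,
"Files to delete:" with one path per line) follow the script posted above."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, copied from the report above (blank spacer lines dropped;
# the parser ignores them anyway).
SAMPLE = r"""
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe
[1] 2004-08-10 15:00:00 743936 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe ()
[1] 2004-08-10 15:00:00 743936 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\drivers\963b11d5.sys
[1] 2009-08-20 08:35:16 98508 C:\WINDOWS\system32\drivers\963b11d5.sys ()
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\eventlog.dll (Microsoft Corporation)
[1] 2004-08-10 15:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-10 15:00:00 60928 C:\WINDOWS\system32\eventlog.dll ()
Cannot access: C:\WINDOWS\temp\43f319b4-ae8d-4b3d-876b-2c8c6cff22d4.tmp
[1] 2009-07-23 12:49:07 0 C:\WINDOWS\temp\43f319b4-ae8d-4b3d-876b-2c8c6cff22d4.tmp ()
Finished!
"""

@dataclass
class Blocked:
    path: str                                   # file Win32kDiag could not open
    copies: list = field(default_factory=list)  # (size, path, company) for each copy it found

@dataclass
class Report:
    mount_points: dict   # destination -> list of junction paths, in report order
    blocked: list        # Blocked entries, in report order

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
BLOCKED_RE = re.compile(r"^Cannot access: (.+)$")
# "[1] <date> <time> <size> <path> (<company name, possibly empty>)"
COPY_RE = re.compile(r"^\[\d+\] \d{4}-\d\d-\d\d \d\d:\d\d:\d\d (\d+) (.+?) \((.*)\)$")

def parse_report(text: str) -> Report:
    mounts = defaultdict(list)
    blocked = []
    pending = None                      # junction waiting for its destination line
    for line in (l.strip() for l in text.splitlines()):
        if m := MOUNT_RE.match(line):
            pending = m[1]
        elif (m := DEST_RE.match(line)) and pending:
            mounts[m[1]].append(pending)
            pending = None
        elif m := BLOCKED_RE.match(line):
            blocked.append(Blocked(m[1]))
        elif (m := COPY_RE.match(line)) and blocked:
            blocked[-1].copies.append((int(m[1]), m[2], m[3]))
    return Report(dict(mounts), blocked)

def dllcache_copy(b: Blocked) -> Optional[str]:
    """The replacement the helper used: the dllcache copy that still carries a
    company name. None when the blocked file has no such copy."""
    for _size, path, company in b.copies:
        if "\\dllcache\\" in path.lower() and company:
            return path
    return None

def size_mismatches(report: Report) -> list:
    """Blocked files whose on-disk size differs from their dllcache copy, i.e.
    files that were altered rather than merely locked."""
    out = []
    for b in report.blocked:
        sizes = {path.lower(): size for size, path, _ in b.copies}
        cache = dllcache_copy(b)
        own = sizes.get(b.path.lower())
        if cache and own is not None and own != sizes[cache.lower()]:
            out.append(b.path)
    return out

def build_avenger_script(report: Report) -> str:
    """Move the dllcache copy over each blocked file that has one; delete the
    rest (random-named driver, empty .tmp files). One entry per line, which is
    what Avenger's pre-processor requires."""
    moves, deletes = [], []
    for b in report.blocked:
        src = dllcache_copy(b)
        if src:
            moves.append(f"{src} | {b.path}")
        else:
            deletes.append(b.path)
    lines = []
    if moves:
        lines += ["Files to move:", *moves]
    if deletes:
        lines += ["Files to delete:", *deletes]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    for dest, paths in rep.mount_points.items():
        print(f"{len(paths)} junction(s) -> {dest}")
    print("altered:", size_mismatches(rep))
    print(build_avenger_script(rep))
```

On the sample this reports two junctions pointing at \Device\__max++>\^, names eventlog.dll as the one altered file, and produces a script whose first section moves the dllcache helpsvc.exe and eventlog.dll over the locked copies and whose second section deletes 963b11d5.sys and the .tmp file. The one-path-per-line output matters: the Avenger pre-processor log later in this thread shows what happens when the pasted script arrives with its line breaks lost, as it does in the run-together code box above.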


#5 lexibelle (Topic Starter)

Posted 20 August 2009 - 03:42 PM

Hey,

I downloaded Avenger with no problem, however when I copy the script into the box and press Execute I'm getting the following error message:

Error: Invalid script. A valid script must begin with a command directive. Aborting execution!

I've tried copying/pasting several times just to be sure I didn't copy something extra, etc.

Any ideas?

#6 JSntgRvr (Malware Response Team, Master Surgeon General, Puerto Rico)

Posted 20 August 2009 - 06:35 PM

Hi, lexibelle :thumbup2:

Lets try a variation of the same command.
  • Download the attached file and save it to your C:\ drive.
  • When having saved it, the file path should be C:\remove.txt
  • Open the Avenger.
  • Select Load Script from the menu, then From File .
  • Browse to C:\remove.txt and click open.
  • Then click the Execute button.
  • This will begin the execution of the script currently in memory.
  • The Avenger will set itself up to run the next time you reboot your computer, and then will prompt you to restart immediately.
  • After your system restarts, a log file should open with the results of Avenger's actions. This log file is located at C:\avenger.txt. The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backups.zip.
Continue with the instructions above.



#7 lexibelle (Topic Starter)

Posted 20 August 2009 - 08:28 PM

Okay, so I was able to get Avenger to run and, after uninstalling his existing version of MalwareBytes, was able to re-install it after a lot of ending processes. However, I cannot get MalwareBytes to load. I've tried several times, including trying a renaming script we'd downloaded previously (from this site when we had another problem); however, that's not even running.

So what do I do next?

Here's the log from Avenger:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Aug 20 16:37:30 2009

16:37:30: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Aug 20 16:38:41 2009

16:38:41: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Aug 20 16:39:30 2009

16:39:30: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Aug 20 16:41:13 2009

16:41:07: Error: Invalid syntax in command:
"C:\WINDOWS\system32\dllcache\eventlog.dll | C:\WINDOWS\system32\eventlog.dllC:\WINDOWS\system32\dllcache\dumprep.exe | C:\WINDOWS\system32\dumprep.exeC:\WINDOWS\system32\dllcache\helpsvc.exe | C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exeFiles to delete:C:\WINDOWS\system32\drivers\963b11d5.sysC:\WINDOWS\temp\43f319b4-ae8d-4b3d-876b-2c8c6cff22d4.tmpC:\WINDOWS\temp\922cc08e-75fd-4131-ba62-cbdcb7301816.tmpC:\WINDOWS\temp\918af2f3-b5ca-4b1d-b885-321a08fcda41.tmpC:\WINDOWS\temp\90d69268-b399-422a-ba5e-a6a31c8f10b0.tmpC:\WINDOWS\temp\8d532182-6f28-4073-88df-c834e9912dcb.tmpC:\WINDOWS\temp\7ada6b99-9e51-454e-985c-d8fa08edc0b5.tmpC:\WINDOWS\temp\cff023f7-a0e7-4903-9775-3d31e0deae13.tmpC:\WINDOWS\temp\c34be5b4-e235-459a-8c62-cef2bb77efb2.tmpC:\WINDOWS\temp\bdcd1504-53c6-4d97-b875-d22f2ab2a07a.tmpC:\WINDOWS\temp\b18ad0be-29f8-4853-b0ce-c80e103d0dc5.tmpC:\WINDOWS\temp\b149a612-76c7-4a8d-918b-021b82a2f3df.tmpC:\WINDOWS\temp\aea8c924-0dd7-49e4-81a1-0a60db5fa551.tmpC:\WINDOWS\temp\7553d5ae-f6d6-4c6c-a6ca-977013d11388.tm"
Skipping line. (File move mode)
16:41:13: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Aug 20 16:41:32 2009

16:41:28: Error: Invalid syntax in command:
"C:\WINDOWS\system32\dllcache\eventlog.dll | C:\WINDOWS\system32\eventlog.dllC:\WINDOWS\system32\dllcache\dumprep.exe | C:\WINDOWS\system32\dumprep.exeC:\WINDOWS\system32\dllcache\helpsvc.exe | C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exeFiles to delete:C:\WINDOWS\system32\drivers\963b11d5.sysC:\WINDOWS\temp\43f319b4-ae8d-4b3d-876b-2c8c6cff22d4.tmpC:\WINDOWS\temp\922cc08e-75fd-4131-ba62-cbdcb7301816.tmpC:\WINDOWS\temp\918af2f3-b5ca-4b1d-b885-321a08fcda41.tmpC:\WINDOWS\temp\90d69268-b399-422a-ba5e-a6a31c8f10b0.tmpC:\WINDOWS\temp\8d532182-6f28-4073-88df-c834e9912dcb.tmpC:\WINDOWS\temp\7ada6b99-9e51-454e-985c-d8fa08edc0b5.tmpC:\WINDOWS\temp\cff023f7-a0e7-4903-9775-3d31e0deae13.tmpC:\WINDOWS\temp\c34be5b4-e235-459a-8c62-cef2bb77efb2.tmpC:\WINDOWS\temp\bdcd1504-53c6-4d97-b875-d22f2ab2a07a.tmpC:\WINDOWS\temp\b18ad0be-29f8-4853-b0ce-c80e103d0dc5.tmpC:\WINDOWS\temp\b149a612-76c7-4a8d-918b-021b82a2f3df.tmpC:\WINDOWS\temp\aea8c924-0dd7-49e4-81a1-0a60db5fa551.tmpC:\WINDOWS\temp\7553d5ae-f6d6-4c6c-a6ca-977013d11388.tm"
Skipping line. (File move mode)
16:41:32: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Aug 20 16:42:44 2009

16:42:44: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Aug 20 16:42:47 2009

16:42:47: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Aug 20 16:44:47 2009

16:44:47: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Aug 20 16:47:50 2009

16:47:50: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "afkmz1le" found!
Start Type: 3 (Manual)

Rootkit scan completed.

File move operation "C:\WINDOWS\system32\dllcache\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.
File move operation "C:\WINDOWS\system32\dllcache\dumprep.exe|C:\WINDOWS\system32\dumprep.exe" completed successfully.
File move operation "C:\WINDOWS\system32\dllcache\helpsvc.exe|C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe" completed successfully.

Error: file "C:\WINDOWS\system32\drivers\963b11d5.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\963b11d5.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "C:\WINDOWS\temp\43f319b4-ae8d-4b3d-876b-2c8c6cff22d4.tmp"
Deletion of file "C:\WINDOWS\temp\43f319b4-ae8d-4b3d-876b-2c8c6cff22d4.tmp" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)


Error: file "C:\WINDOWS\temp\922cc08e-75fd-4131-ba62-cbdcb7301816.tmp" not found!
Deletion of file "C:\WINDOWS\temp\922cc08e-75fd-4131-ba62-cbdcb7301816.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\918af2f3-b5ca-4b1d-b885-321a08fcda41.tmp" not found!
Deletion of file "C:\WINDOWS\temp\918af2f3-b5ca-4b1d-b885-321a08fcda41.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\90d69268-b399-422a-ba5e-a6a31c8f10b0.tmp" not found!
Deletion of file "C:\WINDOWS\temp\90d69268-b399-422a-ba5e-a6a31c8f10b0.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "C:\WINDOWS\temp\8d532182-6f28-4073-88df-c834e9912dcb.tmp"
Deletion of file "C:\WINDOWS\temp\8d532182-6f28-4073-88df-c834e9912dcb.tmp" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)


Error: file "C:\WINDOWS\temp\7ada6b99-9e51-454e-985c-d8fa08edc0b5.tmp" not found!
Deletion of file "C:\WINDOWS\temp\7ada6b99-9e51-454e-985c-d8fa08edc0b5.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\cff023f7-a0e7-4903-9775-3d31e0deae13.tmp" not found!
Deletion of file "C:\WINDOWS\temp\cff023f7-a0e7-4903-9775-3d31e0deae13.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\c34be5b4-e235-459a-8c62-cef2bb77efb2.tmp" not found!
Deletion of file "C:\WINDOWS\temp\c34be5b4-e235-459a-8c62-cef2bb77efb2.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\bdcd1504-53c6-4d97-b875-d22f2ab2a07a.tmp" not found!
Deletion of file "C:\WINDOWS\temp\bdcd1504-53c6-4d97-b875-d22f2ab2a07a.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\b18ad0be-29f8-4853-b0ce-c80e103d0dc5.tmp" not found!
Deletion of file "C:\WINDOWS\temp\b18ad0be-29f8-4853-b0ce-c80e103d0dc5.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\b149a612-76c7-4a8d-918b-021b82a2f3df.tmp" not found!
Deletion of file "C:\WINDOWS\temp\b149a612-76c7-4a8d-918b-021b82a2f3df.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\aea8c924-0dd7-49e4-81a1-0a60db5fa551.tmp" not found!
Deletion of file "C:\WINDOWS\temp\aea8c924-0dd7-49e4-81a1-0a60db5fa551.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\7553d5ae-f6d6-4c6c-a6ca-977013d11388.tmp" not found!
Deletion of file "C:\WINDOWS\temp\7553d5ae-f6d6-4c6c-a6ca-977013d11388.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\af2834db-f13f-47f7-8cde-22591e417433.tmp" not found!
Deletion of file "C:\WINDOWS\temp\af2834db-f13f-47f7-8cde-22591e417433.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\990ff225-e6cc-4c21-968d-d5e5ee521c94.tmp" not found!
Deletion of file "C:\WINDOWS\temp\990ff225-e6cc-4c21-968d-d5e5ee521c94.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\9823ab8c-b05e-4a60-aac7-f39b50973adb.tmp" not found!
Deletion of file "C:\WINDOWS\temp\9823ab8c-b05e-4a60-aac7-f39b50973adb.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\aa73cc16-e55e-4324-b3d3-7b1833026346.tmp" not found!
Deletion of file "C:\WINDOWS\temp\aa73cc16-e55e-4324-b3d3-7b1833026346.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\a8a7448d-82a3-46cc-8a7e-4e474be4daab.tmp" not found!
Deletion of file "C:\WINDOWS\temp\a8a7448d-82a3-46cc-8a7e-4e474be4daab.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\temp\9e893461-fbba-4cd8-a170-f14d4e01f65e.tmp" not found!
Deletion of file "C:\WINDOWS\temp\9e893461-fbba-4cd8-a170-f14d4e01f65e.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
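An added example, not from this thread or from The Avenger's author, that parses the results-log format shown above into per-operation records so the successful moves, the hidden driver hit and the failed deletions can be triaged by NT status code. The embedded sample lines are constructed to mirror the log above (a subset, not the full log).

```python
import re
from collections import Counter

# Constructed sample in the format of the Avenger results log above (subset of its lines).
SAMPLE_LOG = r"""Rootkit scan active.
Hidden driver "afkmz1le" found!
Start Type: 3 (Manual)
Rootkit scan completed.
File move operation "C:\WINDOWS\system32\dllcache\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.
Error: file "C:\WINDOWS\system32\drivers\963b11d5.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\963b11d5.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: could not open file "C:\WINDOWS\temp\43f319b4-ae8d-4b3d-876b-2c8c6cff22d4.tmp"
Deletion of file "C:\WINDOWS\temp\43f319b4-ae8d-4b3d-876b-2c8c6cff22d4.tmp" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)
Completed script processing.
"""

HIDDEN_DRIVER = re.compile(r'^Hidden driver "([^"]+)" found!$')
MOVE_OK = re.compile(r'^File move operation "([^"|]+)\|([^"]+)" completed successfully\.$')
DELETE_FAIL = re.compile(r'^Deletion of file "([^"]+)" failed!$')
STATUS = re.compile(r'^Status: (0x[0-9a-fA-F]+) \(([A-Z_]+)\)$')


def parse_avenger_log(text):
    """Return (kind, target, detail) tuples: kind is "hidden_driver", "move_ok"
    (target = destination, detail = source) or "delete_failed" (detail = NT status
    name from the following Status: line, "UNKNOWN" when the log gives none)."""
    records = []
    pending = None  # index of a delete_failed record still awaiting its Status: line
    for line in text.splitlines():
        line = line.strip()
        if m := HIDDEN_DRIVER.match(line):
            records.append(("hidden_driver", m.group(1), ""))
        elif m := MOVE_OK.match(line):
            records.append(("move_ok", m.group(2), m.group(1)))
        elif m := DELETE_FAIL.match(line):
            records.append(("delete_failed", m.group(1), "UNKNOWN"))
            pending = len(records) - 1
        elif (m := STATUS.match(line)) and pending is not None:
            kind, target, _ = records[pending]
            records[pending] = (kind, target, m.group(2))  # attach status to the failure
            pending = None
    return records


def summarize(records):
    """Count records by kind, and failed deletions by NT status name."""
    by_kind = Counter(kind for kind, _, _ in records)
    fail_by_status = Counter(d for kind, _, d in records if kind == "delete_failed")
    return by_kind, fail_by_status
```

A deletion that fails with STATUS_OBJECT_NAME_NOT_FOUND usually means the file was already gone (temp files are often transient), while STATUS_FILE_CORRUPT_ERROR on a still-present file is worth a second look after the next reboot.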

#8 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,698 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 21 August 2009 - 12:07 AM

After all the script was accepted, did you try to run Malware Bytes and Combo-fix?


#9 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,698 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 26 August 2009 - 09:52 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
