Infected by extremely nasty malware, can't even run DDS, please help


  • This topic is locked
14 replies to this topic

#1 MaxGen

MaxGen

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:53 AM

Posted 29 August 2009 - 12:01 PM

Please do not add posts to your topic. It will only delay a response due to the way the topics are tracked.
A member will respond when your post comes up in rotation.
Thank you.



I got infected by a nasty malware while surfing a news forum. It rebooted my computer (XP SP2). Now my situation is:
1. Even in safe mode, I cannot run any anti-spyware software: Malwarebytes will close in one second after starting scanning. SuperAntiSpyware will close after about 10 seconds of scanning. Then the .exe application file will no longer work. When I tried to run them again, it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item."
2. Cannot connect to any website; it always shows "trying to connect". (The wireless connection itself shows OK.)
3. It removed the System Restore tab from System Properties, and does not run System Restore, claiming that it is disabled by group policy. I got around it and brought back that tab and enabled restore, but the restore point calendar shows only August and there are no restore points. I can't move to other months.
4. Worst of all, after I downloaded DDS.scr using another computer, copied it onto the infected desktop, and tried to run it, it ended up the same as any anti-spyware software: it closes itself immediately after the scan starts. I can't even post the HijackThis logs.

There could be other symptoms I have yet to discover. Never seen this kind of nasty stuff. Please help!!!

Edited by garmanma, 29 August 2009 - 05:12 PM.
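The "Windows cannot access the specified device, path, or file" symptom above is what a user sees when directories are being redirected, and the poster's own Win32kDiag log in the next reply runs to hundreds of "Found mount point" / "Mount point destination" pairs. As an added example, not part of this thread and not code from Win32kDiag or its author, here is a Python parser that reduces such a log to what a responder reads first: how many directories are redirected and where they point, which files the tool could not open, and which listed copies of a file carry no publisher in their version info. The embedded sample is a constructed short excerpt in the same line format as the posted log; the four line shapes it recognises (`Found mount point :`, `Mount point destination :`, `Cannot access:`, and `[n] date time size path (publisher)`) are taken from that log, and the "blank publisher" check is a heuristic of mine, not a rule of the tool.

```python
"""Summarise a Win32kDiag log: redirected directories, their targets, files the tool
could not open, and listed file copies with no publisher in their version info.
Added example for this thread; it is not Win32kDiag's own code."""
import re
from collections import Counter, defaultdict

# Constructed excerpt in the format of the log posted in this thread (not the full log).
SAMPLE_LOG = r"""Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB890046\KB890046

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 12:00:00 63488 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 12:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Finished!
"""

# Line shapes taken from the posted log.
MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
REMOVED_RE = re.compile(r"^Removing mount point : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] YYYY-MM-DD HH:MM:SS size path (publisher)"; the publisher may be empty.
FILE_RE = re.compile(r"^\[(\d+)\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+) \(([^()]*)\)$")


def parse_win32kdiag(text):
    """Return the log's facts as plain Python data."""
    report = {"mounts": [], "removed": [], "cannot_access": [], "files": []}
    pending = None  # directory waiting for its "Mount point destination" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending = m.group(1)
        elif m := DEST_RE.match(line):
            report["mounts"].append((pending, m.group(1)))
            pending = None
        elif m := REMOVED_RE.match(line):
            report["removed"].append(m.group(1))
        elif m := CANNOT_RE.match(line):
            report["cannot_access"].append(m.group(1))
        elif m := FILE_RE.match(line):
            report["files"].append({
                "flag": int(m.group(1)),
                "mtime": m.group(2),
                "size": int(m.group(3)),
                "path": m.group(4),
                "publisher": m.group(5),
            })
    return report


def triage(report):
    """Findings a responder reads first, as plain strings."""
    findings = []
    by_dest = Counter(dest for _, dest in report["mounts"])
    for dest, n in by_dest.most_common():
        if n > 1:
            findings.append(f"{n} directories redirected to the same target: {dest}")
    for path in report["cannot_access"]:
        findings.append(f"tool could not open: {path}")
    # Compare copies of the same file name: a copy with no publisher next to one that
    # names a publisher is worth a closer look (heuristic, not proof of tampering).
    by_name = defaultdict(list)
    for f in report["files"]:
        by_name[f["path"].rsplit("\\", 1)[-1].lower()].append(f)
    for copies in by_name.values():
        named = [c for c in copies if c["publisher"]]
        for c in copies:
            if not c["publisher"]:
                note = f"{c['path']}: no publisher in version info ({c['size']} bytes)"
                if named:
                    note += (f"; other copy {named[0]['path']} reports "
                             f"{named[0]['publisher']} ({named[0]['size']} bytes)")
                findings.append(note)
    return findings


if __name__ == "__main__":
    rep = parse_win32kdiag(SAMPLE_LOG)
    print(f"{len(rep['mounts'])} mount points, {len(rep['removed'])} removed, "
          f"{len(rep['cannot_access'])} inaccessible files, {len(rep['files'])} file entries")
    for line in triage(rep):
        print(" -", line)
```

Run it against a saved Win32kDiag.txt by reading the file into `parse_win32kdiag` instead of `SAMPLE_LOG`. On the excerpt it reports two directories pointing at the same target, one file the tool could not open, and a `system32\eventlog.dll` of 63488 bytes with no publisher beside a 56320-byte copy that reports Microsoft Corporation, which is the contrast the eventlog.dll steps in the next reply are built around. A second run of the tool with `-f -r` produces `Removing mount point :` lines, which land in `report["removed"]`.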




#2 MaxGen

MaxGen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:53 AM

Posted 29 August 2009 - 02:37 PM

I found a current thread on this forum that seems to deal with the same issue:
http://www.bleepingcomputer.com/forums/ind...+run+HijackThis

It has been handled by HJT Team member farbar quite successfully.

I followed his initial instructions, i.e.,
1. scan with Win32kDiag.exe, save the log;
2. scan with Win32kDiag.exe again, running it with the command "%userprofile%\desktop\win32kdiag.exe" -f -r, save the log;
3. run the commands below and save the log.txt;
cmd /c copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
cmd /c dir /a C:\eventlog.dll >log.txt&log.txt&del log.txt
4. run Avenger with the script below, and save the log;
Files to move:
C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

I am posting all the log files below, hopefully farbar can provide his comments. I have pretty much duplicated the behaviour so far as described in that thread, except that on my computer in "C:\WINDOWS\ServicePackFiles\i386" there is eventlog.dll to start with - there is only one zipped file called msrdp, thus the command in step 3 above fails to copy the DLL file, and thus in step 4, Avenger failed to move it back to C:\WINDOWS\system32.

When I searched the computer for eventlog.dll, I found 2 places that have this file. One is at C:\WINDOWS\system32, another is at C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7.

Should I go over steps 3 and 4 above again but change "C:\WINDOWS\ServicePackFiles\i386" to "C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7"? Or can I ignore this issue and proceed with the further steps as described in that thread?

The logs are below:
1. Log after first Win32kDiag.exe scan:
Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB890046\KB890046

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933360\KB933360

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB936357\KB936357

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB951072-v2\KB951072-v2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB956390-IE7\KB956390-IE7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16.tmp\ZAP16.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20A.tmp\ZAP20A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP29.tmp\ZAP29.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP366.tmp\ZAP366.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP36B.tmp\ZAP36B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP44B.tmp\ZAP44B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP477.tmp\ZAP477.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4B9.tmp\ZAP4B9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CAVTemp\CAVTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\inf\ASM\ASM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\OPTIONS\CABS\CABS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\OPTIONS\Install\Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\42bdf2dd6f3cb2280ad31b41b6c04cff\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\10\msft\windows\windows

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\10\policy\msft\windows\windows

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\51\msft\windows\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\51\policy\msft\windows\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\52\msft\windows\net\net

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\52\policy\msft\windows\networking\networking

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\60\msft\windows\common\common

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\60\policy\60\60

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\60\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\70\msft\windows\windows

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\70\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\abcfbcf3d9d76a35839e0526ed748b7b\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\CyberLink\PowerCinema\PowerCinema

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\CyberLink\PowerDVD\PowerDVD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{A9587C0A-11DC-4AA3-B757-7C6A04A89078}\{A9587C0A-11DC-4AA3-B757-7C6A04A89078}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView\SampleView

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Bluetooth Software\sync\sync

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\4e7df047f7c5\4e7df047f7c5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\8c4b0263c66b\8c4b0263c66b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Money\15.0\Webcache\Webcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Apps\2.0\7ENA1DQZ.3MD\193M9O9M.OQY\manifests\manifests

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Bluetooth Exchange Folder\Bluetooth Exchange Folder

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 12:00:00 63488 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 12:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\BTN%Copy%1\BTN%Copy%2\BTN%Copy%2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCA50.tmp\MCA50.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

2. Log after second Win32kDiag scan, run with the command "%userprofile%\desktop\win32kdiag.exe" -f -r:

Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB890046\KB890046

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB890046\KB890046

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933360\KB933360

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933360\KB933360

Found mount point : C:\WINDOWS\$hf_mig$\KB936357\KB936357

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB936357\KB936357

Found mount point : C:\WINDOWS\$hf_mig$\KB951072-v2\KB951072-v2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB951072-v2\KB951072-v2

Found mount point : C:\WINDOWS\$hf_mig$\KB956390-IE7\KB956390-IE7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB956390-IE7\KB956390-IE7

Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16.tmp\ZAP16.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16.tmp\ZAP16.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20A.tmp\ZAP20A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20A.tmp\ZAP20A.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP29.tmp\ZAP29.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP29.tmp\ZAP29.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP366.tmp\ZAP366.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP366.tmp\ZAP366.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP36B.tmp\ZAP36B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP36B.tmp\ZAP36B.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP44B.tmp\ZAP44B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP44B.tmp\ZAP44B.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP477.tmp\ZAP477.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP477.tmp\ZAP477.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4B9.tmp\ZAP4B9.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4B9.tmp\ZAP4B9.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\CAVTemp\CAVTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CAVTemp\CAVTemp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\inf\ASM\ASM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\inf\ASM\ASM

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\OPTIONS\CABS\CABS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\OPTIONS\CABS\CABS

Found mount point : C:\WINDOWS\OPTIONS\Install\Install

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\OPTIONS\Install\Install

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\42bdf2dd6f3cb2280ad31b41b6c04cff\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\42bdf2dd6f3cb2280ad31b41b6c04cff\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\10\msft\windows\windows

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\10\msft\windows\windows

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\10\policy\msft\windows\windows

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\10\policy\msft\windows\windows

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\51\msft\windows\system\system

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\51\msft\windows\system\system

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\51\policy\msft\windows\system\system

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\51\policy\msft\windows\system\system

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\52\msft\windows\net\net

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\52\msft\windows\net\net

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\52\policy\msft\windows\networking\networking

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\52\policy\msft\windows\networking\networking

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\60\msft\windows\common\common

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\60\msft\windows\common\common

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\60\policy\60\60

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\60\policy\60\60

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\60\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\60\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\70\msft\windows\windows

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\70\msft\windows\windows

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\70\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\70\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\abcfbcf3d9d76a35839e0526ed748b7b\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\abcfbcf3d9d76a35839e0526ed748b7b\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\CyberLink\PowerCinema\PowerCinema

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\CyberLink\PowerCinema\PowerCinema

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\CyberLink\PowerDVD\PowerDVD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\CyberLink\PowerDVD\PowerDVD

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{A9587C0A-11DC-4AA3-B757-7C6A04A89078}\{A9587C0A-11DC-4AA3-B757-7C6A04A89078}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{A9587C0A-11DC-4AA3-B757-7C6A04A89078}\{A9587C0A-11DC-4AA3-B757-7C6A04A89078}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView\SampleView

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView\SampleView

Found mount point : C:\WINDOWS\system32\config\systemprofile\Bluetooth Software\sync\sync

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Bluetooth Software\sync\sync

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\4e7df047f7c5\4e7df047f7c5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\4e7df047f7c5\4e7df047f7c5

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\8c4b0263c66b\8c4b0263c66b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\8c4b0263c66b\8c4b0263c66b

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Money\15.0\Webcache\Webcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Money\15.0\Webcache\Webcache

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Apps\2.0\7ENA1DQZ.3MD\193M9O9M.OQY\manifests\manifests

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Apps\2.0\7ENA1DQZ.3MD\193M9O9M.OQY\manifests\manifests

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Bluetooth Exchange Folder\Bluetooth Exchange Folder

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Bluetooth Exchange Folder\Bluetooth Exchange Folder

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 12:00:00 63488 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 12:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\BTN%Copy%1\BTN%Copy%2\BTN%Copy%2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\BTN%Copy%1\BTN%Copy%2\BTN%Copy%2

Found mount point : C:\WINDOWS\Temp\MCA50.tmp\MCA50.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCA50.tmp\MCA50.tmp

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!

3. Log.txt content after run with commands
cmd /c copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
cmd /c dir /a C:\eventlog.dll >log.txt&log.txt&del log.txt

Volumn in drive C has no label.
Volumn serial Number is BC31-38B6

Directory of C:\

4. Avenger log:


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\eventlog.dll" not found!
File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

(Follow up: I just scanned again with Win32Kdiag, and it still came up with all those Found mount points...)

Edited by MaxGen, 29 August 2009 - 02:54 PM.


#3 MaxGen

  • Topic Starter
  • Members
  • 8 posts

Posted 30 August 2009 - 03:54 AM

Follow up:

As described above, I followed the steps recommended by farbar in another thread and so far reached the step of ComboFix. Below are logs from the first Malwarebyte's scan, updated definition then immediately the second scan, RootRepeal scan, and ComboFix scan, in the order of timing. Unable to understand much from the ComboFix log, I definitely need professional advice now.

1. First Malwarebyte's scan:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

8/29/2009 11:24:12 PM
mbam-log-2009-08-29 (23-24-12).txt

Scan type: Quick Scan
Objects scanned: 125612
Time elapsed: 18 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 3
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e43ddb16-90ea-404b-8a98-d8bf0d32a0e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e43ddb16-90ea-404b-8a98-d8bf0d32a0e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreaxs (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hayiguyime (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux (Trojan.JSRedir.H) -> Bad: (C:\WINDOWS\system32\..\qvfs.gfo) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\fyblb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\44.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OFD05IY0\agqqerbspt[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V93GP44I\zjjaof[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y596GG77\clzqdervli[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y596GG77\zwjkbb[1].txt (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


2. Second Malwarebyte's scan:

Malwarebytes' Anti-Malware 1.40
Database version: 2715
Windows 5.1.2600 Service Pack 2

8/30/2009 12:20:13 AM
mbam-log-2009-08-30 (00-19-57).txt

Scan type: Quick Scan
Objects scanned: 128234
Time elapsed: 17 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\emxtqjit.exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\ueja73hkjd.exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QZMWKZK5\xdqrivm[1].htm (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y596GG77\Install[1].exe (Trojan.FakeAlert) -> No action taken.


3. RootRepeal log:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/30 00:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9F415000 Size: 876544 File Visible: No Signed: -
Status: -

Name: imvseds.sys
Image Path: imvseds.sys
Address: 0xF74CD000 Size: 61440 File Visible: No Signed: -
Status: -

Name: PCI_PNP7950
Image Path: \Driver\PCI_PNP7950
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9E29D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spab.sys
Image Path: spab.sys
Address: 0xF72CB000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\program files\yahoo!\antivirus\schedule.txt
Status: Size mismatch (API: 9262268, Raw: 9262122)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "d347bus.sys" at address 0xf729a818

#: 041 Function Name: NtCreateKey
Status: Hooked by "d347bus.sys" at address 0xf729a7d0

#: 045 Function Name: NtCreatePagingFile
Status: Hooked by "d347bus.sys" at address 0xf728ea20

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "d347bus.sys" at address 0xf728f2a8

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "d347bus.sys" at address 0xf729a910

#: 119 Function Name: NtOpenKey
Status: Hooked by "d347bus.sys" at address 0xf729a794

#: 160 Function Name: NtQueryKey
Status: Hooked by "d347bus.sys" at address 0xf728f2c8

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "d347bus.sys" at address 0xf729a866

#: 241 Function Name: NtSetSystemPowerState
Status: Hooked by "d347bus.sys" at address 0xf729a0b0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spab.sys" at address 0xf72eb19c

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x86907860 Size: 11

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x869531f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x85da5f48 Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x85b53500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x869741f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x869741f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x869741f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x869741f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x869741f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x869741f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x869741f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x869ba1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x869ba1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x869ba1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x869ba1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x869ba1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x869ba1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x869ba1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x869ba1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x869ba1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x869ba1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x869ba1f8 Size: 121

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CLOSE]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_READ]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_WRITE]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_EA]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_EA]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CLEANUP]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_POWER]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_PNP]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: adjr1vdkȅఄ扏济ParTechInc0, IRP_MJ_CREATE]
Process: System Address: 0x869b91f8 Size: 121

Object: Hidden Code [Driver: adjr1vdkȅఄ扏济ParTechInc0, IRP_MJ_CLOSE]
Process: System Address: 0x869b91f8 Size: 121

Object: Hidden Code [Driver: adjr1vdkȅఄ扏济ParTechInc0, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x869b91f8 Size: 121

Object: Hidden Code [Driver: adjr1vdkȅఄ扏济ParTechInc0, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x869b91f8 Size: 121

Object: Hidden Code [Driver: adjr1vdkȅఄ扏济ParTechInc0, IRP_MJ_POWER]
Process: System Address: 0x869b91f8 Size: 121

Object: Hidden Code [Driver: adjr1vdkȅఄ扏济ParTechInc0, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x869b91f8 Size: 121

Object: Hidden Code [Driver: adjr1vdkȅఄ扏济ParTechInc0, IRP_MJ_PNP]
Process: System Address: 0x869b91f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8584c500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8584c500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8584c500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8584c500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8584c500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8584c500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x869da7d8 Size: 99

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x869b71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x869b71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x869b71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x869b71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x869b71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x869b71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x869b71f8 Size: 121

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x85d8ffb0 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x85d98528 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x85d828b8 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: Program Fil, IRP_MJ_READ]
Process: System Address: 0x85db6440 Size: 11

Object: Hidden Code [Driver: Msfsȅః扏济Fs_Recl耀ȃఆ䵃, IRP_MJ_READ]
Process: System Address: 0x85d62ad0 Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x85dbbe70 Size: 11

Object: Hidden Code [Driver: CdfsЅ乖睥Ёః瑎て, IRP_MJ_CREATE]
Process: System Address: 0x8588e500 Size: 121

Object: Hidden Code [Driver: CdfsЅ乖睥Ёః瑎て, IRP_MJ_CLOSE]
Process: System Address: 0x8588e500 Size: 121

Object: Hidden Code [Driver: CdfsЅ乖睥Ёః瑎て, IRP_MJ_READ]
Process: System Address: 0x86968670 Size: 11

Object: Hidden Code [Driver: CdfsЅ乖睥Ёః瑎て, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8588e500 Size: 121

Object: Hidden Code [Driver: CdfsЅ乖睥Ёః瑎て, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8588e500 Size: 121

Object: Hidden Code [Driver: CdfsЅ乖睥Ёః瑎て, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8588e500 Size: 121

Object: Hidden Code [Driver: CdfsЅ乖睥Ёః瑎て, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8588e500 Size: 121

Object: Hidden Code [Driver: CdfsЅ乖睥Ёః瑎て, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8588e500 Size: 121

Object: Hidden Code [Driver: CdfsЅ乖睥Ёః瑎て, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8588e500 Size: 121

Object: Hidden Code [Driver: CdfsЅ乖睥Ёః瑎て, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8588e500 Size: 121

Object: Hidden Code [Driver: CdfsЅ乖睥Ёః瑎て, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8588e500 Size: 121

Object: Hidden Code [Driver: CdfsЅ乖睥Ёః瑎て, IRP_MJ_CLEANUP]
Process: System Address: 0x8588e500 Size: 121

Object: Hidden Code [Driver: CdfsЅ乖睥Ёః瑎て, IRP_MJ_PNP]
Process: System Address: 0x8588e500 Size: 121

==EOF==


4. ComboFix log:
ComboFix 09-08-29.01 - Owner 0/2009 Sun 1:00.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.1014.545 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.

((((((((((((((((((((((((((((((((((((((( Files deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1137624906
c:\docume~1\Owner\LOCALS~1\Temp\tmp2.tmp
C:\enurmyv.exe
C:\p2hhr.bat
c:\program files\StormII
C:\qbuf.exe
c:\recycler\S-1-5-21-4090685425-1968907776-73614702-1003
C:\svfp.exe
C:\tujfbtrj.exe
c:\windows\run.log
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.

2009-08-29 17:24 . 2009-08-29 17:24 -------- d-----w- c:\program files\Trend Micro
2009-08-29 08:05 . 2009-08-29 08:25 117760 ----a-w- c:\documents and settings\Administrator.THINKINGHEAD.000\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-29 08:04 . 2009-08-29 08:04 -------- d-----w- c:\documents and settings\Administrator.THINKINGHEAD.000\Application Data\SUPERAntiSpyware.com
2009-08-29 06:36 . 2009-08-29 22:03 -------- d--h--w- c:\windows\PIF
2009-08-29 06:11 . 2009-08-29 06:11 49152 ----a-w- C:\blyuwrjl.exe
2009-08-22 18:16 . 2009-08-22 18:16 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-22 18:16 . 2009-08-22 18:16 -------- d-----w- c:\program files\MSBuild
2009-08-22 18:16 . 2009-08-22 18:16 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 18:15 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-22 18:15 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-22 18:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-22 18:15 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-22 18:15 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-22 18:15 . 2009-08-22 18:16 -------- d-----w- C:\518835f27a033c04f3d9
2009-08-22 18:15 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-22 18:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-22 18:01 . 2009-08-22 18:01 -------- d-----w- c:\program files\MSXML 6.0
2009-08-13 02:25 . 2009-08-13 02:25 -------- d-----w- c:\program files\Alcohol Soft
2009-08-12 17:37 . 2009-08-29 23:51 -------- d-----w- c:\windows\ServicePackFiles
2009-08-12 05:09 . 2009-08-12 05:09 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-12 04:43 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 04:42 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-11 07:09 . 2009-08-11 07:09 -------- d-----w- c:\program files\ISODisk
2009-08-11 07:09 . 2006-04-26 08:03 9600 ----a-w- c:\windows\system32\drivers\ISODisk.sys
2009-08-11 06:49 . 2009-08-11 06:49 -------- d-----w- c:\program files\Free ISO Creator
2009-08-11 05:14 . 2009-08-11 05:14 -------- d-----w- c:\windows\BBSTORE
2009-08-11 05:13 . 2009-08-11 05:46 -------- d-----w- c:\program files\The Learning Company
2009-08-10 09:42 . 2006-08-10 03:58 218624 -c--a-w- c:\windows\system32\dllcache\uxtheme.dll
2009-08-10 07:30 . 2009-08-10 07:30 -------- d-----w- c:\program files\Alex Feinman
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 08:06 . 2008-07-22 15:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-30 07:39 . 2008-07-22 15:39 -------- d-----w- c:\program files\Titan Backup
2009-08-30 05:49 . 2009-04-03 07:37 -------- d-----w- c:\program files\SPM
2009-08-30 05:27 . 2009-04-03 08:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-30 00:04 . 2009-04-03 08:26 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-29 22:03 . 2006-12-24 06:00 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-08-25 00:49 . 2006-12-27 01:35 -------- d-----w- c:\documents and settings\Owner\Application Data\SolidWorks
2009-08-05 09:11 . 2006-03-11 06:30 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 20:36 . 2009-04-03 07:37 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-04-03 07:37 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 01:00 . 2009-07-25 01:00 -------- d-----w- c:\program files\Common Files\Optical Research Associates
2009-07-25 00:59 . 2009-07-25 00:59 -------- d-----w- c:\program files\Optical Research Associates
2009-07-25 00:59 . 2006-06-29 19:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-18 09:29 . 2007-10-19 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-07-18 09:29 . 2007-10-19 15:20 -------- d-----w- c:\documents and settings\Owner\Application Data\ZoomBrowser EX
2009-07-17 18:55 . 2006-03-11 06:30 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2006-03-11 06:30 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2006-03-11 06:30 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-03-11 06:30 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-03-11 06:30 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 2006-03-11 06:30 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2006-03-11 06:30 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2006-03-11 06:30 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2006-03-11 06:30 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2006-03-11 06:30 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2006-03-11 07:49 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2006-03-11 06:30 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"LxrAutorun"="c:\documents and settings\Owner\Local Settings\Application Data\Lexar Media\LxrAutorun.exe" [2006-11-09 24576]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Messenger (Yahoo!)"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"arima hotkey"="c:\program files\Arima Hotkey\arima_hotkey.exe" [2006-03-18 753664]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"CaAvTray"="c:\program files\Yahoo!\Antivirus\CAVTray.exe" [2007-04-28 230512]
"CAVRID"="c:\program files\Yahoo!\Antivirus\CAVRID.exe" [2007-04-28 185456]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2006-07-21 407032]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-26 185896]
"TrueImageMonitor.exe"="d:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-01-21 4359280]
"AcronisTimounterMonitor"="d:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-01-21 960536]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-21 377232]
"sohutv web version"="c:\program files\sohutv_web\SysTrayIcon.exe" [2008-08-06 459600]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-12-12 88204]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-6-29 2168360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher 2.lnk
backup=c:\windows\pss\Exif Launcher 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoogleDesktopManager"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
"c:\\Program Files\\sohutv_web\\SysTrayIcon.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\SPM\\SPM.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SSUpdate.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [3/1/2009 3:01 AM 134272]
R0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\system32\drivers\tdrpm174.sys [3/1/2009 3:01 AM 971552]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [8/11/2009 12:09 AM 9600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [5/18/2008 7:36 AM 72672]
R3 ArHotKey;ArHotKey;c:\windows\system32\drivers\ArHotKey.SYS [6/29/2006 1:02 PM 5632]
S2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\ssipddp.sys [7/24/2009 6:00 PM 54272]
S2 woxuplwp;Microsoft USB Generic Parent Controller;c:\windows\System32\svchost.exe -k netsvcs [3/10/2006 11:30 PM 14336]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2/8/2009 11:27 PM 16512]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [6/11/2007 11:10 PM 18864]
S3 Qvod Terminal;Qvod Terminal;c:\program files\QvodPlayer\QvodTerminal.exe [3/21/2009 12:52 AM 524288]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ARHOTKEY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
woxuplwp
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=IIutfdBTSr1aVMCp_tCcGdRq3-Q
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\windows\system32\VetRedir.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fm1zm8xi.default\
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 01:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed sucessfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2333739885-1484201064-1245539986-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\ gSQƉ5uƉ2*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Order"=hex:08,00,00,00,02,00,00,00,80,01,00,00,01,00,00,00,03,00,00,00,7c,00,
00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,36,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1024)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(3524)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Yahoo!\Antivirus\iSafe.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\LxrSII1s.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Yahoo!\Antivirus\VetMsg.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\progra~1\TITANB~1\TITANB~2.EXE
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
d:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-08-30 1:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-30 08:11

Pre-Run: 212,222,689,280 bytes free
Post-Run: 214,169,264,128 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

275 --- E O F --- 2009-08-22 18:29
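The GMER output quoted above lists one "Hidden Code" entry per hooked dispatch routine, which makes a driver's overall pattern hard to see by eye. The following Python triage script is an added example (written for this page; it is not part of GMER, ComboFix or the thread). It pairs each "Object:" line with its "Process:" line, groups the hooks per driver, and then answers two questions an analyst asks of such a log: which drivers have their whole dispatch table redirected to a single address (the d347prt, Cdrom and usbehci pattern above), and which drivers have only their IRP_MJ_READ entry sent somewhere different from the rest (the MRxSmb and Cdfs pattern). The sample log is a constructed excerpt in the same format as the real log, and the function names are my own. The output is triage input, not a verdict: disc-emulation drivers such as the Alcohol/SPTD driver listed in the ComboFix log are a well-known source of GMER hook reports.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the format of the GMER "Hidden Code"
# section quoted in this thread, not the complete log.
SAMPLE_LOG = """\
Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_READ]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_PNP]
Process: System Address: 0x85ca97b0 Size: 99

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x85d828b8 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x85874500 Size: 121

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x85d98528 Size: 11

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x85d8ffb0 Size: 11
"""

# Driver names in real GMER output can contain odd characters (see the log
# above), so the driver group is non-greedy and the IRP name anchors the end.
OBJECT_RE = re.compile(
    r"^Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_[A-Z_]+)\]$")
DETAIL_RE = re.compile(
    r"^Process: (?P<proc>\S+) Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)$")


def parse_hidden_code(text):
    """Pair each 'Object:' line with the 'Process:' line that follows it.
    Returns a list of dicts with keys driver, irp, proc, addr (int), size (int)."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OBJECT_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = DETAIL_RE.match(line)
        if m and pending is not None:
            entries.append({**pending, "proc": m["proc"],
                            "addr": int(m["addr"], 16), "size": int(m["size"])})
            pending = None
    return entries


def summarize_by_driver(entries):
    """driver -> {irp: (addr, size)}, so a driver's hooked entries can be compared."""
    summary = defaultdict(dict)
    for e in entries:
        summary[e["driver"]][e["irp"]] = (e["addr"], e["size"])
    return dict(summary)


def single_target_drivers(summary, min_entries=3):
    """Drivers with at least min_entries hooked IRP_MJ entries that all point to
    one address: the whole dispatch table is redirected to a single routine."""
    out = []
    for driver, hooks in summary.items():
        targets = {addr for addr, _ in hooks.values()}
        if len(hooks) >= min_entries and len(targets) == 1:
            out.append(driver)
    return sorted(out)


def read_hook_outliers(summary):
    """Drivers where IRP_MJ_READ alone goes to a different address than the
    driver's other hooked entries (the MRxSmb/Cdfs pattern in the log above)."""
    out = []
    for driver, hooks in summary.items():
        if "IRP_MJ_READ" not in hooks or len(hooks) < 2:
            continue
        read_addr = hooks["IRP_MJ_READ"][0]
        others = {addr for irp, (addr, _) in hooks.items() if irp != "IRP_MJ_READ"}
        if read_addr not in others:
            out.append(driver)
    return sorted(out)


def report(text):
    """One line per driver plus the two triage lists, as a printable string."""
    summary = summarize_by_driver(parse_hidden_code(text))
    lines = []
    for driver in sorted(summary):
        hooks = summary[driver]
        targets = sorted({f"0x{a:08x}" for a, _ in hooks.values()})
        sizes = sorted({s for _, s in hooks.values()})
        lines.append(f"{driver:<12} {len(hooks):>3} hooked entries  "
                     f"targets={','.join(targets)}  sizes={sizes}")
    lines.append(f"whole table to one target: {single_target_drivers(summary)}")
    lines.append(f"READ hooked separately:    {read_hook_outliers(summary)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved GMER log by passing the file's text to report(). On the full log above it would list d347prt, Cdrom, usbehci, NetBT and the garbled-name drivers as whole-table redirections and MRxSmb and Cdfs as READ outliers; the next step for each is to establish what legitimate software owns the driver before treating the hook as hostile.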

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:53 PM

Posted 30 August 2009 - 06:26 AM

Hi MaxGen,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to remove the infection please go on with the following steps.


Removal Instructions
  • We need to run the tool again with the following command to fix some malware related changes.
    Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

  • We need to run The Avenger.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.


#5 MaxGen

MaxGen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:53 AM

Posted 30 August 2009 - 04:24 PM

Hello, farbar, thanks a lot for your help.

After posting my last reply-post, I upgraded my ATT yahoo on-line antivirus program (hasn't been updated since March) to McAfee security suite and did a full system scan. It removed quite a few trojans missed by Malwarebyte's (I did quick scan only with MBAM), including Artemis and PWS-QQRob etc. I post the McAfee screenshot below as it does not generate a text log file. Then I scanned with Malwarebyte's again. Just now I did Win32kdiag and Avenger per your instruction.

Forgot to mention in my last reply-post that I did find an i386 folder directly under C:\Windows, and in there is a compressed eventlog.dll file, so I expanded that and followed your steps in the other thread to replace the eventlog.dll file under System32, which obviously was a trojan file, as its size was wrong and it had no Microsoft signature. But just now I also followed your new instruction above to replace the file again, with the DLL from SoftwareDistribution. It appears to be a newer version (2006 vs. 2004), same size, with an MS signature.

1. McAfee scan result screenshot.
See attachment.

2. Malwarebyte's log:

Malwarebytes' Anti-Malware 1.40
Database version: 2717
Windows 5.1.2600 Service Pack 2

8/30/2009 4:01:58 AM
mbam-log-2009-08-30 (04-01-58).txt

Scan type: Quick Scan
Objects scanned: 110976
Time elapsed: 9 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


3. Win32kdiag log:

Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...


Finished!

4. Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Attached Files



#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:53 PM

Posted 31 August 2009 - 12:47 AM

Thanks for the detailed feedback.
  • We need to run Combofix once more. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    File::
    C:\blyuwrjl.exe
    AtJob::

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the Posted Image button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#7 MaxGen

MaxGen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:53 AM

Posted 31 August 2009 - 11:56 AM

Hi, farbar, here are the ESET log and ComboFix log. I forgot to mention that after I first installed McAfee security suite yesterday, I did a quick scan first, which picked up the C:\blyuwrjl.exe. Then I did a full scan, for which the log was posted yesterday.

The two files ESET scan found below are actually a compressed photo file and a screen saver. Not trojans.

By the way, now I have McAfee running all the time. When I do any of your suggested scans, if I need to disable McAfee, please let me know. (I did disable it for the ComboFix scan.) Thanks a lot.

1. ComboFix log:

ComboFix 09-08-30.02 - Owner 1/2009 Mon 1:40.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.1014.550 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"C:\blyuwrjl.exe"
.

((((((((((((((((((((((((( Files created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.

2009-08-30 19:09 . 2009-08-30 19:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-30 10:33 . 2009-08-30 10:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-08-30 10:31 . 2009-07-08 20:44 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-08-30 10:31 . 2009-07-08 20:44 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-08-30 10:31 . 2009-07-08 20:44 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-08-30 10:31 . 2009-07-16 19:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-08-30 10:31 . 2009-08-30 10:31 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-30 10:31 . 2009-08-30 10:31 -------- d-----w- c:\program files\McAfee.com
2009-08-30 10:27 . 2009-07-08 20:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-08-30 10:15 . 2009-08-30 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-29 17:24 . 2009-08-29 17:24 -------- d-----w- c:\program files\Trend Micro
2009-08-29 08:05 . 2009-08-29 08:25 117760 ----a-w- c:\documents and settings\Administrator.THINKINGHEAD.000\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-29 08:04 . 2009-08-29 08:04 -------- d-----w- c:\documents and settings\Administrator.THINKINGHEAD.000\Application Data\SUPERAntiSpyware.com
2009-08-29 06:36 . 2009-08-29 22:03 -------- d--h--w- c:\windows\PIF
2009-08-22 18:16 . 2009-08-22 18:16 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-22 18:16 . 2009-08-22 18:16 -------- d-----w- c:\program files\MSBuild
2009-08-22 18:16 . 2009-08-22 18:16 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 18:15 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-22 18:15 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-22 18:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-22 18:15 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-22 18:15 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-22 18:15 . 2009-08-22 18:16 -------- d-----w- C:\518835f27a033c04f3d9
2009-08-22 18:15 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-22 18:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-22 18:01 . 2009-08-22 18:01 -------- d-----w- c:\program files\MSXML 6.0
2009-08-13 02:25 . 2009-08-13 02:25 -------- d-----w- c:\program files\Alcohol Soft
2009-08-12 17:37 . 2009-08-29 23:51 -------- d-----w- c:\windows\ServicePackFiles
2009-08-12 05:09 . 2009-08-12 05:09 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-12 04:43 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 04:42 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-11 07:09 . 2009-08-11 07:09 -------- d-----w- c:\program files\ISODisk
2009-08-11 07:09 . 2006-04-26 08:03 9600 ----a-w- c:\windows\system32\drivers\ISODisk.sys
2009-08-11 06:49 . 2009-08-11 06:49 -------- d-----w- c:\program files\Free ISO Creator
2009-08-11 05:14 . 2009-08-11 05:14 -------- d-----w- c:\windows\BBSTORE
2009-08-11 05:13 . 2009-08-11 05:46 -------- d-----w- c:\program files\The Learning Company
2009-08-10 09:42 . 2006-08-10 03:58 218624 -c--a-w- c:\windows\system32\dllcache\uxtheme.dll
2009-08-10 07:30 . 2009-08-10 07:30 -------- d-----w- c:\program files\Alex Feinman
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 07:18 . 2009-04-03 08:26 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-31 05:06 . 2006-12-27 01:35 -------- d-----w- c:\documents and settings\Owner\Application Data\SolidWorks
2009-08-31 04:59 . 2008-07-22 15:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-30 20:23 . 2006-06-29 20:13 -------- d-----w- c:\program files\McAfee
2009-08-30 11:18 . 2009-05-30 09:10 -------- d-----w- c:\program files\YoDaosTV_2
2009-08-30 10:22 . 2006-12-24 06:52 -------- d-----w- c:\program files\Yahoo!
2009-08-30 08:33 . 2006-12-24 09:10 66088 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 07:39 . 2008-07-22 15:39 -------- d-----w- c:\program files\Titan Backup
2009-08-30 05:49 . 2009-04-03 07:37 -------- d-----w- c:\program files\SPM
2009-08-30 05:27 . 2009-04-03 08:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-29 22:03 . 2006-12-24 06:00 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-08-05 09:11 . 2006-03-11 06:30 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 20:36 . 2009-04-03 07:37 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-04-03 07:37 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 01:00 . 2009-07-25 01:00 -------- d-----w- c:\program files\Common Files\Optical Research Associates
2009-07-25 00:59 . 2009-07-25 00:59 -------- d-----w- c:\program files\Optical Research Associates
2009-07-25 00:59 . 2006-06-29 19:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-18 09:29 . 2007-10-19 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-07-18 09:29 . 2007-10-19 15:20 -------- d-----w- c:\documents and settings\Owner\Application Data\ZoomBrowser EX
2009-07-17 18:55 . 2006-03-11 06:30 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2006-03-11 06:30 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 20:44 . 2009-07-08 20:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-06-29 16:12 . 2006-03-11 06:30 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-03-11 06:30 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-03-11 06:30 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 2006-03-11 06:30 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2006-03-11 06:30 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2006-03-11 06:30 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2006-03-11 06:30 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2006-03-11 06:30 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2006-03-11 07:49 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2006-03-11 06:30 1290752 ----a-w- c:\windows\system32\quartz.dll
.

------- Sigcheck -------

[7] 2004-08-04 07:56 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\eventlog.dll
[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\system32\eventlog.dll
[7] 2004-08-04 07:56 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\system32\dllcache\cache\eventlog.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-30_08.06.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-03-11 07:55 . 2009-08-31 07:16 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-03-11 07:55 . 2009-05-19 06:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-03-11 07:55 . 2009-08-31 07:16 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"LxrAutorun"="c:\documents and settings\Owner\Local Settings\Application Data\Lexar Media\LxrAutorun.exe" [2006-11-09 24576]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Messenger (Yahoo!)"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"arima hotkey"="c:\program files\Arima Hotkey\arima_hotkey.exe" [2006-03-18 753664]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-26 185896]
"TrueImageMonitor.exe"="d:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-01-21 4359280]
"AcronisTimounterMonitor"="d:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-01-21 960536]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-21 377232]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"sohutv web version"="c:\program files\sohutv_web\SysTrayIcon.exe" [2008-08-06 459600]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-12-12 88204]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-6-29 2168360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher 2.lnk
backup=c:\windows\pss\Exif Launcher 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoogleDesktopManager"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
"c:\\Program Files\\sohutv_web\\SysTrayIcon.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\SPM\\SPM.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SSUpdate.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [3/1/2009 3:01 AM 134272]
R0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\system32\drivers\tdrpm174.sys [3/1/2009 3:01 AM 971552]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [8/11/2009 12:09 AM 9600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [5/18/2008 7:36 AM 72672]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/30/2009 3:33 AM 203280]
R3 ArHotKey;ArHotKey;c:\windows\system32\drivers\ArHotKey.SYS [6/29/2006 1:02 PM 5632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
S2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\ssipddp.sys [7/24/2009 6:00 PM 54272]
S2 woxuplwp;Microsoft USB Generic Parent Controller;c:\windows\System32\svchost.exe -k netsvcs [3/10/2006 11:30 PM 14336]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2/8/2009 11:27 PM 16512]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [6/11/2007 11:10 PM 18864]
S3 Qvod Terminal;Qvod Terminal;c:\program files\QvodPlayer\QvodTerminal.exe [3/21/2009 12:52 AM 524288]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ARHOTKEY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
woxuplwp

Contents of the 'Scheduled Tasks' folder

2009-08-30 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-30 04:26]

2009-08-30 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-30 04:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=IIutfdBTSr1aVMCp_tCcGdRq3-Q
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fm1zm8xi.default\
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 01:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed sucessfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2333739885-1484201064-1245539986-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\ gS怮茐5u茐2*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Order"=hex:08,00,00,00,02,00,00,00,80,01,00,00,01,00,00,00,03,00,00,00,7c,00,
00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,36,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2244)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\ieframe.dll

.
Completion time:: 2009-08-31 1:49
ComboFix-quarantined-files.txt 2009-08-31 08:49

Pre-Run: 213,967,712,256 bytes free
Post-Run: 213,945,044,992 bytes free

263 --- E O F --- 2009-08-22 18:29


2. ESET log:

C:\Documents and Settings\Owner\My Documents\Private\VPR\My Documents\Image\jian-10.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Owner\My Documents\Private\VPR\My Documents\Image\jian-10\?-10-1.scr probably a variant of Win32/Agent trojan cleaned by deleting - quarantined

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:53 PM

Posted 31 August 2009 - 02:10 PM

Hi MaxGen,
  • We need to run Combofix once more.
    Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    Driver::
    woxuplwp
    NetSvc::
    woxuplwp
    RegLock::
    [HKEY_USERS\S-1-5-21-2333739885-1484201064-1245539986-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs]

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Tell me how your computer is running and if you are still having any issues.
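The CFScript above targets woxuplwp because the ComboFix log in the previous post shows it twice: as an S2 (auto-start) service whose image is svchost.exe -k netsvcs under a Microsoft-sounding display name, and again under the Svchost - NetSvcs key, in a section the log itself says omits legitimate default entries. As an added example for this thread (not code from ComboFix, its author, or the helper), the following Python script parses those two parts of a ComboFix log, joins them into one finding per NetSvcs member, and emits a Driver::/NetSvc:: stanza in the layout used in the reply above; the embedded log excerpt is taken from the lines posted in this thread.

```python
"""Join the service table of a ComboFix log with its "Svchost - NetSvcs" list.

Added example for this thread, not code from ComboFix or from the helper.
woxuplwp stands out because it is an S2 (auto-start) service whose image is
svchost.exe -k netsvcs and whose name ComboFix also prints under the NetSvcs
key, a section the log says omits legitimate default entries."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Excerpt of the ComboFix log posted above (the real log is much longer).
SAMPLE_LOG = r"""
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/30/2009 3:33 AM 203280]
S2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\ssipddp.sys [7/24/2009 6:00 PM 54272]
S2 woxuplwp;Microsoft USB Generic Parent Controller;c:\windows\System32\svchost.exe -k netsvcs [3/10/2006 11:30 PM 14336]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2/8/2009 11:27 PM 16512]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ARHOTKEY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
woxuplwp

Contents of the 'Scheduled Tasks' folder
"""

# ComboFix service line:  <R|S><start type> <name>;<display name>;<image> [<date> <size>]
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
NETSVCS_HEADER = "Svchost - NetSvcs"


@dataclass
class Service:
    state: str        # R = running, S = stopped
    start_type: str   # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str         # internal service name (registry key name)
    display_name: str
    image: str        # image path plus arguments, e.g. "svchost.exe -k netsvcs"
    stamp: str        # file timestamp and size as ComboFix prints them


def parse_services(log: str) -> Dict[str, Service]:
    """Map lower-cased service name -> Service for every service/driver line."""
    services: Dict[str, Service] = {}
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            svc = Service(*m.groups())
            services[svc.name.lower()] = svc
    return services


def parse_netsvcs(log: str) -> List[str]:
    """Names listed under the NetSvcs header, up to the next blank line."""
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if line.strip().endswith(NETSVCS_HEADER):
            names = []
            for nxt in lines[i + 1:]:
                if not nxt.strip():
                    break
                names.append(nxt.strip())
            return names
    return []


def hosted_in_netsvcs(image: str) -> bool:
    low = image.lower()
    return "svchost.exe" in low and "-k netsvcs" in low


def suspicious_netsvcs(log: str) -> List[dict]:
    """One finding per NetSvcs member, enriched from the service table."""
    services = parse_services(log)
    findings = []
    for name in parse_netsvcs(log):
        svc = services.get(name.lower())
        if svc is None:
            note = "listed in NetSvcs but no matching service entry in the log"
            findings.append({"name": name, "display_name": None, "image": None, "note": note})
            continue
        if hosted_in_netsvcs(svc.image):
            note = "non-default NetSvcs member hosted by svchost -k netsvcs"
        else:
            note = "listed in NetSvcs but its image is not svchost -k netsvcs"
        findings.append({"name": svc.name, "display_name": svc.display_name,
                         "image": svc.image, "stamp": svc.stamp, "note": note})
    return findings


def cfscript_for(names: List[str]) -> str:
    """Driver::/NetSvc:: stanza in the layout used in the reply above."""
    return "\n".join(["Driver::", *names, "NetSvc::", *names]) + "\n"


if __name__ == "__main__":
    found = suspicious_netsvcs(SAMPLE_LOG)
    for f in found:
        print(f"{f['name']}: {f['display_name']!r} -> {f['image']}  [{f['note']}]")
    print(cfscript_for([f["name"] for f in found]))
```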


#9 MaxGen

MaxGen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:53 AM

Posted 01 September 2009 - 12:08 AM

Hi, farbar, I ran comboFix and updated Java. So far so good.

I have a question. I definitely saved a system restore point in mid-August (system restore content is saved on a separate partition, D), but now on the system restore page, there are no restore points showing before August 28, the date when it was infected. And when I click the left arrow to move to an earlier month, nothing happens; it still shows August. Is this normal? Thank you.


ComboFix log:

ComboFix 09-08-30.02 - Owner 1/2009 Mon 12:59.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.1014.434 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Files deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WOXUPLWP
-------\Service_woxuplwp


((((((((((((((((((((((((( Files created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-31 09:03 . 2009-08-31 09:03 -------- d-----w- c:\program files\ESET
2009-08-30 19:09 . 2009-08-30 19:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-30 10:33 . 2009-08-30 10:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-08-30 10:31 . 2009-07-08 20:44 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-08-30 10:31 . 2009-07-08 20:44 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-08-30 10:31 . 2009-07-08 20:44 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-08-30 10:31 . 2009-07-16 19:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-08-30 10:31 . 2009-08-30 10:31 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-30 10:31 . 2009-08-30 10:31 -------- d-----w- c:\program files\McAfee.com
2009-08-30 10:27 . 2009-07-08 20:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-08-30 10:15 . 2009-08-30 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-29 17:24 . 2009-08-29 17:24 -------- d-----w- c:\program files\Trend Micro
2009-08-29 08:05 . 2009-08-29 08:25 117760 ----a-w- c:\documents and settings\Administrator.THINKINGHEAD.000\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-29 08:04 . 2009-08-29 08:04 -------- d-----w- c:\documents and settings\Administrator.THINKINGHEAD.000\Application Data\SUPERAntiSpyware.com
2009-08-29 06:36 . 2009-08-29 22:03 -------- d--h--w- c:\windows\PIF
2009-08-22 18:16 . 2009-08-22 18:16 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-22 18:16 . 2009-08-22 18:16 -------- d-----w- c:\program files\MSBuild
2009-08-22 18:16 . 2009-08-22 18:16 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 18:15 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-22 18:15 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-22 18:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-22 18:15 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-22 18:15 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-22 18:15 . 2009-08-22 18:16 -------- d-----w- C:\518835f27a033c04f3d9
2009-08-22 18:15 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-22 18:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-22 18:01 . 2009-08-22 18:01 -------- d-----w- c:\program files\MSXML 6.0
2009-08-13 02:25 . 2009-08-13 02:25 -------- d-----w- c:\program files\Alcohol Soft
2009-08-12 17:37 . 2009-08-29 23:51 -------- d-----w- c:\windows\ServicePackFiles
2009-08-12 05:09 . 2009-08-12 05:09 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-12 04:43 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 04:42 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-11 07:09 . 2009-08-11 07:09 -------- d-----w- c:\program files\ISODisk
2009-08-11 07:09 . 2006-04-26 08:03 9600 ----a-w- c:\windows\system32\drivers\ISODisk.sys
2009-08-11 06:49 . 2009-08-11 06:49 -------- d-----w- c:\program files\Free ISO Creator
2009-08-11 05:14 . 2009-08-11 05:14 -------- d-----w- c:\windows\BBSTORE
2009-08-11 05:13 . 2009-08-11 05:46 -------- d-----w- c:\program files\The Learning Company
2009-08-10 09:42 . 2006-08-10 03:58 218624 -c--a-w- c:\windows\system32\dllcache\uxtheme.dll
2009-08-10 07:30 . 2009-08-10 07:30 -------- d-----w- c:\program files\Alex Feinman
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 20:08 . 2008-07-22 15:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-31 11:04 . 2006-06-29 20:13 -------- d-----w- c:\program files\McAfee
2009-08-31 07:18 . 2009-04-03 08:26 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-31 05:06 . 2006-12-27 01:35 -------- d-----w- c:\documents and settings\Owner\Application Data\SolidWorks
2009-08-30 11:18 . 2009-05-30 09:10 -------- d-----w- c:\program files\YoDaosTV_2
2009-08-30 10:22 . 2006-12-24 06:52 -------- d-----w- c:\program files\Yahoo!
2009-08-30 08:33 . 2006-12-24 09:10 66088 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 07:39 . 2008-07-22 15:39 -------- d-----w- c:\program files\Titan Backup
2009-08-30 05:49 . 2009-04-03 07:37 -------- d-----w- c:\program files\SPM
2009-08-30 05:27 . 2009-04-03 08:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-29 22:03 . 2006-12-24 06:00 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-08-05 09:11 . 2006-03-11 06:30 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 20:36 . 2009-04-03 07:37 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-04-03 07:37 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 01:00 . 2009-07-25 01:00 -------- d-----w- c:\program files\Common Files\Optical Research Associates
2009-07-25 00:59 . 2009-07-25 00:59 -------- d-----w- c:\program files\Optical Research Associates
2009-07-25 00:59 . 2006-06-29 19:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-18 09:29 . 2007-10-19 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-07-18 09:29 . 2007-10-19 15:20 -------- d-----w- c:\documents and settings\Owner\Application Data\ZoomBrowser EX
2009-07-17 18:55 . 2006-03-11 06:30 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2006-03-11 06:30 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 20:44 . 2009-07-08 20:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-06-29 16:12 . 2006-03-11 06:30 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-03-11 06:30 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-03-11 06:30 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 2006-03-11 06:30 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2006-03-11 06:30 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2006-03-11 06:30 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2006-03-11 06:30 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2006-03-11 06:30 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2006-03-11 07:49 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2006-03-11 06:30 1290752 ----a-w- c:\windows\system32\quartz.dll
.

------- Sigcheck -------

[7] 2004-08-04 07:56 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\eventlog.dll
[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\system32\eventlog.dll
[7] 2004-08-04 07:56 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\system32\dllcache\cache\eventlog.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-30_08.06.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-03-11 07:55 . 2009-08-31 16:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-03-11 07:55 . 2009-05-19 06:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-03-11 07:55 . 2009-08-31 16:48 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"LxrAutorun"="c:\documents and settings\Owner\Local Settings\Application Data\Lexar Media\LxrAutorun.exe" [2006-11-09 24576]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Messenger (Yahoo!)"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"arima hotkey"="c:\program files\Arima Hotkey\arima_hotkey.exe" [2006-03-18 753664]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-26 185896]
"TrueImageMonitor.exe"="d:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-01-21 4359280]
"AcronisTimounterMonitor"="d:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-01-21 960536]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-21 377232]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"sohutv web version"="c:\program files\sohutv_web\SysTrayIcon.exe" [2008-08-06 459600]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-12-12 88204]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-6-29 2168360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher 2.lnk
backup=c:\windows\pss\Exif Launcher 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoogleDesktopManager"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
"c:\\Program Files\\sohutv_web\\SysTrayIcon.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\SPM\\SPM.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SSUpdate.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [3/1/2009 3:01 AM 134272]
R0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\system32\drivers\tdrpm174.sys [3/1/2009 3:01 AM 971552]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [8/11/2009 12:09 AM 9600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [5/18/2008 7:36 AM 72672]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/30/2009 3:33 AM 203280]
R3 ArHotKey;ArHotKey;c:\windows\system32\drivers\ArHotKey.SYS [6/29/2006 1:02 PM 5632]
S2 0016101251716745mcinstcleanup;McAfee Application Installer Cleanup (0016101251716745);c:\windows\TEMP\001610~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\001610~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\ssipddp.sys [7/24/2009 6:00 PM 54272]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2/8/2009 11:27 PM 16512]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [6/11/2007 11:10 PM 18864]
S3 Qvod Terminal;Qvod Terminal;c:\program files\QvodPlayer\QvodTerminal.exe [3/21/2009 12:52 AM 524288]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0016101251716745MCINSTCLEANUP
*NewlyCreated* - ARHOTKEY
.
Contents of the ‘Scheduled Tasks' folder

2009-08-30 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-30 04:26]

2009-08-30 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-30 04:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=IIutfdBTSr1aVMCp_tCcGdRq3-Q
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fm1zm8xi.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 13:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes 。。。

scanning hidden autostart entries 。。。

scanning hidden files 。。。

scan completed sucessfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2333739885-1484201064-1245539986-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\ gS怮茐5u茐2*]
"Order"=hex:08,00,00,00,02,00,00,00,80,01,00,00,01,00,00,00,03,00,00,00,7c,00,
00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,36,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2584)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\LxrSII1s.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Titan Backup\TitanBackup.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
d:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-08-31 13:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-31 20:13
ComboFix2.txt 2009-08-31 08:49

Pre-Run: 213,894,840,320 bytes free
Post-Run: 213,838,110,720 bytes free

296 --- E O F --- 2009-08-22 18:29

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:53 PM

Posted 01 September 2009 - 03:16 AM

I have a question. I definitely saved a system restore point in middle August (system restore content is saved on a separated partition D), but now on the system restore page, there is no restore points showing before August 28 - the date when it was infected. And when I click left arrow to move to an earlier month, nothing happens, it still shows August. Is this normal? Thank you.


Some infections try to do something to System Restore.

The system seems clean but let's see if the infection has locked some files/programs preventing them from running.

We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.


#11 MaxGen

MaxGen
  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:53 AM

Posted 02 September 2009 - 12:09 AM

Hi, farbar, here is the Junction scan log.


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...

Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\4d6d3a82-31a8-4e11-a0bb-1f4bada240c5.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\Sniper.exe.exe: Access is denied.

Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.

...

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

...

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:53 PM

Posted 02 September 2009 - 12:38 AM

  • We need to reset the permissions altered by the malware on some files (from SAS and a renamed HijackThis) that are preventing them from running.
    • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
    • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:

      "%userprofile%\desktop\inherit" "c:\\Program Files\SUPERAntiSpyware\4d6d3a82-31a8-4e11-a0bb-1f4bada240c5.exe"
      "%userprofile%\desktop\inherit" "c:\\Program Files\Trend Micro\HijackThis\Sniper.exe.exe"

    • If you get a security warning select Run.
    • You will get a "Finish" popup. Click OK.
    • Do the same for the second line.
  • Please tell me how is the computer running.
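The junction scan reported "Access is denied" on the SUPERAntiSpyware and renamed HijackThis executables, and the Inherit step above resets their permissions. As an added example (not Farbar's Inherit.exe, junction.exe, or anything else from this thread), this PowerShell function audits those tool folders for files whose DACL has inheritance disabled or carries explicit Deny entries, which is how a file ends up "cannot access the specified device, path, or file", and with -Repair re-enables inheritance from the parent folder and drops the explicit Deny entries; the folder list, the function name and the -Repair switch are assumptions, and what Inherit.exe does internally is assumed, not documented here.

```powershell
# Added example (PowerShell 3.0+ for -File). Audits security-tool folders for
# tampered DACLs and optionally restores inheritance from the parent folder.
function Find-TamperedFileAcl {
    param(
        # Assumed folder list: the two tools the junction log flagged.
        [string[]]$Folders = @("$env:ProgramFiles\SUPERAntiSpyware",
                               "$env:ProgramFiles\Trend Micro\HijackThis"),
        [switch]$Repair   # assumed switch; without it the function only reports
    )
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            try {
                $acl = Get-Acl -LiteralPath $file
            } catch {
                # Reading the DACL itself can be refused when READ_CONTROL was
                # removed; that is a finding, not something to skip silently.
                [pscustomobject]@{ Path = $file
                                   Finding = "cannot read ACL: $($_.Exception.Message)"
                                   Repaired = $false }
                return
            }
            # Explicit (non-inherited) Deny ACEs are the usual way a file is
            # made unreadable/unexecutable while the folder around it stays normal.
            $denies = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })
            if (-not $acl.AreAccessRulesProtected -and $denies.Count -eq 0) { return }

            $finding = @()
            if ($acl.AreAccessRulesProtected) { $finding += 'inheritance disabled' }
            foreach ($d in $denies) {
                $finding += "Deny $($d.FileSystemRights) for $($d.IdentityReference)"
            }

            $repaired = $false
            if ($Repair) {
                # Re-enable inheritance from the parent (false = not protected);
                # the second argument only matters when protecting, so it is ignored.
                $acl.SetAccessRuleProtection($false, $true)
                foreach ($d in $denies) { [void]$acl.RemoveAccessRule($d) }
                Set-Acl -LiteralPath $file -AclObject $acl
                $repaired = $true
            }
            [pscustomobject]@{ Path = $file; Finding = ($finding -join '; '); Repaired = $repaired }
        }
    }
}

# Report only; add -Repair from an elevated prompt to restore inheritance.
Find-TamperedFileAcl | Format-Table -AutoSize
```

Run it first without -Repair and keep the report: the list of files with explicit Deny entries is the evidence of what the infection touched, and a repeat run after cleanup confirms nothing re-applied them.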


#13 MaxGen

MaxGen
  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:53 AM

Posted 02 September 2009 - 10:53 AM

Hi, farbar, I ran Inherit and SAS can run now. Supposing that we have cleaned all trojans, if any backdoor trojans remained, do you think real-time programs like the McAfee Internet Security suite with firewall, or Windows Firewall, could block them from sending any data out, even though they were unknown trojans?

The computer runs normally. Thanks a lot for your great help.

MaxGen

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:53 PM

Posted 02 September 2009 - 12:07 PM

Hi MaxGen,

Backdoor trojans can sometimes bypass the firewall. But your system looks safe. Just run an updated MBAM and McAfee after a couple of weeks and you will be good.

And you are very welcome.

Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /u


This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

You can also remove any tool we used from your computer.

Happy Surfing!

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:53 PM

Posted 06 September 2009 - 02:58 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



