

Rootkit removal help?


  • This topic is locked
28 replies to this topic

#1 the.unseen

  • Members
  • 23 posts

Posted 30 August 2009 - 12:02 AM

http://www.bleepingcomputer.com/forums/ind...p;#entry1405268

I posted on the virus forum but have been redirected here for further help with a rootkit.

Here's the RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/29 20:16
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: acpi.sys
Image Path: C:\Windows\system32\drivers\acpi.sys
Address: 0x805B1000 Size: 286720 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x81E12000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\Windows\system32\drivers\afd.sys
Address: 0x8ED85000 Size: 294912 File Visible: - Signed: -
Status: -

Name: afvpygmb.SYS
Image Path: C:\Windows\System32\Drivers\afvpygmb.SYS
Address: 0x89FAF000 Size: 229376 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: C:\Windows\system32\drivers\atapi.sys
Address: 0x89C78000 Size: 32768 File Visible: - Signed: -
Status: -

Name: ataport.SYS
Image Path: C:\Windows\system32\drivers\ataport.SYS
Address: 0x89C80000 Size: 122880 File Visible: - Signed: -
Status: -

Name: avgldx86.sys
Image Path: C:\Windows\System32\Drivers\avgldx86.sys
Address: 0x8F06E000 Size: 328576 File Visible: - Signed: -
Status: -

Name: avgmfx86.sys
Image Path: C:\Windows\System32\Drivers\avgmfx86.sys
Address: 0x8F068000 Size: 21120 File Visible: - Signed: -
Status: -

Name: avgtdix.sys
Image Path: C:\Windows\System32\Drivers\avgtdix.sys
Address: 0x8ED3A000 Size: 101888 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\Windows\System32\Drivers\Beep.SYS
Address: 0x8E9F4000 Size: 28672 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\Windows\system32\BOOTVID.dll
Address: 0x80488000 Size: 32768 File Visible: - Signed: -
Status: -

Name: bowser.sys
Image Path: C:\Windows\system32\DRIVERS\bowser.sys
Address: 0xAF997000 Size: 102400 File Visible: - Signed: -
Status: -

Name: cdd.dll
Image Path: C:\Windows\System32\cdd.dll
Address: 0x972A0000 Size: 57344 File Visible: - Signed: -
Status: -

Name: cdfs.sys
Image Path: C:\Windows\system32\DRIVERS\cdfs.sys
Address: 0x8F0FD000 Size: 90112 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\Windows\system32\DRIVERS\cdrom.sys
Address: 0x8E3D9000 Size: 98304 File Visible: - Signed: -
Status: -

Name: CI.dll
Image Path: C:\Windows\system32\CI.dll
Address: 0x804D1000 Size: 917504 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\Windows\system32\drivers\CLASSPNP.SYS
Address: 0x8A1A0000 Size: 135168 File Visible: - Signed: -
Status: -

Name: CLFS.SYS
Image Path: C:\Windows\system32\CLFS.SYS
Address: 0x80490000 Size: 266240 File Visible: - Signed: -
Status: -

Name: crashdmp.sys
Image Path: C:\Windows\System32\Drivers\crashdmp.sys
Address: 0x8F113000 Size: 53248 File Visible: - Signed: -
Status: -

Name: crcdisk.sys
Image Path: C:\Windows\system32\drivers\crcdisk.sys
Address: 0x8A1C1000 Size: 36864 File Visible: - Signed: -
Status: -

Name: dfsc.sys
Image Path: C:\Windows\System32\Drivers\dfsc.sys
Address: 0x8F051000 Size: 94208 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: C:\Windows\system32\drivers\disk.sys
Address: 0x8A18F000 Size: 69632 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\Windows\system32\drivers\drmk.sys
Address: 0x8E6BC000 Size: 151552 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x8F12B000 Size: 32768 File Visible: No Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8F120000 Size: 45056 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\Windows\System32\drivers\Dxapi.sys
Address: 0x8F133000 Size: 40960 File Visible: - Signed: -
Status: -

Name: dxgkrnl.sys
Image Path: C:\Windows\System32\drivers\dxgkrnl.sys
Address: 0x8E056000 Size: 651264 File Visible: - Signed: -
Status: -

Name: e1e6032.sys
Image Path: C:\Windows\system32\DRIVERS\e1e6032.sys
Address: 0x8E102000 Size: 241664 File Visible: - Signed: -
Status: -

Name: ecache.sys
Image Path: C:\Windows\System32\drivers\ecache.sys
Address: 0x8A168000 Size: 159744 File Visible: - Signed: -
Status: -

Name: fastfat.SYS
Image Path: C:\Windows\System32\Drivers\fastfat.SYS
Address: 0xA845F000 Size: 163840 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\Windows\system32\DRIVERS\fdc.sys
Address: 0x8E3CE000 Size: 45056 File Visible: - Signed: -
Status: -

Name: fileinfo.sys
Image Path: C:\Windows\system32\drivers\fileinfo.sys
Address: 0x89CD0000 Size: 65536 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: C:\Windows\system32\drivers\fltmgr.sys
Address: 0x89C9E000 Size: 204800 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\Windows\System32\Drivers\Fs_Rec.SYS
Address: 0x8E9E4000 Size: 36864 File Visible: - Signed: -
Status: -

Name: fwpkclnt.sys
Image Path: C:\Windows\System32\drivers\fwpkclnt.sys
Address: 0x8ECF5000 Size: 110592 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\Windows\System32\Drivers\GEARAspiWDM.sys
Address: 0x8E3F1000 Size: 9984 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\Windows\system32\hal.dll
Address: 0x821CB000 Size: 208896 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\Windows\system32\DRIVERS\HDAudBus.sys
Address: 0x8E195000 Size: 73728 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\Windows\system32\DRIVERS\HIDCLASS.SYS
Address: 0x8F0DC000 Size: 65536 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\Windows\system32\DRIVERS\HIDPARSE.SYS
Address: 0x8E800000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\Windows\system32\DRIVERS\hidusb.sys
Address: 0x8F0D3000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HSX_CNXT.sys
Image Path: C:\Windows\system32\DRIVERS\HSX_CNXT.sys
Address: 0x8E30D000 Size: 737280 File Visible: - Signed: -
Status: -

Name: HSX_DPV.sys
Image Path: C:\Windows\system32\DRIVERS\HSX_DPV.sys
Address: 0x8E20A000 Size: 1060864 File Visible: - Signed: -
Status: -

Name: HSXHWBS2.sys
Image Path: C:\Windows\system32\DRIVERS\HSXHWBS2.sys
Address: 0x8E1A7000 Size: 303104 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\Windows\system32\drivers\HTTP.sys
Address: 0xAF90F000 Size: 438272 File Visible: - Signed: -
Status: -

Name: igdkmd32.sys
Image Path: C:\Windows\system32\DRIVERS\igdkmd32.sys
Address: 0x8DA09000 Size: 6606848 File Visible: - Signed: -
Status: -

Name: intelide.sys
Image Path: C:\Windows\system32\DRIVERS\intelide.sys
Address: 0x89C4C000 Size: 28672 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\Windows\system32\DRIVERS\intelppm.sys
Address: 0x89F76000 Size: 61440 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\Windows\system32\DRIVERS\kbdclass.sys
Address: 0x8E648000 Size: 45056 File Visible: - Signed: -
Status: -

Name: kbdhid.sys
Image Path: C:\Windows\system32\DRIVERS\kbdhid.sys
Address: 0x8F0EC000 Size: 36864 File Visible: - Signed: -
Status: -

Name: kdcom.dll
Image Path: C:\Windows\system32\kdcom.dll
Address: 0x8040F000 Size: 32768 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\Windows\system32\DRIVERS\ks.sys
Address: 0x89F85000 Size: 172032 File Visible: - Signed: -
Status: -

Name: ksecdd.sys
Image Path: C:\Windows\System32\Drivers\ksecdd.sys
Address: 0x89CE9000 Size: 462848 File Visible: - Signed: -
Status: -

Name: lltdio.sys
Image Path: C:\Windows\system32\DRIVERS\lltdio.sys
Address: 0xAF8B8000 Size: 65536 File Visible: - Signed: -
Status: -

Name: luafv.sys
Image Path: C:\Windows\system32\drivers\luafv.sys
Address: 0x8F160000 Size: 110592 File Visible: - Signed: -
Status: -

Name: mcupdate_GenuineIntel.dll
Image Path: C:\Windows\system32\mcupdate_GenuineIntel.dll
Address: 0x80417000 Size: 393216 File Visible: - Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\Windows\system32\DRIVERS\mdmxsdk.sys
Address: 0xA845B000 Size: 12672 File Visible: - Signed: -
Status: -

Name: modem.sys
Image Path: C:\Windows\system32\drivers\modem.sys
Address: 0x8E3C1000 Size: 53248 File Visible: - Signed: -
Status: -

Name: monitor.sys
Image Path: C:\Windows\system32\DRIVERS\monitor.sys
Address: 0x8F13D000 Size: 61440 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\Windows\system32\DRIVERS\mouclass.sys
Address: 0x8E653000 Size: 45056 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\Windows\system32\DRIVERS\mouhid.sys
Address: 0x8F0F5000 Size: 32768 File Visible: - Signed: -
Status: -

Name: mountmgr.sys
Image Path: C:\Windows\System32\drivers\mountmgr.sys
Address: 0x89C68000 Size: 65536 File Visible: - Signed: -
Status: -

Name: mpsdrv.sys
Image Path: C:\Windows\System32\drivers\mpsdrv.sys
Address: 0xAF9B0000 Size: 86016 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\Windows\system32\drivers\mrxdav.sys
Address: 0xAF9C5000 Size: 131072 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb.sys
Address: 0x8F18B000 Size: 126976 File Visible: - Signed: -
Status: -

Name: mrxsmb10.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb10.sys
Address: 0x8F1AA000 Size: 233472 File Visible: - Signed: -
Status: -

Name: mrxsmb20.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb20.sys
Address: 0xAF9E5000 Size: 98304 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\Windows\System32\Drivers\Msfs.SYS
Address: 0x8E7AF000 Size: 45056 File Visible: - Signed: -
Status: -

Name: msisadrv.sys
Image Path: C:\Windows\system32\drivers\msisadrv.sys
Address: 0x807BE000 Size: 32768 File Visible: - Signed: -
Status: -

Name: msiscsi.sys
Image Path: C:\Windows\system32\DRIVERS\msiscsi.sys
Address: 0x89D5A000 Size: 188416 File Visible: - Signed: -
Status: -

Name: msrpc.sys
Image Path: C:\Windows\system32\drivers\msrpc.sys
Address: 0x89F11000 Size: 176128 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\Windows\system32\DRIVERS\mssmbios.sys
Address: 0x8E660000 Size: 40960 File Visible: - Signed: -
Status: -

Name: mup.sys
Image Path: C:\Windows\System32\Drivers\mup.sys
Address: 0x8A159000 Size: 61440 File Visible: - Signed: -
Status: -

Name: ndis.sys
Image Path: C:\Windows\system32\drivers\ndis.sys
Address: 0x89E06000 Size: 1093632 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\Windows\system32\DRIVERS\ndistapi.sys
Address: 0x8E1F1000 Size: 45056 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\Windows\system32\DRIVERS\ndisuio.sys
Address: 0xAF8F2000 Size: 40960 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\Windows\system32\DRIVERS\ndiswan.sys
Address: 0x89DC9000 Size: 143360 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\Windows\System32\Drivers\NDProxy.SYS
Address: 0x8E6AB000 Size: 69632 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\Windows\system32\DRIVERS\netbios.sys
Address: 0x8EDEC000 Size: 57344 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\Windows\System32\DRIVERS\netbt.sys
Address: 0x8ED53000 Size: 204800 File Visible: - Signed: -
Status: -

Name: NETIO.SYS
Image Path: C:\Windows\system32\drivers\NETIO.SYS
Address: 0x89F3C000 Size: 237568 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\Windows\System32\Drivers\Npfs.SYS
Address: 0x8E7BA000 Size: 57344 File Visible: - Signed: -
Status: -

Name: npkcrypt.sys
Image Path: C:\Program Files\Nexon\MapleStory\npkcrypt.sys
Address: 0xA8487000 Size: 21504 File Visible: - Signed: -
Status: -

Name: nsiproxy.sys
Image Path: C:\Windows\system32\drivers\nsiproxy.sys
Address: 0x8F047000 Size: 40960 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: C:\Windows\System32\Drivers\Ntfs.sys
Address: 0x8A009000 Size: 1110016 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\Windows\system32\ntkrnlpa.exe
Address: 0x81E12000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\Windows\System32\Drivers\Null.SYS
Address: 0x8E9ED000 Size: 28672 File Visible: - Signed: -
Status: -

Name: nwifi.sys
Image Path: C:\Windows\system32\DRIVERS\nwifi.sys
Address: 0xAF8C8000 Size: 172032 File Visible: - Signed: -
Status: -

Name: pacer.sys
Image Path: C:\Windows\system32\DRIVERS\pacer.sys
Address: 0x8EDD6000 Size: 90112 File Visible: - Signed: -
Status: -

Name: partmgr.sys
Image Path: C:\Windows\System32\drivers\partmgr.sys
Address: 0x807ED000 Size: 61440 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: C:\Windows\system32\drivers\pci.sys
Address: 0x807C6000 Size: 159744 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: C:\Windows\system32\drivers\pciide.sys
Address: 0x89C61000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\Windows\system32\DRIVERS\PCIIDEX.SYS
Address: 0x89C53000 Size: 57344 File Visible: - Signed: -
Status: -

Name: peauth.sys
Image Path: C:\Windows\system32\drivers\peauth.sys
Address: 0xA848D000 Size: 909312 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x81E12000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\Windows\system32\drivers\portcls.sys
Address: 0x8E9B7000 Size: 184320 File Visible: - Signed: -
Status: -

Name: PSHED.dll
Image Path: C:\Windows\system32\PSHED.dll
Address: 0x80477000 Size: 69632 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: C:\Windows\System32\Drivers\PxHelp20.sys
Address: 0x89CE0000 Size: 36288 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\Windows\System32\DRIVERS\rasacd.sys
Address: 0x8E7C8000 Size: 36864 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\Windows\system32\DRIVERS\rasl2tp.sys
Address: 0x89FE7000 Size: 94208 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\Windows\system32\DRIVERS\raspppoe.sys
Address: 0x89DEC000 Size: 61440 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\Windows\system32\DRIVERS\raspptp.sys
Address: 0x8E60F000 Size: 81920 File Visible: - Signed: -
Status: -

Name: rassstp.sys
Image Path: C:\Windows\system32\DRIVERS\rassstp.sys
Address: 0x8E623000 Size: 86016 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x81E12000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\Windows\system32\DRIVERS\rdbss.sys
Address: 0x8F00B000 Size: 245760 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\Windows\System32\DRIVERS\RDPCDD.sys
Address: 0x8E717000 Size: 32768 File Visible: - Signed: -
Status: -

Name: rdpencdd.sys
Image Path: C:\Windows\system32\drivers\rdpencdd.sys
Address: 0x8E71F000 Size: 32768 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA85B0000 Size: 49152 File Visible: No Signed: -
Status: -

Name: rspndr.sys
Image Path: C:\Windows\system32\DRIVERS\rspndr.sys
Address: 0xAF8FC000 Size: 77824 File Visible: - Signed: -
Status: -

Name: RTKVHDA.sys
Image Path: C:\Windows\system32\drivers\RTKVHDA.sys
Address: 0x8E807000 Size: 1767872 File Visible: - Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\Windows\System32\Drivers\SCSIPORT.SYS
Address: 0x80798000 Size: 155648 File Visible: - Signed: -
Status: -

Name: secdrv.SYS
Image Path: C:\Windows\System32\Drivers\secdrv.SYS
Address: 0xA856B000 Size: 40960 File Visible: - Signed: -
Status: -

Name: smb.sys
Image Path: C:\Windows\system32\DRIVERS\smb.sys
Address: 0x8ED26000 Size: 81920 File Visible: - Signed: -
Status: -

Name: spgz.sys
Image Path: C:\Windows\System32\Drivers\spgz.sys
Address: 0x8068E000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: spldr.sys
Image Path: C:\Windows\System32\Drivers\spldr.sys
Address: 0x8A151000 Size: 32768 File Visible: - Signed: -
Status: -

Name: spsys.sys
Image Path: C:\Windows\system32\drivers\spsys.sys
Address: 0xAF809000 Size: 716800 File Visible: - Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: srv.sys
Image Path: C:\Windows\System32\DRIVERS\srv.sys
Address: 0xA840F000 Size: 311296 File Visible: - Signed: -
Status: -

Name: srv2.sys
Image Path: C:\Windows\System32\DRIVERS\srv2.sys
Address: 0x8E76B000 Size: 159744 File Visible: - Signed: -
Status: -

Name: srvnet.sys
Image Path: C:\Windows\System32\DRIVERS\srvnet.sys
Address: 0xAF97A000 Size: 118784 File Visible: - Signed: -
Status: -

Name: storport.sys
Image Path: C:\Windows\system32\DRIVERS\storport.sys
Address: 0x89D88000 Size: 266240 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\Windows\system32\DRIVERS\swenum.sys
Address: 0x8E65E000 Size: 4992 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\Windows\System32\drivers\tcpip.sys
Address: 0x8EC0E000 Size: 946176 File Visible: - Signed: -
Status: -

Name: tcpipreg.sys
Image Path: C:\Windows\System32\drivers\tcpipreg.sys
Address: 0xA8575000 Size: 49152 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\Windows\system32\DRIVERS\TDI.SYS
Address: 0x8E3F4000 Size: 45056 File Visible: - Signed: -
Status: -

Name: tdx.sys
Image Path: C:\Windows\system32\DRIVERS\tdx.sys
Address: 0x8ED10000 Size: 90112 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\Windows\system32\DRIVERS\termdd.sys
Address: 0x8E638000 Size: 65536 File Visible: - Signed: -
Status: -

Name: TSDDD.dll
Image Path: C:\Windows\System32\TSDDD.dll
Address: 0x97280000 Size: 36864 File Visible: - Signed: -
Status: -

Name: tunmp.sys
Image Path: C:\Windows\system32\DRIVERS\tunmp.sys
Address: 0x8A000000 Size: 36864 File Visible: - Signed: -
Status: -

Name: tunnel.sys
Image Path: C:\Windows\system32\DRIVERS\tunnel.sys
Address: 0x8A1F5000 Size: 45056 File Visible: - Signed: -
Status: -

Name: umbus.sys
Image Path: C:\Windows\system32\DRIVERS\umbus.sys
Address: 0x8E66A000 Size: 53248 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\Windows\system32\DRIVERS\USBD.SYS
Address: 0x8F0D1000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\Windows\system32\DRIVERS\usbehci.sys
Address: 0x8E186000 Size: 61440 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\Windows\system32\DRIVERS\usbhub.sys
Address: 0x8E677000 Size: 212992 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\Windows\system32\DRIVERS\USBPORT.SYS
Address: 0x8E148000 Size: 253952 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\Windows\system32\DRIVERS\USBSTOR.SYS
Address: 0x8F0BF000 Size: 73728 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\Windows\system32\DRIVERS\usbuhci.sys
Address: 0x8E13D000 Size: 45056 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\Windows\System32\drivers\vga.sys
Address: 0x8E6EA000 Size: 49152 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\Windows\System32\drivers\VIDEOPRT.SYS
Address: 0x8E6F6000 Size: 135168 File Visible: - Signed: -
Status: -

Name: volmgr.sys
Image Path: C:\Windows\system32\drivers\volmgr.sys
Address: 0x80400000 Size: 61440 File Visible: - Signed: -
Status: -

Name: volmgrx.sys
Image Path: C:\Windows\System32\drivers\volmgrx.sys
Address: 0x89C02000 Size: 303104 File Visible: - Signed: -
Status: -

Name: volsnap.sys
Image Path: C:\Windows\system32\drivers\volsnap.sys
Address: 0x8A118000 Size: 233472 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\Windows\system32\DRIVERS\wanarp.sys
Address: 0x8E7D1000 Size: 77824 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\Windows\System32\drivers\watchdog.sys
Address: 0x8E0F5000 Size: 53248 File Visible: - Signed: -
Status: -

Name: Wdf01000.sys
Image Path: C:\Windows\system32\drivers\Wdf01000.sys
Address: 0x80605000 Size: 507904 File Visible: - Signed: -
Status: -

Name: WDFLDR.SYS
Image Path: C:\Windows\system32\drivers\WDFLDR.SYS
Address: 0x80681000 Size: 53248 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0x97060000 Size: 2105344 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\Windows\System32\win32k.sys
Address: 0x97060000 Size: 2105344 File Visible: - Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\Windows\win32k.sys:1
Address: 0x8F14C000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\Windows\win32k.sys:2
Address: 0x8F151000 Size: 61440 File Visible: No Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\Windows\System32\Drivers\WMILIB.SYS
Address: 0x8078F000 Size: 36864 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x81E12000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: ws2ifsl.sys
Image Path: C:\Windows\system32\drivers\ws2ifsl.sys
Address: 0x8EDCD000 Size: 36864 File Visible: - Signed: -
Status: -

Name: WUDFPf.sys
Image Path: C:\Windows\system32\DRIVERS\WUDFPf.sys
Address: 0xA859E000 Size: 73728 File Visible: - Signed: -
Status: -

Name: WUDFRd.sys
Image Path: C:\Windows\system32\DRIVERS\WUDFRd.sys
Address: 0xA8589000 Size: 83328 File Visible: - Signed: -
Status: -

Name: xaudio.sys
Image Path: C:\Windows\system32\DRIVERS\xaudio.sys
Address: 0xA8581000 Size: 32768 File Visible: - Signed: -
Status: -






I didn't get much info on what infected the computer other than that it's a rootkit. Any help would be appreciated.
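Added example, not part of the original post and not RootRepeal's code: a Python triage pass over the Drivers listing above. It parses the Name / Image Path / Address / Size / File Visible records and applies the checks a responder makes on a listing like this one. An image path that is an NTFS alternate data stream (the win32k.sys:1 and win32k.sys:2 entries; Windows never loads a driver image from a stream hanging off another file) is the strongest signal. An image with no visible file on disk is a lead but not proof, because the dump_* crash-dump copies of the storage stack and RootRepeal's own driver are hidden on a clean machine, so the script carries an allowlist for them (the editor's assumption). A driver loaded from outside the Windows driver directories (npkcrypt.sys under Program Files) is merely noted. Object-manager names such as \Driver\ACPI_HAL, \Driver\PnpManager, \FileSystem\RAW and \Driver\WMIxWDM, which all share the ntkrnlpa.exe address, are driver objects implemented by the kernel image itself, so the file checks skip them; \Driver\sptd with address and size 0 is reported only as a driver object with no image mapped. The sample input is six records copied from the log.

```python
"""Triage pass over the Drivers section of a RootRepeal log.

Added example for this thread: editor's code, not RootRepeal's and not the
poster's. SAMPLE is an excerpt of the records posted above; the rules and
the EXPECTED_HIDDEN allowlist are the editor's heuristics.
"""
import re
from dataclasses import dataclass, field

# One driver record, in the exact layout RootRepeal prints.
RECORD_RE = re.compile(
    r"Name: (?P<name>.+?)\n"
    r"Image Path: (?P<path>.+?)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
    r"File Visible: (?P<visible>\S+) Signed: (?P<signed>\S+)\n"
    r"Status: (?P<status>.+?)\n"
)

# Images that are legitimately invisible as files on a Vista box (assumption):
# the dump_* storage-stack copies are loaded from memory for crash dumps, and
# rootrepeal.sys is the scanner's own driver, which it hides.
EXPECTED_HIDDEN = {"dump_atapi.sys", "dump_dumpata.sys", "dump_dumpfve.sys",
                   "rootrepeal.sys"}

# Where Windows normally loads kernel-mode images from.
NORMAL_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")


@dataclass
class Finding:
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)


def parse_drivers(text: str) -> list[dict]:
    """Return one dict per record in the Drivers section."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def triage(records: list[dict]) -> list[Finding]:
    """Return a Finding for every record that trips at least one rule."""
    findings = []
    for r in records:
        name, path = r["name"], r["path"]
        # \Driver\... and \FileSystem\... are object-manager names of driver
        # objects the kernel image implements itself; they have no file.
        is_object = path.startswith("\\")
        reasons = []
        if not is_object and re.search(r"\\[^\\]+:[^\\]+$", path):
            # "C:\Windows\win32k.sys:1" names an NTFS alternate data stream;
            # Windows never loads a driver image from a stream of another file.
            reasons.append("image path is an NTFS alternate data stream")
        if (not is_object and r["visible"].lower() == "no"
                and name.lower() not in EXPECTED_HIDDEN):
            reasons.append("loaded image has no visible file on disk")
        if not is_object and not path.lower().startswith(NORMAL_DIRS):
            reasons.append("loaded from outside the Windows driver directories")
        if int(r["addr"], 16) == 0 and int(r["size"]) == 0:
            reasons.append("driver object with no image mapped (address 0, size 0)")
        if reasons:
            findings.append(Finding(name, path, reasons))
    return findings


# Six records copied from the log above.
SAMPLE = r"""Name: acpi.sys
Image Path: C:\Windows\system32\drivers\acpi.sys
Address: 0x805B1000 Size: 286720 File Visible: - Signed: -
Status: -
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x8F12B000 Size: 32768 File Visible: No Signed: -
Status: -
Name: npkcrypt.sys
Image Path: C:\Program Files\Nexon\MapleStory\npkcrypt.sys
Address: 0xA8487000 Size: 21504 File Visible: - Signed: -
Status: -
Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Name: win32k.sys
Image Path: C:\Windows\System32\win32k.sys
Address: 0x97060000 Size: 2105344 File Visible: - Signed: -
Status: -
Name: win32k.sys:1
Image Path: C:\Windows\win32k.sys:1
Address: 0x8F14C000 Size: 20480 File Visible: No Signed: -
Status: -
"""

if __name__ == "__main__":
    for f in triage(parse_drivers(SAMPLE)):
        print(f"{f.name:<14} {f.path}")
        for why in f.reasons:
            print(f"    - {why}")
```

Nothing in this pass identifies the unfamiliar afvpygmb.SYS one way or the other: it sits in the normal drivers directory with a visible file, so judging it means checking the file's digital signature and hash, not the listing.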



#2 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 September 2009 - 11:15 PM

Hi the.unseen,

Let's begin.....

Download and run Win32kDiag:

Next......


Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

With your next post please provide:

* Win32kDiag.txt
* Log.txt
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
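Added example, not part of SifuMike's instructions and not Win32kDiag's own code: a Python summary of the Win32kDiag.txt this post asks for (the poster's copy appears in the next reply). Win32kDiag walks the Windows directory and prints a Found mount point / Mount point destination pair for every directory that is a reparse point (junction). The script pairs those lines, groups them by destination and flags two things: a destination outside the volume namespace (a legitimate junction resolves to a \??\C:\... path, a volume GUID or a \Device\HarddiskVolumeN object; a target like \Device\__max++>\^ is none of those, and nothing in Windows or any installer creates one under C:\Windows), and the pattern of a junction named after its own parent directory (C:\Windows\Minidump\Minidump). It also picks up the "WARNING: Could not get backup privileges!" line, which means the tool could not enable SeBackupPrivilege (the editor's reading is that it was not run from an elevated prompt under Vista's UAC), so directories the account cannot read may not have been searched and the list may be incomplete. The sample is four pairs copied from the posted log plus one benign-looking junction constructed for contrast.

```python
"""Summarise the mount points a Win32kDiag.txt log reports.

Added example for this thread: editor's code, not Win32kDiag's and not the
helper's instructions. Win32kDiag prints a 'Found mount point :' line and a
'Mount point destination :' line for each directory reparse point it meets
under the Windows directory; this script pairs them, groups them by
destination and flags what deserves a second look.
"""
import re
from collections import defaultdict

# Targets a legitimate junction under a Windows install points at (editor's
# rule of thumb): a drive path behind the \??\ prefix, a volume GUID, or a
# volume device object.
LEGIT_DEST_RE = re.compile(
    r"^(\\\?\?\\[A-Za-z]:\\|\\\?\?\\Volume\{|\\Device\\HarddiskVolume\d+)"
)


def parse_win32kdiag(text: str) -> dict:
    """Pair up directory/destination lines; also record whether the tool
    warned that it ran without backup privilege, in which case directories
    the account cannot read may have been skipped and the list is incomplete."""
    pairs, pending, warned = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("WARNING: Could not get backup privileges"):
            warned = True
        elif line.startswith("Found mount point :"):
            pending = line.split(":", 1)[1].strip()
        elif line.startswith("Mount point destination :") and pending:
            pairs.append((pending, line.split(":", 1)[1].strip()))
            pending = None
    return {"mount_points": pairs, "privilege_warning": warned}


def leaf_repeats_parent(directory: str) -> bool:
    # e.g. C:\Windows\Minidump\Minidump: a junction named after the directory
    # that contains it, the naming every flagged entry in the posted log shows.
    parts = directory.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def classify(pairs) -> list[dict]:
    """One row per distinct destination, most-used first."""
    by_dest = defaultdict(list)
    for directory, dest in pairs:
        by_dest[dest].append(directory)
    rows = []
    for dest, dirs in by_dest.items():
        rows.append({
            "destination": dest,
            "count": len(dirs),
            # A target outside the volume namespace is not something Windows
            # or any installer creates for a directory under C:\Windows.
            "suspicious": LEGIT_DEST_RE.match(dest) is None,
            "leaf_repeats_parent": sum(leaf_repeats_parent(d) for d in dirs),
            "examples": dirs[:3],
        })
    rows.sort(key=lambda r: r["count"], reverse=True)
    return rows


# Four pairs copied from the log posted in the next reply, plus one
# benign-looking junction (the last pair) constructed for contrast.
SAMPLE = r"""Log file is located at: C:\Users\Leung\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Application Data

Mount point destination : \??\C:\Windows\ServiceProfiles\LocalService\AppData\Roaming
"""

if __name__ == "__main__":
    result = parse_win32kdiag(SAMPLE)
    if result["privilege_warning"]:
        print("note: scan ran without backup privilege; listing may be incomplete")
    for row in classify(result["mount_points"]):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"{flag:<10} x{row['count']:<3} {row['destination']}")
```

Grouping by destination is what makes a log of this length readable: dozens of junctions that all resolve to the same non-volume object are one finding, not dozens, and the count tells the responder how widely the directory tree has been touched.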

#3 the.unseen

  • Topic Starter
  • Members
  • 23 posts

Posted 04 September 2009 - 09:14 PM

Sorry it took so long, I can only come back on the weekends....

Here are both logs.

PEEK:

Volume in drive C is OS
Volume Serial Number is 4625-F7F7

Directory of C:\WINDOWS\System32

01/19/2008 00:36 177,152 scecli.dll

Directory of C:\WINDOWS\System32

01/19/2008 00:35 592,384 netlogon.dll

Directory of C:\WINDOWS\System32

11/02/2006 02:46 62,976 cngaudit.dll
3 File(s) 832,512 bytes



WIN32K:


Log file is located at: C:\Users\Leung\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP22FB.tmp\ZAP22FB.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Xfire\Xfire

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.16866_none_7fe0c12063c7ff25\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.16866_none_7fe0c12063c7ff25: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.21062_none_806634e57ce96cd5\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.21062_none_806634e57ce96cd5: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.18267_none_81c8001060eda96d\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.18267_none_81c8001060eda96d: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.22444_none_82643dbb79fdc277\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.22444_none_82643dbb79fdc277: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.18046_none_83c3136c5e04aa7f\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.18046_none_83c3136c5e04aa7f: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.22147_none_844db081772163a0\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.22147_none_844db081772163a0: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.16866_none_4755e279c14fc1a0\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.16866_none_4755e279c14fc1a0: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.21062_none_47db563eda712f50\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.21062_none_47db563eda712f50: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.18267_none_493d2169be756be8\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.18267_none_493d2169be756be8: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.22444_none_49d95f14d78584f2\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.22444_none_49d95f14d78584f2: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.18046_none_4b3834c5bb8c6cfa\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.18046_none_4b3834c5bb8c6cfa: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.22147_none_4bc2d1dad4a9261b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.22147_none_4bc2d1dad4a9261b: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.16866_none_0a011f83f55114da\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.16866_none_0a011f83f55114da: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.21062_none_0a8693490e72828a\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.21062_none_0a8693490e72828a: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.18267_none_0be85e73f276bf22\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.18267_none_0be85e73f276bf22: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.22444_none_0c849c1f0b86d82c\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.22444_none_0c849c1f0b86d82c: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.18046_none_0de371cfef8dc034\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.18046_none_0de371cfef8dc034: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.22147_none_0e6e0ee508aa7955\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.22147_none_0e6e0ee508aa7955: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.16866_none_0a021fcdf5502e31\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.16866_none_0a021fcdf5502e31: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.21062_none_0a8793930e719be1\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.21062_none_0a8793930e719be1: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.18267_none_0be95ebdf275d879\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.18267_none_0be95ebdf275d879: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.22444_none_0c859c690b85f183\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.22444_none_0c859c690b85f183: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.18046_none_0de47219ef8cd98b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.18046_none_0de47219ef8cd98b: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.22147_none_0e6f0f2f08a992ac\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.22147_none_0e6f0f2f08a992ac: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.16866_none_0a032017f54f4788\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.16866_none_0a032017f54f4788: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.21062_none_0a8893dd0e70b538\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.21062_none_0a8893dd0e70b538: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.18267_none_0bea5f07f274f1d0\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.18267_none_0bea5f07f274f1d0: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.22444_none_0c869cb30b850ada\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.22444_none_0c869cb30b850ada: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.18046_none_0de57263ef8bf2e2\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.18046_none_0de57263ef8bf2e2: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.22147_none_0e700f7908a8ac03\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.22147_none_0e700f7908a8ac03: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.16866_none_0a042061f54e60df\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.16866_none_0a042061f54e60df: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.21062_none_0a8994270e6fce8f\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.21062_none_0a8994270e6fce8f: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.18267_none_0beb5f51f2740b27\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.18267_none_0beb5f51f2740b27: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.22444_none_0c879cfd0b842431\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.22444_none_0c879cfd0b842431: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.18046_none_0de672adef8b0c39\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.18046_none_0de672adef8b0c39: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.22147_none_0e710fc308a7c55a\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.22147_none_0e710fc308a7c55a: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.16866_none_0a0520abf54d7a36\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.16866_none_0a0520abf54d7a36: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.21062_none_0a8a94710e6ee7e6\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.21062_none_0a8a94710e6ee7e6: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.18267_none_0bec5f9bf273247e\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.18267_none_0bec5f9bf273247e: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.22444_none_0c889d470b833d88\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.22444_none_0c889d470b833d88: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.18046_none_0de772f7ef8a2590\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.18046_none_0de772f7ef8a2590: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.22147_none_0e72100d08a6deb1\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.22147_none_0e72100d08a6deb1: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16866_none_3fdf3668c441aa88\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16866_none_3fdf3668c441aa88

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.21062_none_4064aa2ddd631838\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.21062_none_4064aa2ddd631838

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18267_none_41c67558c16754d0\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18267_none_41c67558c16754d0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22444_none_4262b303da776dda\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22444_none_4262b303da776dda

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.18046_none_43c188b4be7e55e2\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.18046_none_43c188b4be7e55e2

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.22147_none_444c25c9d79b0f03\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.22147_none_444c25c9d79b0f03

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\Branding\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\catroot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\com\dmp\dmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\Journal\Journal

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Messenger\Messenger

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Silverlight\Silverlight

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
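
The listing above pairs every "Found mount point" with the same destination, \Device\__max++>\^, and the only entries the tool could not open are the ones under SoftwareDistribution\Download. The short script below is an added example for this thread (not part of Win32kDiag, RootRepeal or any post) showing how to reduce such a listing to something reviewable: it pairs each junction with its target, groups the junctions by target and keeps only targets outside the \??\ object namespace, which is where junctions Windows creates itself (drive paths, \??\Volume{GUID} mounts) point. SAMPLE_LOG is a constructed excerpt in the same shape as the listing; the assumption that the trailing number on "Could not open reparse point" lines is a Win32 error code is marked in the code.

```python
"""Summarise a Win32kDiag-style mount-point listing.

Added example for this thread, not part of Win32kDiag, RootRepeal or any
post. It pairs each 'Found mount point' line with the following
'Mount point destination' line, groups the junctions by target and keeps
only targets outside the \\??\\ object namespace, where Windows' own
junctions (drive paths, \\??\\Volume{GUID} mounts) live. SAMPLE_LOG is a
constructed excerpt in the same shape as the listing above."""
import re

BENIGN_PREFIX = "\\??\\"

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
# Assumption: the trailing number is a Win32 error code (3 = ERROR_PATH_NOT_FOUND).
OPEN_ERR_RE = re.compile(r"^Could not open reparse point (.+): (\d+)$")
ACCESS_RE = re.compile(r"^Cannot access: (.+)$")

# Constructed sample in the shape of the listing above; not a real capture.
SAMPLE_LOG = r"""
Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\Users\All Users

Mount point destination : \??\C:\ProgramData

Could not open reparse point C:\Windows\SoftwareDistribution\Download\x\x: 3

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
"""


def parse_listing(text):
    """Return (pairs, unreadable): pairs is a list of (junction, target);
    unreadable is a list of (path, error_code_or_None) for entries the
    tool could not open."""
    pairs, unreadable, pending = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            pairs.append((pending, m.group(1)))
            pending = None
            continue
        m = OPEN_ERR_RE.match(line)
        if m:
            unreadable.append((m.group(1), int(m.group(2))))
            continue
        m = ACCESS_RE.match(line)
        if m:
            unreadable.append((m.group(1), None))
    return pairs, unreadable


def suspicious_targets(pairs):
    """Group junctions by target, keeping only targets outside \\??\\."""
    by_target = {}
    for junction, target in pairs:
        if not target.startswith(BENIGN_PREFIX):
            by_target.setdefault(target, []).append(junction)
    return by_target


def repeats_parent_name(junction):
    """True when the junction's last component repeats its parent's
    (...\\Desktop\\Desktop), the shape every entry in the listing has."""
    parts = junction.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def summarise(text):
    """Human-readable summary, returned rather than printed so it can be checked."""
    pairs, unreadable = parse_listing(text)
    lines = [f"{len(pairs)} junctions parsed, {len(unreadable)} entries unreadable"]
    for target, junctions in suspicious_targets(pairs).items():
        nested = sum(repeats_parent_name(j) for j in junctions)
        lines.append(f"{len(junctions)} junction(s) -> {target} "
                     f"({nested} named after their parent directory)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Run it against a saved log with a one-line change to read the file instead of SAMPLE_LOG. The point of grouping by target is that a junction whose target is a bare \Device\ object rather than a \??\ path cannot have been created by a normal mklink or volume mount, so a single odd target shared by hundreds of junctions is what to look at first, before the individual paths.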

#4 SifuMike (malware expert, Members, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 04 September 2009 - 09:33 PM

Hi the.unseen,


Please do the following.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind 
    cngaudit.dll
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 the.unseen (Topic Starter, Members, 23 posts)

Posted 04 September 2009 - 10:07 PM

Here it is:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:02 on 04/09/2009 by Leung (Administrator - Elevation successful)

========== filefind ==========

Searching for "cngaudit.dll"
C:\Windows\System32\cngaudit.dll --a--- 62976 bytes [08:43 02/11/2006] [09:46 02/11/2006] (Unable to calculate MD5)
C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D

-=End Of File=-

#6 SifuMike (malware expert, Members, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 05 September 2009 - 11:26 AM

Hi the.unseen


We will need to take this cleanup in phases. You are not clean until I tell you so - even if it appears that everything is running fine!

Let's begin....

==========

Step 1

Please save this file to your desktop.
Click on Start->Run, and copy-paste the following command (the bolded text)
"%userprofile%\desktop\win32kdiag.exe" -f -r
into the "Open" box, and click OK.
When it's finished, there will be a log called Win32kDiag.txt on your desktop.
Please open it with notepad and post the contents here.

==========

Step 2

Please do this:
  • In the Vista machine we need to run cmd.exe as administrator, otherwise access to the DLL you want to copy will be denied.
    • Click on Start button.
    • Type Cmd in the Start Search text box.
    • Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow elevation request.
    • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

      copy "C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll" C:\ /y
    • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
    • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
      NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
==========

Step 3

Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\cngaudit.dll | C:\Windows\System32\cngaudit.dll
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========

With your next post please provide:

* Win32kDiag.txt
* Avenger.txt
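
The SystemLook log earlier in the thread shows two copies of cngaudit.dll that do not agree: the System32 copy is 62976 bytes and its MD5 could not be calculated, while the WinSxS copy is 11776 bytes with MD5 7F15B4953378C8B5161D65C26D5FED4D. Steps 2 and 3 above stage the WinSxS copy at C:\ and have The Avenger move it over the System32 file at boot. The script below is an added example for this thread, not part of SystemLook, The Avenger or any post: it checks the staged copy before the reboot, and the System32 file after it, against the size and MD5 SystemLook reported for the WinSxS original. The three paths are the ones used in the steps above; the reference values are the ones from the SystemLook log. It uses MD5 only because that is the digest the log provides, not as a security primitive.

```python
"""Verify that a staged or replaced DLL matches its WinSxS original by size
and MD5, before and after running The Avenger 'Files to move' script.

Added example for this thread; not part of SystemLook, The Avenger or any
post. Reference values are those SystemLook printed for the WinSxS copy of
cngaudit.dll; the paths are the ones used in Step 2 and Step 3 above."""
import hashlib
from pathlib import Path

WINSXS_CNGAUDIT = Path(r"C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll"
                       r"_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6"
                       r"\cngaudit.dll")
STAGED_COPY = Path(r"C:\cngaudit.dll")
LIVE_COPY = Path(r"C:\Windows\System32\cngaudit.dll")

# As reported by SystemLook for the WinSxS copy (size in bytes, MD5 hex).
EXPECTED_SIZE = 11776
EXPECTED_MD5 = "7f15b4953378c8b5161d65c26d5fed4d"


def file_md5(path, chunk=1 << 16):
    """MD5 of a file read in chunks. Returns None when the file cannot be
    read; on a live infected system that is itself a finding (compare
    '(Unable to calculate MD5)' in the SystemLook log) and the file should
    be re-checked from an offline boot rather than trusted."""
    digest = hashlib.md5()
    try:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                digest.update(block)
    except OSError:
        return None
    return digest.hexdigest()


def check_file(path, expected_md5=EXPECTED_MD5, expected_size=EXPECTED_SIZE):
    """Return (ok, detail) for one file against the known-good values.
    Size is compared first: a mismatch there is cheap to see and is exactly
    what the SystemLook log showed for the System32 copy."""
    path = Path(path)
    if not path.exists():
        return False, "missing"
    size = path.stat().st_size
    digest = file_md5(path)
    if digest is None:
        return False, f"unreadable (size {size})"
    if size != expected_size:
        return False, f"size {size} != {expected_size}"
    if digest.lower() != expected_md5.lower():
        return False, f"md5 {digest} != {expected_md5}"
    return True, f"md5 {digest}, {size} bytes"


def verify_all(paths=(WINSXS_CNGAUDIT, STAGED_COPY, LIVE_COPY)):
    """Check every path; before the reboot LIVE_COPY is expected to fail,
    after it all three should pass."""
    return {str(p): check_file(p) for p in paths}


if __name__ == "__main__":
    for name, (ok, detail) in verify_all().items():
        print("OK  " if ok else "FAIL", name, detail)
```

Run it from an elevated prompt once after Step 2 (the WinSxS and C:\ copies should both pass, System32 should fail) and once after the Avenger reboot (all three should pass). If the System32 copy still reports "unreadable" after the reboot, the move did not take effect and the Avenger log needs to be read before going further.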

#7 the.unseen (Topic Starter, Members, 23 posts)

Posted 05 September 2009 - 12:05 PM

WIN32K-------------------------------------------



Log file is located at: C:\Users\Leung\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\Globalization

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.16866_none_7fe0c12063c7ff25\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.16866_none_7fe0c12063c7ff25: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.21062_none_806634e57ce96cd5\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.21062_none_806634e57ce96cd5: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.18267_none_81c8001060eda96d\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.18267_none_81c8001060eda96d: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.22444_none_82643dbb79fdc277\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.22444_none_82643dbb79fdc277: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.18046_none_83c3136c5e04aa7f\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.18046_none_83c3136c5e04aa7f: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.22147_none_844db081772163a0\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.22147_none_844db081772163a0: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.16866_none_4755e279c14fc1a0\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.16866_none_4755e279c14fc1a0: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.21062_none_47db563eda712f50\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.21062_none_47db563eda712f50: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.18267_none_493d2169be756be8\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.18267_none_493d2169be756be8: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.22444_none_49d95f14d78584f2\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.22444_none_49d95f14d78584f2: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.18046_none_4b3834c5bb8c6cfa\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.18046_none_4b3834c5bb8c6cfa: 3
Found mount point : C:\Windows\System32\0409\0409

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\0409\0409

Found mount point : C:\Windows\System32\Branding\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\Branding\en-US\en-US

Found mount point : C:\Windows\System32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\inetsrv\inetsrv

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-09-05 09:36:51 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()


Avenger---------------------------------------------------




Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "a0rns7ba" found!
Start Type: 3 (Manual)

Rootkit scan completed.

File move operation "C:\cngaudit.dll|C:\Windows\System32\cngaudit.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#8 SifuMike
malware expert

Posted 05 September 2009 - 12:23 PM

Hi the.unseen,

Please do the following.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and paste the content of the following codebox into the main textfield under "File":
    :filefind 
    cngaudit.dll
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 the.unseen

Posted 05 September 2009 - 12:33 PM

Here it is:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:02 on 04/09/2009 by Leung (Administrator - Elevation successful)

========== filefind ==========

Searching for "cngaudit.dll"
C:\Windows\System32\cngaudit.dll --a--- 62976 bytes [08:43 02/11/2006] [09:46 02/11/2006] (Unable to calculate MD5)
C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D

-=End Of File=-
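The SystemLook result above pairs the live System32 copy of cngaudit.dll with the pristine copy in the WinSxS component store, which is the comparison a responder makes by eye: the live copy could not be hashed and its size matches no store copy. As an added example, not from the thread or from SystemLook, this Python script parses such ":filefind" output and flags live copies that could not be hashed or that match no store copy by size or MD5; the example.dll lines and their MD5 in the sample log are constructed, and the flagging rules are assumptions, since a legitimately newer version can also differ in size from an older store copy.

```python
"""Triage SystemLook ':filefind' output: compare each live file with the copies
kept in the WinSxS component store. Added example for this thread, not part of
SystemLook; the cngaudit.dll lines come from the posted log, example.dll and its
MD5 are constructed, and the flagging rules are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One result line as SystemLook prints it:
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5 | (Unable to calculate MD5)>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+[-a-zA-Z]{6}\s+(?P<size>\d+) bytes"
    r"\s+\[[^\]]+\]\s+\[[^\]]+\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))\s*$"
)

# Constructed sample log (see module docstring for which lines are real).
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (29.08.09)

========== filefind ==========

Searching for "cngaudit.dll"
C:\Windows\System32\cngaudit.dll --a--- 62976 bytes [08:43 02/11/2006] [09:46 02/11/2006] (Unable to calculate MD5)
C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D

Searching for "example.dll"
C:\Windows\System32\example.dll --a--- 4096 bytes [08:43 02/11/2006] [09:46 02/11/2006] 00112233445566778899AABBCCDDEEFF
C:\Windows\winsxs\x86_example-dll_constructed\example.dll --a--- 4096 bytes [08:43 02/11/2006] [09:46 02/11/2006] 00112233445566778899AABBCCDDEEFF

-=End Of File=-
"""


@dataclass
class FileHit:
    path: str
    size: int
    md5: Optional[str]  # None when SystemLook printed "(Unable to calculate MD5)"

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()


def parse_filefind(log: str) -> Dict[str, List[FileHit]]:
    """Group every result line under the (lower-cased) file name it belongs to."""
    hits: Dict[str, List[FileHit]] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, "Searching for" lines, blanks
        md5 = m.group("md5")
        hit = FileHit(path=m.group("path"), size=int(m.group("size")),
                      md5=None if md5.startswith("(") else md5.upper())
        hits.setdefault(hit.path.rsplit("\\", 1)[-1].lower(), []).append(hit)
    return hits


def triage(hits: Dict[str, List[FileHit]]) -> Dict[str, List[str]]:
    """Per file name, list why each live (non-WinSxS) copy deserves a closer look.

    Assumed heuristics: a live copy SystemLook could not hash is commonly locked
    or hidden by a rootkit; a live copy matching no store copy by size, or by
    MD5 when a size does agree, matches no version the component store knows.
    A legitimately newer version can also differ in size, so treat a hit as a
    cue for inspection, not as proof of tampering.
    """
    findings: Dict[str, List[str]] = {}
    for name, entries in hits.items():
        store = [e for e in entries if e.in_winsxs]
        reasons: List[str] = []
        for e in (x for x in entries if not x.in_winsxs):
            if e.md5 is None:
                reasons.append(f"{e.path}: MD5 could not be calculated")
            if store and all(s.size != e.size for s in store):
                sizes = sorted({s.size for s in store})
                reasons.append(f"{e.path}: size {e.size} matches no WinSxS copy {sizes}")
            elif store and e.md5 and all(s.md5 != e.md5 for s in store):
                reasons.append(f"{e.path}: MD5 matches no WinSxS copy")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_filefind(SAMPLE_LOG)).items():
        print(name)
        for r in reasons:
            print("  -", r)
```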

#10 SifuMike
malware expert

Posted 05 September 2009 - 12:35 PM

Please tell me the antivirus you have on this computer.

#11 SifuMike
malware expert

Posted 05 September 2009 - 12:38 PM

In step #2, did you get this message within the Command Prompt: "1 file(s) copied"?

If you did not get the message then you should NOT have executed The Avenger script (step #3); it won't work if the file copy was not successful.

#12 the.unseen

Posted 05 September 2009 - 12:44 PM

I did get the "one file copied" message and used Avenger...
I'm running AVG.

#13 SifuMike
malware expert

Posted 05 September 2009 - 12:47 PM

We will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 05 September 2009 - 12:48 PM.


#14 the.unseen

Posted 05 September 2009 - 01:30 PM

Here's the log:


ComboFix 09-09-04.02 - Leung 09/05/2009 11:14.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3060.2184 [GMT -7:00]
Running from: c:\users\Leung\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-541243244-389507019-761528019-500
c:\program files\iWin Games\iWinGamesHookIE.dll
c:\program files\iWin\tbiWi1.dll
c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\Windows Antivirus Pro\tmp\dbsinit.exe
c:\program files\Windows Antivirus Pro\tmp\images\i1.gif
c:\program files\Windows Antivirus Pro\tmp\images\i2.gif
c:\program files\Windows Antivirus Pro\tmp\images\i3.gif
c:\program files\Windows Antivirus Pro\tmp\images\j1.gif
c:\program files\Windows Antivirus Pro\tmp\images\j2.gif
c:\program files\Windows Antivirus Pro\tmp\images\j3.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj1.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj2.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj3.gif
c:\program files\Windows Antivirus Pro\tmp\images\l1.gif
c:\program files\Windows Antivirus Pro\tmp\images\l2.gif
c:\program files\Windows Antivirus Pro\tmp\images\l3.gif
c:\program files\Windows Antivirus Pro\tmp\images\pix.gif
c:\program files\Windows Antivirus Pro\tmp\images\t1.gif
c:\program files\Windows Antivirus Pro\tmp\images\t2.gif
c:\program files\Windows Antivirus Pro\tmp\images\up1.gif
c:\program files\Windows Antivirus Pro\tmp\images\up2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w1.gif
c:\program files\Windows Antivirus Pro\tmp\images\w11.gif
c:\program files\Windows Antivirus Pro\tmp\images\w2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.jpg
c:\program files\Windows Antivirus Pro\tmp\images\wt1.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt2.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt3.gif
c:\program files\Windows Antivirus Pro\tmp\wispex.html
c:\program files\Windows Antivirus Pro\Windows Antivirus Pro.exe
c:\users\Maggie\AppData\Local\Microsoft\Windows\Temporary Internet Files\ijjistarter_verinfo.dat
c:\windows\Installer\f023fd.msi
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\svchast.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\bennuar.old
c:\windows\system32\drivers\kbiwkmnvycbicx.sys
c:\windows\system32\drivers\kbiwkmvrbtxpvr.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\kbiwkmbcnnvdlr.dat
c:\windows\system32\kbiwkmjtwoegcr.dll
c:\windows\system32\kbiwkmkpnmrcit.dll
c:\windows\system32\kbiwkmlejxfdri.dll
c:\windows\system32\kbiwkmpwqrptxh.dat
c:\windows\system32\kbiwkmrdutpbfo.dll
c:\windows\system32\kbiwkmstvpwxtm.dat
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\sysnet.dat
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_AntipPro2009_100
-------\Service_kbiwkmkcninfso
-------\Service_kbiwkmrsiwmpin


((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.

2009-09-05 18:20 . 2009-09-05 18:20 -------- d-----w- c:\users\Maggie\AppData\Local\temp
2009-09-05 18:20 . 2009-09-05 18:24 -------- d-----w- c:\users\Leung\AppData\Local\temp
2009-09-05 18:20 . 2009-09-05 18:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-29 23:31 . 2009-08-29 23:31 -------- d-----w- c:\program files\CCleaner
2009-08-29 19:48 . 2009-08-29 20:37 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-29 19:46 . 2009-08-29 19:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-29 19:46 . 2009-08-29 19:46 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-29 19:46 . 2009-08-29 19:46 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-29 19:46 . 2009-08-29 19:46 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-29 19:46 . 2009-08-30 01:11 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-29 19:46 . 2009-08-29 19:46 -------- d-----w- c:\program files\AVG
2009-08-29 19:46 . 2009-08-29 23:56 -------- d-----w- c:\programdata\avg8
2009-08-29 19:35 . 2009-08-29 19:35 -------- d-----w- c:\users\Leung\AppData\Roaming\AVG8
2009-08-29 19:35 . 2009-08-29 19:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:35 . 2009-08-29 23:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-29 19:35 . 2009-08-29 23:58 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-27 22:04 . 2009-08-27 22:04 -------- d-----w- C:\Windows Antivirus Pro
2009-08-27 17:27 . 2009-08-27 17:27 -------- d-----w- c:\windows\Sun
2009-08-26 19:41 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-25 21:07 . 2009-06-05 12:34 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-25 21:07 . 2009-06-05 10:08 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-21 01:50 . 2009-08-21 01:50 -------- d-----w- c:\users\Maggie\AppData\Local\OLYMPUS
2009-08-21 01:47 . 2009-08-21 01:47 -------- d-----w- c:\program files\Common Files\muvee Technologies
2009-08-21 01:47 . 2007-05-28 18:14 626688 ----a-r- c:\windows\system32\msvcr80.dll
2009-08-21 01:47 . 2007-05-28 18:13 548864 ----a-r- c:\windows\system32\msvcp80.dll
2009-08-21 01:47 . 2007-05-28 18:13 95744 ----a-r- c:\windows\system32\atl80.dll
2009-08-21 01:46 . 2009-08-21 01:46 -------- d-----w- c:\users\Leung\AppData\Local\OLYMPUS
2009-08-21 01:45 . 2009-08-21 01:45 -------- d-----w- c:\program files\OLYMPUS
2009-08-13 23:36 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-13 23:36 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-13 23:36 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-13 23:36 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-13 23:36 . 2009-06-15 15:22 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-13 23:36 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-13 23:36 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-13 23:36 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-13 02:30 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-13 02:30 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-13 02:30 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-13 02:30 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-13 02:30 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-13 02:30 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-13 02:27 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-13 02:26 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-13 01:05 . 2009-08-13 01:05 -------- d-----w- c:\program files\7-Zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 18:20 . 2009-02-22 17:12 -------- d-----w- c:\program files\iWin
2009-09-05 18:20 . 2009-02-22 17:12 -------- d-----w- c:\program files\iWin Games
2009-09-02 01:12 . 2008-07-24 00:21 195930716 ----a-w- c:\windows\DUMP49ea.tmp
2009-09-02 00:11 . 2008-07-24 00:21 218339964 ----a-w- c:\windows\DUMP4b13.tmp
2009-08-29 23:33 . 2008-08-15 22:38 -------- d-----w- c:\users\Leung\AppData\Roaming\Azureus
2009-08-29 21:48 . 2008-07-23 17:15 -------- d-----w- c:\programdata\McAfee
2009-08-25 01:19 . 2008-08-15 02:40 -------- d-----w- c:\users\Maggie\AppData\Roaming\LimeWire
2009-08-21 01:46 . 2008-08-23 01:00 -------- d-----w- c:\programdata\Apple Computer
2009-08-14 22:50 . 2009-07-24 02:24 -------- d-----w- c:\programdata\HP
2009-08-13 16:22 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-07 05:28 . 2008-08-01 06:57 -------- d-----w- c:\programdata\Roxio
2009-08-06 03:59 . 2009-08-06 03:59 -------- d-----w- c:\program files\LSoft Technologies
2009-08-06 03:00 . 2009-04-24 00:12 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-03 20:36 . 2009-07-25 05:17 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-07-25 05:16 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 19:07 . 2008-11-30 02:52 1594 ----a-w- c:\users\Maggie\AppData\Roaming\wklnhst.dat
2009-07-29 19:03 . 2008-09-13 00:49 -------- d-----w- c:\program files\Yahoo! Games
2009-07-29 19:02 . 2009-05-27 02:19 -------- d-----w- c:\program files\VirtualFamilies_at
2009-07-29 19:01 . 2008-08-01 10:32 -------- d-----w- c:\program files\Starcraft
2009-07-29 19:00 . 2008-07-23 17:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-29 18:53 . 2009-02-22 17:35 -------- d-----w- c:\program files\iWin.com
2009-07-29 18:52 . 2009-07-24 19:28 -------- d-----w- c:\program files\Diablo II
2009-07-29 18:43 . 2008-12-18 01:49 -------- d-----w- c:\programdata\Arcade Lab
2009-07-28 16:17 . 2009-07-28 16:16 -------- d-----w- c:\users\Maggie\AppData\Roaming\HP
2009-07-25 16:24 . 2009-07-25 16:24 -------- d-----w- c:\program files\MSXML 4.0
2009-07-25 05:17 . 2009-07-25 05:17 -------- d-----w- c:\users\Leung\AppData\Roaming\Malwarebytes
2009-07-25 05:16 . 2009-07-25 05:16 -------- d-----w- c:\programdata\Malwarebytes
2009-07-24 20:32 . 2009-07-24 20:29 249856 ------w- c:\windows\Setup1.exe
2009-07-24 20:32 . 2009-07-24 20:29 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-24 02:53 . 2009-07-24 02:50 126 ----a-w- c:\users\Leung\AppData\Roaming\wklnhst.dat
2009-07-24 02:50 . 2009-07-24 02:50 -------- d-----w- c:\users\Leung\AppData\Roaming\Template
2009-07-24 02:42 . 2009-07-24 02:33 -------- d-----w- c:\users\Leung\AppData\Roaming\HP
2009-07-24 02:35 . 2009-07-24 02:24 157475 ----a-w- c:\windows\hpoins29.dat
2009-07-24 02:34 . 2009-07-24 02:34 -------- d-----w- c:\programdata\WEBREG
2009-07-24 02:32 . 2009-07-24 02:32 -------- d-----w- c:\programdata\Hewlett-Packard
2009-07-24 02:27 . 2009-07-24 02:27 -------- d-----w- c:\programdata\HP Product Assistant
2009-07-24 02:27 . 2009-07-24 02:25 -------- d-----w- c:\program files\HP
2009-07-24 02:26 . 2009-07-24 02:26 -------- d-----w- c:\program files\Common Files\HP
2009-07-24 02:26 . 2009-07-24 02:26 -------- d-----w- c:\program files\Hewlett-Packard
2009-07-24 02:26 . 2009-07-24 02:26 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-07-18 16:06 . 2009-07-29 15:39 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-07-29 15:39 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-07-29 15:39 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-16 21:09 . 2009-07-15 23:44 -------- d-----w- c:\programdata\PMB Files
2009-07-16 21:01 . 2009-07-16 21:01 -------- d-----w- c:\users\Maggie\AppData\Roaming\Xfire
2009-07-15 23:43 . 2009-07-15 23:43 -------- d-----w- c:\program files\Pando Networks
2009-07-01 17:25 . 2009-07-16 21:07 61440 ----a-w- c:\windows\system32\uc_atlantica_launching.dll
2009-06-15 15:24 . 2009-07-14 20:01 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-14 20:01 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-14 20:01 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-14 20:01 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-07 22:35 . 2009-06-07 22:35 10134 ----a-r- c:\users\Leung\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-07 22:14 . 2009-06-07 22:14 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2008-07-24 00:44 . 2008-07-24 00:31 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-23 68856]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-05-28 95800]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-05 185872]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-29 2007832]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-05-11 4452352]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-23 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
ZyXEL G-200 Utility.lnk - c:\program files\ZyXEL\G-200v2\G-200.exe [2008-8-1 1605632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-23 17:22 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{8755C59E-08F8-4342-8FF8-9C034CBE5308}c:\\program files\\counter-strike source\\hl2.exe"= UDP:c:\program files\counter-strike source\hl2.exe:hl2
"UDP Query User{E85DB58D-88C4-46B1-A566-4BAF27CCF844}c:\\program files\\counter-strike source\\hl2.exe"= TCP:c:\program files\counter-strike source\hl2.exe:hl2
"{7F63AC09-06AB-41B7-A15D-4AF66E80CE18}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{49A492EF-5CB9-41EF-AA2E-7FCDE6408239}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{261F34A8-8393-4530-854E-6220D1E7B72B}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{7F31E0C0-7864-421D-B30A-BD3FF02C6568}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{0562B963-4D52-4ABC-988E-DE12DB0E948D}c:\\program files\\imesh applications\\imesh\\imesh.exe"= UDP:c:\program files\imesh applications\imesh\imesh.exe:iMesh
"UDP Query User{B72C43D2-8DCE-4A15-AC6A-264545E28A33}c:\\program files\\imesh applications\\imesh\\imesh.exe"= TCP:c:\program files\imesh applications\imesh\imesh.exe:iMesh
"{E8E44FBE-2BD7-412C-93BD-308947336660}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{5455EDDB-DC71-4BC4-8B60-E3F43FC2724E}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{FF770B63-ECE6-4F07-9D78-09B34736A3BA}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{40CEB60D-597E-4BD9-B797-A81C85052B4F}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{FF74A1F5-9454-4CF9-A1AC-43710586ED54}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{7DCB9696-97C1-4E28-813D-6543DD5CE2A1}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5504A317-EF24-4C8C-A784-381438F21E0C}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{A3BCBFD1-C357-4F62-A1E9-6AE1F4BF8343}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{263F5FBE-AB2D-44B5-A7B4-A2D4E55CEB88}c:\\users\\maggie\\desktop\\left 4 dead\\left4dead.exe"= UDP:c:\users\maggie\desktop\left 4 dead\left4dead.exe:left4dead
"UDP Query User{5C4E2D61-40AB-46BD-954C-67773BA33B83}c:\\users\\maggie\\desktop\\left 4 dead\\left4dead.exe"= TCP:c:\users\maggie\desktop\left 4 dead\left4dead.exe:left4dead
"{62520F12-8E8B-4425-A4D2-1D0CE1138214}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{215A9986-3FEB-465F-9421-095E7FB0C353}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{7E1AE0D7-60AD-48B2-B9AB-2784E000BDB5}"= UDP:c:\program files\iWin Games\iWinGames.exe:iWin Games application.
"{002CFF2F-ED51-4584-863E-D2E828B76413}"= TCP:c:\program files\iWin Games\iWinGames.exe:iWin Games application.
"{8B4D2D3B-F621-40AF-82D8-3D60ED864DD4}"= UDP:c:\program files\iWin Games\WebUpdater.exe:iWin Games updater.
"{6CD54E17-83ED-42C7-97CD-3D7761DD0EF1}"= TCP:c:\program files\iWin Games\WebUpdater.exe:iWin Games updater.
"{53A76697-ADC0-4F18-A255-64A1C05A239F}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"TCP Query User{E16BC97F-AF59-427D-B976-CC5979461FEB}c:\\ijji\\english\\u_gunz.exe"= UDP:c:\ijji\english\u_gunz.exe:<ijji Downloader>
"UDP Query User{78A91F35-FDF6-446A-8BF7-45359A558CF1}c:\\ijji\\english\\u_gunz.exe"= TCP:c:\ijji\english\u_gunz.exe:<ijji Downloader>
"TCP Query User{A50856C6-E271-4A2D-B353-5B9EC146D75D}c:\\ijji\\english\\gunz\\gunz.exe"= UDP:c:\ijji\english\gunz\gunz.exe:Gunz
"UDP Query User{B695BFAF-1586-440F-BE50-C09EA569ED82}c:\\ijji\\english\\gunz\\gunz.exe"= TCP:c:\ijji\english\gunz\gunz.exe:Gunz
"{CDF47055-718B-42B1-AC99-51B5D2C6F185}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{0E40CB22-1CB8-4635-B0FE-73C8BF145019}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{3DFEF935-66BB-48D8-BAC7-A789D5D4AFBB}"= UDP:c:\program files\Pando Networks\Media Booster\PMB.exe:Pando Media Booster
"{7D8D3F25-7CE3-4AD5-9216-73EEF3812503}"= TCP:c:\program files\Pando Networks\Media Booster\PMB.exe:Pando Media Booster
"{6953A976-CAFF-41AA-950C-6A42B86E22B1}"= UDP:c:\program files\Pando Networks\Media Booster\PMB.exe:Pando Media Booster
"{F8C1A24F-A412-416C-98DB-2B960F9AF3A5}"= TCP:c:\program files\Pando Networks\Media Booster\PMB.exe:Pando Media Booster
"{0C5DAC92-64F3-45B2-8676-8F17D56549FC}"= c:Program FilesPando NetworksMedia BoosterPMB.exe:Pando Media Booster
"TCP Query User{DBDED96C-E45E-467F-BACA-EBD44C43CEBB}c:\\program files\\xfire\\xfire.exe"= UDP:c:\program files\xfire\xfire.exe:Xfire
"UDP Query User{CEC904B1-813F-4E99-94AC-11478A129B8D}c:\\program files\\xfire\\xfire.exe"= TCP:c:\program files\xfire\xfire.exe:Xfire
"{2D40A842-81D3-496D-901A-DD3A30840FD4}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{71E445B4-4E8C-4742-8DC6-0B364B69C6B8}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{8246A122-055E-49EB-9ACD-5EBB5861611E}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{A9A374A4-B873-46F1-972F-0F847F7CE421}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{5903BF38-7212-40F1-AF90-24FF13CBEDD6}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{407DC4F5-7978-42AD-B796-C123C2658F0A}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{DF9EE9AA-8DBB-454E-AD4D-522194AF0972}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{A0D235B9-EACB-4FEE-800E-26C8C9F63CCF}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{D7FAB94E-66E9-4CB5-8912-99053B557EB9}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{50297D64-C047-4407-8DF3-F4D63A93DE72}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{20327D65-FF0D-4FA5-9EA1-160C6C01850F}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{6842AFDC-E937-4F59-82FE-3A3F5976941F}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{4EAA216D-C41B-4EB0-ABC9-77D01E773E37}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [8/29/2009 12:46 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [8/29/2009 12:46 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/29/2009 12:46 297752]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [12/17/2008 15:00 78104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/14/2008 12:40 24652]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/29/2009 12:46 908056]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [4/23/2009 17:12 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 18:08 533360]
S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\System32\drivers\WUSB54GCx86.sys [8/5/2008 02:02 256000]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RegistryMechanic - k:\registry mechanic\RMTray.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS


.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Leung\AppData\Roaming\Mozilla\Firefox\Profiles\fwlxabd9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\users\Leung\AppData\Roaming\Mozilla\Firefox\Profiles\fwlxabd9.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 11:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmkcninfso]
"imagepath"="\systemroot\system32\drivers\kbiwkmnvycbicx.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmrsiwmpin]
"imagepath"="\systemroot\system32\drivers\kbiwkmvrbtxpvr.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmkcninfso]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmnvycbicx.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmrsiwmpin]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmvrbtxpvr.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-05 11:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-05 18:28

Pre-Run: 72,115,990,528 bytes free
Post-Run: 74,069,446,656 bytes free

380 --- E O F --- 2009-08-29 19:24
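The log above contains the indicators the helpers in this thread are reacting to: hardening switched off (EnableLUA, EnableFirewall and Security Center monitoring), DLLs injected into every process through AppInit_DLLs, and two kernel-mode driver services with random-looking names whose registry keys ComboFix reports as locked. The Python below is an added example by the editor, not part of the thread or of ComboFix: it pulls those indicators out of a ComboFix-style log mechanically. SAMPLE_LOG is constructed from the lines quoted in this post (the Policies\System key header, which the excerpt does not show, is assumed); the severity labels and the shared-name-prefix heuristic are the editor's own.

```python
# Added example (editor's own, not from the thread or ComboFix): pull the indicators
# discussed above out of a ComboFix-style log instead of reading it by eye.
import os
import re
from collections import namedtuple

# Constructed sample built from the log lines quoted above. The Policies\System key
# header is assumed (the excerpt starts just below it); everything else is as logged.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmkcninfso]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmnvycbicx.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmrsiwmpin]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmvrbtxpvr.sys"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
SERVICE_KERNEL_DRIVER, SERVICE_SYSTEM_START = 0x1, 0x1   # SCM "type" and "start" values
Finding = namedtuple('Finding', 'severity category subject detail')

def parse_value(raw):
    """Normalise ComboFix value spellings: dword:HEX, 'N (0xN)', quoted or expand:"..." strings."""
    raw = raw.strip()
    if m := re.match(r'^dword:([0-9a-fA-F]{1,8})$', raw):
        return int(m.group(1), 16)
    if m := re.match(r'^(\d+)\s*\(0x[0-9a-fA-F]+\)$', raw):
        return int(m.group(1))
    if m := re.match(r'^(?:expand:)?"(.*)"$', raw):
        return m.group(1).replace('\\\\', '\\')
    return raw

def parse_log(text):
    """Map key path -> {'values': {name: value}, 'locked': bool}; a key listed twice is merged."""
    keys, current, in_locked = {}, None, False
    for line in (l.rstrip() for l in text.splitlines()):
        if 'LOCKED REGISTRY KEYS' in line:
            in_locked = True
        elif m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {'values': {}, 'locked': False})
            current['locked'] |= in_locked
        elif current is not None and line.startswith('@'):
            current['locked'] = True          # @DACL / @Denied / @Allowed lines
        elif current is not None and (m := VALUE_RE.match(line)):
            current['values'][m.group(1).lower()] = parse_value(m.group(2))
    return keys

def triage(text):
    """Return Findings for weakened hardening, AppInit_DLLs and locked kernel-driver services."""
    findings, drivers = [], []
    for path, key in parse_log(text).items():
        low, v, leaf = path.lower(), key['values'], path.rsplit('\\', 1)[-1]
        if v.get('enablelua') == 0:
            findings.append(Finding('high', 'hardening', 'EnableLUA', 'UAC is disabled'))
        if 'firewallpolicy' in low and v.get('enablefirewall') == 0:
            findings.append(Finding('high', 'hardening', leaf, 'Windows Firewall is off for this profile'))
        if 'security center' in low and v.get('disablemonitoring') == 1:
            findings.append(Finding('medium', 'hardening', leaf, 'Security Center monitoring disabled'))
        for dll in str(v.get('appinit_dlls', '')).split():   # 8.3 paths in the log, so no embedded spaces
            findings.append(Finding('review', 'appinit', dll, 'loaded into every process that links user32.dll'))
        # A locked key by itself is not evidence (the Class key above is normal); a locked key
        # holding a system-start kernel driver with a random-looking name is.
        if ('\\services\\' in low and key['locked']
                and v.get('type') == SERVICE_KERNEL_DRIVER and v.get('start') == SERVICE_SYSTEM_START):
            image = str(v.get('imagepath', ''))
            drivers.append((leaf, image.rsplit('\\', 1)[-1].split('.')[0]))
            findings.append(Finding('critical', 'rootkit', leaf, f'kernel driver, system start, key locked: {image}'))
    # Heuristic (editor's): a driver family usually shares a prefix across service and file names.
    prefix = os.path.commonprefix([n for pair in drivers for n in pair])
    if len(drivers) > 1 and len(prefix) >= 4:
        findings.append(Finding('critical', 'rootkit', prefix + '*', f'{len(drivers)} locked drivers share this prefix'))
    return findings

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:>8}] {f.category:<9} {f.subject}: {f.detail}')
```

Run against the sample, the two kbiwkm* services come out as the only critical items, while the locked modem Class key and the AVG and Google Desktop AppInit entries are reported for review rather than as infections; the script reads the log only and changes nothing on the machine.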

#15 SifuMike
malware expert, Members, 15,385 posts
Location: Vancouver (not BC) WA (Not DC) USA

Posted 05 September 2009 - 01:47 PM

Hi,

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Folder:: 
C:\Windows Antivirus Pro

Registry:: 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot omitted: CFScript.txt being dragged onto ComboFix.exe]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.



