Possible RootKit infection


This topic is locked
31 replies to this topic

#1 woofer-001

Posted 03 September 2009 - 11:04 PM

Cannot run DDS. ~ OB

Referred from: http://www.bleepingcomputer.com/forums/t/254429/trojanmetajuan-rootkittdss-infection/

Trojan.MetaJuan - Rootkit.TDSS Infection

RootRepeal started and shut down almost immediately. Never did get the Select Scan window; it just ran.
Report posted below.

Tried to run it a second time and the screen went to a blue screen of death.
Message, summarized, said:
A problem has been detected and Windows has been shut down to prevent damage to your machine.
Machine_Check_Exception
***STOP: 0x0000009c (0x00000004, 0x8054D5F0, 0xB2000000, 0x00070F0F)
...then some other stuff

RootRepeal results

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/03 22:13
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:WINDOWSsystem32DRIVERS1394BUS.SYS
Address: 0xF7617000 Size: 53248 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF75A8000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: DriverACPI_HAL
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Name: Afc.sys
Image Path: C:WINDOWSsystem32driversAfc.sys
Address: 0xF781F000 Size: 32768 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:WINDOWSSystem32driversafd.sys
Address: 0xBAAD3000 Size: 138368 File Visible: - Signed: -
Status: -

Name: aic78xx.sys
Image Path: aic78xx.sys
Address: 0xF7647000 Size: 56960 File Visible: - Signed: -
Status: -

Name: ASACPI.sys
Image Path: C:WINDOWSsystem32DRIVERSASACPI.sys
Address: 0xF799B000 Size: 5152 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF749A000 Size: 95360 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:WINDOWSSystem32ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: avgtdix.sys
Image Path: C:WINDOWSSystem32Driversavgtdix.sys
Address: 0xBAB1D000 Size: 101888 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:WINDOWSSystem32DriversBeep.SYS
Address: 0xF79B1000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:WINDOWSsystem32BOOTVID.dll
Address: 0xF7897000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:WINDOWSSystem32DriversCdfs.SYS
Address: 0xF744B000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:WINDOWSsystem32DRIVERScdrom.sys
Address: 0xF76A7000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:WINDOWSsystem32DRIVERSCLASSPNP.SYS
Address: 0xF7667000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7657000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF74B2000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF798B000 Size: 5888 File Visible: - Signed: -
Status: -

Name: dump_nvata.sys
Image Path: C:WINDOWSSystem32Driversdump_nvata.sys
Address: 0xBA95A000 Size: 94208 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:WINDOWSSystem32Driversdump_WMILIB.SYS
Address: 0xF79D5000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:WINDOWSSystem32driversDxapi.sys
Address: 0xBA995000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:WINDOWSSystem32driversdxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:WINDOWSSystem32driversdxgthk.sys
Address: 0xF7A7E000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:WINDOWSSystem32DriversFastfat.SYS
Address: 0xB9F18000 Size: 143360 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:WINDOWSsystem32DRIVERSfdc.sys
Address: 0xF773F000 Size: 27392 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:WINDOWSsystem32DRIVERSflpydisk.sys
Address: 0xF77AF000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xF7867000 Size: 128896 File Visible: - Signed: -
Status: -

Name: framebuf.dll
Image Path: C:WINDOWSSystem32framebuf.dll
Address: 0xBFF50000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:WINDOWSSystem32DriversFs_Rec.SYS
Address: 0xF79AD000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF74D8000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:WINDOWSSystem32DriversGEARAspiWDM.sys
Address: 0xF7767000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:WINDOWSsystem32hal.dll
Address: 0x806EC000 Size: 131968 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:WINDOWSsystem32DRIVERSHIDCLASS.SYS
Address: 0xF745B000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:WINDOWSsystem32DRIVERSHIDPARSE.SYS
Address: 0xBACD6000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:WINDOWSsystem32DRIVERShidusb.sys
Address: 0xBAC66000 Size: 9600 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:WINDOWSsystem32DRIVERSimapi.sys
Address: 0xF76C7000 Size: 41856 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:WINDOWSsystem32DRIVERSipnat.sys
Address: 0xBAB36000 Size: 134912 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:WINDOWSsystem32DRIVERSipsec.sys
Address: 0xBABE3000 Size: 74752 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75F7000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:WINDOWSsystem32DRIVERSkbdclass.sys
Address: 0xF7727000 Size: 24576 File Visible: - Signed: -
Status: -

Name: kbdhid.sys
Image Path: C:WINDOWSsystem32DRIVERSkbdhid.sys
Address: 0xBADF5000 Size: 14848 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:WINDOWSsystem32KDCOM.DLL
Address: 0xF7987000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:WINDOWSsystem32DRIVERSks.sys
Address: 0xBAF6A000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7970000 Size: 92032 File Visible: - Signed: -
Status: -

Name: lccfltr.sys
Image Path: C:WINDOWSsystem32driverslccfltr.sys
Address: 0xBADFD000 Size: 12896 File Visible: - Signed: -
Status: -

Name: MarvinBus.sys
Image Path: C:WINDOWSsystem32DRIVERSMarvinBus.sys
Address: 0xBAD2F000 Size: 188416 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:WINDOWSsystem32DRIVERSmouclass.sys
Address: 0xF7737000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:WINDOWSsystem32DRIVERSmouhid.sys
Address: 0xBAFFC000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7627000 Size: 42240 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:WINDOWSsystem32DRIVERSmrxsmb.sys
Address: 0xBAA39000 Size: 453632 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:WINDOWSSystem32DriversMsfs.SYS
Address: 0xF777F000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:WINDOWSsystem32DRIVERSmsgpc.sys
Address: 0xF7587000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:WINDOWSsystem32DRIVERSmssmbios.sys
Address: 0xBAFC8000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7AE8000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF7A22000 Size: 182912 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:WINDOWSsystem32DRIVERSndistapi.sys
Address: 0xBAFF8000 Size: 9600 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:WINDOWSsystem32DRIVERSndisuio.sys
Address: 0xBA434000 Size: 12928 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:WINDOWSsystem32DRIVERSndiswan.sys
Address: 0xBAE05000 Size: 91776 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:WINDOWSSystem32DriversNDProxy.SYS
Address: 0xF7557000 Size: 38016 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:WINDOWSsystem32DRIVERSnetbios.sys
Address: 0xF7527000 Size: 34560 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:WINDOWSsystem32DRIVERSnetbt.sys
Address: 0xBAAF5000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:WINDOWSSystem32DriversNpfs.SYS
Address: 0xF7797000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7B03000 Size: 574464 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:WINDOWSsystem32ntoskrnl.exe
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:WINDOWSSystem32DriversNull.SYS
Address: 0xF7A77000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nvata.sys
Image Path: nvata.sys
Address: 0xF746B000 Size: 92800 File Visible: - Signed: -
Status: -

Name: NVENETFD.sys
Image Path: C:WINDOWSsystem32DRIVERSNVENETFD.sys
Address: 0xF7537000 Size: 33536 File Visible: - Signed: -
Status: -

Name: nvnetbus.sys
Image Path: C:WINDOWSsystem32DRIVERSnvnetbus.sys
Address: 0xF7947000 Size: 12928 File Visible: - Signed: -
Status: -

Name: NVNRM.SYS
Image Path: C:WINDOWSsystem32DRIVERSNVNRM.SYS
Address: 0xBAEEF000 Size: 262144 File Visible: - Signed: -
Status: -

Name: NVSNPU.SYS
Image Path: C:WINDOWSsystem32DRIVERSNVSNPU.SYS
Address: 0xBAEBC000 Size: 208896 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF7607000 Size: 61056 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF770F000 Size: 18688 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF7597000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7A4F000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:WINDOWSsystem32DRIVERSPCIIDEX.SYS
Address: 0xF7707000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PCTCore.sys
Image Path: PCTCore.sys
Address: 0xF7830000 Size: 225280 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: DriverPnpManager
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:WINDOWSsystem32DRIVERSpsched.sys
Address: 0xBADCC000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:WINDOWSsystem32DRIVERSptilink.sys
Address: 0xF77B7000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF7677000 Size: 35712 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:WINDOWSsystem32DRIVERSrasacd.sys
Address: 0xBADE1000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:WINDOWSsystem32DRIVERSrasl2tp.sys
Address: 0xF76D7000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:WINDOWSsystem32DRIVERSraspppoe.sys
Address: 0xF76E7000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:WINDOWSsystem32DRIVERSraspptp.sys
Address: 0xF76F7000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:WINDOWSsystem32DRIVERSraspti.sys
Address: 0xF77C7000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: FileSystemRAW
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:WINDOWSsystem32DRIVERSrdbss.sys
Address: 0xBAAA8000 Size: 174592 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:WINDOWSSystem32DRIVERSRDPCDD.sys
Address: 0xF79B5000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:WINDOWSsystem32DRIVERSrdpdr.sys
Address: 0xBAD9B000 Size: 196864 File Visible: - Signed: -
Status: -

Name: RDPWD.SYS
Image Path: C:WINDOWSSystem32DriversRDPWD.SYS
Address: 0xBA02B000 Size: 139392 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:WINDOWSsystem32DRIVERSredbook.sys
Address: 0xF76B7000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:WINDOWSsystem32driversrootrepeal.sys
Address: 0xB9E08000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:WINDOWSsystem32DRIVERSSCSIPORT.SYS
Address: 0xF7482000 Size: 98304 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:WINDOWSsystem32DRIVERSsrv.sys
Address: 0xBA04E000 Size: 333184 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:WINDOWSsystem32DRIVERSswenum.sys
Address: 0xF79A1000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7B90000 Size: 323584 File Visible: No Signed: -
Status: -

Name: SymIM.sys
Image Path: C:WINDOWSsystem32DRIVERSSymIM.sys
Address: 0xF774F000 Size: 29696 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:WINDOWSsystem32DRIVERStcpip.sys
Address: 0xBAB8B000 Size: 360320 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:WINDOWSsystem32DRIVERSTDI.SYS
Address: 0xF778F000 Size: 20480 File Visible: - Signed: -
Status: -

Name: TDTCP.SYS
Image Path: C:WINDOWSSystem32DriversTDTCP.SYS
Address: 0xF77E7000 Size: 21760 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:WINDOWSsystem32DRIVERStermdd.sys
Address: 0xF7577000 Size: 40704 File Visible: - Signed: -
Status: -

Name: TMPassthru.sys
Image Path: C:WINDOWSsystem32DRIVERSTMPassthru.sys
Address: 0xBACFE000 Size: 199936 File Visible: - Signed: -
Status: -

Name: tunmp.sys
Image Path: C:WINDOWSsystem32DRIVERStunmp.sys
Address: 0xF7923000 Size: 12416 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:WINDOWSsystem32DRIVERSupdate.sys
Address: 0xBAD67000 Size: 209408 File Visible: - Signed: -
Status: -

Name: usbccgp.sys
Image Path: C:WINDOWSsystem32DRIVERSusbccgp.sys
Address: 0xBACC6000 Size: 31616 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:WINDOWSsystem32DRIVERSUSBD.SYS
Address: 0xF79A9000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:WINDOWSsystem32DRIVERSusbehci.sys
Address: 0xF780F000 Size: 26624 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:WINDOWSsystem32DRIVERSusbhub.sys
Address: 0xF7547000 Size: 57600 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:WINDOWSsystem32DRIVERSusbohci.sys
Address: 0xF77DF000 Size: 17024 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:WINDOWSsystem32DRIVERSUSBPORT.SYS
Address: 0xBAF8D000 Size: 143360 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:WINDOWSSystem32driversvga.sys
Address: 0xF7807000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:WINDOWSSystem32driversVIDEOPRT.SYS
Address: 0xBAC4A000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7637000 Size: 52352 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:WINDOWSSystem32watchdog.sys
Address: 0xF77EF000 Size: 20480 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: DriverWin32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:WINDOWSSystem32win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:WINDOWSwin32k.sys:1
Address: 0xF7757000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:WINDOWSwin32k.sys:2
Address: 0xBAA09000 Size: 61440 File Visible: No Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:WINDOWSsystem32DRIVERSWMILIB.SYS
Address: 0xF7989000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: DriverWMIxWDM
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xF795D000 Size: 77568 File Visible: - Signed: -
Status: -

Name: yk51x86.sys
Image Path: C:WINDOWSsystem32DRIVERSyk51x86.sys
Address: 0xBAF2F000 Size: 241280 File Visible: - Signed: -
Status: -

---------------------------------------------------------------------------------------------------------

Was also asked to run and post the results for Win32KDiag[1].exe. The resulting report is posted below.
Had a taskbar balloon that said the following:

"Win32KDiag[1].exe - Corrupt File"

"The File or Directory System Volume InformationEfaDataSYMEFA.DB journal is corrupt and unreadable. Please run ChkDsk Utility"

-----------------------------------------
Report from Win32KDiag[1].exe
Log file is located at: C:Documents and SettingsAdministratorDesktopWin32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:WINDOWS'...



Found mount point : C:WINDOWS$hf_mig$KB918899KB918899

Mount point destination : Device__max++>^

Found mount point : C:WINDOWS$hf_mig$KB922760KB922760

Mount point destination : Device__max++>^

Found mount point : C:WINDOWS$hf_mig$KB925454KB925454

Mount point destination : Device__max++>^

Found mount point : C:WINDOWS$hf_mig$KB944533KB944533

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSaddinsaddins

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSassemblyNativeImages_v2.0.50727_32TempZAP2831.tmpZAP2831.tmp

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSassemblyNativeImages_v2.0.50727_32TempZAP2915.tmpZAP2915.tmp

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSassemblyNativeImages_v2.0.50727_32TempZAP2936.tmpZAP2936.tmp

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSassemblyNativeImages_v2.0.50727_32TempZAP80C.tmpZAP80C.tmp

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSassemblyNativeImages_v2.0.50727_32TempZAPC91.tmpZAPC91.tmp

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSassemblytemptemp

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSassemblytmptmp

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSbackdirbackdir

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSConfigConfig

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSConnection WizardConnection Wizard

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSCSCd1d1

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSCSCd2d2

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSCSCd3d3

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSCSCd4d4

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSCSCd5d5

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSCSCd6d6

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSCSCd7d7

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSCSCd8d8

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSftpcacheftpcache

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSGoogle ToolbarGoogle Toolbar

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSimechsimeappletsapplets

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSimeCHTIMEAppletsApplets

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSimeimejpappletsapplets

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSimeimejp98imejp98

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSimeimjp8_1appletsapplets

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSimeimkr6_1appletsapplets

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSimeimkr6_1dictsdicts

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSimesharedresres

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSInstaller$PatchCache$Managed000021094B0090400000000000F01FEC12.0.451812.0.4518

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSInstaller$PatchCache$Managed00002109511090400000000000F01FEC12.0.451812.0.4518

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSInstaller$PatchCache$Managed00002109B10090400000000000F01FEC12.0.451812.0.4518

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSInstaller$PatchCache$Managed00002109F100A0C00000000000F01FEC12.0.451812.0.4518

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSInstaller$PatchCache$Managed00002109F100C0400000000000F01FEC12.0.451812.0.4518

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSInstaller$PatchCache$Managed0DC1503A46F231838AD88BCDDC8E8F7C3.2.307293.2.30729

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSInstaller$PatchCache$Managed68AB67CA3301000077060000000000308.0.08.0.0

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSInstaller$PatchCache$ManagedDC3BF90CC0D3D2F398A9A6D1762F70F32.2.307292.2.30729

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSjavatrustlibtrustlib

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSMicrosoft.NETFrameworkv1.1.4322Temporary ASP.NET FilesBind LogsBind Logs

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSMicrosoft.NETFrameworkv2.0.50727Temporary ASP.NET FilesTemporary ASP.NET Files

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSMinidumpMinidump

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSmsappsmsinfomsinfo

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSpchealthERRORREPQHEADLESQHEADLES

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSpchealthERRORREPQSIGNOFFQSIGNOFF

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSpchealthERRORREPUserDumpsUserDumps

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSpchealthhelpctrBATCHBATCH

Mount point destination : Device__max++>^

Cannot access: C:WINDOWSpchealthhelpctrbinariesHelpSvc.exe

[1] 2004-08-04 08:00:00 743936 C:WINDOWSpchealthhelpctrbinariesHelpSvc.exe ()

[1] 2008-04-13 20:12:21 744448 C:WINDOWSSoftwareDistributionDownloaddd9ab5193501484cf5e6884fa1d22f9ehelpsvc.exe (Microsoft Corporation)

[1] 2004-08-04 08:00:00 743936 C:WINDOWSsystem32dllcachehelpsvc.exe (Microsoft Corporation)



Found mount point : C:WINDOWSpchealthhelpctrConfigCheckPointCheckPoint

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSpchealthhelpctrHelpFilesHelpFiles

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSpchealthhelpctrInstalledSKUsInstalledSKUs

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSpchealthhelpctrSystemDFSDFS

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSpchealthhelpctrSystemNewsNews

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSpchealthhelpctrSystem_OEMSystem_OEM

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSpchealthhelpctrTempTemp

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSPIFPIF

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSRegistrationCRMLogCRMLog

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSrepairBackupBootableSystemStateBootableSystemState

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSrepairBackupServiceStateServiceState

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSShellNewTwain32Twain32

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSSoftwareDistributionAuthCabsDownloadedDownloaded

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSSoftwareDistributionDownload355f788b6de8a3ec79e9aa172e6317f1backupbackup

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSSoftwareDistributionDownload585dc2612ebcefc90e7dee4c276ee95e585dc2612ebcefc90e7dee4c276ee95e

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSSoftwareDistributionDownloadcf66607446e145f5d8c8bf3f55214656backupbackup

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSSoftwareDistributionDownloaddd9ab5193501484cf5e6884fa1d22f9ebackupasms1010

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSSoftwareDistributionDownloaddd9ab5193501484cf5e6884fa1d22f9ebackupasms52msftmsft

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSSoftwareDistributionDownloaddd9ab5193501484cf5e6884fa1d22f9ebackupasms60msftmsft

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSSoftwareDistributionDownloaddd9ab5193501484cf5e6884fa1d22f9ebackupasms7070

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSSoftwareDistributionDownloadS-1-5-183506ffed37b2861bc2600dfeb100584a3506ffed37b2861bc2600dfeb100584a

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSSunJavaDeploymentDeployment

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSSxsCaPendDelSxsCaPendDel

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem3210251025

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem3210311031

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem3210371037

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem3210411041

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem3210421042

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem3210541054

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem3220522052

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem3230763076

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem323com_dmi3com_dmi

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32appmgmtMACHINEMACHINE

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32appmgmtS-1-5-21-1708537768-1715567821-725345543-1003S-1-5-21-1708537768-1715567821-725345543-1003

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32appmgmtS-1-5-21-1708537768-1715567821-725345543-500S-1-5-21-1708537768-1715567821-725345543-500

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32CacheCache

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32CatRoot_bakCatRoot_bak

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32configRCCBakupRCCBakup

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32configsystemprofileApplication DataMicrosoftMedia PlayerMedia Player

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32configsystemprofileApplication DataMicrosoftSystemCertificatesMyCertificatesCertificates

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32configsystemprofileApplication DataMicrosoftSystemCertificatesMyCRLsCRLs

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32configsystemprofileApplication DataMicrosoftSystemCertificatesMyCTLsCTLs

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32configsystemprofileDesktopDesktop

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32configsystemprofileFavoritesFavorites

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32configsystemprofileLocal SettingsApplication DataMicrosoftCD BurningCD Burning

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32configsystemprofileMy DocumentsMy Documents

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32configsystemprofileNetHoodNetHood

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32configsystemprofilePrintHoodPrintHood

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32configsystemprofileRecentRecent

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32dhcpdhcp

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSsystem32driversdisdndisdn

Mount point destination : Device__max++>^

Cannot access: C:WINDOWSsystem32eventlog.dll

[1] 2008-04-13 20:11:53 56320 C:WINDOWSSoftwareDistributionDownloaddd9ab5193501484cf5e6884fa1d22f9eeventlog.dll (Microsoft Corporation)

[1] 2004-08-04 08:00:00 55808 C:WINDOWSsystem32dllcacheeventlog.dll (Microsoft Corporation)

[1] 2004-08-04 08:00:00 63488 C:WINDOWSsystem32eventlog.dll ()

[2] 2004-08-04 08:00:00 55808 C:WINDOWSsystem32logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\EVGA\EVGA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Logfiles\Logfiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\NtmsData\Export\Export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\IA64\IA64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\W32ALPHA\W32ALPHA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\x64\x64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:WINDOWSTemp271072.0.172.39LocalesLocales

Mount point destination : Device__max++>^

Found mount point : C:WINDOWSTempAskBarDisRSS11

Mount point destination : Device__max++>^

Found mount point : C:\WINDOWS\Temp\AskBarDis\upgrade\upgrade

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Twain32\Twain32

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\135816\135816

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!

Merged posts. ~ OB

Edited by Orange Blossom, 04 September 2009 - 12:09 PM.
Fix topic link, remove unnecessary quote. ~ OB




#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 September 2009 - 10:40 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please follow these steps first:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\system32\dllcache\eventlog.dll C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop everything and come back and tell me first. Executing The Avenger script (step #2) won't work if the file copy was not successful.
  • Exit the Command Prompt window.

===============================
Next set of steps...


Please disable your antivirus program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
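The step above compares, by hand, the live C:\WINDOWS\system32\eventlog.dll (63488 bytes, no company name) against the untouched copy in dllcache (55808 bytes, Microsoft Corporation) that Win32kDiag listed. As an added example, not code from this thread, from Win32kDiag or from The Avenger, the script below automates that triage over Win32kDiag-style output: it pairs each live system file with its dllcache twin and flags size or company mismatches, and it tallies the "Found mount point" entries by destination so a log with dozens of reparse points collapses to one line. The sample lines are quoted from the logs posted in this thread; the line format, the size/company heuristic and the decision to skip SoftwareDistribution staging copies are my assumptions. A mismatch is only a triage flag; a hash comparison or Authenticode check against the dllcache copy confirms it.

```python
import re
from collections import defaultdict

# Win32kDiag-style file entry, as it appears in the logs posted in this thread:
#   "[N] YYYY-MM-DD HH:MM:SS SIZE PATH (Company)"
# The pattern is inferred from those lines, not taken from tool documentation.
ENTRY_RE = re.compile(
    r"^\[(?P<n>\d+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<path>.+?)\s+\((?P<company>[^)]*)\)\s*$"
)
MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")

# Company string a stock Windows system binary is expected to carry (assumption).
REFERENCE_COMPANY = "Microsoft Corporation"

# Sample input: lines quoted from the Win32kDiag output posted in this thread.
SAMPLE_LOG = r"""[1] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 08:00:00 63488 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\EVGA\EVGA

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2004-08-04 08:00:00 743936 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpsvc.exe (Microsoft Corporation)

[1] 2004-08-04 08:00:00 743936 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^
"""


def parse_log(text):
    """Split a log into file entries and (mount point, destination) pairs."""
    entries, mounts = [], []
    pending = None  # mount point waiting for its destination line
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "size": int(m.group("size")),
                "path": m.group("path"),
                "company": m.group("company").strip(),
            })
            continue
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group("path")
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            mounts.append((pending, m.group("dest")))
            pending = None
    return entries, mounts


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_dllcache(path):
    return "\\dllcache\\" in path.lower()


def is_update_staging(path):
    # Windows Update staging copies legitimately differ from dllcache (assumption).
    return "\\softwaredistribution\\" in path.lower()


def suspicious_replacements(entries):
    """Flag live files whose size or company differs from their dllcache copy."""
    groups = defaultdict(list)
    for e in entries:
        groups[basename(e["path"])].append(e)
    findings = []
    for group in groups.values():
        refs = [e for e in group if is_dllcache(e["path"])]
        if not refs:
            continue  # no protected copy to compare against
        ref = refs[0]
        for e in group:
            if is_dllcache(e["path"]) or is_update_staging(e["path"]):
                continue
            reasons = []
            if e["size"] != ref["size"]:
                reasons.append(f"size {e['size']} != dllcache {ref['size']}")
            if e["company"] != REFERENCE_COMPANY:
                reasons.append(f"company {e['company']!r} != {REFERENCE_COMPANY!r}")
            if reasons:
                findings.append((e["path"], reasons))
    return findings


def mount_points_by_destination(mounts):
    """Group hijacked directories by the device object they redirect to."""
    by_dest = defaultdict(list)
    for path, dest in mounts:
        by_dest[dest].append(path)
    return dict(by_dest)


if __name__ == "__main__":
    entries, mounts = parse_log(SAMPLE_LOG)
    for path, reasons in suspicious_replacements(entries):
        print(f"SUSPECT {path}: {'; '.join(reasons)}")
    for dest, paths in mount_points_by_destination(mounts).items():
        print(f"{len(paths)} mount point(s) -> {dest}")
```

On the sample, only system32\eventlog.dll is flagged (both size and company differ), while HelpSvc.exe passes because it matches its dllcache copy byte-for-byte in size and carries the Microsoft company string; the two mount points collapse to a single destination line.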


========================================================

#3 woofer-001

woofer-001
  • Topic Starter

  • Members
  • 31 posts

Posted 05 September 2009 - 11:29 AM

Hi Sam

Here is the report.

The utility would not run in Safe Mode
*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Be advised
.... that prior to catching this bug on August 29th, I had a hal.dll problem that has had me booting off a legal copy of Windows XP Professional CD (SP2). This may have saved me from being totally hosed, but may adversely impact some of your utilities.


woofer-001

Edited by woofer-001, 05 September 2009 - 09:09 PM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 September 2009 - 09:15 AM

Well done! Now here is the next set of steps for you.


Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


==================


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.



========================================================

#5 woofer-001

woofer-001
  • Topic Starter

  • Members
  • 31 posts

Posted 06 September 2009 - 07:42 PM

As requested here is the first report....
----------------------------------------------------
Log file is located at: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2831.tmp\ZAP2831.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2831.tmp\ZAP2831.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2915.tmp\ZAP2915.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2915.tmp\ZAP2915.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2936.tmp\ZAP2936.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2936.tmp\ZAP2936.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP80C.tmp\ZAP80C.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP80C.tmp\ZAP80C.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC91.tmp\ZAPC91.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC91.tmp\ZAPC91.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\backdir\backdir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\backdir\backdir

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Google Toolbar\Google Toolbar

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\000021094B0090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\000021094B0090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA330100007706000000000030\8.0.0\8.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA330100007706000000000030\8.0.0\8.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2004-08-04 08:00:00 743936 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpsvc.exe (Microsoft Corporation)

[1] 2004-08-04 08:00:00 743936 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Found mount point : C:\WINDOWS\ShellNew\Twain32\Twain32

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ShellNew\Twain32\Twain32

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\585dc2612ebcefc90e7dee4c276ee95e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\585dc2612ebcefc90e7dee4c276ee95e

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf66607446e145f5d8c8bf3f55214656\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf66607446e145f5d8c8bf3f55214656\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\3506ffed37b2861bc2600dfeb100584a\3506ffed37b2861bc2600dfeb100584a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\3506ffed37b2861bc2600dfeb100584a\3506ffed37b2861bc2600dfeb100584a

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1708537768-1715567821-725345543-1003\S-1-5-21-1708537768-1715567821-725345543-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1708537768-1715567821-725345543-1003\S-1-5-21-1708537768-1715567821-725345543-1003

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1708537768-1715567821-725345543-500\S-1-5-21-1708537768-1715567821-725345543-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1708537768-1715567821-725345543-500\S-1-5-21-1708537768-1715567821-725345543-500

Found mount point : C:\WINDOWS\system32\Cache\Cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Cache\Cache

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Found mount point : C:\WINDOWS\system32\config\RCCBakup\RCCBakup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\RCCBakup\RCCBakup

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Found mount point : C:\WINDOWS\system32\EVGA\EVGA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\EVGA\EVGA

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\Logfiles\Logfiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Logfiles\Logfiles

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\NtmsData\Export\Export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\NtmsData\Export\Export

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\DriverFiles

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\DriverFiles

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\DriverFiles

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\drivers\IA64\IA64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\IA64\IA64

Found mount point : C:\WINDOWS\system32\spool\drivers\W32ALPHA\W32ALPHA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\W32ALPHA\W32ALPHA

Found mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40

Found mount point : C:\WINDOWS\system32\spool\drivers\x64\x64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\x64\x64

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\27107\2.0.172.39\Locales\Locales

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\27107\2.0.172.39\Locales\Locales

Found mount point : C:\WINDOWS\Temp\AskBarDis\RSS\1\1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\AskBarDis\RSS\1\1

Found mount point : C:\WINDOWS\Temp\AskBarDis\upgrade\upgrade

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\AskBarDis\upgrade\upgrade

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Found mount point : C:\WINDOWS\Twain32\Twain32

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Twain32\Twain32

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\135816\135816

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\135816\135816

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!

#6 woofer-001

  • Topic Starter

  • Members
  • 31 posts

Posted 06 September 2009 - 11:23 PM

Finally got Combo-Fix to run this morning at 1:30AM...
Although ComboFix could not load Recovery Console, it is now loaded.
--------------------------------------------------
ComboFix 09-09-06.03 - Fred 09/07/2009 0:53.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1557 [GMT -4:00]
Running from: c:\documents and settings\Fred\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
c:\documents and settings\All Users\Application Data\15236404
c:\documents and settings\All Users\Application Data\15236404\15236404
c:\documents and settings\All Users\Application Data\15236404\15236404.exe
c:\documents and settings\All Users\Application Data\15236404\pc15236404ins
c:\documents and settings\Fred\Start Menu\Programs\Total Security
c:\documents and settings\Fred\Start Menu\Programs\Total Security\Total Security 2009.lnk
C:\fyblb.exe
c:\program files\INSTALL.LOG
c:\program files\Protection System
c:\program files\Protection System\blacklist.cga
c:\program files\Protection System\core.cga
c:\program files\Protection System\coreext.dll
c:\program files\Protection System\firewall.dll
c:\program files\Protection System\help.ico
c:\program files\Protection System\psystem.exe
c:\program files\Protection System\uninstall.exe
C:\svfp.exe
c:\windows\AUTOLNCH.REG
c:\windows\Downloaded Program Files\Install.inf
c:\windows\Installer\1694598.msi
c:\windows\Installer\18a46a.msi
c:\windows\Installer\18a470.msi
c:\windows\Installer\18a48e.msi
c:\windows\Installer\18a4a0.msi
c:\windows\Installer\65584.msi
c:\windows\Installer\937b6.msi
c:\windows\jestertb.dll
c:\windows\system32\AVR09.exe
c:\windows\system32\Cache
c:\windows\system32\drivers\kbiwkmnghjiplp.sys
c:\windows\system32\drivers\UAChjdaluwoaq.sys
c:\windows\system32\fidogile.dll
c:\windows\system32\gavedewu.exe
c:\windows\system32\gikuyaju.exe
c:\windows\system32\horefupa.exe
c:\windows\system32\kbiwkmnswesete.dat
c:\windows\system32\kbiwkmpuwpkhab.dat
c:\windows\system32\kbiwkmrrwtfnyi.dat
c:\windows\system32\kbiwkmtsqyvfvn.dll
c:\windows\system32\kbiwkmwlaagtpn.dll
c:\windows\system32\lubudeyu.dll
c:\windows\system32\matehabu.dll
c:\windows\system32\najeriwa.exe
c:\windows\system32\nunuluna.dll
c:\windows\system32\pofolehe.dll
c:\windows\system32\siyojama.dll
c:\windows\system32\sopikahu.exe
c:\windows\system32\tabisape.exe
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClckspfpasd.dll
c:\windows\system32\UACljhbfurabd.dll
c:\windows\system32\uacserf.dll
c:\windows\system32\uacsr.dat
c:\windows\system32\UACufuqvkrrdu.dat
c:\windows\system32\UACvdcrbpetan.dll
c:\windows\system32\UACwtkvnwcxcw.dll
c:\windows\system32\vohejido.exe
c:\windows\system32\voyuvesu.exe
c:\windows\system32\wedusoha.exe
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wscsvc32.exe
c:\windows\system32\yemopego.exe
c:\windows\system32\yufarapu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_kbiwkmxjdgfgtn


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-06 23:26 . 2009-09-06 23:32 -------- d-----w- C:\New Avenger
2009-09-06 03:35 . 2009-09-06 03:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-02 17:24 . 2009-09-04 00:37 -------- d-----w- C:\VRS
2009-09-02 17:03 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 17:03 . 2009-09-04 03:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-02 17:03 . 2009-09-02 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-02 17:03 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 16:23 . 2009-09-04 00:37 0 ----a-w- c:\windows\system32\SBRC.dat
2009-09-02 16:23 . 2009-03-17 17:26 65320 ----a-w- c:\windows\system32\sbbd.exe
2009-09-02 16:23 . 2008-10-22 21:08 92464 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-09-02 14:58 . 2009-09-02 14:58 -------- d-----w- C:\rsit
2009-09-02 14:48 . 2009-09-02 14:49 -------- d-----w- C:\HJ-TEMP
2009-09-02 14:41 . 2009-09-02 14:42 -------- d-----w- c:\documents and settings\All Users\Temp_HijackThis
2009-09-01 17:00 . 2009-09-01 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-01 17:00 . 2009-09-07 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-01 16:32 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-01 16:31 . 2009-08-24 18:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-01 16:31 . 2009-08-19 15:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-01 16:31 . 2009-09-01 16:32 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-01 16:31 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-01 16:31 . 2009-09-01 16:49 -------- d-----w- c:\program files\Spyware Doctor
2009-09-01 16:31 . 2009-09-01 16:31 -------- d-----w- c:\documents and settings\Fred\Application Data\PC Tools
2009-09-01 16:31 . 2009-09-01 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-01 16:30 . 2009-09-04 03:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-01 16:18 . 2009-09-01 16:18 -------- d-----w- c:\documents and settings\Fred\Application Data\AVG8
2009-09-01 14:30 . 2009-09-01 17:22 -------- d-----w- C:\New Folder
2009-09-01 14:20 . 2009-09-01 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-30 13:51 . 2009-09-07 00:31 -------- d-----w- c:\windows\Google Toolbar
2009-08-29 22:49 . 2009-09-07 05:14 88140 ----a-w- c:\windows\system32\drivers\4087533c.sys
2009-08-24 02:02 . 2009-08-24 02:02 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-24 01:32 . 2009-08-24 01:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2009-08-24 01:32 . 2009-08-30 13:40 -------- d-----w- c:\program files\Common Files\eSellerate
2009-08-23 03:47 . 2009-08-23 03:47 -------- d-----w- c:\program files\Western Digital Corporation
2009-08-22 04:03 . 2009-08-31 02:40 -------- d-----w- c:\documents and settings\Fred\Application Data\vlc
2009-08-15 02:15 . 2009-08-15 02:15 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-15 02:15 . 2009-08-15 02:15 -------- d-----w- c:\program files\MSBuild
2009-08-15 02:15 . 2009-08-15 02:15 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 02:14 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-15 02:14 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-15 02:14 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-15 02:14 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-15 02:14 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-15 02:14 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-15 02:14 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-15 02:14 . 2009-09-07 00:36 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-13 22:03 . 2009-08-13 22:03 -------- d-----w- c:\windows\ServicePackFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 00:28 . 2009-06-07 00:28 50176 --sha-w- c:\windows\system32\hejivego.dll
2009-09-07 00:28 . 2009-06-07 00:28 88576 --sha-w- c:\windows\system32\yanulepi.dll
2009-09-06 12:28 . 2009-06-06 12:28 88064 --sha-w- c:\windows\system32\wiziwera.dll
2009-09-05 15:58 . 2009-06-05 15:58 88064 --sha-w- c:\windows\system32\jebodoma.dll
2009-09-04 14:23 . 2009-06-04 14:23 88064 --sha-w- c:\windows\system32\vepuhuje.dll
2009-09-04 02:24 . 2009-06-04 02:24 88576 --sha-w- c:\windows\system32\rahupeke.dll
2009-09-04 00:37 . 2008-12-20 22:51 -------- d-----w- c:\program files\DPFMate_v3
2009-09-02 14:58 . 2009-03-31 23:27 -------- d-----w- c:\program files\Trend Micro
2009-09-02 11:17 . 2009-06-02 11:17 166400 --sha-w- c:\windows\system32\mozifihi.dll
2009-09-02 11:17 . 2009-06-02 11:17 166400 --sha-w- c:\windows\system32\yamomenu.dll
2009-09-01 14:50 . 2009-06-01 14:49 49664 --sha-w- c:\windows\system32\lerijaye.dll
2009-08-30 15:57 . 2009-05-30 15:57 209408 ------w- c:\windows\system32\nojutoko.dll
2009-08-30 15:57 . 2009-05-30 15:57 209408 --sha-w- c:\windows\system32\musowewo.dll
2009-08-30 14:57 . 2009-05-30 14:57 209408 --sha-w- c:\windows\system32\yuzeditu.dll
2009-08-30 14:57 . 2009-05-30 14:57 209408 --sha-w- c:\windows\system32\bakedosu.dll
2009-08-30 13:57 . 2009-05-30 13:57 209408 --sha-w- c:\windows\system32\puwareda.dll
2009-08-30 13:57 . 2009-05-30 13:57 209408 --sha-w- c:\windows\system32\tisitora.dll
2009-08-30 13:51 . 2006-06-17 23:44 -------- d-----w- c:\program files\Google
2009-08-30 13:00 . 2009-05-30 13:00 209408 --sha-w- c:\windows\system32\melasora.dll
2009-08-30 13:00 . 2009-05-30 13:00 209408 --sha-w- c:\windows\system32\kavinepe.dll
2009-08-29 22:55 . 2006-11-12 21:25 -------- d-----w- c:\documents and settings\Fred\Application Data\Azureus
2009-08-29 15:56 . 2007-10-18 03:08 -------- d-----w- c:\program files\iTunes
2009-08-29 15:54 . 2006-11-12 21:13 -------- d-----w- c:\program files\Azureus
2009-08-24 01:38 . 2006-06-28 22:26 114592 ----a-w- c:\documents and settings\Fred\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 01:34 . 2008-09-28 17:45 -------- d-----w- c:\program files\Western Digital
2009-08-19 11:20 . 2009-03-09 14:39 -------- d-----w- c:\program files\Symantec
2009-08-19 11:20 . 2009-03-09 14:39 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-19 11:20 . 2009-03-09 14:39 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-19 11:20 . 2008-03-08 19:06 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-19 11:20 . 2008-03-08 19:06 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-18 19:11 . 2009-03-18 13:12 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-14 10:58 . 2009-09-01 16:31 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-13 22:13 . 2007-08-24 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:44 . 2007-04-22 03:57 -------- d-----w- c:\program files\Logitech
2009-07-15 11:14 . 2009-03-17 22:22 -------- d-----w- c:\program files\Common Files\Logitech
2009-07-15 11:14 . 2006-06-17 16:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 13:06 . 2009-07-09 13:06 -------- d-----r- c:\program files\Norton Support
2009-06-30 22:41 . 2008-12-26 03:02 138464 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-30 22:40 . 2008-12-26 03:01 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-25 18:36 . 2004-08-04 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-04 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-04 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-04 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-04 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-04 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-04 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-04 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-04 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-04 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-04 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2004-08-04 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-04 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-04 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-04 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2002-07-26 22:02 . 2008-01-01 01:05 153088 ----a-w- c:\program files\UNWISE.EXE
2009-06-07 00:28 . 2009-06-07 00:28 50176 --sha-w- c:\windows\system32\gidohanu.dll
2009-06-01 14:50 . 2009-06-01 14:50 49664 --sha-w- c:\windows\system32\hodisuto.dll.tmp
2009-06-07 00:28 . 2009-06-07 00:28 50176 --sha-w- c:\windows\system32\kolohage.dll
2009-06-01 14:50 . 2009-06-01 14:50 49664 --sha-w- c:\windows\system32\zerarapo.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{491b5ce3-cbb7-4d6b-a2e9-bfa65a0fc8ed}]
2009-06-07 00:28 50176 --sha-w- c:\windows\system32\kolohage.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ResChanger 2005"="c:\program files\ResChanger 2005\ResChanger2005.exe" [2005-05-26 885248]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2009-07-15 16384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Windows Media Connect 2"="c:\program files\Windows Media Connect 2\wmccfg.exe" [2006-10-19 8704]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2007-01-23 81920]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-10-16 202312]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-06 185896]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-19 591696]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2003-07-01 188416]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2003-07-01 65536]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-02-06 252704]
"mumavemoz"="c:\windows\system32\yanulepi.dll" [2009-09-07 88576]
"jiwagaseva"="c:\windows\system32\gidohanu.dll" [2009-06-07 50176]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2008-01-27 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-02-03 430080]

c:\documents and settings\Fred\Start Menu\Programs\Startup\
GameSpot Download Manager.lnk - c:\program files\GameSpot\GameSpotDownloadManager_Win32.exe [2007-9-18 864256]
PowerReg Scheduler.exe [2006-6-17 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2009-7-15 169472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
MightyFAX Controller.lnk - c:\program files\MightyFax\MFNTCTL.EXE [2006-7-26 923640]
Sound Station.lnk - c:\program files\Sound Station\SNXUACP.exe [2008-12-25 643072]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{6978c5f8-5891-43a9-90ed-317440843f1b}"= "c:\windows\system32\jebodoma.dll" [2009-09-05 88064]
"{605f1573-b6d2-4f40-9d16-b7011f4b5e9d}"= "c:\windows\system32\yanulepi.dll" [2009-09-07 88576]
"{eaf40329-8c23-45ab-b191-1ac0b8d42d7d}"= "c:\windows\system32\yanulepi.dll" [2009-09-07 88576]
"{aa5a6f08-d19b-45ee-a87f-204b3ae8d960}"= "c:\windows\system32\wiziwera.dll" [2009-09-06 88064]
"{76e76f03-aaca-4a9c-a691-b3543f7f005a}"= "c:\windows\system32\yanulepi.dll" [2009-09-07 88576]
"{e00f2ea9-f791-4cbd-8da0-ef97a17c7943}"= "c:\windows\system32\wiziwera.dll" [2009-09-06 88064]
"{862be452-2357-484d-9e81-62cc29ad3cc8}"= "c:\windows\system32\jebodoma.dll" [2009-09-05 88064]
"{103ec582-4192-4014-ba70-cc1316bd4dc7}"= "c:\windows\system32\wiziwera.dll" [2009-09-06 88064]
"{f9d99ee7-aad7-4f4d-b394-9685a90b0025}"= "c:\windows\system32\wiziwera.dll" [2009-09-06 88064]
"{ba42096a-cc1b-4a9a-94ca-2d126a7db613}"= "c:\windows\system32\wiziwera.dll" [2009-09-06 88064]
"{8c66bbfb-148c-42b1-b3d0-4501efd3bcfe}"= "c:\windows\system32\yanulepi.dll" [2009-09-07 88576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rakawinak"= {6978c5f8-5891-43a9-90ed-317440843f1b} - c:\windows\system32\wiziwera.dll [2009-09-06 88064]
"kazozemuy"= {605f1573-b6d2-4f40-9d16-b7011f4b5e9d} - c:\windows\system32\yanulepi.dll [2009-09-07 88576]
"danejijab"= {eaf40329-8c23-45ab-b191-1ac0b8d42d7d} - c:\windows\system32\yanulepi.dll [2009-09-07 88576]
"weziduwok"= {aa5a6f08-d19b-45ee-a87f-204b3ae8d960} - c:\windows\system32\wiziwera.dll [2009-09-06 88064]
"najamapas"= {76e76f03-aaca-4a9c-a691-b3543f7f005a} - c:\windows\system32\yanulepi.dll [2009-09-07 88576]
"vegikezaz"= {e00f2ea9-f791-4cbd-8da0-ef97a17c7943} - c:\windows\system32\wiziwera.dll [2009-09-06 88064]
"koyujopak"= {103ec582-4192-4014-ba70-cc1316bd4dc7} - c:\windows\system32\wiziwera.dll [2009-09-06 88064]
"zezapoyaw"= {f9d99ee7-aad7-4f4d-b394-9685a90b0025} - c:\windows\system32\wiziwera.dll [2009-09-06 88064]
"zesabokow"= {ba42096a-cc1b-4a9a-94ca-2d126a7db613} - c:\windows\system32\wiziwera.dll [2009-09-06 88064]
"fifanekup"= {8c66bbfb-148c-42b1-b3d0-4501efd3bcfe} - c:\windows\system32\yanulepi.dll [2009-09-07 88576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\siyojama.dll c:\windows\system32\yanulepi.dll c:\windows\system32\jebodoma.dll c:\windows\system32\wiziwera.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"SharedAccess"=2 (0x2)
"sdcoreservice"=3 (0x3)
"sdauxservice"=3 (0x3)
"RUBotted"=2 (0x2)
"IISADMIN"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\Codemasters\\GRID Demo\\GRID.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"f:\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"f:\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"g:\\Program Files\\Paradox Interactive\\East India Company Demo\\eastindia.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\Fred\\My Documents\\Wnding Road\\Winding Road Automatic\\assets\\Issue 28\\Winding Road Issue 28.exe"=
"c:\\Documents and Settings\\Fred\\My Documents\\Wnding Road\\Winding Road Automatic\\assets\\Issue 30\\Winding Road Issue 30.exe"=
"c:\\WINDOWS\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/1/2009 12:31 PM 206256]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1007020.00A\SymEFA.sys [8/19/2009 7:20 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1007020.00A\BHDrvx86.sys [8/19/2009 7:20 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1007020.00A\cchpx86.sys [8/19/2009 7:18 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys [8/12/2009 7:02 AM 276344]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [5/2/2008 12:40 PM 148768]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/10/2009 4:40 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 3:33 AM 102448]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [7/15/2009 7:15 AM 14156]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [3/8/2008 11:56 AM 10880]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [3/31/2009 7:27 PM 206608]
R3 uafilter;uafilter;c:\windows\system32\drivers\UAFilter.sys [12/25/2008 1:55 PM 9874]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
S2 gupdate1c9859013f84a96;Google Update Service (gupdate1c9859013f84a96);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2009 7:43 PM 133104]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.2.10\ccSvcHst.exe [8/19/2009 7:19 AM 117640]
S2 oxshdzi;oxshdzi;c:\windows\system32\drivers\lwgphkof.sys --> c:\windows\system32\drivers\lwgphkof.sys [?]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [7/31/2006 8:44 AM 580992]
S3 Asushwio;Asushwio;c:\windows\system32\drivers\ASUSHWIO.SYS [6/17/2006 11:53 AM 5824]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [11/3/2005 10:52 AM 176640]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [9/2/2009 12:23 PM 92464]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [3/31/2009 7:27 PM 206608]
S4 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [3/31/2009 7:27 PM 582992]
S4 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/1/2009 12:31 PM 348752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 23:43]

2009-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 23:43]

2009-09-07 c:\windows\Tasks\User_Feed_Synchronization-{D050F539-4C71-44EF-A094-04A42DD9044E}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
HKCU-Run-Protection System - c:\program files\Protection System\psystem.exe
HKLM-Run-15185004 - c:\documents and settings\All Users\Application Data\15185004\15185004.exe
HKLM-Run-15236404 - c:\documents and settings\All Users\Application Data\15236404\15236404.exe
SharedTaskScheduler-{68c7bbfe-1e91-476e-be35-04b1e876fdc5} - c:\windows\system32\jukabama.dll
SSODL-titijopif-{68c7bbfe-1e91-476e-be35-04b1e876fdc5} - c:\windows\system32\jukabama.dll
Notify-avgrsstarter - avgrsstx.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: Microsoft XML Parser for Java
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://173.9.66.81:8082/SysCamInst.cab
DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} - hxxp://www.nero.com/doc/NeroVersionCheckerControl.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 01:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.2.10\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.2.10\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\4087533c]
"ImagePath"="\SystemRoot\System32\drivers\4087533c.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kbiwkmxjdgfgtn]
"imagepath"="\systemroot\system32\drivers\kbiwkmnghjiplp.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-1708537768-1715567821-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,51,2b,c5,f7,f6,
c8,9f,fa,e2,63,26,f1,3f,c8,ff,68,9e,f2,52,fe,e0,f0,96,e8,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,82,de,c0,52,6b,
10,13,06,6a,9c,d6,61,af,45,84,18,92,49,fd,48,6e,44,b9,1d,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,75,ff,94,11,32,
73,b4,29,ff,7c,85,e0,43,d4,0e,fe,91,d6,41,3e,77,e6,34,75,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,be,fa,2f,4e,ea,
c7,fa,83,86,8c,21,01,be,91,eb,e7,24,e7,94,8a,4a,c1,9e,90,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,44,15,09,3e,37,
95,6c,11,f5,1d,4d,73,a8,13,5c,05,4f,ad,59,4b,50,7d,7e,bd,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,23,81,57,42,d9,
a9,ef,70,df,20,58,62,78,6b,cf,c8,81,12,83,3b,cd,00,cb,2b,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,70,df,ad,e7,26,
22,6f,ee,fb,a7,78,e6,12,2f,9a,ea,c2,62,65,a5,59,fd,02,66,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,47,70,cd,93,03,
2a,b1,b4,01,3a,48,fc,e8,04,4a,f1,4e,3a,61,7c,92,0e,22,be,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,38,89,4e,1c,4d,
4e,ee,2f,f6,0f,4e,58,98,5b,89,c9,e2,7f,fe,47,92,45,e1,d5,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,d3,72,71,a2,a5,
3c,ff,4c,3d,ce,ea,26,2d,45,aa,78,e3,d7,b6,b9,3b,57,e2,bf,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,66,e1,46,82,0f,
4e,d9,c7,2a,b7,cc,b5,b9,7f,41,e7,7c,6c,49,9c,dd,99,e6,ed,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,69,86,58,2a,b3,
13,08,f2,6c,43,2d,1e,aa,22,2f,9c,e4,bf,2a,b7,03,87,23,04,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kbiwkmxjdgfgtn]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmnghjiplp.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\WININET.dll
c:\docume~1\Fred\LOCALS~1\TempIadHide3.dll
c:\windows\system32\gidohanu.dll
c:\windows\system32\jebodoma.dll
c:\windows\system32\yanulepi.dll
c:\windows\system32\wiziwera.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\locator.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\windows\system32\UAService7.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\searchindexer.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
c:\program files\Microsoft Office\Office\1033\MSOFFICE.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-09-07 1:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 05:23

Pre-Run: 65,712,926,720 bytes free
Post-Run: 65,796,108,288 bytes free

550 --- E O F --- 2009-08-26 11:27

Edited by woofer-001, 07 September 2009 - 09:38 AM.


#7 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:09 AM

Posted 07 September 2009 - 12:16 PM

Well done! :(
But we still have much to do.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
4087533c
oxshdzi

File::
c:\windows\system32\drivers\lwgphkof.sys
c:\windows\system32\gidohanu.dll
c:\windows\system32\jebodoma.dll
c:\windows\system32\yanulepi.dll
c:\windows\system32\wiziwera.dll
c:\windows\system32\siyojama.dll 
c:\windows\system32\yanulepi.dll
c:\windows\system32\kolohage.dll
c:\windows\system32\gidohanu.dll
c:\windows\system32\hodisuto.dll.tmp
c:\windows\system32\zerarapo.dll.tmp
c:\windows\system32\bakedosu.dll
c:\windows\system32\hejivego.dll
c:\windows\system32\jebodoma.dll
c:\windows\system32\kavinepe.dll
c:\windows\system32\lerijaye.dll
c:\windows\system32\melasora.dll
c:\windows\system32\mozifihi.dll
c:\windows\system32\musowewo.dll
c:\windows\system32\nojutoko.dll
c:\windows\system32\puwareda.dll
c:\windows\system32\rahupeke.dll
c:\windows\system32\tisitora.dll
c:\windows\system32\vepuhuje.dll
c:\windows\system32\wiziwera.dll
c:\windows\system32\yamomenu.dll
c:\windows\system32\yanulepi.dll
c:\windows\system32\yuzeditu.dll



Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rakawinak"=-
"kazozemuy"=-
"danejijab"=-
"weziduwok"=-
"najamapas"=-
"vegikezaz"=-
"koyujopak"=-
"zezapoyaw"=-
"zesabokow"=-
"fifanekup"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{6978c5f8-5891-43a9-90ed-317440843f1b}"=-
"{605f1573-b6d2-4f40-9d16-b7011f4b5e9d}"=-
"{eaf40329-8c23-45ab-b191-1ac0b8d42d7d}"=-
"{aa5a6f08-d19b-45ee-a87f-204b3ae8d960}"=-
"{76e76f03-aaca-4a9c-a691-b3543f7f005a}"=-
"{e00f2ea9-f791-4cbd-8da0-ef97a17c7943}"=-
"{862be452-2357-484d-9e81-62cc29ad3cc8}"=-
"{103ec582-4192-4014-ba70-cc1316bd4dc7}"=-
"{f9d99ee7-aad7-4f4d-b394-9685a90b0025}"=-
"{ba42096a-cc1b-4a9a-94ca-2d126a7db613}"=-
"{8c66bbfb-148c-42b1-b3d0-4501efd3bcfe}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mumavemoz"=-
"jiwagaseva"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{491b5ce3-cbb7-4d6b-a2e9-bfa65a0fc8ed}]

RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kbiwkmxjdgfgtn]

Prior to running ComboFix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.


=====================


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 woofer-001

  • Topic Starter
  • Members
  • 31 posts
  • Local time:02:09 AM

Posted 07 September 2009 - 09:46 PM

Hi Sam

Both log files are attached.
Couple of notes...
AVG 8 was not agreeable to be shut down... finally uninstalled it... then had to hunt down and manually kill some reg entries. Malwarebytes still found evidence it was running somewhere in the background after rebooting.
MWB posted a warning that said


Registration Editor
Cannot export RegRuns00: Error opening the file.
There may be a disk or file system error


I suspect it is the result of my careful edits to kill AVG8.
----------------------------------------------
MalwareBytes report follows

-----------------------------------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

9/7/2009 9:52:17 PM
mbam-log-2009-09-07 (21-52-17).txt

Scan type: Quick Scan
Objects scanned: 107686
Time elapsed: 7 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6ae02e1c-8859-4f57-9097-5a55a56a4caf} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System Support.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
-------------------------------------------------------------------------------------

ComboFix report follows below
-------------------------------------------------------------------------------------

ComboFix 09-09-06.03 - Fred 09/07/2009 20:36.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1466 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

FILE ::
"c:\windows\system32\bakedosu.dll"
"c:\windows\system32\drivers\lwgphkof.sys"
"c:\windows\system32\gidohanu.dll"
"c:\windows\system32\hejivego.dll"
"c:\windows\system32\hodisuto.dll.tmp"
"c:\windows\system32\jebodoma.dll"
"c:\windows\system32\kavinepe.dll"
"c:\windows\system32\kolohage.dll"
"c:\windows\system32\lerijaye.dll"
"c:\windows\system32\melasora.dll"
"c:\windows\system32\mozifihi.dll"
"c:\windows\system32\musowewo.dll"
"c:\windows\system32\nojutoko.dll"
"c:\windows\system32\puwareda.dll"
"c:\windows\system32\rahupeke.dll"
"c:\windows\system32\siyojama.dll"
"c:\windows\system32\tisitora.dll"
"c:\windows\system32\vepuhuje.dll"
"c:\windows\system32\wiziwera.dll"
"c:\windows\system32\yamomenu.dll"
"c:\windows\system32\yanulepi.dll"
"c:\windows\system32\yuzeditu.dll"
"c:\windows\system32\zerarapo.dll.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bakedosu.dll
c:\windows\system32\gidohanu.dll
c:\windows\system32\hejivego.dll
c:\windows\system32\hodisuto.dll.tmp
c:\windows\system32\jebodoma.dll
c:\windows\system32\kavinepe.dll
c:\windows\system32\kolohage.dll
c:\windows\system32\lerijaye.dll
c:\windows\system32\melasora.dll
c:\windows\system32\mozifihi.dll
c:\windows\system32\musowewo.dll
c:\windows\system32\nojutoko.dll
c:\windows\system32\puwareda.dll
c:\windows\system32\rahupeke.dll
c:\windows\system32\tisitora.dll
c:\windows\system32\vepuhuje.dll
c:\windows\system32\wiziwera.dll
c:\windows\system32\yamomenu.dll
c:\windows\system32\yanulepi.dll
c:\windows\system32\yuzeditu.dll
c:\windows\system32\zerarapo.dll.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmxjdgfgtn
-------\Legacy_OXSHDZI
-------\Service_4087533c
-------\Service_oxshdzi


((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-06 23:26 . 2009-09-06 23:32 -------- d-----w- C:\New Avenger
2009-09-06 03:35 . 2009-09-06 03:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-02 17:24 . 2009-09-04 00:37 -------- d-----w- C:\VRS
2009-09-02 17:03 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 17:03 . 2009-09-04 03:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-02 17:03 . 2009-09-02 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-02 17:03 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 16:23 . 2009-09-04 00:37 0 ----a-w- c:\windows\system32\SBRC.dat
2009-09-02 16:23 . 2009-03-17 17:26 65320 ----a-w- c:\windows\system32\sbbd.exe
2009-09-02 16:23 . 2008-10-22 21:08 92464 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-09-02 14:58 . 2009-09-02 14:58 -------- d-----w- C:\rsit
2009-09-02 14:48 . 2009-09-02 14:49 -------- d-----w- C:\HJ-TEMP
2009-09-02 14:41 . 2009-09-02 14:42 -------- d-----w- c:\documents and settings\All Users\Temp_HijackThis
2009-09-01 16:32 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-01 16:31 . 2009-08-24 18:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-01 16:31 . 2009-08-19 15:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-01 16:31 . 2009-09-01 16:32 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-01 16:31 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-01 16:31 . 2009-09-01 16:49 -------- d-----w- c:\program files\Spyware Doctor
2009-09-01 16:31 . 2009-09-01 16:31 -------- d-----w- c:\documents and settings\Fred\Application Data\PC Tools
2009-09-01 16:31 . 2009-09-01 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-01 16:30 . 2009-09-04 03:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-01 14:30 . 2009-09-01 17:22 -------- d-----w- C:\New Folder
2009-09-01 14:20 . 2009-09-01 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-30 13:51 . 2009-09-07 00:31 -------- d-----w- c:\windows\Google Toolbar
2009-08-29 22:49 . 2009-09-08 00:55 88140 ----a-w- c:\windows\system32\drivers\4087533c.sys
2009-08-24 02:02 . 2009-08-24 02:02 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-24 01:32 . 2009-08-24 01:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2009-08-24 01:32 . 2009-08-30 13:40 -------- d-----w- c:\program files\Common Files\eSellerate
2009-08-23 03:47 . 2009-08-23 03:47 -------- d-----w- c:\program files\Western Digital Corporation
2009-08-22 04:03 . 2009-08-31 02:40 -------- d-----w- c:\documents and settings\Fred\Application Data\vlc
2009-08-15 02:15 . 2009-08-15 02:15 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-15 02:15 . 2009-08-15 02:15 -------- d-----w- c:\program files\MSBuild
2009-08-15 02:15 . 2009-08-15 02:15 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 02:14 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-15 02:14 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-15 02:14 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-15 02:14 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-15 02:14 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-15 02:14 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-15 02:14 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-15 02:14 . 2009-09-07 00:36 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-13 22:03 . 2009-08-13 22:03 -------- d-----w- c:\windows\ServicePackFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 00:37 . 2008-12-20 22:51 -------- d-----w- c:\program files\DPFMate_v3
2009-09-02 14:58 . 2009-03-31 23:27 -------- d-----w- c:\program files\Trend Micro
2009-08-30 13:51 . 2006-06-17 23:44 -------- d-----w- c:\program files\Google
2009-08-29 22:55 . 2006-11-12 21:25 -------- d-----w- c:\documents and settings\Fred\Application Data\Azureus
2009-08-29 15:56 . 2007-10-18 03:08 -------- d-----w- c:\program files\iTunes
2009-08-29 15:54 . 2006-11-12 21:13 -------- d-----w- c:\program files\Azureus
2009-08-24 01:38 . 2006-06-28 22:26 114592 ----a-w- c:\documents and settings\Fred\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 01:34 . 2008-09-28 17:45 -------- d-----w- c:\program files\Western Digital
2009-08-19 11:20 . 2009-03-09 14:39 -------- d-----w- c:\program files\Symantec
2009-08-19 11:20 . 2009-03-09 14:39 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-19 11:20 . 2009-03-09 14:39 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-19 11:20 . 2008-03-08 19:06 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-19 11:20 . 2008-03-08 19:06 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-18 19:11 . 2009-03-18 13:12 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-14 10:58 . 2009-09-01 16:31 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-13 22:13 . 2007-08-24 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:44 . 2007-04-22 03:57 -------- d-----w- c:\program files\Logitech
2009-07-15 11:14 . 2009-03-17 22:22 -------- d-----w- c:\program files\Common Files\Logitech
2009-07-15 11:14 . 2006-06-17 16:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-30 22:41 . 2008-12-26 03:02 138464 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-30 22:40 . 2008-12-26 03:01 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-29 16:12 . 2004-08-04 12:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-25 18:36 . 2004-08-04 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-04 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-04 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-04 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-04 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-04 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-04 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-04 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-04 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-04 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-04 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2004-08-04 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-04 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-04 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-04 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2002-07-26 22:02 . 2008-01-01 01:05 153088 ----a-w- c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((( SnapShot@2009-09-07_05.13.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-08 00:51 . 2009-09-08 00:51 16384 c:\windows\Temp\Perflib_Perfdata_188.dat
+ 2009-09-08 00:22 . 2009-09-08 00:22 16384 c:\windows\Temp\Perflib_Perfdata_16c.dat
+ 2001-07-14 21:32 . 2001-07-14 21:32 69632 c:\windows\setupupd\temp\wsdueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ResChanger 2005"="c:\program files\ResChanger 2005\ResChanger2005.exe" [2005-05-26 885248]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2009-07-15 16384]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Windows Media Connect 2"="c:\program files\Windows Media Connect 2\wmccfg.exe" [2006-10-19 8704]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2007-01-23 81920]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-10-16 202312]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-06 185896]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-19 591696]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2003-07-01 188416]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2003-07-01 65536]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-02-06 252704]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-11-23 631362]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2008-01-27 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-02-03 430080]

c:\documents and settings\Fred\Start Menu\Programs\Startup\
GameSpot Download Manager.lnk - c:\program files\GameSpot\GameSpotDownloadManager_Win32.exe [2007-9-18 864256]
PowerReg Scheduler.exe [2006-6-17 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2009-7-15 169472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
MightyFAX Controller.lnk - c:\program files\MightyFax\MFNTCTL.EXE [2006-7-26 923640]
Sound Station.lnk - c:\program files\Sound Station\SNXUACP.exe [2008-12-25 643072]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SharedAccess"=2 (0x2)
"sdcoreservice"=3 (0x3)
"sdauxservice"=3 (0x3)
"RUBotted"=2 (0x2)
"IISADMIN"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\Codemasters\\GRID Demo\\GRID.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"f:\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"f:\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"g:\\Program Files\\Paradox Interactive\\East India Company Demo\\eastindia.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\Fred\\My Documents\\Wnding Road\\Winding Road Automatic\\assets\\Issue 28\\Winding Road Issue 28.exe"=
"c:\\Documents and Settings\\Fred\\My Documents\\Wnding Road\\Winding Road Automatic\\assets\\Issue 30\\Winding Road Issue 30.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/1/2009 12:31 PM 206256]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1007020.00A\SymEFA.sys [8/19/2009 7:20 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1007020.00A\BHDrvx86.sys [8/19/2009 7:20 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1007020.00A\cchpx86.sys [8/19/2009 7:18 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys [8/12/2009 7:02 AM 276344]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [5/2/2008 12:40 PM 148768]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/10/2009 4:40 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 3:33 AM 102448]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [7/15/2009 7:15 AM 14156]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [3/8/2008 11:56 AM 10880]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [3/31/2009 7:27 PM 206608]
R3 uafilter;uafilter;c:\windows\system32\drivers\UAFilter.sys [12/25/2008 1:55 PM 9874]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
S2 gupdate1c9859013f84a96;Google Update Service (gupdate1c9859013f84a96);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2009 7:43 PM 133104]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.2.10\ccSvcHst.exe [8/19/2009 7:19 AM 117640]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [7/31/2006 8:44 AM 580992]
S3 Asushwio;Asushwio;c:\windows\system32\drivers\ASUSHWIO.SYS [6/17/2006 11:53 AM 5824]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [11/3/2005 10:52 AM 176640]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [9/2/2009 12:23 PM 92464]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [3/31/2009 7:27 PM 206608]
S4 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [3/31/2009 7:27 PM 582992]
S4 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/1/2009 12:31 PM 348752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2009-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 23:43]

2009-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 23:43]

2009-09-07 c:\windows\Tasks\User_Feed_Synchronization-{D050F539-4C71-44EF-A094-04A42DD9044E}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: Microsoft XML Parser for Java
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://173.9.66.81:8082/SysCamInst.cab
DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} - hxxp://www.nero.com/doc/NeroVersionCheckerControl.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 20:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.2.10\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.2.10\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\4087533c]
"ImagePath"="\SystemRoot\System32\drivers\4087533c.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-1708537768-1715567821-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,51,2b,c5,f7,f6,
c8,9f,fa,e2,63,26,f1,3f,c8,ff,68,9e,f2,52,fe,e0,f0,96,e8,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,82,de,c0,52,6b,
10,13,06,6a,9c,d6,61,af,45,84,18,92,49,fd,48,6e,44,b9,1d,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,75,ff,94,11,32,
73,b4,29,ff,7c,85,e0,43,d4,0e,fe,91,d6,41,3e,77,e6,34,75,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,be,fa,2f,4e,ea,
c7,fa,83,86,8c,21,01,be,91,eb,e7,24,e7,94,8a,4a,c1,9e,90,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,44,15,09,3e,37,
95,6c,11,f5,1d,4d,73,a8,13,5c,05,4f,ad,59,4b,50,7d,7e,bd,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,23,81,57,42,d9,
a9,ef,70,df,20,58,62,78,6b,cf,c8,81,12,83,3b,cd,00,cb,2b,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,70,df,ad,e7,26,
22,6f,ee,fb,a7,78,e6,12,2f,9a,ea,c2,62,65,a5,59,fd,02,66,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,47,70,cd,93,03,
2a,b1,b4,01,3a,48,fc,e8,04,4a,f1,4e,3a,61,7c,92,0e,22,be,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,38,89,4e,1c,4d,
4e,ee,2f,f6,0f,4e,58,98,5b,89,c9,e2,7f,fe,47,92,45,e1,d5,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,d3,72,71,a2,a5,
3c,ff,4c,3d,ce,ea,26,2d,45,aa,78,e3,d7,b6,b9,3b,57,e2,bf,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,66,e1,46,82,0f,
4e,d9,c7,2a,b7,cc,b5,b9,7f,41,e7,7c,6c,49,9c,dd,99,e6,ed,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,69,86,58,2a,b3,
13,08,f2,6c,43,2d,1e,aa,22,2f,9c,e4,bf,2a,b7,03,87,23,04,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2328)
c:\windows\system32\WININET.dll
c:\docume~1\Fred\LOCALS~1\TempIadHide3.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\locator.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\searchindexer.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\searchprotocolhost.exe
c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft Office\Office\1033\MSOFFICE.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-09-08 21:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-08 01:11
ComboFix2.txt 2009-09-07 05:23

Pre-Run: 65,800,884,224 bytes free
Post-Run: 65,737,891,840 bytes free

455 --- E O F --- 2009-08-26 11:27

#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 08 September 2009 - 10:19 AM

Looks much better. How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 woofer-001

  • Topic Starter
  • Members
  • 31 posts

Posted 08 September 2009 - 11:13 AM

Hmmm... No internet access other than when in safe mode...
Same with mail.
...other than that... I will test things out later this afternoon

What damage can I expect?
Will this reappear later?
Can I trust the files?
Were any back doors left in here?
What AV software can I trust at this point?


Can you help me with my hal.dll problem?
All the normal MS Bulletin procedures don't work

Can I write a new MBR with the Recovery Console?

#11 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 08 September 2009 - 01:48 PM

First let's see if we can get your connection restored.
Download and run this tool.
http://majorgeeks.com/WinSock_XP_Fix_d4372.html

Reboot and check your connection after running it.


=================


We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.

=================


What damage can I expect?
Will this reappear later?
Can I trust the files?
Were any back doors left in here?
What AV software can I trust at this point?

In the majority of cases such as yours damage to your system is minimal and can be restored.
You definitely can become infected again if the same circumstances present themselves. I'll suggest steps to prevent that.
I'm not sure what files you're referring to. Everything that I ask you to download is safe as long as you get it from the links I provide.
As far as backdoors, unless you format your system and reinstall everything you won't be 100% certain that there's not something that we missed.
Once we have no indication of remaining malware on your system and have resolved any other issues that you have I will suggest some programs that you can install. As of right now I recommend that you keep Malwarebytes and run it often.


Can you help me with my hal.dll problem?
All the normal MS Bulletin procedures don't work

Tell me exactly what the problem is and I'll see what I can do.

Can I write a new MBR with the Recovery Console?

Absolutely you can. Review these links for more info.
http://support.microsoft.com/kb/314058
http://www.tech-recipes.com/rx/483/xp_repa...covery_console/


========================================================

#12 woofer-001

  • Topic Starter
  • Members
  • 31 posts

Posted 08 September 2009 - 09:02 PM

Hi Sam

Currently running the Junction utility
Just an update...
Mail is up and running (545 New e-mails)
IE Explorer will only run in Safe Mode
In regular account IE Explorer will not connect to the Internet.
From a command line I can ping www.yahoo.com and www.cnn.com just fine. Something is blocking IE Explorer and darned if I can figure out what it is.

hal.dll
On boot I have been getting the following message
"Windows could not start because the following file is missing or corrupt:
\system32\hal.dll.
Please re-install a copy of the above file."


I have been booting off my Windows CD for the last month since I am not crazy about doing a windows reinstall.

Currently looking at http://support.microsoft.com/kb/314477
Might try this procedure first.

#13 woofer-001

  • Topic Starter
  • Members
  • 31 posts

Posted 09 September 2009 - 06:54 AM

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\Documents and Settings\Administrator\Desktop\RSIT.exe: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\edc5f280d3a1062cf0b3a165e447a04c_efbb568b-eb1e-4ee9-a70c-e0ff90194d94: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f486d6f127aa239d367cb83d115baf0e_efbb568b-eb1e-4ee9-a70c-e0ff90194d94: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\Quarantine: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Temp_HijackThis\HijackThis.exe: Access is denied.

Failed to open \\?\c:\\HJ-TEMP\Hijack_This.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Norton Internet Security\Engine\16.7.2.10\ccSvcHst.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Norton Internet Security\Engine\16.7.2.10\Navw32.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Trend Micro\Administrator.exe: Access is denied.

Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.

Failed to open \\?\c:\\VRS\VIPRERescueScanner.exe: Access is denied.

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Failed to open \\?\c:\\WINDOWS\system32\drivers\4087533c.sys: The system cannot find the file specified.

#14 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 September 2009 - 02:01 PM

We need to reset the permissions altered by the malware on some files.
  • Download this tool and save it: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
  • Copy and paste Inherit.exe to the same directory where the following files are located, then drag the file to the tool and drop it:

    c:\\Documents and Settings\All Users\Temp_HijackThis\HijackThis.exe
    c:\\HJ-TEMP\Hijack_This.exe
    c:\\Program Files\Norton Internet Security\Engine\16.7.2.10\ccSvcHst.exe
    c:\\Program Files\Norton Internet Security\Engine\16.7.2.10\Navw32.exe
    c:\\VRS\VIPRERescueScanner.exe

  • When finished, click OK. You may remove the Inherit.exe from the directory.

Reboot and then check to see if you can connect with IE.


For your hal.dll error message, try this resolution.
http://support.microsoft.com/kb/945380
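The Junction log above and the permission-reset step that follows it come down to one triage question: which "Access is denied" entries are expected (MachineKeys, System Volume Information, AV quarantine folders) and which are security-tool executables whose ACLs were changed, plus which "cannot find the file specified" entry belongs to a file that a service key still points at. As an added example that is not code from this thread or from the Junction/ComboFix tools, the Python below runs that triage over constructed sample lines modelled on the posts; the %SystemRoot% value and the protected-path list are assumptions.

```python
import re
from collections import namedtuple

SYSTEM_ROOT = r"c:\WINDOWS"   # assumed %SystemRoot% of the XP machine in the thread

# Constructed sample of Junction output, modelled on the post above (progress dots omitted).
JUNCTION_LOG = r"""
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\edc5f280d3a1062cf0b3a165e447a04c_efbb568b-eb1e-4ee9-a70c-e0ff90194d94: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Temp_HijackThis\HijackThis.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Norton Internet Security\Engine\16.7.2.10\ccSvcHst.exe: Access is denied.
Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.
\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Failed to open \\?\c:\\WINDOWS\system32\drivers\4087533c.sys: The system cannot find the file specified.
"""

# Constructed sample of the ComboFix service dump, ImagePath values as ComboFix prints them.
COMBOFIX_SERVICES = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.2.10\ccSvcHst.exe\" /s \"Norton Internet Security\" /prefetch:1"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\4087533c]
"ImagePath"="\SystemRoot\System32\drivers\4087533c.sys"
"""

FAILED_RE = re.compile(r"^Failed to open (.+?): (.+)$")
JUNCTION_RE = re.compile(r"^(.+?): JUNCTION$")
SERVICE_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
IMAGE_PATH_RE = re.compile(r'^"ImagePath"="(.*)"$')

# Locations the OS or an AV product locks down on purpose; a denial there is expected (assumed list).
EXPECTED_DENIED = (r"\microsoft\crypto\rsa\machinekeys", r"\system volume information", r"\srtsp\quarantine", r"\srtsp\srtetmp")

Finding = namedtuple("Finding", "path severity reason")   # severity: benign | info | medium | high

def normalise(path):
    # Drop the \\?\ long-path prefix, collapse c:\\ into c:\, lower-case so paths compare equal.
    path = re.sub(r"^\\\\\?\\", "", path)
    path = re.sub(r"\\{2,}", r"\\", path)
    return path.lower()

def service_image_paths(combofix_text):
    paths, key = {}, None
    for line in combofix_text.splitlines():
        m = SERVICE_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = IMAGE_PATH_RE.match(line)
        if m and key:
            raw = m.group(1)
            quoted = re.match(r'\\"(.+?)\\"', raw)       # \"path with spaces\" followed by arguments
            path = quoted.group(1) if quoted else raw.split(" ")[0]
            if path.lower().startswith(r"\systemroot"):  # kernel-style path used by driver services
                path = SYSTEM_ROOT + path[len(r"\systemroot"):]
            paths[key] = normalise(path)
    return paths

def triage(junction_text, combofix_text=""):
    owner_of = {v: k for k, v in service_image_paths(combofix_text).items()}
    findings, lines, i = [], junction_text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = JUNCTION_RE.match(line)
        if m:
            target = ""
            for extra in lines[i:i + 2]:                  # "Print Name :" and "Substitute Name:" lines
                if extra.strip().startswith("Substitute Name:"):
                    target = extra.split(":", 1)[1].strip()
            i += 2
            sev = "info" if "\\winsxs\\" in target.lower() else "medium"   # GAC -> WinSxS links are normal
            findings.append(Finding(normalise(m.group(1)), sev, f"reparse point -> {target}"))
            continue
        m = FAILED_RE.match(line)
        if not m:
            continue                                      # progress dots and blank lines
        path, error = normalise(m.group(1)), m.group(2).lower()
        if "access is denied" in error:
            if any(p in path for p in EXPECTED_DENIED):
                findings.append(Finding(path, "benign", "OS/AV-protected location"))
            elif path.endswith(".exe"):
                findings.append(Finding(path, "high", "executable unreadable: suspected ACL tampering, restore inherited permissions"))
            else:
                findings.append(Finding(path, "medium", "access denied outside protected locations"))
        elif "cannot find the file" in error:
            owner = owner_of.get(path)
            reason = "listed by the directory but not openable"
            if owner:
                reason += f"; still referenced by service '{owner}': hidden driver suspected"
            findings.append(Finding(path, "high" if owner else "medium", reason))
    return findings

if __name__ == "__main__":
    print(*triage(JUNCTION_LOG, COMBOFIX_SERVICES), sep="\n")
```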


========================================================

#15 woofer-001

  • Topic Starter
  • Members
  • 31 posts

Posted 09 September 2009 - 05:21 PM

Oh great!

On a whim, I ran VipreRescue and lo and behold...

I see this red entry scroll by
C:\WINDOWS\system32\drivers\4087533c.sys 4191502 BackDoor.win32.newrest.ao (or a 0 not sure which)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4087533c.sys

Not wanting to wait all night... I terminated the scan...
(it might have stopped on its own, not sure as it all happened around the same time)...
...and found three new xml files in the Vipre Quarantine folder

They are
QR{5D1A963B-447D-4E72-8417-B2A4E3353DB4}4191502.xml
QR{DA9CA052-5F8E-4245-81EA-758884546D16}4009800.xml
QR{F9AF1C13-968C-46E0-AD21-8FB68AC07D1C}15196.xml

Did Vipre kill the Backdoor or will we have to try something else?

Norton AV and IE Explorer now run correctly although I may reinstall NAV since it is probably compromised.

Edited by woofer-001, 09 September 2009 - 06:40 PM.




